Capturing SQL Server User Hash with SQLi

By Mike Saunders | September 5, 2018

On a recent external web app pen test, I found a possible SQL injection vulnerability using the Burp Scanner. One of the tests triggered an A record lookup for the Burp Collaborator server. In the screenshot below, we can see the test that triggered the finding.

Collaborator SQLi Test Collaborator SQLi Test[/caption]

We can see that a local variable, @q, is declared and is set to a UNC path of a random subdomain for the Collaborator server and a random directory. @q is then passed as an argument to the xp_dirtree stored procedure. Xp_dirtree is an undocumented stored procedure that will list all directories, subdirectories, and files in the specified directory.

Based on some previous work on this engagement, I suspected that the perimeter firewall had a very relaxed egress filtering policy. I wanted to test this, so I modified the query to point to the IP address of one of my servers. Sure enough, outbound SMB was permitted, so I was able to receive an SMB connection triggered by the SQLi.

Testing SMB Egress Testing SMB Egress

SMB Connection Received SMB Connection Received!

Whenever a Windows system tries to connect to a UNC path, the host will try to authenticate to the remote server by passing the user’s password hash. In other words, I could force the SQL server to authenticate to me and give up the password hash of the user account running the SQL server process!

With this in mind, I fired up the Metasploit auxiliary/server/capture/smb server module. I triggered the SQLi and waited a few seconds for the SQL server to connect and voilà! we have a hash!

Hash Captured with auxiliary/server/capture/smb Hash Captured with auxiliary/server/capture/smb

Abusing SQL server via xp_dirtree and SQLi isn’t a new concept. You can read more about it in Bernardo Damele Assumpção Guimarães’ 2009 Black Hat Briefings Europe slides. Holly Graceful also has a great blog on out-of-band data retrieval via SQLi using xp_dirtree. If you run into a blind SQLi where you can execute xp_dirtree but don’t have SMB egress, you can still exfiltrate data using Holly’s method.

If you happen to encounter SQLi on an MS SQL server in the future, you now have a few more tools in your toolkit. Good luck and happy hunting!

Attacking SAML implementations

By Red Siege | November 2, 2021

SAML and SAML Attacks Recently a client mentioned that they wanted me to pay particular attention to the SAML authentication on an app I was going to be testing. It’s […]

Learn More
Attacking SAML implementations

Bypassing Signature-Based AV

By Red Siege | August 25, 2021

If you want to execute arbitrary code on an endpoint during a penetration test, red team, or assumed breach, chances are you’ll have to evade some kind of antivirus solution. […]

Learn More
Bypassing Signature-Based AV

Sans Core Netwars Tournament of Champions Europe

By Red Siege | August 9, 2021

From Justin Palk, Security Consultant: I’ll be honest, it feels good to win. Popping a shell sends a shiver down my spine. But getting into a duel with another team […]

Learn More
Sans Core Netwars Tournament of Champions Europe

Find Out What’s Next

Stay in the loop with our upcoming events.