The xp_cmdshell stored procedure is an undocumented stored procedure used to execute a DOS command from within a T-SQL script. It comes in handy when you are writing a T-SQL script that needs to run some DOS commands. The syntax of the xp_cmdshell command is as follows:
To rectify the error, we must enable the use of the xp_cmdshell using the sp_configure stored procedure. The xp_cmdshell is an advanced option, so first, we must enable the execution of the advanced options.
Once the configuration has been changed, the query will be executed successfully. Suppose you want to run the dir C:\Backup command using a T-SQL query. To do that, run the following query:
This example shows the output of the xp_fileexist command when both the file and the directory exist in the specified location. We want to verify that the backup file has been created in the C:\Backup directory. For that purpose, run the following command:
As you can see in the above image, the values of the columns named File Exists and Parent Directory Exists are one (1), which means that both the file and the directory exist in the specified location.
This example shows the output when the file does not exist but the directory does. We want to verify that the backup file has been created in the C:\Backup directory. For that purpose, run the following command:
As you can see in the above image, the column named File Exists is zero (0) and the column named Parent Directory Exists is one (1), which means that the file does not exist but the directory does exist in the specified location.
This example shows the output of the command when neither the file nor the directory exists in the specified location. Suppose we want to verify that the backup file has been created in the D:\Backup directory. For that purpose, run the following command:
As you can see in the above image, the values of File Exists, File is a Directory, and Parent Directory Exists are all zero (0), which indicates that neither the file nor the directory is present in the specified location.
In this example, I have written code that verifies whether the file is present at the specified location. If the file is available, the command prints "File is present"; otherwise it prints "File is not present".
As I mentioned, xp_fileexist is an undocumented extended stored procedure, so when using it in an application we must re-validate its functionality and output after applying patches, hotfixes, and SQL Server upgrades.
In SQL Server 2017, a new dynamic management function named sys.dm_os_file_exists replaced the xp_fileexist stored procedure. The output returned by sys.dm_os_file_exists and xp_fileexist is the same. For example, to check whether the backup file is present in the directory, run the following query:
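The check described above, written out as an added example (not the article's own code): it captures the three columns xp_fileexist returns, prints the result, and then runs the equivalent sys.dm_os_file_exists query for SQL Server 2017 and later. The backup path is a constructed sample, and the lower-case column names of sys.dm_os_file_exists are assumed.

```sql
-- Added example: verify that a backup file exists with xp_fileexist and,
-- on SQL Server 2017+, with sys.dm_os_file_exists.
USE master;
GO
-- Constructed sample path; replace with the backup file you expect.
DECLARE @BackupFile NVARCHAR(260) = N'C:\Backup\SampleDB.bak';

-- 1. xp_fileexist returns one row with three INT columns:
--    File Exists, File is a Directory, Parent Directory Exists.
DECLARE @FileCheck TABLE (
    FileExists            INT,   -- 1 when the path is an existing file
    FileIsADirectory      INT,   -- 1 when the path itself is a directory
    ParentDirectoryExists INT    -- 1 when the containing folder exists
);
INSERT INTO @FileCheck
EXEC master.dbo.xp_fileexist @BackupFile;

IF EXISTS (SELECT 1 FROM @FileCheck WHERE FileExists = 1)
    PRINT 'File is present';
ELSE IF EXISTS (SELECT 1 FROM @FileCheck WHERE ParentDirectoryExists = 1)
    PRINT 'File is not present (the parent directory exists)';
ELSE
    PRINT 'File is not present (the parent directory does not exist either)';

-- 2. Shorter form: xp_fileexist also accepts an INT OUTPUT parameter that
--    receives only the File Exists value.
DECLARE @Result INT;
EXEC master.dbo.xp_fileexist @BackupFile, @Result OUTPUT;
PRINT CASE WHEN @Result = 1 THEN 'File is present' ELSE 'File is not present' END;

-- 3. SQL Server 2017 and later: the dynamic management function returns the
--    same three values as a row set, so it can be used directly in a query.
--    Column names here are assumed from the function's output.
SELECT file_exists, file_is_a_directory, parent_directory_exists
FROM sys.dm_os_file_exists(@BackupFile);
```

Because xp_fileexist runs in the context of the SQL Server service account, a zero result can also mean the service account lacks read access to the folder, not only that the file is missing.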
Nisarg Upadhyay is a SQL Server Database Administrator and Microsoft certified professional who has more than 8 years of experience with SQL Server administration and 2 years with Oracle 10g database administration. He has expertise in database design, performance tuning, backup and recovery, HA and DR setup, and database migrations and upgrades. He has completed his B.Tech from Ganpat University. He can be reached at
nisargup...@outlook.com
These functions are used for identifying weak configurations that can lead to unauthorized access. Invoke-SQLAudit can be used to run all of them at once. Also, all of the audit functions support an exploit flag. In most cases that means the script will try to add your login to the sysadmin server role.
TLDR: Domain Users permitted to authenticate to Microsoft SQL databases can use the limited privileges they are granted to run a stored procedure. That stored procedure can be used to send the database service account's credentials over the network. When the database service account has been granted privileges, those credentials can be cracked offline or relayed in order to escalate privileges. I have exploited this multiple times to escalate from domain user to domain administrator!
Or, of course, port scanning; however, note that if you scan only the default ports (TCP 1433 and 2433) you will miss a lot of instances running on random ports. Instead you may wish to perform a UDP scan for port 1434, on which the SQL Browser Service listens.
There are a number of extended stored procedures within MSSQL Server which can be useful to an attacker. Although some, like xp_cmdshell, require elevated permissions within the database, others such as xp_dirtree and xp_fileexist can be executed with the guest permissions often granted to the Domain Users group.
The MSSQL service can be configured to run as the local system account (a terrible idea, as escalating privileges within the database also compromises the server), a local service account, a local account, a domain account, or as a domain managed service account.
I use the smbrelayx.py from the impacket library to relay the authentication to a host with SMB signing disabled, and use rundll32 to load a malicious DLL from a network share which establishes a reverse meterpreter shell.
In order to do this, you need to have 2 IP addresses, because smbrelayx.py and the network share require the same port. This can be accomplished with the following command, assuming eth0 is your network interface.
There are a number of insecure configurations at play here; I would recommend addressing them all to harden your environment. Most significantly, follow the principle of least privilege (1 and 2).
With encryption, another feature called Extended Protection is available since Windows 2018 R2 and Windows 7. Service Binding and Channel Binding can be enforced to protect against relaying attacks, but this feature is disabled by default.
It is best practice to use a dedicated service account for running your MSSQL service (as opposed to using SYSTEM). If several instances of MSSQL Server are running under the same service account, this introduces new risks:
Among the many features of MSSQL, it is possible to handle files. The known stored procedures xp_fileexist and xp_dirtree can be misused to trigger an SMB connection to a chosen target. Standard DB users should never have permission to execute these procedures.
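One way to act on that recommendation, as an added example (not the post's or the tool's own code): audit which database principals hold EXECUTE on xp_dirtree and xp_fileexist in master, then remove the default grant to public so guest and Domain Users logins can no longer invoke them. Only the two procedure names come from the page; the catalog-view query is standard T-SQL.

```sql
-- Added example: find and remove low-privilege access to the file-handling
-- extended stored procedures that can trigger outbound SMB connections.
USE master;
GO
-- 1. Who currently holds EXECUTE on xp_dirtree / xp_fileexist?
--    By default both are granted to public, which is why guest-level
--    logins can run them.
SELECT o.name                AS procedure_name,
       dp.name               AS grantee,
       perm.state_desc       AS permission_state,   -- GRANT / DENY
       perm.permission_name
FROM sys.database_permissions AS perm
JOIN sys.all_objects          AS o  ON o.object_id = perm.major_id
JOIN sys.database_principals  AS dp ON dp.principal_id = perm.grantee_principal_id
WHERE perm.class = 1                               -- object-level permissions
  AND o.name IN (N'xp_dirtree', N'xp_fileexist')
ORDER BY o.name, dp.name;

-- 2. Remove the default grant to public. REVOKE removes this grant only;
--    use DENY instead if you need to override grants made via other roles.
REVOKE EXECUTE ON xp_dirtree   FROM public;
REVOKE EXECUTE ON xp_fileexist FROM public;

-- 3. Re-run the audit query above; the 'public' rows should be gone.
--    Members of sysadmin are unaffected, since they bypass permission checks.
```

Revoking these grants can break the file-browse dialogs in SQL Server Management Studio for non-sysadmin users, so test against the accounts that perform backups and restores before rolling the change out.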
We released a tool on GitHub. The tool allows you to quickly get an overview of the MSSQL instances in a Microsoft Active Directory, find the misconfigurations mentioned above, and exploit the two-step relay easily.
From this output, we know that both SPNs are registered to the same service account (svc_sql). This user has SA privileges on the databases. Our user tmassie has no admin privileges but can execute xp_dirtree on fs1 and encryption is not enforced on ws1. We can relay from fs1 to ws1 and elevate privileges!