Tools & Scripts

MS SQL Security Admin – Priv Esc

It’s been a while – I have been crazy busy with work and life in general and unfortunately let the blog slip a little. All the plans I want to do are in the pipeline at some point. It’s just a case of finding the time!!

Anyway, today I give you a custom Metasploit module to add to your arsenal. Within MS SQL Server, there is a very easy way to elevate your privileges from the “Security Admin” server role. By default, the “Security Admin” role does not have permission to enable “xp_cmdshell” to allow you to get code execution on the machine. However, you can create new users. The user you create cannot be assigned a permission higher than the “Security Admin” (which makes sense). But what you can do is grant “Control Server” permissions instead.

I won’t go into detail on what the differences between “Control Server vs sysadmin” are here. But rest assured there are plenty of other blogs out there which highlight this / similar issues to what this Metasploit module exploits. With the “Control Server” permissions, you pretty much have the keys to the castle and have the ability to enable “xp_cmdshell” in order to get code execution.

I may be wrong, but I haven’t seen an equivalent Metasploit module for this? Anyway, I’ll just to give you a run down of what the script does:

  • Checks to see if the user has “securityadmin” role.
  • If so, then a new user is created.
  • Control Server permissions assigned to new user.
  • Then you will need to manually log in as your new user and enable xp_cmdshell.

So as you can see it’s straight forward. Installation instructions will be on the Github page.

If you would like to run these steps manually then these will be the steps after logging into SQL Server:

select is_srvrolemember('securityadmin') as IsSecAdmin
create login pwned with password=Password123!, check_policy=off;
grant control server to pwned;

It’s as simple as that.

Anyway, I hope this has helped someone. At some point I may change the script to automatically log in as the new user and then pwn using xp_cmdshell. This is my first go at a custom Metasploit module and I haven’t done a lot of Ruby yet, so it’ll be quite a nice project to continue with when I get the time.

Thanks for reading 🙂