Adds session documentation

add more console output, add to pentesting side split out session, help, query, query_interactive sections add multiline examples update mysql, smb
rapid7 · Mar 20, 2024 · e8f71f2 · e8f71f2
1 parent 923f4c9
commit e8f71f2
Show file tree

Hide file tree

Showing 9 changed files with 1,209 additions and 8 deletions.
diff --git a/docs/metasploit-framework.wiki/Metasploit-Guide-MSSQL.md b/docs/metasploit-framework.wiki/Metasploit-Guide-MSSQL.md
@@ -3,7 +3,7 @@
 Microsoft SQL Server (MSSQL) is a relational database management system. Commonly used in conjunction with web applications
 and other software that need to persist data. MSSQL is a useful target for data extraction and code execution.
 
-MySQL is frequently found on port on the following ports:
+MSSQL is frequently found on port on the following ports:
 
 - 1433/TCP
 - 1434/UDP
@@ -26,6 +26,175 @@ use auxiliary/admin/mssql/mssql_sql
 run rhost=192.168.123.13 username=administrator password=p4$$w0rd sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
 ```
 
+### Logging in and obtaining a session
+To log in or obtain an interactive session on an MSSQL instance running on the target, use mssql_login
+
+```msf6
+use auxiliary/scanner/mssql_login
+run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password
+```
+
+The CreateSession option, when set to true, will result in returning an interactive MSSQL session with the target machine
+on a successful login:
+
+```msf6
+[*] 192.168.2.242:1433    - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
+[!] 192.168.2.242:1433    - No active DB -- Credential data will not be saved!
+[+] 192.168.2.242:1433    - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password
+[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500
+[*] 192.168.2.242:1433    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Which you can interact with using `sessions -i <session id>` or `sessions -1` to interact with the most recently opened session.
+
+```msf6
+msf6 auxiliary(scanner/mssql/mssql_login) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type   Information                     Connection
+  --  ----  ----   -----------                     ----------
+  1         mssql  MSSQL test @ 192.168.2.242:143  192.168.2.1:60963 -> 192.168.2
+                   3                               .242:1433 (192.168.2.242)
+
+msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
+[*] Starting interaction with 1...
+
+mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
+Response
+========
+
+    #  NULL
+    -  ----
+    0  Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
+	    Oct 8 2022 05:58:25
+	    Copyright (C) 2022 Microsoft Corporation
+	    Developer Edition (64-bit) on Windows Server 2022 Stand
+       ard 10.0 <X64> (Build 20348: ) (Hypervisor)
+```
+
+When interacting with a session, the help command can be useful:
+
+```msf6
+mssql @ 192.168.2.242:1433 (master) > help
+
+Core Commands
+=============
+
+    Command            Description
+    -------            -----------
+    ?                  Help menu
+    background         Backgrounds the current session
+    bg                 Alias for background
+    exit               Terminate the PostgreSQL session
+    help               Help menu
+    irb                Open an interactive Ruby shell on the current session
+    pry                Open the Pry debugger on the current session
+    sessions           Quickly switch to another session
+
+
+MSSQL Client Commands
+=====================
+
+    Command            Description
+    -------            -----------
+    query              Run a single SQL query
+    query_interactive  Enter an interactive prompt for running multiple SQL queri
+                       es
+
+
+Local File System Commands
+==========================
+
+    Command            Description
+    -------            -----------
+    getlwd             Print local working directory (alias for lpwd)
+    lcat               Read the contents of a local file to the screen
+    lcd                Change local working directory
+    ldir               List local files (alias for lls)
+    lls                List local files
+    lmkdir             Create new directory on local machine
+    lpwd               Print local working directory
+
+This session also works with the following modules:
+
+  auxiliary/admin/mssql/mssql_enum
+  auxiliary/admin/mssql/mssql_escalate_dbowner
+  auxiliary/admin/mssql/mssql_escalate_execute_as
+  auxiliary/admin/mssql/mssql_exec
+  auxiliary/admin/mssql/mssql_findandsampledata
+  auxiliary/admin/mssql/mssql_idf
+  auxiliary/admin/mssql/mssql_sql
+  auxiliary/admin/mssql/mssql_sql_file
+  auxiliary/scanner/mssql/mssql_hashdump
+  auxiliary/scanner/mssql/mssql_schemadump
+  exploit/windows/mssql/mssql_payload
+```
+
+To interact directly with the session as if in a SQL prompt, you can use the `query` command.
+
+```msf6
+msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i -1
+[*] Starting interaction with 2...
+
+mssql @ 192.168.2.242:1433 (master) > query -h
+Usage: query
+
+Run a single SQL query on the target.
+
+OPTIONS:
+
+    -h, --help      Help menu.
+    -i, --interact  Enter an interactive prompt for running multiple SQL queries
+
+Examples:
+
+    query select @@version;
+    query select user_name();
+    query select name from master.dbo.sysdatabases;
+
+mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
+Response
+========
+
+    #  NULL
+    -  ----
+    0  Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
+	Oct  8 2022 05:58:25
+	Copyright (C) 2022 Microsoft Corporation
+	Developer Edition (64-bit) on Windows Server 2022 Standard 10.0 <X64> (B
+       uild 20348: ) (Hypervisor)
+```
+
+Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
+
+```msf6
+mssql @ 192.168.2.242:1433 (master) > query_interactive -h
+Usage: query_interactive
+
+Go into an interactive SQL shell where SQL queries can be executed.
+To exit, type 'exit', 'quit', 'end' or 'stop'.
+
+mssql @ 192.168.2.242:1433 (master) > query_interactive
+[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
+[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
+
+SQL >> select top 2 table_catalog, table_schema
+SQL *> from information_schema.tables;
+[*] Executing query: select top 2 table_catalog, table_schema from information_schema.tables;
+Response
+========
+
+    #  table_catalog  table_schema
+    -  -------------  ------------
+    0  master         dbo
+    1  master         dbo
+
+SQL >>
+```
+
 ### Link crawling
 
 Identify if the SQL server has been configured with trusted links, which allows running queries on other MSSQL instances:

diff --git a/docs/metasploit-framework.wiki/Metasploit-Guide-MySQL.md b/docs/metasploit-framework.wiki/Metasploit-Guide-MySQL.md
@@ -79,6 +79,157 @@ run cidr:/24:mysql://user:[email protected] threads=50
 run cidr:/24:mysql://[email protected] threads=50 pass_file=./wordlist.txt
 ```
 
+### Obtaining an Interactive Session on the Target
+
+The CreateSession option in `scanner/mysql/msql_login` allows you to obtain an interactive session
+for the MySQL client you're connecting to. The run command with CreateSession
+set to true should give you an interactive session:
+
+```msf6
+run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true
+
+[+] 127.0.0.1:4306        - 127.0.0.1:4306 - Found remote MySQL version 11.2.2
+[+] 127.0.0.1:4306        - 127.0.0.1:4306 - Success: 'root:password'
+[*] MySQL session 1 opened (127.0.0.1:53241 -> 127.0.0.1:4306) at 2024-03-12 12:40:46 -0500
+[*] 127.0.0.1:4306        - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i -1
+[*] Starting interaction with 1...
+
+mysql @ 127.0.0.1:4306 >
+```
+
+You can interact with your new session using `sessions -i -1` or `sessions <session id>`.
+You can also use `help` to get more information about how to use your session.
+
+```msf6
+msf6 auxiliary(scanner/mysql/mysql_login) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type   Information                      Connection
+  --  ----  ----   -----------                      ----------
+  2         mssql  MSSQL test @ 192.168.2.242:1433  192.168.2.1:61428 -> 192.168.2.242:1433 (192.168.2.242)
+  3         mysql  MySQL root @ 127.0.0.1:4306      127.0.0.1:61450 -> 127.0.0.1:4306 (127.0.0.1)
+
+msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i 3
+[*] Starting interaction with 3...
+```
+
+When interacting with a session, the help command can be useful:
+
+```msf6
+mysql @ 127.0.0.1:4306 > help
+
+Core Commands
+=============
+
+    Command            Description
+    -------            -----------
+    ?                  Help menu
+    background         Backgrounds the current session
+    bg                 Alias for background
+    exit               Terminate the PostgreSQL session
+    help               Help menu
+    irb                Open an interactive Ruby shell on the current session
+    pry                Open the Pry debugger on the current session
+    sessions           Quickly switch to another session
+
+
+MySQL Client Commands
+=====================
+
+    Command            Description
+    -------            -----------
+    query              Run a single SQL query
+    query_interactive  Enter an interactive prompt for running multiple SQL queries
+
+
+Local File System Commands
+==========================
+
+    Command            Description
+    -------            -----------
+    getlwd             Print local working directory (alias for lpwd)
+    lcat               Read the contents of a local file to the screen
+    lcd                Change local working directory
+    ldir               List local files (alias for lls)
+    lls                List local files
+    lmkdir             Create new directory on local machine
+    lpwd               Print local working directory
+
+This session also works with the following modules:
+
+  auxiliary/admin/mysql/mysql_enum
+  auxiliary/admin/mysql/mysql_sql
+  auxiliary/scanner/mysql/mysql_file_enum
+  auxiliary/scanner/mysql/mysql_hashdump
+  auxiliary/scanner/mysql/mysql_schemadump
+  auxiliary/scanner/mysql/mysql_version
+  auxiliary/scanner/mysql/mysql_writable_dirs
+  exploit/multi/mysql/mysql_udf_payload
+  exploit/windows/mysql/mysql_mof
+  exploit/windows/mysql/mysql_start_up
+```
+
+Once you've done that, you can run any MySQL query against the target using the `query` command.
+
+```msf6
+mysql @ 127.0.0.1:4306 > query -h
+Usage: query
+
+Run a single SQL query on the target.
+
+OPTIONS:
+
+    -h, --help      Help menu.
+    -i, --interact  Enter an interactive prompt for running multiple SQL queries
+
+Examples:
+
+    query SHOW DATABASES;
+    query USE information_schema;
+    query SELECT * FROM SQL_FUNCTIONS;
+    query SELECT version();
+
+mysql @ 127.0.0.1:4306 > query 'SELECT version();'
+Response
+========
+
+    #  version()
+    -  ---------
+    0  11.2.2-MariaDB-1:11.2.2+maria~ubu2204
+```
+
+Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
+
+```msf6
+mysql @ 127.0.0.1:4306 () > query_interactive -h
+Usage: query_interactive
+
+Go into an interactive SQL shell where SQL queries can be executed.
+To exit, type 'exit', 'quit', 'end' or 'stop'.
+
+mysql @ 127.0.0.1:4306 () > query_interactive
+[*] Starting interactive SQL shell for mysql @ 127.0.0.1:4306 ()
+[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
+
+SQL >> SELECT table_name
+SQL *> FROM information_schema.tables
+SQL *> LIMIT 2;
+[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
+Response
+========
+
+    #  table_name
+    -  ----------
+    0  ALL_PLUGINS
+    1  APPLICABLE_ROLES
+
+SQL >>
+```
+
 ### MySQL Dumping
 
 User and hash dump: