MSSQL List Permissions
Context
This article teaches how to list permissions in Microsoft SQL Server (MSSQL) using SQL injection techniques. It assumes prior knowledge of SQL privileges, database roles, and permission granting. Understanding these concepts is crucial when leveraging vulnerabilities to escalate privileges within an MSSQL environment.
Theory
Understanding MSSQL Permissions
Permissions in MSSQL are used to control access to database objects and operations, ensuring that only authorized users can perform certain actions. These permissions are managed through a role-based access control (RBAC) system. RBAC assigns permissions to roles, which are then granted to users, facilitating easier administration of permissions across different user accounts. However, improper configuration or understanding of these permissions can lead to vulnerabilities, including the potential for privilege escalation.
Key Functions for Permission Enumeration
- HAS_PERMS_BY_NAME: This function checks specific permissions on a securable such as an object, schema, or database. It's a precise tool for assessing if a particular permission exists.
- fn_my_permissions: This function lists all effective permissions for the current user on a specified securable, allowing a wide view of what actions a user can perform.
- is_srvrolemember: This function checks if a user is a member of a specific server role, such as 'sysadmin'. Membership in high-privilege roles often allows more extensive access and control over the server.
Exploiting Privilege Escalation in MSSQL
By exploiting vulnerabilities like SQL injection, an attacker can bypass normal permission checks. This bypass allows attackers to view or manipulate the database in ways not originally permitted by its configuration. Understanding how to enumerate permissions is the first step in identifying potential paths for privilege escalation.
Practice
Enumerate Permissions Using SQL Injection
Using SQL injection techniques, attackers can leverage the following commands to enumerate permissions and assess a user’s effective privileges.
- Check SELECT Permission
  Use the HAS_PERMS_BY_NAME function to check if the SELECT permission is granted, which allows reading data from tables.

      SELECT HAS_PERMS_BY_NAME(null, null, 'SELECT');
- List All Permissions for the Current User
  Use fn_my_permissions to get a comprehensive list of permissions the current user has on the database. This provides an overview of actions the user is authorized to perform.

      SELECT * FROM fn_my_permissions(null, 'DATABASE');
- Check Membership in the sysadmin Role
  The is_srvrolemember function helps determine if a user is part of the 'sysadmin' role, which is critical because this role has unrestricted access across the server.

      SELECT is_srvrolemember('sysadmin');
By executing these commands, an attacker can identify which permissions are available and what potential avenues exist for escalating privileges.
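Because a web application rarely has a reason to receive these function calls in request parameters, their appearance in access logs is a usable detection signal. The following is an added example, not part of the original article: it assumes combined-format access logs, uses constructed sample lines with documentation-range IP addresses, and the helper names `normalize` and `scan` are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# The three enumeration functions named in this article.
FUNCS = ("has_perms_by_name", "fn_my_permissions", "is_srvrolemember")
# A function *call*: name, optional whitespace, then "(" (a bare mention is not flagged).
CALL = re.compile(r"\b(" + "|".join(FUNCS) + r")\s*\(", re.IGNORECASE)
# Assumed common/combined log layout: client IP first, request line in quotes.
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /item?id=42 HTTP/1.1" 200 512
203.0.113.9 - - [12/Mar/2024:10:01:05 +0000] "GET /item?id=42%3BSELECT%20is_srvrolemember(%27sysadmin%27) HTTP/1.1" 500 87
203.0.113.9 - - [12/Mar/2024:10:01:07 +0000] "GET /item?id=42%3BSELECT+HAS_PERMS_BY_NAME(null,+null,+%27SELECT%27) HTTP/1.1" 500 87
203.0.113.9 - - [12/Mar/2024:10:01:09 +0000] "GET /item?id=42%253BSELECT%2520*%2520FROM%2520FN_MY_PERMISSIONS%2528null,%2527DATABASE%2527%2529 HTTP/1.1" 500 87
198.51.100.4 - - [12/Mar/2024:10:02:00 +0000] "GET /search?q=how+to+use+fn_my_permissions HTTP/1.1" 200 901
"""

def normalize(value, max_rounds=3):
    """Undo repeated URL encoding so %2528 -> %28 -> ( is seen as a parenthesis."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text):
    """Return sorted (client, parameter, function) hits found in query strings."""
    hits = set()
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed layout
        client, target = m.groups()
        for param, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            for call in CALL.finditer(normalize(value)):
                hits.add((client, param, call.group(1).lower()))
    return sorted(hits)

if __name__ == "__main__":
    for client, param, func in scan(SAMPLE_LOG):
        print(f"{client} param={param!r} calls {func}()")
```

The scan covers query strings only; request bodies and headers would need the same normalization applied at a proxy or WAF that records them.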
Tools
- sqlmap
- MSSQL Management Studio
These tools can assist in performing SQL injections and managing MSSQL databases, thus proving essential in the exploitation process to list and assess permissions.