Land rapid7#18961, Adds session documentation

Author: cgranleese-r7

docs/metasploit-framework.wiki/Metasploit-Guide-MSSQL.md

@@ -3,11 +3,23 @@
 Microsoft SQL Server (MSSQL) is a relational database management system. Commonly used in conjunction with web applications
 and other software that need to persist data. MSSQL is a useful target for data extraction and code execution.
 
-MySQL is frequently found on port on the following ports:
+MSSQL is frequently found on port on the following ports:
 
 - 1433/TCP
 - 1434/UDP
 
+For a full list of MSSQL modules run the `search` command within msfconsole:
+
+```msf
+msf6 > search mssql
+```
+
+Or to search for modules that work with a specific session type:
+
+```msf
+msf6 > search session_type:mssql
+```
+
 ### Lab Environment
 
 Environment setup:
@@ -26,6 +38,176 @@ use auxiliary/admin/mssql/mssql_sql
 run rhost=192.168.123.13 username=administrator password=p4$$w0rd sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
 ```
 
+### Logging in and obtaining a session
+To log in or obtain an interactive session on an MSSQL instance running on the target, use mssql_login
+
+```msf
+use auxiliary/scanner/mssql_login
+run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password
+```
+
+The CreateSession option, when set to true, will result in returning an interactive MSSQL session with the target machine
+on a successful login:
+
+```msf
+[*] 192.168.2.242:1433    - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
+[!] 192.168.2.242:1433    - No active DB -- Credential data will not be saved!
+[+] 192.168.2.242:1433    - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password
+[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500
+[*] 192.168.2.242:1433    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
+
+```msf
+msf6 auxiliary(scanner/mssql/mssql_login) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type   Information                      Connection
+  --  ----  ----   -----------                      ----------
+  1         mssql  MSSQL test @ 192.168.2.242:1433  192.168.2.1:60963 -> 192.168.23.242:1433 (192.168.2.242)
+
+msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
+[*] Starting interaction with 1...
+
+mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
+Response
+========
+
+    #  NULL
+    -  ----
+    0  Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
+	    Oct 8 2022 05:58:25
+	    Copyright (C) 2022 Microsoft Corporation
+	    Developer Edition (64-bit) on Windows Server 2022 Stand
+       ard 10.0 <X64> (Build 20348: ) (Hypervisor)
+```
+
+When interacting with a session, the help command can be useful:
+
+```msf
+mssql @ 192.168.2.242:1433 (master) > help
+
+Core Commands
+=============
+
+    Command            Description
+    -------            -----------
+    ?                  Help menu
+    background         Backgrounds the current session
+    bg                 Alias for background
+    exit               Terminate the PostgreSQL session
+    help               Help menu
+    irb                Open an interactive Ruby shell on the current session
+    pry                Open the Pry debugger on the current session
+    sessions           Quickly switch to another session
+
+
+MSSQL Client Commands
+=====================
+
+    Command            Description
+    -------            -----------
+    query              Run a single SQL query
+    query_interactive  Enter an interactive prompt for running multiple SQL queries
+
+
+Local File System Commands
+==========================
+
+    Command            Description
+    -------            -----------
+    getlwd             Print local working directory (alias for lpwd)
+    lcat               Read the contents of a local file to the screen
+    lcd                Change local working directory
+    ldir               List local files (alias for lls)
+    lls                List local files
+    lmkdir             Create new directory on local machine
+    lpwd               Print local working directory
+
+This session also works with the following modules:
+
+  auxiliary/admin/mssql/mssql_enum
+  auxiliary/admin/mssql/mssql_escalate_dbowner
+  auxiliary/admin/mssql/mssql_escalate_execute_as
+  auxiliary/admin/mssql/mssql_exec
+  auxiliary/admin/mssql/mssql_findandsampledata
+  auxiliary/admin/mssql/mssql_idf
+  auxiliary/admin/mssql/mssql_sql
+  auxiliary/admin/mssql/mssql_sql_file
+  auxiliary/scanner/mssql/mssql_hashdump
+  auxiliary/scanner/mssql/mssql_schemadump
+  exploit/windows/mssql/mssql_payload
+```
+
+To interact directly with the session as if in a SQL prompt, you can use the `query` command.
+
+```msf
+msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i -1
+[*] Starting interaction with 2...
+
+mssql @ 192.168.2.242:1433 (master) > query -h
+Usage: query
+
+Run a single SQL query on the target.
+
+OPTIONS:
+
+    -h, --help      Help menu.
+    -i, --interact  Enter an interactive prompt for running multiple SQL queries
+
+Examples:
+
+    query select @@version;
+    query select user_name();
+    query select name from master.dbo.sysdatabases;
+
+mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
+Response
+========
+
+    #  NULL
+    -  ----
+    0  Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
+	Oct  8 2022 05:58:25
+	Copyright (C) 2022 Microsoft Corporation
+	Developer Edition (64-bit) on Windows Server 2022 Standard 10.0 <X64> (B
+       uild 20348: ) (Hypervisor)
+```
+
+Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
+
+```msf
+mssql @ 192.168.2.242:1433 (master) > query_interactive -h
+Usage: query_interactive
+
+Go into an interactive SQL shell where SQL queries can be executed.
+To exit, type 'exit', 'quit', 'end' or 'stop'.
+
+mssql @ 192.168.2.242:1433 (master) > query_interactive
+[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
+[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
+
+SQL >> select *
+SQL *> from information_schema.tables
+SQL *> where table_type = 'BASE TABLE';
+[*] Executing query: select * from information_schema.tables where table_type = 'BASE TABLE';
+Response
+========
+    #  TABLE_CATALOG  TABLE_SCHEMA  TABLE_NAME             TABLE_TYPE
+    -  -------------  ------------  ----------             ----------
+    0  master         dbo           spt_fallback_db        BASE TABLE
+    1  master         dbo           spt_fallback_dev       BASE TABLE
+    2  master         dbo           spt_fallback_usg       BASE TABLE
+    4  master         dbo           Users                  BASE TABLE
+    5  master         dbo           spt_monitor            BASE TABLE
+    6  master         dbo           MSreplication_options  BASE TABLE
+SQL >>
+```
+
 ### Link crawling
 
 Identify if the SQL server has been configured with trusted links, which allows running queries on other MSSQL instances:

docs/metasploit-framework.wiki/Metasploit-Guide-MySQL.md

@@ -17,6 +17,12 @@ There are more modules than listed here, for the full list of modules run the `s
 msf6 > search mysql
 ```
 
+Or to search for modules that work with a specific session type:
+
+```msf
+msf6 > search session_type:mysql
+```
+
 ### Lab Environment
 
 When testing in a lab environment MySQL can either be installed on the host machine or within Docker:
@@ -79,6 +85,158 @@ run cidr:/24:mysql://user:[email protected] threads=50
 run cidr:/24:mysql://[email protected] threads=50 pass_file=./wordlist.txt
 ```
 
+### Obtaining an Interactive Session on the Target
+
+The CreateSession option in `auxiliary/scanner/mysql/msql_login` allows you to obtain an interactive session
+for the MySQL client you're connecting to. The run command with CreateSession
+set to true should give you an interactive session:
+
+```msf
+msf6 > use scanner/mysql/mysql_login 
+msf6 auxiliary(scanner/mysql/mysql_login) > run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true
+
+[+] 127.0.0.1:4306        - 127.0.0.1:4306 - Found remote MySQL version 11.2.2
+[+] 127.0.0.1:4306        - 127.0.0.1:4306 - Success: 'root:password'
+[*] MySQL session 1 opened (127.0.0.1:53241 -> 127.0.0.1:4306) at 2024-03-12 12:40:46 -0500
+[*] 127.0.0.1:4306        - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i -1
+[*] Starting interaction with 1...
+
+mysql @ 127.0.0.1:4306 >
+```
+
+You can interact with your new session using `sessions -i -1` or `sessions <session id>`.
+You can also use `help` to get more information about how to use your session.
+
+```msf
+msf6 auxiliary(scanner/mysql/mysql_login) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type   Information                      Connection
+  --  ----  ----   -----------                      ----------
+  2         mssql  MSSQL test @ 192.168.2.242:1433  192.168.2.1:61428 -> 192.168.2.242:1433 (192.168.2.242)
+  3         mysql  MySQL root @ 127.0.0.1:4306      127.0.0.1:61450 -> 127.0.0.1:4306 (127.0.0.1)
+
+msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i 3
+[*] Starting interaction with 3...
+```
+
+When interacting with a session, the help command can be useful:
+
+```msf
+mysql @ 127.0.0.1:4306 > help
+
+Core Commands
+=============
+
+    Command            Description
+    -------            -----------
+    ?                  Help menu
+    background         Backgrounds the current session
+    bg                 Alias for background
+    exit               Terminate the PostgreSQL session
+    help               Help menu
+    irb                Open an interactive Ruby shell on the current session
+    pry                Open the Pry debugger on the current session
+    sessions           Quickly switch to another session
+
+
+MySQL Client Commands
+=====================
+
+    Command            Description
+    -------            -----------
+    query              Run a single SQL query
+    query_interactive  Enter an interactive prompt for running multiple SQL queries
+
+
+Local File System Commands
+==========================
+
+    Command            Description
+    -------            -----------
+    getlwd             Print local working directory (alias for lpwd)
+    lcat               Read the contents of a local file to the screen
+    lcd                Change local working directory
+    ldir               List local files (alias for lls)
+    lls                List local files
+    lmkdir             Create new directory on local machine
+    lpwd               Print local working directory
+
+This session also works with the following modules:
+
+  auxiliary/admin/mysql/mysql_enum
+  auxiliary/admin/mysql/mysql_sql
+  auxiliary/scanner/mysql/mysql_file_enum
+  auxiliary/scanner/mysql/mysql_hashdump
+  auxiliary/scanner/mysql/mysql_schemadump
+  auxiliary/scanner/mysql/mysql_version
+  auxiliary/scanner/mysql/mysql_writable_dirs
+  exploit/multi/mysql/mysql_udf_payload
+  exploit/windows/mysql/mysql_mof
+  exploit/windows/mysql/mysql_start_up
+```
+
+Once you've done that, you can run any MySQL query against the target using the `query` command:
+
+```msf
+mysql @ 127.0.0.1:4306 > query -h
+Usage: query
+
+Run a single SQL query on the target.
+
+OPTIONS:
+
+    -h, --help      Help menu.
+    -i, --interact  Enter an interactive prompt for running multiple SQL queries
+
+Examples:
+
+    query SHOW DATABASES;
+    query USE information_schema;
+    query SELECT * FROM SQL_FUNCTIONS;
+    query SELECT version();
+
+mysql @ 127.0.0.1:4306 > query 'SELECT version();'
+Response
+========
+
+    #  version()
+    -  ---------
+    0  11.2.2-MariaDB-1:11.2.2+maria~ubu2204
+```
+
+Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
+
+```msf
+mysql @ 127.0.0.1:4306 () > query_interactive -h
+Usage: query_interactive
+
+Go into an interactive SQL shell where SQL queries can be executed.
+To exit, type 'exit', 'quit', 'end' or 'stop'.
+
+mysql @ 127.0.0.1:4306 () > query_interactive
+[*] Starting interactive SQL shell for mysql @ 127.0.0.1:4306 ()
+[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
+
+SQL >> SELECT table_name
+SQL *> FROM information_schema.tables
+SQL *> LIMIT 2;
+[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
+Response
+========
+
+    #  table_name
+    -  ----------
+    0  ALL_PLUGINS
+    1  APPLICABLE_ROLES
+
+SQL >>
+```
+
 ### MySQL Dumping
 
 User and hash dump: