Basically, if you're admin you own everything. So how would you access a SQL Server if you don't have SQL permissions but you're an administrator on the system the SQL Server is running on? You can abuse the fact that the SQL Server has to have at least one account with the necessary permissions. Often this is the local system user.
- So just become system using psexec (or anything else)
- Search for your local SQL-Instance:
- Connect to your SQL-Server using your current (system) credentials:
- If the connection is successful, just enable the sa account and set a new password for it. After that you can use the SQL-Management Studio to administer all permissions:
- If the above throws an access denied error, try a different user, for example the MSSQL service user: use Process Hacker to run a cmd prompt in the context of that user and try again.
- If that also fails, check whether any application accessing the database has an account with too many permissions (e.g. Server Admin instead of db_owner) and try that one.
- If none of that helps, you have one last way of getting into the database, but it causes downtime and poses the risk of exposing your database to everyone.
WARNING: BY DOING THIS EVERYBODY COULD GAIN FULL ACCESS TO YOUR SERVER. DEPENDING ON YOUR INFRASTRUCTURE YOU MAY WANT TO BLOCK REMOTE CONNECTIONS ON THE WINDOWS FIREWALL WHILE PERFORMING THIS STEP.
- Stop your SQL-Server Services (Server, Browser, Agent, ...) and open an elevated cmd.
- Navigate to the folder containing the executable of the service and start it with the parameter "-m" for single user mode without authentication. I intentionally don't provide the exact command here to discourage "script kiddies" from following this step. It should also be trivial for a sysadmin to get the executable path from a Windows service and follow along.
- After the server is back up, do step 4 again.
- Stop the server again.
- Start your MSSQL server again using the Windows service you stopped earlier.
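
Seen from the defender's side, the steps above work only when the local system user, the service user or an over-privileged application login holds sysadmin, and they leave the sa account enabled with a fresh password. The following T-SQL audit is an added example, not part of the original post; it assumes a login with permission to view server principals and uses only the standard catalog views.

```sql
-- Added audit example (not from the original post).
-- Run as a login allowed to view server principals (e.g. an existing sysadmin).

-- 1) Every login that holds the sysadmin role, with a note on the ones
--    a local Windows administrator can impersonate or run code as.
SELECT p.name        AS login_name,
       p.type_desc   AS login_type,
       p.is_disabled,
       p.create_date,
       p.modify_date,
       CASE
           WHEN p.name = N'NT AUTHORITY\SYSTEM'
               THEN 'local system user: reachable by any local admin'
           WHEN p.name = N'BUILTIN\Administrators'
               THEN 'every local admin is sysadmin directly'
           WHEN p.name LIKE N'NT SERVICE\%'
               THEN 'service user: a local admin can run a process as it'
           WHEN p.type_desc = 'SQL_LOGIN' AND p.sid <> 0x01
               THEN 'SQL login: check whether an application uses it'
           ELSE ''
       END           AS review_note
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.name;

-- 2) State of the built-in sa login. It keeps SID 0x01 even when renamed.
--    An enabled sa, or a recent modify_date / password change that nobody
--    on the team can account for, is worth investigating.
SELECT l.name,
       l.is_disabled,
       l.modify_date,
       LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set,
       l.is_policy_checked
FROM sys.sql_logins AS l
WHERE l.sid = 0x01;
```

Removing sysadmin from the local system user and from application logins that only need db_owner closes the first routes in the list; the single user mode restart remains available to any local administrator, so the service stop and start events on the host are the place to look for it.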