Executing Commands
xp_cmdshell could be used to execute commands on the SQL Server.
xp_cmdshell is a SQL Server feature that is disabled by default. However, it can be enabled using sp_configure. It spawns a Windows command shell and passes it a string for execution. Any output is returned as rows of text. The Windows process spawned by xp_cmdshell has the same security rights as the SQL Server service account.
In this example and the screenshots, mssql-cli is used, but this also works with HeidiSQL in the query tab.
1. Enable xp_cmdshell with the following commands:
2. Execute commands with xp_cmdshell:
3. Gain a reverse shell and execute commands by running the following query after doing the following:
Create a webserver directory to host some files.
Download Invoke-PowerShellTCP.
Save an AMSI bypass in amsi.txt, for example.
This query will download and load into memory the amsi.txt file and then the Invoke-PowerShellTcp script, creating a reverse shell. These should be hosted on your webserver on the attacking machine. For more information about this technique check out:
Execute the following queries on WEB01 to disable xp_cmdshell again:
Do the following to clean up the constrained delegation:
1. Log in to DC03 as Administrator with the password Welcome01!.
2. Execute the following command to remove the msDS-AllowedToActOnBehalfOfOtherIdentity attribute from DATA01.
3. Execute the following command to remove the FAKE01 computer we created:
Sysadmin users can enable xp_cmdshell, so limit these users.
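The following T-SQL is an added example, not code from the original lab: run as a sysadmin on the instance, it checks whether xp_cmdshell is currently enabled, disables it as in the WEB01 clean-up step above, and lists the members of the sysadmin fixed server role, since those are the logins that can turn it back on.

```sql
-- Added example (not from the original lab page). Run as a sysadmin on the instance.

-- 1. Check the current state without changing any configuration.
--    value_in_use = 1 means xp_cmdshell is enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Disable xp_cmdshell (the clean-up step the lab performs on WEB01).
--    'show advanced options' must be on to touch xp_cmdshell via sp_configure;
--    it is switched back off afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. List sysadmin role members. Any of these logins can re-enable
--    xp_cmdshell, so this is the set of principals to keep as small as possible.
SELECT sp.name AS login_name,
       sp.type_desc,
       sp.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r
  ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS sp
  ON sp.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY sp.name;
```

Re-running the first SELECT after the RECONFIGURE calls should now report value_in_use = 0.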