Common Functions
Scott Sutherland edited this page Oct 20, 2017 · 10 revisions
These functions are used for common information gathering tasks. Similar to core functions, the common functions can be executed by themselves, but are also used by other functions in the PowerUpSQL module.
Function Name | Description |
---|---|
Get-SQLAgentJob | Returns a list of SQL Agent jobs from target servers that includes the command to be executed. |
Get-SQLAuditDatabaseSpec | Returns Audit database specifications from target SQL Servers. |
Get-SQLAuditServerSpec | Returns Audit server specifications from target SQL Servers. |
Get-SQLColumn | Returns column information from target SQL Servers. Supports keyword search. |
Get-SQLColumnSampleData | Returns column information from target SQL Servers. Supports search by keywords, sampling data, and validating credit card numbers. |
Get-SQLColumnSampleDataThreaded | Returns column information from target SQL Servers. Supports search by keywords, sampling data, and validating credit card numbers. Supports host threading. |
Get-SQLDatabase | Returns database information from target SQL Servers. |
Get-SQLDatabaseThreaded | Returns database information from target SQL Servers. Supports host threading. |
Get-SQLDatabasePriv | Returns database user privilege information from target SQL Servers. |
Get-SQLDatabaseRole | Returns database role information from target SQL Servers. |
Get-SQLDatabaseRoleMember | Returns database role member information from target SQL Servers. |
Get-SQLDatabaseSchema | Returns schema information from target SQL Servers. |
Get-SQLDatabaseUser | Returns database user information from target SQL Servers. |
Get-SQLServerConfiguration | Returns configuration settings from sp_configure. Output includes advanced options if the connecting user is a sysadmin. |
Get-SQLServerCredential | Returns credentials from target SQL Servers. |
Get-SQLServerInfo | Returns basic server and user information from target SQL Servers. |
Get-SQLServerInfoThreaded | Returns basic server and user information from target SQL Servers. Supports host threading. |
Get-SQLServerLink | Returns link servers from target SQL Servers. |
Get-SQLServerLinkCrawl | Crawls linked servers and supports SQL query and OS command execution. |
Get-SQLServerLogin | Returns logins from target SQL Servers. |
Get-SQLServerPriv | Returns SQL Server login privilege information from target SQL Servers. |
Get-SQLServerRole | Returns SQL Server role information from target SQL Servers. |
Get-SQLServerRoleMember | Returns SQL Server role member information from target SQL Servers. |
Get-SQLServiceAccount | Returns a list of service account names for SQL Server services by querying the registry with xp_regread. This can be executed against remote systems. |
Get-SQLSession | Returns active sessions from target SQL Servers. |
Get-SQLStoredProcedure | Returns stored procedures from target SQL Servers. |
Get-SQLStoredProcedureCLR | Returns stored procedures created from CLR assemblies. Supports exporting them to DLLs. |
Get-SQLSysadminCheck | Checks if the login has sysadmin privileges on the target SQL Servers. |
Get-SQLTable | Returns table information from target SQL Servers. |
Get-SQLTriggerDdl | Returns DDL trigger information from target SQL Servers. This includes logon triggers. |
Get-SQLTriggerDml | Returns DML trigger information from target SQL Servers. |
Get-SQLView | Returns view information from target SQL Servers. |
Get-SQLLocalAdminCheck | Checks if the current Windows user has local administrator privileges and is running in an elevated process on the system. |
Get-SQLOleDbProvder | Returns a list of OLE DB providers installed on the server and their properties. Requires sysadmin. |
Examples:
Get-SQLInstanceLocal | Get-SQLDatabase -Verbose -NoDefaults
Get-SQLInstanceLocal | Get-SQLColumnSampleData -Keywords "account,credit,card" -SampleSize 5 -ValidateCC
Roadmap:
Get-SQLSubSystem - Returns sub systems from target SQL Servers that are supported by the job agent.
Get-SQLProxyAccount - Returns proxy accounts from target SQL Servers.
Get-SQLTempObject - Returns temp objects from target SQL Servers.
Get-SQLCachePlan - Returns cache plans from target SQL Servers.
Get-SQLQueryHistory - Returns recent query history from target SQL Servers.
Get-SQLHiddenSystemObject - Returns hidden system objects from target SQL Servers.