-
Notifications
You must be signed in to change notification settings - Fork 464
Core Functions
Scott Sutherland edited this page Oct 27, 2016
·
3 revisions
These functions are used to test connections, execute SQL Server queries, and execute OS commands. All other functions use these core functions. However, they can also be executed independently.
| Function Name | Description |
|---|---|
| Get-SQLConnectionTest | Tests if the current Windows account or provided SQL Server login can log into an SQL Server. |
| Get-SQLConnectionTestThreaded | Tests if the current Windows account or provided SQL Server login can log into an SQL Server and supports threading. |
| Get-SQLQuery | Executes a query on target SQL servers. |
| Get-SQLQueryThreaded | Executes a query on target SQL servers and supports threading. |
| Invoke-SQLOSCmd | Execute command on the operating system as the SQL Server service account using xp_cmdshell. Supports threading, raw output, and table output. |
Examples:
Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10
Get-SQLInstanceDomain -Verbose | Invoke-SQLOSCmd -Verbose -Threads 10 -Command "whoami"
RoadMap
Add Encrypt option to core functions
Add ApplicationName option to core functions
Add PacketSize option to core functions
Add ForceNamedPipe option to core functions
https://gist.githubusercontent.com/nullbind/91c573b0e27682733f97d4e6eebe36f8/raw/b37e5fc6ee115a980fe248927e0646429122b7a2/SQL%2520Server%2520Connection%2520Strings%2520CheatSheet
- PowerUpSQL Commands
- UNC Path Injection
- Connection Strings
- SQL Server SPN Formats
- SQL Server Detective Controls
- Code Templates
- Introduction to PowerUpSQL
- Blindly Discover SQL Server Instances
- Finding Sensitive Data on Domain SQL Servers
- Finding Weak Passwords for Domain SQL Servers on Scale
- Finding Default Passwords Associated with Application Specific Instances
- Get Sysadmin as Local Admin
- Get Windows Auto Login Passwords via SQL Server
- Establishing Registry Persistence via SQL Server
- Establishing Persistence via SQL Server Triggers
- Establishing Persistence via SQL Server Startup Procedures
- Crawling SQL Server Links
- Attacking SQL Server CLR
- Bypassing SQL Server Logon Trigger Restrictions
- SQL Server as a C2
- Dumping Active Directory Information with SQL Server
- Attacking Stored Procedures via SQLi
- Attacking Insecure Impersonation Configurations
- Attacking Trustworthy Databases
- Enumerating Logins and Domain Accounts via SQL Server
- Using SQL Server to Attack Forest Trusts
- Exploiting Global Temporary Tables
- Hijacking SQL Server Credentials using Agent Jobs for Domain Privilege Escalation
- 2020 May Troopers20 Video
- 2020 May Troopers20 Slides
- 2018 Aug BH Arsenal Video
- 2018 Aug BH Arsenal Slides
- 2017 SEPT DerbyCon7 Video
- 2017 SEPT DerbyCon7 Slides
- 2017 May Secure360 Slides
- 2017 May THOTCON Slides
- 2016 OCT Arcticcon Slides
- 2016 OCT PASS Webinar Video
- 2016 SEPT DerbyCon6 Slides
- 2016 SEPT DerbyCon6 Video
- 2015 APR OWASP Slides
- 2015 APR OWASP Video
- Discover SQL Server Instances
- Unauthenticated to SQL Login - Default Passwords
- Domain User to SQL Sysadmin - UNC Injection
- SQL Login to Sysadmin-Auto
- SQL Login to Sysadmin-LoginEnum+PwGuess
- SQL Login to Sysadmin-Link Crawling 1
- SQL Login to Sysadmin-Link Crawling 2
- SQL Login to OS Admin-UNC Path Injection
- OS Admin to Sysadmin-Impersonation
- Audit Configurations
- Find Sensitive Data
- Attacking SQL Server CLR Assemblies Webinar