-
Notifications
You must be signed in to change notification settings - Fork 462
Primary Attack Functions
Scott Sutherland edited this page Jun 8, 2017
·
11 revisions
These are the functions used to quickly dump database information, audit for common vulnerabilities, and attempt to obtain sysadmin privileges.
Function Name | Description | Obtains Sysadmin Privs |
---|---|---|
Invoke-SQLDumpInfo | This can be used to dump SQL Server and database information to csv or xml files. This can be handy for doing a quick inventory of databases, logins, privileges etc. | No |
Invoke-SQLAudit | This can be used to review the SQL Server and databases for common configuration weaknesses and provide a vulnerability report along with recommendations for each item. | No |
Invoke-SQLEscalatePriv | This can be used to obtain sysadmin privileges via identified configuration weaknesses. | Yes |
Invoke-SQLImpersonateService | This can be used to impersonate a provided SQL Server service account using a provided SQL Server instance as a local admin . After impersonation any PowerUpSQL command can be run in the sysadmin context. | Yes |
Invoke-SQLImpersonateServiceCmd | This can be used to run any OS command as the target SQL Server service account. It can be used to provide a local administrator with sysadmin privileges. | Yes |
Invoke-SQLOSCmd | Run OS commands as the SQL Server service account via xp_cmdshell. Typically requires sysadmin privileges. | No |
Invoke-SQLOSCmdCLR | Run OS commands as the SQL Server service account via CLR assemblies. Does not require reading a DLL from disk. Typically requires sysadmin privileges. | No |
Invoke-SQLOSCmdOle | Run OS commands as the SQL Server service account via Ole Automation Procedures. Does not require reading a DLL from disk. Typically requires sysadmin privileges. | No |
Invoke-SQLOSCmdR | Run OS commands as the SQL Server service account via external scripting using R. Does not require reading a DLL from disk. Typically requires sysadmin privileges. | No |
Examples:
Get-SQLInstanceDomain -Verbose | Invoke-SQLDumpInfo -Verbose
Get-SQLInstanceLocal -Verbose | Invoke-SQLAudit -Verbose
Invoke-SQLEscalatePriv -Verbose -Instance "SQLSERVER1\MyInstance" -Username MyUser -Password MyPassword
Invoke-SQLImpersonateServiceCmd -Verbose -Instance SQLServer1\STANDARDDEV2014 -EngineOnly -Exe 'PowerShell -c "notepad.exe"'
Invoke-SQLImpersonateServiceCmd -Verbose -Instance SQLServer1\STANDARDDEV2014 -EngineOnly
- PowerUpSQL Commands
- UNC Path Injection
- Connection Strings
- SQL Server SPN Formats
- SQL Server Detective Controls
- Code Templates
- Introduction to PowerUpSQL
- Blindly Discover SQL Server Instances
- Finding Sensitive Data on Domain SQL Servers
- Finding Weak Passwords for Domain SQL Servers on Scale
- Finding Default Passwords Associated with Application Specific Instances
- Get Sysadmin as Local Admin
- Get Windows Auto Login Passwords via SQL Server
- Establishing Registry Persistence via SQL Server
- Establishing Persistence via SQL Server Triggers
- Establishing Persistence via SQL Server Startup Procedures
- Crawling SQL Server Links
- Attacking SQL Server CLR
- Bypassing SQL Server Logon Trigger Restrictions
- SQL Server as a C2
- Dumping Active Directory Information with SQL Server
- Attacking Stored Procedures via SQLi
- Attacking Insecure Impersonation Configurations
- Attacking Trustworthy Databases
- Enumerating Logins and Domain Accounts via SQL Server
- Using SQL Server to Attack Forest Trusts
- Exploiting Global Temporary Tables
- Hijacking SQL Server Credentials using Agent Jobs for Domain Privilege Escalation
- 2020 May Troopers20 Video
- 2020 May Troopers20 Slides
- 2018 Aug BH Arsenal Video
- 2018 Aug BH Arsenal Slides
- 2017 SEPT DerbyCon7 Video
- 2017 SEPT DerbyCon7 Slides
- 2017 May Secure360 Slides
- 2017 May THOTCON Slides
- 2016 OCT Arcticcon Slides
- 2016 OCT PASS Webinar Video
- 2016 SEPT DerbyCon6 Slides
- 2016 SEPT DerbyCon6 Video
- 2015 APR OWASP Slides
- 2015 APR OWASP Video
- Discover SQL Server Instances
- Unauthenticated to SQL Login - Default Passwords
- Domain User to SQL Sysadmin - UNC Injection
- SQL Login to Sysadmin-Auto
- SQL Login to Sysadmin-LoginEnum+PwGuess
- SQL Login to Sysadmin-Link Crawling 1
- SQL Login to Sysadmin-Link Crawling 2
- SQL Login to OS Admin-UNC Path Injection
- OS Admin to Sysadmin-Impersonation
- Audit Configurations
- Find Sensitive Data
- Attacking SQL Server CLR Assemblies Webinar