
SQL EXEC xp_cmdshell


I have been venturing into SQL injection over the past few days. I am able to leverage a SQL injection vulnerability to bypass login and ping back to my attacking machine from the same injection point using exec xp_cmdshell.

My question is how I can get some remote reverse-shell kind of connection back to my host machine. What can I achieve using xp_cmdshell with whatever default tools are installed on the vulnerable server?

Any help regarding xp_cmdshell, perhaps any links to resources, would be really helpful.

Thanks

Here are a couple of things that might help:

It's probably worth pointing out that whatever you are using to connect to SQL Server will need to be given the sysadmin server role to use the xp_cmdshell procedure. Also, the functionality is not enabled by default. An existing sysadmin would have to change the advanced configuration options first to allow xp_cmdshell use.

Here's how to do that: https://msdn.microsoft.com/en-us/library/ms190693.aspx

Next, any commands you pass to the OS will execute as the SQL Server database engine service account, not the SQL user, which may have restricted access. Plus, even if the service account is a local admin in Windows, you won't be able to force cmd-style permission elevation from SQL Server alone. You'll need the service account password too, assuming this is a domain service account.

Here's the MSDN article about the procedure:

https://msdn.microsoft.com/en-us/library/ms175046.aspx
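The answer above makes three points a DBA or defender will want to verify on their own instance: whether xp_cmdshell is enabled, who holds the sysadmin role that is required to use or enable it, and which Windows account the engine runs as (the account every xp_cmdshell command executes under). The following T-SQL is an added example, not code from the original post or from Microsoft's documentation; it assumes a SQL Server 2008 R2 SP1 or later instance and a login that already holds sysadmin, which sp_configure requires. The weak (enabled) state is shown only as a commented-out sequence so it can be recognised in audits and change logs; the executable part puts the instance back into the hardened, default-off state.

```sql
-- Added example (not from the original post): audit and harden xp_cmdshell.
-- Assumes a SQL Server instance and a login that already holds sysadmin.

-- 1. Is xp_cmdshell currently enabled? value_in_use = 1 means enabled.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Who could use or enable it? Only sysadmin members can change advanced
--    options and run xp_cmdshell; review this list against least privilege.
SELECT sp.name AS login_name, sp.type_desc, sp.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 3. Which Windows account does the engine run as? Any xp_cmdshell command
--    executes with exactly this account's rights, not the SQL login's.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 4. Weak state, shown commented out for recognition in audits and logs:
--    this is the "advanced configuration option" sequence the answer refers to.
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 1;          RECONFIGURE;

-- 5. Hardened state (the default): disable xp_cmdshell and hide the
--    advanced options again so the setting is not casually re-exposed.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Run step 1 on a schedule (or alert on sp_configure changes in the default trace or a server audit) so that an application login that has been granted sysadmin cannot silently flip the option; a value_in_use of 1 on an instance where nothing legitimately needs OS access is the finding to act on. Step 2 is usually where the real problem lies: the SQL injection described in the question only turns into OS command execution because the web application's login was a member of sysadmin, so removing that membership closes the path regardless of whether xp_cmdshell is enabled.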
