Skip to content

Primary Attack Functions

Scott Sutherland edited this page Sep 11, 2017 · 11 revisions

These are the functions used to quickly dump database information, audit for common vulnerabilities, and attempt to obtain sysadmin privileges.

Function Name Description Obtains Sysadmin Privs
Invoke-SQLDumpInfo This can be used to dump SQL Server and database information to csv or xml files. This can be handy for doing a quick inventory of databases, logins, privileges etc. No
Invoke-SQLAudit This can be used to review the SQL Server and databases for common configuration weaknesses and provide a vulnerability report along with recommendations for each item. No
Invoke-SQLEscalatePriv This can be used to obtain sysadmin privileges via identified configuration weaknesses. Yes
Invoke-SQLImpersonateService This can be used to impersonate a provided SQL Server service account using a provided SQL Server instance as a local admin . After impersonation any PowerUpSQL command can be run in the sysadmin context. Yes
Invoke-SQLImpersonateServiceCmd This can be used to run any OS command as the target SQL Server service account. It can be used to provide a local administrator with sysadmin privileges. Yes
Invoke-SQLOSCmd Run OS commands as the SQL Server service account via xp_cmdshell. Typically requires sysadmin privileges. No
Invoke-SQLOSCmdCLR Run OS commands as the SQL Server service account via CLR assemblies. Does not require reading a DLL from disk. Typically requires sysadmin privileges. No
Invoke-SQLOSCmdOle Run OS commands as the SQL Server service account via Ole Automation Procedures. Does not require reading a DLL from disk. Typically requires sysadmin privileges. No
Invoke-SQLOSCmdR Run OS commands as the SQL Server service account via external scripting using R. Does not require reading a DLL from disk. Typically requires sysadmin privileges. No
Invoke-SQLOSCmdPython Run OS commands as the SQL Server service account via external scripting using Python. Does not require reading a DLL from disk. Typically requires sysadmin privileges. No
Invoke-SQLOSCmdAgentJob Run OS commands as the SQL Server Agent service account via Agent Jobs from the CMDExec, PowerShell, ActiveX:JScript, and ActiveX:VBScript subsystems. Does not require reading a DLL from disk. Typically requires sysadmin privileges. No

Examples:

Get-SQLInstanceDomain -Verbose | Invoke-SQLDumpInfo -Verbose
Get-SQLInstanceLocal -Verbose | Invoke-SQLAudit -Verbose
Invoke-SQLEscalatePriv -Verbose -Instance "SQLSERVER1\MyInstance" -Username MyUser -Password MyPassword
Invoke-SQLImpersonateServiceCmd -Verbose -Instance SQLServer1\STANDARDDEV2014 -EngineOnly -Exe 'PowerShell -c "notepad.exe"'
Invoke-SQLImpersonateServiceCmd -Verbose -Instance SQLServer1\STANDARDDEV2014 -EngineOnly

Introduction

Cheat Sheets

PowerUpSQL Blogs

PowerUpSQL Talks

PowerUpSQL Videos

Function Categories

Clone this wiki locally
You can’t perform that action at this time.