-
Notifications
You must be signed in to change notification settings - Fork 463
Utility Functions
Scott Sutherland edited this page Oct 23, 2017
·
14 revisions
These are essentially helper functions. Some of them are used by other PowerUpSQL functions, but all of them can be run independently.
| Function Name | Description |
|---|---|
| Get-SQLConnectionObject | Creates a object for connecting to SQL Server. |
| Get-SQLFuzzObjectName | Enumerates objects based on object id using OBJECT_NAME() and only the Public role. |
| Get-SQLFuzzDatabaseName | Enumerates databases based on database id using DB_NAME() and only the Public role. |
| Get-SQLFuzzServerLogin | Enumerates SQL Server Logins based on login id using SUSER_NAME() and only the Public role. |
| Get-SQLFuzzDomainAccount | Enumerates domain groups, computer accounts, and user accounts based on domain RID using SUSER_SNAME() and only the Public role. Note: In a typical domain 10000 or more is recommended for the EndId. |
| Get-ComputerNameFromInstance | Parses computer name from a provided instance. |
| Get-SQLServiceLocal | Returns local SQL Server services. |
| Create-SQLFileXpDll | Used to create CPP DLLs with exported functions that can be imported as extended stored procedures in SQL Server. Supports arbitrary command execution. |
| Get-DomainSpn | Returns a list of SPNs for the target domain. Supports authentication from non domain systems. |
| Get-DomainObject | Used to query domain controllers via LDAP. Supports alternative credentials from non-domain system. |
| Get-SQLStoredProcedureSQLi | Returns stored procedures using dynamic SQL and the "WITH EXECUTE AS OWNER" clause. If the stored procedure is vulnerable to SQLi it may be possible to impersonate the procedure owner. |
| Get-SQLServerLoginDefaultPw | Based on the instance name, test if SQL Server is configured with default passwords. |
| Create-SQLFileXpDll | Used to generate DLLs that can be imported to create a custom stored procedure that executes OS commands |
| Create-SQLFileCLRDll | Used to generate DLLs that can be imported to create a CLR stored procedure that executes OS commands. It also generates a file containing TSQL code for creating the procedure without the DLL. |
| Get-SQLAssemblyFile | Returns imported assembly file information for each database. It can also be used to export existing CLR assembly file imports back to a DLL file. |
| Get-SQLDomainUser | Use OLE DB ADSI connections to grab a list of domain users via SQL Server links (OpenQuery) and adhoc queries (OpenRowSet). |
| Get-SQLDomainObject | Use OLE DB ADSI connections to grab a list of domain objects via SQL Server links (OpenQuery) and adhoc queries (OpenRowSet). |
Examples:
Get-SQLFuzzServerLogin -Verbose -Instance "SQLSVR1\Instance1"
Get-SQLAssemblyFile -Verbose -Instance SQLServer1\Instance1 -ExportFolder c:\temp
Roadmap:
Get-SQLFuzzDatabase
Get-SQLFuzzSchema
Get-SQLDatabaseOrphanUser
Get-SQLDatabaseUser - add fuzzing option
Get-SQLStoredProcedureEncrypted
Get-SQLDecryptedStoreProcedure
Get-SQLDownloadFile
Get-SQLDownloadFileAdHocQuery
Get-SQLDownloadFileAssembly
Get-SQLDownloadFileBulkInsert
Get-SQLDownloadFileServerLine
Get-SQLDownloadFileXpCmdshell
Get-SQLInstalledSoftware
Get-SQLServerLogin - add fuzzing option
Get-SQLUploadFile
Get-SQLUploadFileAdHocQuery
Get-SQLUploadFileAgent
Get-SQLUploadFileAssembly
Get-SQLUploadFileServerLink
Get-SQLUploadFileXpCmdshell
Invoke-SqlOSCmdServerLinkMd
Invoke-SqlOSCmdAdHoQueryMd
Invoke-SqlOSCmdAgentAnalysis
Invoke-SqlOSCmdAgentOther
Invoke-SqlOSCmdAgentSsisExecuteProcessTask
Enable-FullRegRead
Disable-FullRegRead
- PowerUpSQL Commands
- UNC Path Injection
- Connection Strings
- SQL Server SPN Formats
- SQL Server Detective Controls
- Code Templates
- Introduction to PowerUpSQL
- Blindly Discover SQL Server Instances
- Finding Sensitive Data on Domain SQL Servers
- Finding Weak Passwords for Domain SQL Servers on Scale
- Finding Default Passwords Associated with Application Specific Instances
- Get Sysadmin as Local Admin
- Get Windows Auto Login Passwords via SQL Server
- Establishing Registry Persistence via SQL Server
- Establishing Persistence via SQL Server Triggers
- Establishing Persistence via SQL Server Startup Procedures
- Crawling SQL Server Links
- Attacking SQL Server CLR
- Bypassing SQL Server Logon Trigger Restrictions
- SQL Server as a C2
- Dumping Active Directory Information with SQL Server
- Attacking Stored Procedures via SQLi
- Attacking Insecure Impersonation Configurations
- Attacking Trustworthy Databases
- Enumerating Logins and Domain Accounts via SQL Server
- Using SQL Server to Attack Forest Trusts
- Exploiting Global Temporary Tables
- Hijacking SQL Server Credentials using Agent Jobs for Domain Privilege Escalation
- 2020 May Troopers20 Video
- 2020 May Troopers20 Slides
- 2018 Aug BH Arsenal Video
- 2018 Aug BH Arsenal Slides
- 2017 SEPT DerbyCon7 Video
- 2017 SEPT DerbyCon7 Slides
- 2017 May Secure360 Slides
- 2017 May THOTCON Slides
- 2016 OCT Arcticcon Slides
- 2016 OCT PASS Webinar Video
- 2016 SEPT DerbyCon6 Slides
- 2016 SEPT DerbyCon6 Video
- 2015 APR OWASP Slides
- 2015 APR OWASP Video
- Discover SQL Server Instances
- Unauthenticated to SQL Login - Default Passwords
- Domain User to SQL Sysadmin - UNC Injection
- SQL Login to Sysadmin-Auto
- SQL Login to Sysadmin-LoginEnum+PwGuess
- SQL Login to Sysadmin-Link Crawling 1
- SQL Login to Sysadmin-Link Crawling 2
- SQL Login to OS Admin-UNC Path Injection
- OS Admin to Sysadmin-Impersonation
- Audit Configurations
- Find Sensitive Data
- Attacking SQL Server CLR Assemblies Webinar