- OS: Windows
- Requirements: Standalone and portable
- Install: https://www.heidisql.com/
Run it and add a new connection. Very simple.
- OS: Any
- Requirements; Python
- Install:
pip install mssql-cli, https://github.com/dbcli/mssql-cli
A really nice command line implementation with auto-complete, syntax highlighting, and pretty output.
mssql-cli -S server -U user -P password
A -d option specifies a database and --auto-vertical-output can help if running queries that will return results wider than the terminal.
- OS: Any
- Requirements; Python -Install: https://github.com/CoreSecurity/impacket/blob/master/examples/mssqlclient.py
It works and comes with Impacket. It can be kind of fussy in some cases, but supports useful xp_cmdshell tools.
mssqlclient.py domain/user:password@server
- Get user information:
select SUSER_NAME() - List all databases:
SELECT name FROM master.dbo.sysdatabasesorEXEC sp_databases - List all tables:
- SQL Server 2005+:
SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE' - Alternative:
SELECT * FROM <DATABASE_NAME>.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE' - SQL Server 2000:
SELECT * FROM sysobjects WHERE xtype='U'
- SQL Server 2005+:
- List linked servers:
EXEC sp_linkedserversSELECT name, is_linked FROM sys.serversSELECT * FROM master..sys.servers
- Execute query on a remote SQL Server:
SELECT * FROM OPENQUERY("REMOTE_SERVER_NAME", 'QUERY') - Similar to above:
EXECUTE('query') AT "REMOTE_SERVER_NAME"
- SQL Server 2016's
sp_execute_external_script: Potentially execute Python scripts.EXECUTE sp_execute_external_script @language=N'Python',@script=N'print(1+1)'
A number of Metasploit modules exist for MSSQL. Here are some highlights worth remembering:
- auxiliary(scanner/mssql/mssql_login) : Check logins against a tagret SQL Server.
- auxiliary(admin/mssql/mssql_exec) : Attempts code execution against target SQL Server (xp_cmdshell).
- exploit(windows/mssql/mssql_linkcrawler) : Automatically explore server links.
- Double quotes should only be used around the names of databases and the like.
- Single quotes can be nested by increasing escaped single quotes:
- Ex:
EXECUTE('First ''Second(''''Third'''')''')
- Ex:
- PowerUpSQL: https://github.com/NetSPI/PowerUpSQL