Running commands through xp_cmdshell in MS SQL servers
MS SQL servers have a stored procedure named xp_cmdshell
. This feature allows programmers to execute commands through MS SQL servers. This feature is enabled in a lot of environments and is very dangerous if attackers gain access to a set of credentials, especially if it is the MS SQL super administrator account that has system privileges.
This recipe shows how to run Windows commands through MS SQL servers with Nmap.
How to do it...
Open your terminal and enter the following Nmap command to check whether xp_cmdshell
is enabled:
$ nmap --script-args 'mssql.username="<user>",mssql.password="<password>"' --script ms-sql-xp-cmdshell -p1433 <target>
An error message will be returned if something goes wrong. Otherwise, you should see the output of the command:
PORT STATE SERVICE VERSION 1433/tcp open ms-sql-s Microsoft SQL Server 2011 11.00.1750.00 | ms-sql-xp-cmdshell: | [192.168.1.102:1433] | ...