A PowerShell Toolkit for Attacking SQL Server

A SQL Server offensive toolkit called PowerUpSQL is designed for attacking SQL Server instances. The PowerUpSQL module includes functions for SQL Server discovery, auditing for common configuration weaknesses, and finding privilege escalation opportunities. While it is intended to be used during penetration tests, you can also use it for red team engagements.

But don’t think of this tool as just something used to attack your servers. It also includes functions that can be used by administrators to inventory any SQL Server instances on their ADS domain.

Functions:

  • Create-SQLFileXpDll
  • Get-SQLAuditDatabaseSpec
  • Get-SQLAuditServerSpec
  • Get-SQLColumn
  • Get-SQLColumnSampleData
  • Get-SQLColumnSampleDataThreaded
  • Get-SQLConnectionTest
  • Get-SQLConnectionTestThreaded
  • Get-SQLDatabase
  • Get-SQLDatabasePriv
  • Get-SQLDatabaseRole
  • Get-SQLDatabaseRoleMember
  • Get-SQLDatabaseSchema
  • Get-SQLDatabaseThreaded
  • Get-SQLDatabaseUser
  • Get-SQLFuzzDatabaseName
  • Get-SQLFuzzDomainAccount
  • Get-SQLFuzzObjectName
  • Get-SQLFuzzServerLogin
  • Get-SQLInstanceDomain
  • Get-SQLInstanceFile
  • Get-SQLInstanceLocal
  • Get-SQLInstanceScanUDP
  • Get-SQLInstanceScanUDPThreaded
  • Get-SQLQuery
  • Get-SQLQueryThreaded
  • Get-SQLServerConfiguration
  • Get-SQLServerCredential
  • Get-SQLServerInfo
  • Get-SQLServerInfoThreaded
  • Get-SQLServerLink
  • Get-SQLServerLogin
  • Get-SQLServerPriv
  • Get-SQLServerRole
  • Get-SQLServerRoleMember
  • Get-SQLServiceAccount
  • Get-SQLServiceLocal
  • Get-SQLSession
  • Get-SQLStoredProcedure
  • Get-SQLSysadminCheck
  • Get-SQLTable
  • Get-SQLTriggerDdl
  • Get-SQLTriggerDml
  • Get-SQLView
  • Invoke-SQLAudit
  • Invoke-SQLAuditPrivCreateProcedure
  • Invoke-SQLAuditPrivDbChaining
  • Invoke-SQLAuditPrivImpersonateLogin
  • Invoke-SQLAuditPrivServerLink
  • Invoke-SQLAuditPrivTrustworthy
  • Invoke-SQLAuditPrivXpDirtree
  • Invoke-SQLAuditPrivXpFileexit
  • Invoke-SQLAuditRoleDbDdlAdmin
  • Invoke-SQLAuditRoleDbOwner
  • Invoke-SQLAuditSampleDataByColumn
  • Invoke-SQLAuditWeakLoginPw
  • Invoke-SQLDumpInfo
  • Invoke-SQLEscalatePriv
  • Invoke-SQLOSCmd

PowerUpSQL was designed with six objectives in mind:

  • Easy Server Discovery: Discovery functions can be used to blindly identify local, domain, and non-domain SQL Server instances on scale.
  • Easy Server Auditing: The Invoke-SQLAudit function can be used to audit for common high impact vulnerabilities and weak configurations using the current login’s privileges. Also, Invoke-SQLDumpInfo can be used to quickly inventory databases, privileges, and other information.
  • Easy Server Exploitation: The Invoke-SQLEscalatePriv function attempts to obtain sysadmin privileges using identified vulnerabilities.
  • Scalability: Multi-threading is supported on core functions so they can be executed against many SQL Servers quickly.
  • Flexibility: PowerUpSQL functions support the PowerShell pipeline so they can be used together, and with other scripts.
  • Portability: Default .net libraries are used and there are no dependencies on SQLPS or the SMO libraries. Functions have also been designed so they can be run independently. As a result, it’s easy to use on any Windows system with PowerShell v2 installed.

You can read more about this useful tool here.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s