Home

A PowerShell Toolkit for Attacking SQL Server

PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post exploitation actions such as OS command execution. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that can be used by administrators to quickly inventory the SQL Servers in their ADS domain and perform common threat hunting tasks related to SQL Server.

Note: PowerUpSQL is able to attack SQL Servers through direct connections. It currently does not support SQL injection capabilities. For tips on SQL injection check out the NetSPI SQL Injection Wiki.

Introduction

Below are a few resources to get you started with PowerUpSQL!

• Overview
• Setup
• PowerUpSQL Cheat Sheet
• UNC Injection Cheat Sheet

Function Categories

Below is a list of PowerUpSQL function categories. The categories are loosely mapped to common SQL Server attack workflows. Each page contains a list of the associated functions that can be used during testing.

• Discovery
• Active Directory Recon
• Audit
• Attack
• Password Recovery
• Persistence
• Data Exfiltration
• Core
• Common
• Utility
• Third Party

PowerUpSQL Talks

Below PowerUpSQL presentation slides. Most of them also cover general SQL Server security topics.

• 2017 SEPT DerbyCon7 Slides
• 2017 May Secure360 Slides
• 2017 May THOTCON Slides
• 2016 OCT Arcticcon Slides
• 2016 OCT PASS Webinar Video
• 2016 SEPT DerbyCon6 Slides
• 2016 SEPT DerbyCon6 Video
• 2015 APR OWASP Slides
• 2015 APR OWASP Video

PowerUpSQL Blogs

Below is a list of PowerUpSQL blogs. Each blog is focused on performing a specific SQL Server attack using PowerUpSQL.

• Introduction to PowerUpSQL
• Blindly Discover SQL Server Instances
• Finding Sensitive Data on Domain SQL Servers
• Finding Weak Passwords for Domain SQL Servers on Scale
• Finding Default Passwords Associated with Application Specific Instances
• Get Sysadmin as Local Admin
• Get Windows Auto Login Passwords via SQL Server
• Establishing Registry Persistence via SQL Server
• Crawling SQL Server Links
• Using SQL Server to Attack Forest Trusts
• Attacking SQL Server CLR
• Bypassing SQL Server Logon Trigger Restrictions
• SQL Server as a C2
• Dumping Active Directory Information with SQL Server

PowerUpSQL Videos

Below is a list of PowerUpSQL videos. Each video is focused on performing a specific SQL Server attack using PowerUpSQL.

• Discover SQL Server Instances
• Audit Configurations
• SQL Login to Sysadmin-Auto
• SQL Login to Sysadmin-LoginEnum+PwGuess
• SQL Login to Sysadmin-Link Crawling 1
• SQL Login to Sysadmin-Link Crawling 2
• SQL Login to OS Admin-UNC Path Injection
• OS Admin to Sysadmin-Impersonation
• Find Sensitive Data
• DerbyCon 2017 Talk
• Domain User to SQL Sysadmin - UNC Injection