Home
A PowerShell Toolkit for Attacking SQL Server
Below are a few resources to get you started with PowerUpSQL!
Below is a list of PowerUpSQL function categories. The categories are loosely mapped to common SQL Server attack workflows. Each page contains a list of the associated functions that can be used during testing.
- Discovery
- Active Directory Recon
- Audit
- Attack
- Password Recovery
- Persistence
- Data Exfiltration
- Core
- Common
- Utility
- Third Party
Below PowerUpSQL presentation slides. Most of them also cover general SQL Server security topics.
- 2017 SEPT DerbyCon7 Slides
- 2017 May Secure360 Slides
- 2017 May THOTCON Slides
- 2016 OCT Arcticcon Slides
- 2016 OCT PASS Webinar Video
- 2016 SEPT DerbyCon6 Slides
- 2016 SEPT DerbyCon6 Video
- 2015 APR OWASP AppSec
Below is a list of PowerUpSQL blogs. Each blog is focused on performing a specific SQL Server attack using PowerUpSQL.
- Introduction to PowerUpSQL
- Blindly Discover SQL Server Instances
- Finding Sensitive Data on Domain SQL Servers
- Finding Weak Passwords for Domain SQL Servers on Scale
- Finding Default Passwords Associated with Application Specific Instances
- Get Sysadmin as Local Admin
- Get Windows Auto Login Passwords via SQL Server
- Establishing Registry Persistence via SQL Server
- Crawling SQL Server Links
- Using SQL Server to Attack Forest Trusts
- Attacking SQL Server CLR
- Bypassing SQL Server Logon Trigger Restrictions
- SQL Server as a C2
- Dumping Active Directory Information with SQL Server
Below is a list of PowerUpSQL videos. Each video is focused on performing a specific SQL Server attack using PowerUpSQL.
- Discover SQL Server Instances
- Audit Configurations
- SQL Login to Sysadmin-Auto
- SQL Login to Sysadmin-LoginEnum+PwGuess
- SQL Login to Sysadmin-Link Crawling 1
- SQL Login to Sysadmin-Link Crawling 2
- SQL Login to OS Admin-UNC Path Injection
- OS Admin to Sysadmin-Impersonation
- Find Sensitive Data
- DerbyCon 2017 Talk
- Domain User to SQL Sysadmin - UNC Injection