PySQLRecon - Offensive MSSQL Toolkit Written In Python, Based Off SQLRecon


PySQLRecon is a Python port of the awesome SQLRecon project by @sanjivkawa. See the commands section for a list of capabilities.


Install

PySQLRecon can be installed with pip3 install pysqlrecon or by cloning this repository and running pip3 install .

Commands

All of the main modules from SQLRecon have equivalent commands. Commands noted with [PRIV] require elevated privileges or sysadmin rights to run. Commands marked with [NORM] can likely be run by normal users and do not require elevated privileges.

Support for impersonation ([I]) or execution on linked servers ([L]) is denoted at the end of the command description.

adsi                 [PRIV] Obtain ADSI creds from ADSI linked server [I,L]
agentcmd             [PRIV] Execute a system command using agent jobs [I,L]
agentstatus          [PRIV] Enumerate SQL agent status and jobs [I,L]
checkrpc             [NORM] Enumerate RPC status of linked servers [I,L]
clr                  [PRIV] Load and execute .NET assembly in a stored procedure [I,L]
columns              [NORM] Enumerate columns within a table [I,L]
databases            [NORM] Enumerate databases on a server [I,L]
disableclr           [PRIV] Disable CLR integration [I,L]
disableole           [PRIV] Disable OLE automation procedures [I,L]
disablerpc           [PRIV] Disable RPC and RPC Out on linked server [I]
disablexp            [PRIV] Disable xp_cmdshell [I,L]
enableclr            [PRIV] Enable CLR integration [I,L]
enableole            [PRIV] Enable OLE automation procedures [I,L]
enablerpc            [PRIV] Enable RPC and RPC Out on linked server [I]
enablexp             [PRIV] Enable xp_cmdshell [I,L]
impersonate          [NORM] Enumerate users that can be impersonated
info                 [NORM] Gather information about the SQL server
links                [NORM] Enumerate linked servers [I,L]
olecmd               [PRIV] Execute a system command using OLE automation procedures [I,L]
query                [NORM] Execute a custom SQL query [I,L]
rows                 [NORM] Get the count of rows in a table [I,L]
search               [NORM] Search a table for a column name [I,L]
smb                  [NORM] Coerce NetNTLM auth via xp_dirtree [I,L]
tables               [NORM] Enumerate tables within a database [I,L]
users                [NORM] Enumerate users with database access [I,L]
whoami               [NORM] Gather logged in user, mapped user and roles [I,L]
xpcmd                [PRIV] Execute a system command using xp_cmdshell [I,L]
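The enable*/disable*, enablerpc, agentcmd and impersonate commands above all depend on instance state that a defender can audit directly from the standard catalog views. The T-SQL below is an added example, not code from PySQLRecon or SQLRecon; it assumes a login holding VIEW SERVER STATE and VIEW ANY DEFINITION, and the 'REVIEW' labels are a constructed convention for this audit.

```sql
-- Added audit query (not part of PySQLRecon): surface the settings and grants
-- that the enablexp / enableole / enableclr / enablerpc / impersonate commands
-- rely on, so a baseline can be compared before and after an assessment.

-- 1. Instance options toggled by enablexp, enableole and enableclr.
--    'show advanced options' is included because it must be on to change them.
SELECT c.name,
       c.value_in_use,
       CASE WHEN c.value_in_use = 1 THEN 'REVIEW: enabled' ELSE 'ok' END AS finding
FROM sys.configurations AS c
WHERE c.name IN ('xp_cmdshell', 'Ole Automation Procedures',
                 'clr enabled', 'show advanced options')
ORDER BY c.name;

-- 2. Linked servers with RPC Out enabled (what enablerpc turns on and the
--    [L] commands need to reach the remote instance).
SELECT s.name,
       s.data_source,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled,
       CASE WHEN s.is_rpc_out_enabled = 1 THEN 'REVIEW: RPC Out on' ELSE 'ok' END AS finding
FROM sys.servers AS s
WHERE s.is_linked = 1;

-- 3. Server-level IMPERSONATE grants (the set the impersonate command enumerates).
SELECT grantee.name AS grantee,
       grantor.name  AS can_impersonate,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS grantor ON grantor.principal_id = p.major_id
WHERE p.permission_name = 'IMPERSONATE'
  AND p.class_desc = 'SERVER_PRINCIPAL';

-- 4. SQL Server Agent state (agentcmd / agentstatus only work while it runs).
SELECT servicename, status_desc, startup_type_desc
FROM sys.dm_server_services
WHERE servicename LIKE 'SQL Server Agent%';
```

Any row labelled REVIEW is not automatically a finding; compare it against the documented build standard for that instance and re-run the same queries after an engagement to confirm every change was reverted.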

Usage

PySQLRecon has global options (available to any command), with some commands introducing additional flags. All global options must be specified before the command name:

pysqlrecon [GLOBAL_OPTS] COMMAND [COMMAND_OPTS]

View global options:

pysqlrecon --help

View command specific options:

pysqlrecon [GLOBAL_OPTS] COMMAND --help

Change the database authenticated to, or used in certain PySQLRecon commands (query, tables, columns, rows), with the --database flag.

Target execution of a PySQLRecon command on a linked server (instead of the SQL server being authenticated to) using the --link flag.

Impersonate a user account while running a PySQLRecon command with the --impersonate flag.

--link and --impersonate are incompatible.

Development

pysqlrecon uses Poetry to manage dependencies. Install from source and set up for development with:

git clone https://github.com/tw1sm/pysqlrecon
cd pysqlrecon
poetry install
poetry run pysqlrecon --help

Adding a Command

PySQLRecon is easily extensible; see the template and instructions in resources.

TODO

  • Add SQLRecon SCCM commands
  • Add Azure SQL DB support?

References and Credits


Source: www.kitploit.com