SQLRecon

SQLRecon is an incredibly helpful tool for MS SQL attacks. Here are some examples of useful commands:

Database enumeration

recon.exe -a windows -s 127.0.0.1,1433 -m databases

1 | master | 4/8/2003 9:13:36 AM | C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\DATA\master.mdf | 
2 | tempdb | 7/20/2023 1:40:55 AM | C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\DATA\tempdb.mdf | 
3 | model | 4/8/2003 9:13:36 AM | C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\DATA\model.mdf | 
4 | msdb | 9/24/2019 2:21:42 PM | C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\DATA\MSDBData.mdf | 
5 | music | 7/6/2020 1:58:52 AM | C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\DATA\music.mdf |

recon.exe -a windows -s 127.0.0.1,1433 -m tables -o music

music | dbo | users | BASE TABLE | 
music | dbo | songs | BASE TABLE | 
music | dbo | sqlmapoutput | BASE TABLE |

recon.exe -a windows -s 127.0.0.1,1433 -m query -o "use music; SELECT * FROM users"

0 | alice | pass123 | 
1 | brett | pass123 | 
2 | peter | pass123 | 
3 | eric | pass123 | 
4 | admin | pass123 |

Generic query

Linked servers

Interact with linked server SQL27 as local user webapp11

Land a shell on remote server SQL27, using an authorised user
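
A defender-side audit of the linked-server paths these headings cover (added example, not SQLRecon output or code from the SQLRecon project): it lists each linked server, whether RPC Out is enabled, and how local logins map to remote logins, so a local application login tied to a fixed remote login stands out. It assumes a sysadmin session on the instance being audited and uses only the standard catalog views sys.servers, sys.linked_logins and sys.server_principals.

```sql
-- Added audit example: run on the local instance as a sysadmin.
-- One row per linked server and login mapping, with a review flag.
SELECT
    s.name                            AS linked_server,
    s.data_source,
    s.provider,
    s.is_data_access_enabled,
    s.is_rpc_out_enabled,             -- 1 = remote procedure execution allowed over the link
    COALESCE(p.name, '(all logins)')  AS local_login,   -- local_principal_id 0 = default mapping
    l.uses_self_credential,           -- 1 = the caller's own credentials are passed through
    l.remote_name                     AS remote_login,  -- fixed remote login, if one is stored
    l.modify_date,
    CASE
        WHEN l.uses_self_credential = 0
             AND l.remote_name IS NOT NULL
             AND s.is_rpc_out_enabled = 1
            THEN 'REVIEW: fixed remote login with RPC Out'
        WHEN l.uses_self_credential = 0
             AND l.remote_name IS NOT NULL
            THEN 'REVIEW: fixed remote login'
        WHEN s.is_rpc_out_enabled = 1
            THEN 'REVIEW: RPC Out enabled'
        ELSE 'ok'
    END                               AS finding
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS l
       ON l.server_id = s.server_id
LEFT JOIN sys.server_principals AS p
       ON p.principal_id = l.local_principal_id
WHERE s.is_linked = 1                 -- skip the local server's own row
ORDER BY s.name, local_login;
```

Rows flagged REVIEW are the mappings to justify or remove; a stored remote login means every local user covered by the mapping acts on the remote server with that login's rights.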

Tooling

Refer to SQLRecon's GitHub page for a list of all commands:
