Enabling xp_cmdshell for SQL Server 2005

It’s disappointing to exploit a SQL injection, find you’re “sa”, then realise they’ve disabled xp_cmdshell (the default for MSSQL 2005). Fortunately, it’s possible to re-enable it quite easily…

Under SQL Server 2000 the database administrator can do lots of cool things like “bulk insert”, reading the registry and connecting to other SQL Servers. By far the most fun, though, was xp_cmdshell to run arbitrary OS commands as SYSTEM.

Some of this fun is still possible on SQL Server 2005, but some of the pentester-friendly extended stored procedures are disabled by default. I recently realised that if they haven’t been removed completely from the server, it’s trivial to re-enable them. To enable xp_cmdshell, for example (each sp_configure change only takes effect after RECONFIGURE):

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

The above even seems to work through SQL injection. Handy eh? Unfortunately, xp_cmdshell no longer runs as SYSTEM.

Once you’ve had your fun, you can disable xp_cmdshell again like so:

EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

I don’t claim to be the first to notice that xp_cmdshell could be re-enabled so easily, I just thought it was interesting enough to duplicate this information one more time.
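From the defender's side, every sp_configure change above is written to the SQL Server ERRORLOG, which makes the re-enabling step easy to spot. The script below is an added example, not part of the original post: it scans ERRORLOG lines for the "Configuration option ... changed" message and flags the options this post touches. The line layout and the sample log lines are assumed and constructed here, not taken from a real server.

```python
import re
from dataclasses import dataclass

# Assumed ERRORLOG line layout:
#   "<date> <time> spid<n>   Configuration option '<name>' changed from <old> to <new>. Run the RECONFIGURE statement to install."
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+spid(?P<spid>\d+)\s+"
    r"Configuration option '(?P<name>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# The two options the post's enable/disable sequence changes.
WATCHED = {"xp_cmdshell", "show advanced options"}


@dataclass
class Finding:
    timestamp: str
    spid: int
    option: str
    old: int
    new: int
    severity: str


def scan_errorlog(lines):
    """Return one Finding per watched configuration change, in log order."""
    findings = []
    for line in lines:
        m = CONFIG_CHANGE.match(line)
        if not m or m["name"] not in WATCHED:
            continue
        old, new = int(m["old"]), int(m["new"])
        if m["name"] == "xp_cmdshell" and new == 1:
            severity = "high"      # OS command execution just became available
        elif new == 1:
            severity = "medium"    # 'show advanced options' on: the usual first step
        else:
            severity = "info"      # option switched back off; keep for the timeline
        findings.append(Finding(m["ts"], int(m["spid"]), m["name"], old, new, severity))
    return findings


# Constructed sample: enable sequence, an unrelated option, then the disable step.
SAMPLE_LOG = [
    "2009-03-02 10:15:01.12 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2009-03-02 10:15:01.13 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2009-03-02 10:15:01.20 spid55      Configuration option 'max degree of parallelism' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2009-03-02 10:40:22.07 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
    "2009-03-02 10:41:00.00 spid9       Starting up database 'tempdb'.",
]

if __name__ == "__main__":
    for f in scan_errorlog(SAMPLE_LOG):
        print(f"{f.timestamp} spid{f.spid} {f.severity:6} {f.option}: {f.old} -> {f.new}")
```

The spid in each finding ties the change back to the session, which on an injected web application is the application's own database login rather than an administrator.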

Check out these links for more information about RECONFIGURE and enabling xp_cmdshell.
