new module: mssql > enable_cmdshell
Description
during my engagements, i'm really tired of connecting to mssql via impacket-mssqlclient, enabling xp_cmdshell, doing something, then disabling xp_cmdshell. so here is a high privilege module that enables or disables xp_cmdshell in mssql.
Type of change
- [x] New feature (non-breaking change which adds functionality)
How Has This Been Tested?
tested against a local fresh mssql server.
Screenshots (if appropriate):
enable:
disable:
Checklist:
- [x] I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
- [ ] I have added or updated the tests/e2e_commands.txt file if necessary
- [x] New and existing e2e tests pass locally with my changes
- [x] My code follows the style guidelines of this project (should be covered by Ruff above)
- [ ] If reliant on third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
- [x] I have performed a self-review of my own code
- [x] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)
Thanks for the PR!
However i am not sure if this would improve NetExec. We already have an automatic check for show advanced options/xp_cmdshell which enables/disables them depending on the state of the DB.
EDIT: However, thanks to your screenshots i found a bug :D gonna fix the checks quick
Fixed the bug in #560
> Thanks for the PR! However i am not sure if this would improve NetExec. We already have an automatic check for show advanced options/xp_cmdshell which enables/disables them depending on the state of the DB.
>
> EDIT: However, thanks to your screenshots i found a bug :D gonna fix the checks quick
darn, i knew it! if i remember correctly, the -x command option worked without manually enabling xp_cmdshell. then some time after it broke. i thought there would be some bug but i couldn't figure it out, so i created this module. :))
you're right about improvement but i think this module can be merged to main. think like a penetration tester found open xp_cmdshells that were forgotten to be closed. so a system admin could use this module to bulk disable all xp_cmdshells with ease. or i'm a penetration tester and not sure that all tested xp_cmdshells are closed. i can use this module to be sure.
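The clean-up case described in the comment above, as an added T-SQL example (not code from this PR or from NetExec): it audits xp_cmdshell on one instance, turns it off if it is on, and leaves show advanced options in the state it was found. It assumes a login with ALTER SETTINGS permission (sysadmin or serveradmin); the variable and column alias names are chosen for this example.

```sql
-- Added example: audit xp_cmdshell and disable it, restoring
-- 'show advanced options' to its original value afterwards.
SET NOCOUNT ON;

DECLARE @adv_before int, @xp_before int, @xp_pending int;

-- value        = configured value (may still be waiting for RECONFIGURE)
-- value_in_use = value the running instance actually enforces
SELECT @adv_before = CONVERT(int, value_in_use)
FROM sys.configurations
WHERE name = N'show advanced options';

SELECT @xp_before  = CONVERT(int, value_in_use),
       @xp_pending = CONVERT(int, value)
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- Act if it is enabled now, or configured to become enabled at the
-- next RECONFIGURE (value = 1 while value_in_use = 0).
IF @xp_before = 1 OR @xp_pending = 1
BEGIN
    -- xp_cmdshell is an advanced option: sp_configure only accepts a
    -- change to it while 'show advanced options' is 1.
    IF @adv_before = 0
    BEGIN
        EXEC sp_configure N'show advanced options', 1;
        RECONFIGURE;
    END;

    EXEC sp_configure N'xp_cmdshell', 0;
    RECONFIGURE;

    -- Put 'show advanced options' back if this script switched it on.
    IF @adv_before = 0
    BEGIN
        EXEC sp_configure N'show advanced options', 0;
        RECONFIGURE;
    END;
END;

-- One result row per instance, suitable for collecting across servers.
SELECT @@SERVERNAME                AS server_name,
       @xp_before                  AS xp_cmdshell_in_use_before,
       @xp_pending                 AS xp_cmdshell_configured_before,
       CONVERT(int, value_in_use)  AS xp_cmdshell_in_use_now,
       @adv_before                 AS show_advanced_options_before
FROM sys.configurations
WHERE name = N'xp_cmdshell';
```

A row where xp_cmdshell_in_use_before is 1 marks an instance that was left enabled and is worth following up in the engagement report or change log.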
Sounds good :)
Fyi, changed the name of link_enable_xp module to link_enable_cmdshell so that it has the same naming scheme as this module. See https://github.com/Pennyw0rth/NetExec/pull/415#issuecomment-2884655220