The enable_cmdshell MSSQL module claims "xp_cmdshell successfully enabled." despite the user lacking RECONFIGURE permissions.
Describe the bug
When using the MSSQL enable_cmdshell module to enable xp_cmdshell, the text "xp_cmdshell successfully enabled." is output even if the user lacks RECONFIGURE permissions.
To Reproduce
Command: nxc mssql target.ip -u 'username' -p 'password' -M enable_cmdshell -o ACTION=enable
Resulted in:
MSSQL target.ip 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:REMOVED)
MSSQL target.ip 1433 DC01 [+] REMOVED\username:password
ENABLE_C... target.ip 1433 DC01 [+] xp_cmdshell successfully enabled.
...
Despite
SQL (REMOVED\username guest@master)> EXEC sp_configure 'xp_cmdshell', '1'; RECONFIGURE;
ERROR(DC01): Line 105: User does not have permission to perform this action.
ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.
Expected behavior
"xp_cmdshell successfully enabled." does not display if the user does not have RECONFIGURE permissions.
NetExec info
- OS: Ubuntu 25.10
- Version of nxc: 1.4.0 - SmoothOperator - 136b45cf - 1006
- Installed from: github
Thanks for the bug report, we'll look into it! What happens if you try to execute a command with netexec? Does that report about the missing permissions?
Normal commands work fine.
nxc mssql 10.10.10.5 -u 'username' -p 'password' -q "SELECT @@VERSION;"
MSSQL 10.10.10.5 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:REMOVED)
MSSQL 10.10.10.5 1433 DC01 [+] REMOVED\username:password
MSSQL 10.10.10.5 1433 DC01 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
Oct 8 2022 05:58:25
Copyright (C) 2022 Microsoft Corporation
Enterprise Evaluation Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
Non-permission commands just don't seem to return anything (no difference if the domain resolves).
nxc mssql 10.10.10.5 -u 'username' -p 'password' -q "EXEC sp_configure 'xp_cmdshell', '1'; RECONFIGURE;" --verbose
[22:23:03] INFO Socket info: host=10.10.10.5, hostname=10.10.10.5, kerberos=False, ipv6=False, link-local ipv6=False connection.py:177
[22:23:04] INFO NTLM challenge: mssql.py:119
b'NTLMSSP\x00\x02\x00\x00\x00\x0c\x00\x0c\x008\x00\x00\x00\x05\x02\x89\xa2\x86\xa3*\r\x05#kG\x00\x00\x00\x00\x00\x00\x00\x00~\x00~\x00D\x00\x00\x00\n\x00cE\x00\x00\x00\x0fS\x00I\x00G\x00N\x00E\x00D\x00\x02\x00\x0c\x00S\x00I\x00G\x00N\x00E\x00D\x00\x01\x00\x08\x00D\x00C\x000\x001\x00\x04\x00\x14\x00S\x00I\x00G\x00N\x00E\x00D\x00.\x00H\x00T\x00B\x00\x03\x00\x1e\x00D\x00C\x000\x001\x00.\x00S\x00I\x00G\x00N\x00E\x00D\x00.\x00H\x00T\x00B\x00\x05\x00\x14\x00S\x00I\x00G\x00N\x00E\x00D\x00.\x00H\x00T\x00B\x00\x07\x00\x08\x00T\x82\x03\xad\xda>\xdc\x01\x00\x00\x00\x00'
INFO Error resolving hostname REMOVED: [Errno -2] Name or service not known connection.py:204
INFO Resolved domain: REMOVED with dns, kdcHost: None mssql.py:141
MSSQL 10.10.10.5 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:REMOVED)
MSSQL 10.10.10.50 1433 DC01 [+] REMOVED\username:password
[22:23:05] INFO Query to run: mssql.py:258
EXEC sp_configure 'xp_cmdshell', '1'; RECONFIGURE;
INFO Executed MSSQL query mssql.py:261
reelix@reelix-kubuntu:~$
Hi, thanks for the report! A PR has been opened to fix this by adding a permission check before confirming xp_cmdshell enablement.
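The pattern the thread converges on, verify the server state instead of trusting that the statement ran, as an added example written for this issue; it is not NetExec's code and not the PR mentioned above. It assumes a `run_query(sql) -> (rows, errors)` callable standing in for a real MSSQL client (NetExec's own query API is not modelled). The T-SQL strings are standard: `HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SETTINGS')` reports whether the login holds the server permission that RECONFIGURE requires, and `sys.configurations.value_in_use` shows whether the option actually took effect. The enable statement is the one from the report; on a real instance `show advanced options` has to be on already. The `FakeServer` class is a constructed stand-in so the logic runs offline, with error strings modelled on the ones in the report.

```python
"""Report xp_cmdshell as enabled only when the server says it is.

Added example, not NetExec's code. `run_query` is an assumed abstraction:
it takes a T-SQL string and returns (rows, errors), rows as a list of tuples
and errors as a list of server error messages.
"""
from typing import Callable, List, Tuple

QueryResult = Tuple[List[tuple], List[str]]
QueryRunner = Callable[[str], QueryResult]

# Server-scoped permission check: RECONFIGURE needs ALTER SETTINGS.
PRECHECK = "SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SETTINGS');"
# The statement from the bug report.
ENABLE = "EXEC sp_configure 'xp_cmdshell', '1'; RECONFIGURE;"
# Post-check: the value the engine is actually using right now.
STATE = "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';"


def has_alter_settings(run_query: QueryRunner) -> bool:
    """True if the current login may run RECONFIGURE."""
    rows, errors = run_query(PRECHECK)
    return not errors and bool(rows) and rows[0][0] == 1


def xp_cmdshell_enabled(run_query: QueryRunner) -> bool:
    """True only if sys.configurations reports the option as in use."""
    rows, errors = run_query(STATE)
    return not errors and bool(rows) and rows[0][0] == 1


def enable_xp_cmdshell(run_query: QueryRunner) -> Tuple[bool, str]:
    """Attempt the change, then confirm it; never report success blindly."""
    if not has_alter_settings(run_query):
        return False, "login lacks ALTER SETTINGS; RECONFIGURE would fail"
    _, errors = run_query(ENABLE)
    if errors:
        return False, "server rejected the change: " + "; ".join(errors)
    if not xp_cmdshell_enabled(run_query):
        # The exact case from the report: no error surfaced, but nothing changed.
        return False, "RECONFIGURE did not apply; xp_cmdshell is still disabled"
    return True, "xp_cmdshell successfully enabled."


class FakeServer:
    """Constructed stand-in for an MSSQL instance (not a real connection)."""

    def __init__(self, can_alter_settings: bool, applies: bool = True):
        self.can_alter_settings = can_alter_settings
        self.applies = applies          # False simulates a silently ignored change
        self.value_in_use = 0           # option starts disabled

    def run_query(self, sql: str) -> QueryResult:
        if sql == PRECHECK:
            return [(1 if self.can_alter_settings else 0,)], []
        if sql == ENABLE:
            if not self.can_alter_settings:
                # Constructed after the messages in the report.
                return [], ["User does not have permission to perform this action.",
                            "You do not have permission to run the RECONFIGURE statement."]
            if self.applies:
                self.value_in_use = 1
            return [], []
        if sql == STATE:
            return [(self.value_in_use,)], []
        raise ValueError(f"unexpected query: {sql}")


if __name__ == "__main__":
    for label, server in (("low-priv", FakeServer(False)),
                          ("sysadmin", FakeServer(True)),
                          ("no-apply", FakeServer(True, applies=False))):
        print(label, enable_xp_cmdshell(server.run_query))
```

The pre-check alone would already have stopped the false positive in the report, but the post-check on `value_in_use` is what makes the routine honest in every case, including the one the reporter saw where the query returned no error at all.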