Search results for: PowerUpSQL

Karl Fosaaen
August 17th, 2020

Lateral Movement in Azure App Services

We test a lot of web applications at NetSPI, and as everyone continues to move their operations into the cloud, we’re running into more instances of applications being run on Azure App Services. Whenever we run into an App Services application with a serious vulnerability, I’ll frequently get a ping asking about next steps to […]

Scott Sutherland
May 4th, 2020

Evil SQL Client Console: Msbuild All the Things

Evil SQL Client (ESC) is an interactive .net SQL console client that supports enhanced SQL Server discovery, access, and data exfiltration capabilities.

Scott Sutherland
November 11th, 2019

Exploiting SQL Server Global Temporary Table Race Conditions

This blog will walk through how to find and exploit SQL Server global temporary table race conditions to gain unauthorized access to data and execute code.

Scott Sutherland
June 27th, 2018

Bypassing SQL Server Logon Trigger Restrictions

This shows how to bypass SQL Server logon trigger restrictions by spoofing hostnames and application names using lesser-known connection string properties.

Alexander Polce Leary
June 19th, 2018

Tokenvator: A Tool to Elevate Privilege using Windows Tokens

WheresMyImplant is a mini red team toolkit that I have been developing over the past year in .NET. While developing and using it, I found that I consistently needed to alter my process access token to do such things as SYSTEM permissions or add debug privileges […]

Scott Sutherland
May 25th, 2018

Databases and Clouds: SQL Server as a C2

This blog will provide an overview of how to create and maintain access to an environment using SQL Server as the controller and the agent using a new PoC script called SQLC2.

Scott Sutherland
May 8th, 2018

Attacking Application Specific SQL Server Instances

This blog walks through how to quickly identify SQL Server instances used by third-party applications that are configured with default passwords using PowerUpSQL.

Gabriel Cogar
August 2nd, 2017

Identifying Payment Cards at Rest – Going Beyond the Key Word Search

In this blog, I’ll be discussing an approach for locating payment card numbers stored in MSSQL databases without relying on key words for data discovery. To overcome the impracticality of pulling an entire database over the wire for advanced analysis, we’ll focus on using MSSQL’s native capability to filter out items that can’t contain cardholder […]

Scott Sutherland
July 13th, 2017

Attacking SQL Server CLR Assemblies

In this blog, I’ll be expanding on the CLR assembly attacks developed by Lee Christensen and covered in Nathan Kirk’s CLR blog series. I’ll review how to create, import, export, and modify CLR assemblies in SQL Server with the goal of privilege escalation, OS command execution, and persistence. I’ll also share a few new PowerUpSQL […]