| CARVIEW |
Select Language
HTTP/2 200
date: Sun, 27 Jul 2025 10:29:54 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
etag: W/"07d871cb5a029bfc5b3681cbc6aeae71"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=1qqnC%2FU6xWSgHPEmqNozxLIYDkZmsAh5%2B%2BPAQ3o7IIcEQqXXhw1jmWtaFcaEB8RX6qiMPpfZkczgIuqKuwibkflfVs1R3b6e9Pbflbv%2Fj3boSj5qxM1XWgL6p6nLW%2FCwMxq6jPXVy4g7QozF1t7ALuO%2F4qu7XmYgfEteRUMeKmfWLjqekuMLAj7fA65jGG9bpT8XESSHFtLFpvoDwiXbzUcY8ZRrn4AAcBg2pOXV27ndPSXoMFEdbeidvqM2Hc4OpbtFtntZyFwU%2FKkYSGGcTg%3D%3D--64hdpu6v38A1Ziq4--tH101gp0QPYR6oq6ANC4hA%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.943697626.1753612194; Path=/; Domain=github.com; Expires=Mon, 27 Jul 2026 10:29:54 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Mon, 27 Jul 2026 10:29:54 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: E2D6:872F4:D158D0:1156D3C:6885FFA2
Utility Functions · NetSPI/PowerUpSQL Wiki · GitHub
Skip to content
Navigation Menu
{{ message }}
-
Notifications
You must be signed in to change notification settings - Fork 480
Utility Functions
Scott Sutherland edited this page Oct 23, 2017
·
14 revisions
These are essentially helper functions. Some of them are used by other PowerUpSQL functions, but all of them can be run independently.
| Function Name | Description |
|---|---|
| Get-SQLConnectionObject | Creates a object for connecting to SQL Server. |
| Get-SQLFuzzObjectName | Enumerates objects based on object id using OBJECT_NAME() and only the Public role. |
| Get-SQLFuzzDatabaseName | Enumerates databases based on database id using DB_NAME() and only the Public role. |
| Get-SQLFuzzServerLogin | Enumerates SQL Server Logins based on login id using SUSER_NAME() and only the Public role. |
| Get-SQLFuzzDomainAccount | Enumerates domain groups, computer accounts, and user accounts based on domain RID using SUSER_SNAME() and only the Public role. Note: In a typical domain 10000 or more is recommended for the EndId. |
| Get-ComputerNameFromInstance | Parses computer name from a provided instance. |
| Get-SQLServiceLocal | Returns local SQL Server services. |
| Create-SQLFileXpDll | Used to create CPP DLLs with exported functions that can be imported as extended stored procedures in SQL Server. Supports arbitrary command execution. |
| Get-DomainSpn | Returns a list of SPNs for the target domain. Supports authentication from non domain systems. |
| Get-DomainObject | Used to query domain controllers via LDAP. Supports alternative credentials from non-domain system. |
| Get-SQLStoredProcedureSQLi | Returns stored procedures using dynamic SQL and the "WITH EXECUTE AS OWNER" clause. If the stored procedure is vulnerable to SQLi it may be possible to impersonate the procedure owner. |
| Get-SQLServerLoginDefaultPw | Based on the instance name, test if SQL Server is configured with default passwords. |
| Create-SQLFileXpDll | Used to generate DLLs that can be imported to create a custom stored procedure that executes OS commands |
| Create-SQLFileCLRDll | Used to generate DLLs that can be imported to create a CLR stored procedure that executes OS commands. It also generates a file containing TSQL code for creating the procedure without the DLL. |
| Get-SQLAssemblyFile | Returns imported assembly file information for each database. It can also be used to export existing CLR assembly file imports back to a DLL file. |
| Get-SQLDomainUser | Use OLE DB ADSI connections to grab a list of domain users via SQL Server links (OpenQuery) and adhoc queries (OpenRowSet). |
| Get-SQLDomainObject | Use OLE DB ADSI connections to grab a list of domain objects via SQL Server links (OpenQuery) and adhoc queries (OpenRowSet). |
Examples:
Get-SQLFuzzServerLogin -Verbose -Instance "SQLSVR1\Instance1"
Get-SQLAssemblyFile -Verbose -Instance SQLServer1\Instance1 -ExportFolder c:\temp
Roadmap:
Get-SQLFuzzDatabase
Get-SQLFuzzSchema
Get-SQLDatabaseOrphanUser
Get-SQLDatabaseUser - add fuzzing option
Get-SQLStoredProcedureEncrypted
Get-SQLDecryptedStoreProcedure
Get-SQLDownloadFile
Get-SQLDownloadFileAdHocQuery
Get-SQLDownloadFileAssembly
Get-SQLDownloadFileBulkInsert
Get-SQLDownloadFileServerLine
Get-SQLDownloadFileXpCmdshell
Get-SQLInstalledSoftware
Get-SQLServerLogin - add fuzzing option
Get-SQLUploadFile
Get-SQLUploadFileAdHocQuery
Get-SQLUploadFileAgent
Get-SQLUploadFileAssembly
Get-SQLUploadFileServerLink
Get-SQLUploadFileXpCmdshell
Invoke-SqlOSCmdServerLinkMd
Invoke-SqlOSCmdAdHoQueryMd
Invoke-SqlOSCmdAgentAnalysis
Invoke-SqlOSCmdAgentOther
Invoke-SqlOSCmdAgentSsisExecuteProcessTask
Enable-FullRegRead
Disable-FullRegRead
- PowerUpSQL Commands
- UNC Path Injection
- Connection Strings
- SQL Server SPN Formats
- SQL Server Detective Controls
- Code Templates
- Introduction to PowerUpSQL
- Blindly Discover SQL Server Instances
- Finding Sensitive Data on Domain SQL Servers
- Finding Weak Passwords for Domain SQL Servers on Scale
- Finding Default Passwords Associated with Application Specific Instances
- Get Sysadmin as Local Admin
- Get Windows Auto Login Passwords via SQL Server
- Establishing Registry Persistence via SQL Server
- Establishing Persistence via SQL Server Triggers
- Establishing Persistence via SQL Server Startup Procedures
- Crawling SQL Server Links
- Attacking SQL Server CLR
- Bypassing SQL Server Logon Trigger Restrictions
- SQL Server as a C2
- Dumping Active Directory Information with SQL Server
- Attacking Stored Procedures via SQLi
- Attacking Insecure Impersonation Configurations
- Attacking Trustworthy Databases
- Enumerating Logins and Domain Accounts via SQL Server
- Using SQL Server to Attack Forest Trusts
- Exploiting Global Temporary Tables
- Hijacking SQL Server Credentials using Agent Jobs for Domain Privilege Escalation
- 2020 May Troopers20 Video
- 2020 May Troopers20 Slides
- 2018 Aug BH Arsenal Video
- 2018 Aug BH Arsenal Slides
- 2017 SEPT DerbyCon7 Video
- 2017 SEPT DerbyCon7 Slides
- 2017 May Secure360 Slides
- 2017 May THOTCON Slides
- 2016 OCT Arcticcon Slides
- 2016 OCT PASS Webinar Video
- 2016 SEPT DerbyCon6 Slides
- 2016 SEPT DerbyCon6 Video
- 2015 APR OWASP Slides
- 2015 APR OWASP Video
- Discover SQL Server Instances
- Unauthenticated to SQL Login - Default Passwords
- Domain User to SQL Sysadmin - UNC Injection
- SQL Login to Sysadmin-Auto
- SQL Login to Sysadmin-LoginEnum+PwGuess
- SQL Login to Sysadmin-Link Crawling 1
- SQL Login to Sysadmin-Link Crawling 2
- SQL Login to OS Admin-UNC Path Injection
- OS Admin to Sysadmin-Impersonation
- Audit Configurations
- Find Sensitive Data
- Attacking SQL Server CLR Assemblies Webinar
Clone this wiki locally
You can’t perform that action at this time.