A PowerShell Toolkit for Attacking SQL Server


The PowerUpSQL module includes functions that support SQL Server discovery, auditing for common weak configurations, and privilege escalation. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that could be used by administrators to inventory the SQL Servers on their ADS domain.


PowerUpSQL was designed with six objectives in mind:

  • Scalability: Multi-threading is supported on core functions so they can be executed against many SQL Servers quickly.
  • Portability: Default .net libraries are used and there are no dependencies on SQLPS or the SMO libraries. Functions have also been designed so they can be run independently. As a result, it’s easy to use on any Windows system with PowerShell v3 installed.
  • Flexibility: PowerUpSQL functions support the PowerShell pipeline so they can be used together, and with other scripts.
  • Easy Server Discovery: Discovery functions can be used to blindly identify local, domain, and non-domain SQL Server instances on scale.
  • Easy Server Auditing: The Invoke-SQLAudit function can be used to audit for common high impact vulnerabilities and weak configurations using the current login’s privileges. Also, Invoke-SQLDumpInfo can be used to quickly inventory databases, privileges, and other information.
  • Easy Server Exploitation: The Invoke-SQLEscalatePriv function attempts to obtain sysadmin privileges using identified vulnerabilities.

Installing the Module

  • Option 1: Install it from the PowerShell Gallery. This requires local administrative privileges and will permanently install the module.Install-Module -Name PowerUpSQL
  • Option 2: Download the project and import it. This does not require administrative privileges and will only be imported into the current session. However, it may be blocked by restrictive execution policies.

    Import-Module PowerUpSQL.psd1

  • Option 3: Load it into a session via a download cradle. This does not require administrative privileges and will only be imported into the current session. It should not be blocked by executions policies.

    IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")

    Note: To run as an alternative domain user, use the runas command to launch PowerShell first.

    runas /noprofile /netonly /user:domain\user PowerShell.exe

Getting Command Help

  • To list functions from the module, type: Get-Command -Module PowerUpSQL
  • To list help for a function, type: Get-Help FunctionName

Discovery Functions

These functions can be used for enumerating SQL Server instances. Discovered instances can then be piped into other PowerUpSQL functions.

Function Name Description
Get-SQLInstanceFile Returns SQL Server instances from a file. One per line.
Get-SQLInstanceLocal Returns SQL Server instances from the local system based on a registry search.
Get-SQLInstanceDomain Returns a list of SQL Server instances discovered by querying a domain controller for systems with registered MSSQL service principal names. The function will default to the current user’s domain and logon server, but an alternative domain controller can be provided. UDP scanning of management servers is optional.
Get-SQLInstanceScanUDP Returns SQL Server instances from UDP scan results.
Get-SQLInstanceScanUDPThreaded Returns SQL Server instances from UDP scan results and supports threading.

Primary Attack Functions

These are the functions used to quickly dump databse information, audit for common vulnerabilities, and attempt to obtain sysadmin privileges.

Function Name Description
Invoke-SQLDumpInfo This can be used to dump SQL Server and database information to csv or xml files. This can be handy for doing a quick inventory of databases, logins, privileges etc.
Invoke-SQLAudit This can be used to review the SQL Server and databases for common configuration weaknesses and provide a vulnerability report along with recommendations for each item.
Invoke-SQLEscalatePriv This can be used to obtain sysadmin privileges via identified configuration weaknesses. Think of it like getsystem, but for SQL Server.

Core Functions

These functions are used to test connections, execute SQL Server queries, and execute OS commands. All other functions use these core functions. However, they can also be executed independently.

Function Name Description
Get-SQLConnectionTest Tests if the current Windows account or provided SQL Server login can log into an SQL Server.
Get-SQLConnectionTestThreaded Tests if the current Windows account or provided SQL Server login can log into an SQL Server and supports threading.
Get-SQLQuery Executes a query on target SQL servers.
Get-SQLQueryThreaded Executes a query on target SQL servers and supports threading.
Invoke-SQLOSCmd Execute command on the operating system as the SQL Server service account using xp_cmdshell. Supports threading, raw output, and table output.

Third Party Functions

A few PowerUpSQL functions use the third party functions below.

Function Name Description
Invoke-Parallel A PowerShell function created by Warren F. ( RamblingCookieMonster) for running multiple threads in PowerShell via runspaces.
Invoke-Inveigh A Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool create by Kevin Robertson.
Test-IsLuhnValid Valdidate a number based on the Luhn Algorithm. Function written by Oyvind Kallstad.

Utility Functions

These are essentially helper functions. Some of them are used by other PowerUpSQL functions, but all of them can be run independently.

Function Name Description
Get-SQLConnectionObject Creates a object for connecting to SQL Server.
Get-SQLFuzzObjectName Enumerates objects based on object id using OBJECT_NAME() and only the Public role.
Get-SQLFuzzDatabaseName Enumerates databases based on database id using DB_NAME() and only the Public role.
Get-SQLFuzzServerLogin Enumerates SQL Server Logins based on login id using SUSER_NAME() and only the Public role.
Get-SQLFuzzDomainAccount Enumerates domain groups, computer accounts, and user accounts based on domain RID using SUSER_SNAME() and only the Public role. Note: In a typical domain 10000 or more is recommended for the EndId.
Get-ComputerNameFromInstance Parses computer name from a provided instance.
Get-SQLServiceLocal Returns local SQL Server services.
Create-SQLFileXpDll Used to create CPP DLLs with exported functions that can be imported as extended stored procedures in SQL Server. Supports arbitrary command execution.
Get-DomainSpn Returns a list of SPNs for the target domain. Supports authentication from non domain systems.
Get-DomainObject Used to query domain controllers via LDAP. Supports alternative credentials from non-domain system.

Common Functions

These functions are used for common information gathering tasks. Similar to core functions, the common functions can be executed by themselves, but are also used by other functions in the PowerUpSQL module.

Function Name Description
Get-SQLAuditDatabaseSpec Returns Audit database specifications from target SQL Servers.
Get-SQLAuditServerSpec Returns Audit server specifications from target SQL Servers.
Get-SQLColumn Returns column information from target SQL Servers. Supports keyword search.
Get-SQLColumnSampleData Returns column information from target SQL Servers. Supports search by keywords, sampling data, and validating credit card numbers.
Get-SQLColumnSampleDataThreaded Returns column information from target SQL Servers. Supports search by keywords, sampling data, and validating credit card numbers. Supports host threading.
Get-SQLDatabase Returns database information from target SQL Servers.
Get-SQLDatabase Returns database information from target SQL Servers. Supports host threading.
Get-SQLDatabasePriv Returns database user privilege information from target SQL Servers.
Get-SQLDatabaseRole Returns database role information from target SQL Servers.
Get-SQLDatabaseRoleMember Returns database role member information from target SQL Servers.
Get-SQLDatabaseSchema Returns schema information from target SQL Servers.
Get-SQLDatabaseUser Returns database user information from target SQL Servers.
Get-SQLServerConfiguration Returns configuration settings from sp_configure. Output includes advanced options if the connecting user is a sysadmin.
Get-SQLServerCredential Returns credentials from target SQL Servers.
Get-SQLServerInfo Returns basic server and user information from target SQL Servers.
Get-SQLServerInfoThreaded Returns basic server and user information from target SQL Servers. Supports host threading.
Get-SQLServerLink Returns link servers from target SQL Servers.
Get-SQLServerLogin Returns logins from target SQL Servers.
Get-SQLServerPriv Returns SQL Server login privilege information from target SQL Servers.
Get-SQLServerRole Returns SQL Server role information from target SQL Servers.
Get-SQLServerRoleMember Returns SQL Server role member information from target SQL Servers.
Get-SQLServiceAccount Returns a list of service account names for SQL Servers services by querying the registry with xp_regread. This can be executed against remote systems.
Get-SQLSession Returns active sessions from target SQL Servers.
Get-SQLStoredProcure Returns stored procedures from target SQL Servers.
Get-SQLSysadminCheck Check if login is has sysadmin privilege on the target SQL Servers.
Get-SQLTable Returns table information from target SQL Servers.
Get-SQLTriggerDdl Returns DDL trigger information from target SQL Servers. This includes logon triggers.
Get-SQLTriggerDml Returns DML trigger information from target SQL Servers.
Get-SQLView Returns view information from target SQL Servers.

Audit Functions

These functions are used for identifying weak configurations that can lead to unauthorized access. Invoke-SQLAudit can be used to run all of them at once. Also, all of the audit functions support an exploit flag. In most cases that means the script will try to add your login to the sysadmin server role.

Function Name Description Provide Sysadmin
Invoke-SQLAuditPrivCreateProcedure Check if the current login has the CREATE PROCEDURE permission. Attempt to use permission to obtain sysadmin privileges. No
Invoke-SQLAuditPrivImpersonateLogin Check if the current login has the IMPERSONATE permission on any sysadmin logins. Attempt to use permission to obtain sysadmin privileges. Yes
Invoke-SQLAuditPrivServerLink Check if SQL Server links exist that are preconfigured with alternative credentials that can be impersonated. Provide example queries for execution on remote servers. Yes
Invoke-SQLAuditPrivDbChaining Check if database ownership chaining is enabled at the server or databases levels. No
Invoke-SQLAuditPrivTrustworthy Check if any database have been flagged as trusted. No
Invoke-SQLAuditPrivXpDirtree Checks if the xp_dirtree stored procedure is executable. Uses Inveigh to obtain password hash for the SQL Server service account. Note: Capture likelihood is better when longer timeouts are set. Yes
Invoke-SQLAuditPrivXpFileexist Checks if the xp_fileexist stored procedure is executable. Uses Inveigh to obtain password hash for the SQL Server service account. Note: Capture likelihood is better when longer timeouts are set. Yes
Invoke-SQLAuditRoleDbDdlAdmin Check if the current login has the DB_DdlAdmin role in any databases. Attempt to use permission to obtain sysadmin privileges. No
Invoke-SQLAuditRoleDbOwner Check if the current login has the DB_OWNER role in any databases. Attempt to use permission to obtain sysadmin privileges. Yes
Invoke-SQLAuditSampleDataByColumn Check if the current login can access any database columns that contain the word password. Supports column name keyword search and custom data sample size. For better data searches use Get-SQLColumnSampleData. No
Invoke-SQLAuditWeakLoginPw This can be used for online dictionary attacks. It also support auto-discovery of SQL Logins for testing if you already have a least privilege account. Yes

A PowerShell Toolkit for Attacking SQL Server: PowerUpSQL Download