Requested: Command Execution with SQLi via SeeCLRly

I got a request today from Matt Maley over at Gotham Security (@mjmaley) for a list of SQL queries that could be used to execute the SeeCLRly technique over a SQLi vector. I’ve also seen some interest in this topic on Reddit, so I decided to make this post. Below you will find a series of queries that, when injected, will allow you to perform command execution on a SQL Server without the use of the xp_cmdshell stored procedure. Note that the user which executes the injected queries still needs to have the sysadmin privilege. I haven’t been able to test these queries over a SQLi vector myself so please let me know your results!

Continue Reading →