Rapid7 Vulnerability & Exploit Database

Microsoft SQL Server Database Link Crawling Command Execution

Back to Search

Microsoft SQL Server Database Link Crawling Command Execution



This module can be used to crawl MS SQL Server database links and deploy Metasploit payloads through links configured with sysadmin privileges using a valid SQL Server Login. If you are attempting to obtain multiple reverse shells using this module we recommend setting the "DisablePayloadHandler" advanced option to "true", and setting up a exploit/multi/handler to run in the background as a job to support multiple incoming shells. If you are interested in deploying payloads to specific servers this module also supports that functionality via the "DEPLOYLIST" option. Currently, the module is capable of delivering payloads to both 32bit and 64bit Windows systems via powershell memory injection methods based on Matthew Graeber's work. As a result, the target server must have powershell installed. By default, all of the crawl information is saved to a CSV formatted log file and MSF loot so that the tool can also be used for auditing without deploying payloads.


  • Antti Rantasaari <antti.rantasaari@netspi.com>
  • Scott Sutherland "nullbind" <scott.sutherland@netspi.com>




x86, x64


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/mssql/mssql_linkcrawler
msf exploit(mssql_linkcrawler) > show targets
msf exploit(mssql_linkcrawler) > set TARGET < target-id >
msf exploit(mssql_linkcrawler) > show options
    ...show and set options...
msf exploit(mssql_linkcrawler) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security