The enable_cmdshell MSSQL module claims "xp_cmdshell successfully enabled." despite user lacking RECONFIGURE permissions.

[Reelix]

Describe the bug
When using the MSSQL enable_cmdshell module to enable xp_cmdshell, the text xp_cmdshell successfully enabled will output even if the user lacks RECONFIGURE permissions.

To Reproduce
Command: nxc mssql target.ip -u 'username' -p 'password' -M enable_cmdshell -o ACTION=enable
Resulted in:

MSSQL       target.ip     1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:REMOVED)
MSSQL       target.ip     1433   DC01             [+] REMOVED\username:password
ENABLE_C... target.ip     1433   DC01             [+] xp_cmdshell successfully enabled.
...

Despite

SQL (REMOVED\username  guest@master)> EXEC sp_configure 'xp_cmdshell', '1'; RECONFIGURE;
ERROR(DC01): Line 105: User does not have permission to perform this action.
ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.

Expected behavior
xp_cmdshell successfully enabled. does not display if the user does not have RECONFIGURE permissions.

NetExec info

• OS: Ubuntu 25.10
• Version of nxc: 1.4.0 - SmoothOperator - 136b45c - 1006
• Installed from: github

[NeffIsBack]

Thanks for the bug report, we'll look into it! What happens if you try to execute a command with netexec? Does that report about the missing permissions?

[Reelix]

Normal commands work fine.

nxc mssql 10.10.10.5 -u 'username' -p 'password' -q "SELECT @@VERSION;"
MSSQL       10.10.10.5     1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:REMOVED)
MSSQL       10.10.10.5     1433   DC01             [+] REMOVED\username:password
MSSQL       10.10.10.5     1433   DC01             Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64) 
    Oct  8 2022 05:58:25 
    Copyright (C) 2022 Microsoft Corporation
    Enterprise Evaluation Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)

Non-permission commands just don't seem to return anything (No difference if the domain resolves).

nxc mssql 10.10.10.5 -u 'username' -p 'password' -q "EXEC sp_configure 'xp_cmdshell', '1'; RECONFIGURE;" --verbose
[22:23:03] INFO     Socket info: host=10.10.10.5, hostname=10.10.10.5, kerberos=False, ipv6=False, link-local ipv6=False                                                                                                  connection.py:177
[22:23:04] INFO     NTLM challenge:                                                                                                                                                                                              mssql.py:119
                    b'NTLMSSP\x00\x02\x00\x00\x00\x0c\x00\x0c\x008\x00\x00\x00\x05\x02\x89\xa2\x86\xa3*\r\x05#kG\x00\x00\x00\x00\x00\x00\x00\x00~\x00~\x00D\x00\x00\x00\n\x00cE\x00\x00\x00\x0fS\x00I\x00G\x00N\x00E\x00D\x00\x0             
                    2\x00\x0c\x00S\x00I\x00G\x00N\x00E\x00D\x00\x01\x00\x08\x00D\x00C\x000\x001\x00\x04\x00\x14\x00S\x00I\x00G\x00N\x00E\x00D\x00.\x00H\x00T\x00B\x00\x03\x00\x1e\x00D\x00C\x000\x001\x00.\x00S\x00I\x00G\x00N\x             
                    00E\x00D\x00.\x00H\x00T\x00B\x00\x05\x00\x14\x00S\x00I\x00G\x00N\x00E\x00D\x00.\x00H\x00T\x00B\x00\x07\x00\x08\x00T\x82\x03\xad\xda>\xdc\x01\x00\x00\x00\x00'                                                            
           INFO     Error resolving hostname REMOVED: [Errno -2] Name or service not known                                                                                                                               connection.py:204
           INFO     Resolved domain: REMOVED with dns, kdcHost: None                                                                                                                                                          mssql.py:141
MSSQL       10.10.10.5     1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:REMOVED)
MSSQL       10.10.10.50     1433   DC01             [+] REMOVED\username:password
[22:23:05] INFO     Query to run:                                                                                                                                                                                                mssql.py:258
                    EXEC sp_configure 'xp_cmdshell', '1'; RECONFIGURE;                                                                                                                                                                       
           INFO     Executed MSSQL query                                                                                                                                                                                         mssql.py:261
reelix@reelix-kubuntu:~$ 

[azoxlpf]

Hi, Thanks for the report ! A PR has been opened to fix this by adding a permission check before confirming xp_cmdshell enablement