These procedures access the Windows operating system directly to return information or to manage files and processes.
xp_availablemedia: Shows the physical drives on the server.
xp_cmdshell: Allows execution of operating system commands in the security context of the SQL Server service. The most powerful and widely abused stored procedure.
xp_displayparamstmt: Older versions are vulnerable to buffer overflow attacks. Undocumented, it can be used to execute SQL queries but its original purpose is unclear.
xp_dropwebtask: Deletes a defined web job (instruction to render the result of a query into an HTML file).
xp_enumerrorlogs: Displays the error logs used by SQL Server.
xp_enumgroups: Lists the Windows user groups defined on the server.
xp_eventlog: Used to read the Windows event logs.
xp_execresultset: An undocumented procedure used to execute a number of commands passed as a resultset. Can be abused to quickly perform brute-force attacks against passwords if the password dictionary is available as a resultset.
xp_fileexist: Tests if a specified file exists on the server's filesystem.
xp_fixeddrives: Returns information about the server's drives and free space.
xp_getfiledetails: Returns information about a particular file on the server, such as its size, creation date, and last modified date.
xp_getnetname: Shows the server's network name. This could allow an attacker to guess the names of other machines on the network.
xp_grantlogin: Used to grant a Windows user or group access to the SQL Server.
xp_logevent: Writes a custom event to the SQL Server and Windows error log. Could be abused to corrupt the server's audit trail.
xp_loginconfig: Divulges information about the authentication method used by the server and the current auditing settings.
xp_logininfo: Shows the SQL Server's users and groups.
xp_makewebtask: Creates a webtask, which is used to output table data to an HTML file. Could be used to retrieve data using the Web.
xp_msver: Provides more information about the SQL Server than its version alone. This includes the Windows patch and service pack level.
xp_ntsec_enumdomains: Lists the Windows domains accessed by the server.
xp_perfsample: Used with the SQL Server performance monitor.
xp_perfstart: Used with the SQL Server performance monitor.
xp_printstatements: An undocumented procedure that returns the result of a query.
xp_readerrorlog: Used to view the SQL Server error log. Can also be used to view any file on the local filesystem accessible to the SQL Server process.
xp_revokelogin: Revokes access to the SQL Server from a Windows user or group.
xp_runwebtask: Executes a defined webtask, which outputs SQL Server table data to an HTML file.
xp_servicecontrol: Used to start, stop, pause, and un-pause Windows services.
sp_MSSetServerProperties: Sets whether the SQL Server starts automatically or manually on reboot. Could be used to DoS the server, or to prevent the server from starting so that an attacker can access a shell on the SQL Server port.
xp_snmp_getstate: Returns the current state of the SQL Server using SNMP (Simple Network Management Protocol). Removed after SQL Server 6.5.
xp_snmp_raisetrap: Sends an SNMP trap (alert) to an SNMP client. Removed after SQL Server 6.5.
xp_sprintf: Similar to the C sprintf function, used to create an output string from multiple inputs. Could be used to create executable commands.
xp_sqlinventory: Prior to SQL Server 2000, returns information about the server's installation and configuration settings.
xp_sqlregister: Prior to SQL Server 2000, broadcasts server configuration details used by xp_sqlinventory.
xp_sqltrace: Prior to SQL Server 2000, returns information on the audit traces set, and their activity.
xp_sscanf: Similar to the C function sscanf, used to extract variables from a text string in a certain format. Could help an attacker create executable commands.
xp_subdirs: Displays all of a directory's subdirectories.
xp_terminate_process: Used to kill a Windows process with a specific ID. An attacker could use this to disable anti-virus or firewall software on the host.
xp_unc_to_drive: Converts a UNC (Universal Naming Convention) address to a corresponding local drive.
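
To audit an instance against this list, the query below reports which of the riskier procedures named above exist on the server and which principals have been granted EXECUTE on them. It is an added example, not part of the original text, and it assumes SQL Server 2005 or later, where the sys.all_objects, sys.database_permissions and sys.configurations catalog views are available; procedures that have been removed from the installed version simply return no rows.

```sql
-- Added audit example (not from the original page).
-- Assumption: SQL Server 2005 or later (catalog views), run by a sysadmin.
USE master;

-- 1. Which of the listed procedures exist here, and who may execute them?
--    Rows where grantee = 'public' deserve attention first, because every
--    login inherits the permissions of the public role.
SELECT  o.name          AS procedure_name,
        o.type_desc     AS object_type,
        pr.name         AS grantee,
        p.state_desc    AS permission_state,   -- GRANT / DENY / GRANT_WITH_GRANT_OPTION
        p.permission_name
FROM    sys.all_objects AS o
LEFT JOIN sys.database_permissions AS p
       ON  p.class    = 1                      -- object-level permission
       AND p.major_id = o.object_id
       AND p.minor_id = 0
LEFT JOIN sys.database_principals AS pr
       ON  pr.principal_id = p.grantee_principal_id
WHERE   o.name IN (
            -- command execution and process/service control
            N'xp_cmdshell', N'xp_servicecontrol', N'xp_terminate_process',
            N'xp_execresultset', N'sp_MSSetServerProperties',
            -- filesystem and log access
            N'xp_readerrorlog', N'xp_fileexist', N'xp_getfiledetails',
            N'xp_subdirs', N'xp_availablemedia', N'xp_fixeddrives',
            N'xp_makewebtask', N'xp_runwebtask', N'xp_logevent',
            -- host, domain and account enumeration
            N'xp_getnetname', N'xp_loginconfig', N'xp_logininfo',
            N'xp_enumgroups', N'xp_ntsec_enumdomains', N'xp_msver'
        )
ORDER BY CASE WHEN pr.name = N'public' THEN 0 ELSE 1 END,
         o.name;

-- 2. Is xp_cmdshell currently enabled at the server level?
--    value_in_use = 1 means it can be called by anyone holding EXECUTE.
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name = N'xp_cmdshell';
```

A procedure that appears with a NULL grantee exists but has no explicit object-level grant recorded; members of the sysadmin role can still execute it.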