v3.7
v3.7
- Complete refactor of code base.
- Updated documentation (code comments, README, and wiki)
- Execution against a linked SQL server chain. For example, if
SQL01
has a link toSQL02
, andSQL02
, has a link toSQL03
, andSQL03
, has a link toPAYMENTS01
. It is now possible to execute commands fromSQL01
onPAYMENTS01
using the linked server chain (/link:SQL02,SQL03,PAYMENTS01 /chain
). Credit to Azael Martin (n3rada). - Removed '
l
' and 'i
' modules, and introduced context logic so module names can be the same across standard, impersonation, linked and chained execution. - Added chain support to all linked modules.
- Added support for debug (
/debug
), which will display various debugging information and all SQL queries that will be executed by a module, without executing them. - Added verbose (
/verbose, /v
), which will display all SQL queries that will be executed during module execution. - Added timeout (
/timeout, /t
), which takes an integer value for SQL server database connection timeout. - Improved
links
module to include detailed information. Credit to Azael Martin (n3rada). - Improved
whoami
module to include Windows principals and database users. Credit to Azael Martin (n3rada). - Improved
impersonation
module to include Windows principals and database users. Credit to Azael Martin (n3rada). - Added IP address retrieval into the
sqlspns
enumeration module. Credit to Azael Martin (n3rada). - Standardized console output to markdown where applicable. Credit to Azael Martin (n3rada).
- Added DNS support to
/enum:info
module. - Added optional
/subsystem
argument to theolecmdexec
module, which accepts execution using theCmdExec
orPowerShell
OLE automation subsystems. - Updated test harnesses to reflect CLI changes and new modules.
- Changed
AzureAD
authentication toEntraID
.
v3.6
- Execution against multiple SQL servers supplied in the
/host
or/h
flag is now supported using comma separated values. - Execution against multiple linked SQL servers supplied in the
/link
or/l
flag is now supported using comma separated values. - Changed
/lhost
to/link
. - Removed '
s
' modules and created the/s
,/sccm
switch for SCCM modules. - Added impersonation support to all SCCM modules, with the exception of
DecryptCredentials
. - Added a new enumeration (
/enum
) module calledinfo
which is able to used an unauthenticated context to obtain SQL server information, including instance name and TCP port using the UDP protocol. - Moved argument logic into individual methods within
ModuleHandler.cs
to promote simplification and extensibility. - Moved all SQL queries to
Queries.cs
. - Created
EnumerationModules.cs
. - Created
FormatQuery.cs
. - Created
SccmModules.cs
. - Renamed
ModuleHandler.cs
toSqlModules.cs
.
v3.5
- Bug fix where linked
adsi
execution was not removing the LDAP server. - Removed agent job execution from linked
adsi
, in favor of openquery/rpc. - Changed
/lhost
to/adsi
in inadsi
module. - Changed
/rhost
to/unc
insmb
module. - Removed
CaptureHash.cs
and simplified logic. - Removed
SetEnumerationType.cs
and simplified logic. - Renamed
Impersonation.cs
toImpersonate.cs
. - Renamed
OleCmdExec.cs
toOleAutomation.cs
. - Renamed
PrintUtils.cs
toPrint.cs
. - Renamed
SQLServerInfo.cs
toInfo.cs
.
v3.4
- Added impersonation support for
smb
module. - Added impersonation support for
info
module. - Added linked support for
info
module.