Incoming .NET SQLClient
2020-07-13 22:21:15 Author: fortynorthsecurity.com(查看原文) 阅读量:173 收藏

13 July 2020

The github repo for SQLClient is available here - https://github.com/FortyNorthSecurity/SqlClient

On an assume breach assessment, FortyNorth was able to successfully obtain a web.config file (always great to find this) and within the config file were database credentials. For this assessment, the team had a Cobalt Srike Beacon for controlling the compromised system. This lead us to wanting to find a tool we could used which could query the MSSQL database through Beacon's execute-assembly functionality.

While searching for this functionality, the only real existing utility we found was TrustedSec's QuickSQL tool. However this was written in Python and wouldn't have worked with execute-assembly. However, we found a blog post which showed how to remotely query a remote MSSQL database and find its version information in .NET. We used this code as the foundation for writing a .NET assembly which would allow anyone to remotely perform SQL queries against a MSSQL database. This lead us to writing SQLClient.exe which is now publicly available.

You can use SQLClient to connect to remote databases by providing multiple command line options.

SQLClient.exe CLI Arguments

If you provide the username, password, IP, and database name, you can easily query database tables from the command line.

Enumerate SQL Tables

When performing a standard SQL query to enumerate information within the "Login_info" table, you will receive the same results as if you used the SQL Management Studio.

CLI Results Compared to GUI

We were also able to accomplish the main goal of making this work within Cobalt Strike's execute-assembly.

Working within Beacon

We hope that this can give others an option to have a quick and easy to use MSSQL client without requiring to install a large application like SQL Server Management Studio or other applications which require a driver installation (and admin rights). If you have any questions, don't hesitate to reach out to us!


文章来源: https://fortynorthsecurity.com/blog/sql-client-post/
如有侵权请联系:admin#unsafe.sh