Roman/HackingScripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

xp cmd shell

Browse Source
This commit is contained in:
Roman Hergenreder 2023-10-22 15:01:35 +02:00
parent 29a3fd08d6
commit 577fa39263
2 changed files with 22 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
fileserver.py
View File

@ -50,6 +50,15 @@ class FileServerRequestHandler(BaseHTTPRequestHandler):
res = requests.request(method, target_rewrite, headers=self.headers, data=data) res = requests.request(method, target_rewrite, headers=self.headers, data=data)
return res.status_code, res.content, res.headers return res.status_code, res.content, res.headers
def read_body(self):
if not hasattr(self, "body"):
content_length = self.headers.get('Content-Length')
if content_length and int(content_length) > 0:
self.body = self.rfile.read(int(content_length))
else:
self.body = None
return self.body
def find_route(self, path): def find_route(self, path):
@ -111,14 +120,12 @@ class FileServerRequestHandler(BaseHTTPRequestHandler):
self.end_headers() self.end_headers()
if data and self.command.upper() not in ["HEAD","OPTIONS"]: if data and self.command.upper() not in ["HEAD","OPTIONS"]:
if isinstance(data, str):
data = data.encode()
self.wfile.write(data) self.wfile.write(data)
if (path in self.server.dumpRequests or "/" in self.server.dumpRequests) and path != "/dummy": if (path in self.server.dumpRequests or "/" in self.server.dumpRequests) and path != "/dummy":
content_length = self.headers.get('Content-Length') body = self.read_body()
body = None
if content_length and int(content_length) > 0:
body = self.rfile.read(int(content_length))
print("===== Connection from:",self.client_address[0]) print("===== Connection from:",self.client_address[0])
print("%s %s %s" % (self.command, self.path, self.request_version)) print("%s %s %s" % (self.command, self.path, self.request_version))

12
xp_cmdshell.py Normal file → Executable file
View File

@ -1,9 +1,11 @@
# /usr/bin/env python3 #!/usr/bin/env python3
# interactive xp_cmdshell # interactive xp_cmdshell
# with impacket and cmd # with impacket and cmd
# used https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py for reference # used https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py for reference
import base64 import base64
import cmd import cmd
import argparse
from impacket import tds from impacket import tds
@ -163,8 +165,14 @@ if __name__ == '__main__':
# if len(sys.argv) > 1 and sys.argv[1] == '-powershell': # if len(sys.argv) > 1 and sys.argv[1] == '-powershell':
# pwsh = True # pwsh = True
parser = argparse.ArgumentParser(description="Connect to mssql server using username, password, and hostname.")
parser.add_argument('-u', '--username', required=True, help="Username for the server")
parser.add_argument('-p', '--password', required=True, help="Password for the server")
parser.add_argument('-H', '--hostname', required=True, help="Hostname or IP address of the server")
args = parser.parse_args()
# if connection successful # if connection successful
xp_shell = connect_mssql("teignton.htb", username="webappusr", password="d65f4sd5f1s!df1fsd65f1sd") xp_shell = connect_mssql(args.hostname, username=args.username, password=args.password)
if isinstance(xp_shell, XpShell): if isinstance(xp_shell, XpShell):
xp_shell.do_enable_xp_cmdshell() xp_shell.do_enable_xp_cmdshell()
xp_shell.pwsh = True xp_shell.pwsh = True