NetSPI / PowerUpSQL

PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server

Added Invoke-SQLDownloadFile and Invoke-SQLUploadFileOle functions #55

Closed mgeeky closed 4 years ago

mgeeky commented 4 years ago

Hi there,

I've added two handy functions for file upload via Ole Automation Stored Procedures (instantiating ADODB.Stream ActiveX OLE) and file download using OPENROWSET with BULK option.

The ideas came from this article: Lateral movement via MSSQL and did the trick for me for uploading & downloading files while I was on the assessment.

Found some spare time to implement these primitives into PowerUpSQL as well. Hope I followed the code etiquette you have there :-)

PS> Invoke-SQLUploadFileOle -Verbose -Instance DEVSRV -InputFile C:\windows\win.ini -OutputFile C:\Users\Public\win.ini
VERBOSE: Creating runspace pool and session states
VERBOSE: DEVSRV : Connection Success.
VERBOSE: DEVSRV : You are a sysadmin.
VERBOSE: DEVSRV : Show Advanced Options is already enabled.
VERBOSE: DEVSRV : Ole Automation Procedures are already enabled.
VERBOSE: DEVSRV : Reading input file: C:\windows\win.ini
VERBOSE: DEVSRV : Uploading 92 bytes to: C:\Users\Public\win.ini
VERBOSE: DEVSRV : Checking if file was uploaded correctly...
VERBOSE: DEVSRV : Success. File uploaded.
VERBOSE: Closing the runspace pool

ComputerName Instance UploadResults
------------ -------- -------------
DEVSRV       DEVSRV   True         

PS> Invoke-SQLDownloadFile -Verbose -Instance DEVSRV -SourceFile C:\Windows\win.ini -OutputFile C:\Users\Public\win.ini
VERBOSE: Creating runspace pool and session states
VERBOSE: DEVSRV : Connection Success.
VERBOSE: DEVSRV : File exists. Attempting to download: C:\Windows\win.ini
VERBOSE: DEVSRV : Downloaded. Writing 92 to C:\Users\Public\win.ini...
VERBOSE: Closing the runspace pool

ComputerName Instance DownloadResults
------------ -------- ---------------
DEVSRV       DEVSRV   True           

Best regards, Mariusz B.
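As an added defender-side check (not part of PowerUpSQL or this PR), the script below queries an instance for the two prerequisites these primitives rely on: the 'Ole Automation Procedures' option for the ADODB.Stream upload path, and the ADMINISTER BULK OPERATIONS permission that OPENROWSET(BULK ...) requires for the download path. It assumes Windows authentication and reuses the PR's DEVSRV instance name as a placeholder.

```powershell
# Added example, not PowerUpSQL code: report whether an instance exposes the
# OLE Automation upload and OPENROWSET(BULK) download paths described above.
function Get-SqlFileTransferExposure {
    param([Parameter(Mandatory)][string]$Instance)

    # First result set: the two sp_configure options the OLE path depends on.
    # Second result set: explicit ADMINISTER BULK OPERATIONS grants. Note that
    # sysadmin members hold this permission implicitly and will NOT appear here.
    $query = @"
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'Ole Automation Procedures');
SELECT pr.name AS principal_name, pe.state_desc
FROM sys.server_permissions pe
JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id
WHERE pe.permission_name = 'ADMINISTER BULK OPERATIONS';
"@

    $conn    = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=SSPI;")
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($query, $conn)
    $ds      = New-Object System.Data.DataSet
    [void]$adapter.Fill($ds)   # Fill() opens and closes the connection for us

    $cfg = @{}
    foreach ($row in $ds.Tables[0].Rows) { $cfg[$row.name] = [int]$row.value_in_use }
    $bulkGrantees = @($ds.Tables[1].Rows | ForEach-Object { "$($_.principal_name) ($($_.state_desc))" })

    $oleEnabled = ($cfg['Ole Automation Procedures'] -eq 1)
    $recommendation = if ($oleEnabled) {
        "Disable unless required: EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;"
    } else {
        'OLE Automation Procedures already disabled'
    }

    [pscustomobject]@{
        Instance              = $Instance
        OleAutomationEnabled  = $oleEnabled
        AdvancedOptionsShown  = ($cfg['show advanced options'] -eq 1)
        BulkOperationGrantees = $bulkGrantees   # review each explicit grant
        Recommendation        = $recommendation
    }
}

# Placeholder instance name taken from the PR transcript above.
Get-SqlFileTransferExposure -Instance 'DEVSRV' | Format-List
```

Because sysadmin logins satisfy both paths regardless of these grants, pair this check with a review of sysadmin role membership on the same instance.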

nullbind commented 4 years ago

Awesome! Can’t wait to sit down and test it out! Thanks for taking the time. I’ll hit you back once I roll it in. Hopefully this week I’ll have a little time to work on my pull request back log :)

nullbind commented 4 years ago

I finally got this rolled in. Thank you again for the contribution. Very much appreciated. Happy Hacking! :)

mgeeky commented 4 years ago

Thank you @nullbind for your time reviewing this PR. Was wondering, do you think we should strive to make these two functions support multiple MSSQL servers as fed from pipeline? I never tested them on more than one server in a row to be honest. The upload one should be already kinda working as it does not require path mangling, but the download one could use some reworking of the download path generation logic. What do you think?

By the way - my twitter handle is @mariuszbit :-)

nullbind commented 4 years ago

Yeah, I think it’s definitely possible. The functions may just need a little tweaking. Also, thanks for the twitter handle, I’ll make sure to update it in the contributions/ code refs.