

* Enhanced MSSQLShell in NTLMRelayX leveraging TcpShell (as in SMB and LDAP)
gabrielg5 committed Sep 12, 2023
1 parent 3f64510 commit cc5a74c
Showing 2 changed files with 31 additions and 6 deletions.
17 changes: 15 additions & 2 deletions impacket/examples/mssqlshell.py
Expand Up @@ -19,11 +19,22 @@

import os
import cmd
import sys


class SQLSHELL(cmd.Cmd):
def __init__(self, SQL, show_queries=False):
cmd.Cmd.__init__(self)
def __init__(self, SQL, show_queries=False, tcpShell=None):
if tcpShell is not None:
cmd.Cmd.__init__(self, stdin=tcpShell.stdin, stdout=tcpShell.stdout)
sys.stdout = tcpShell.stdout
sys.stdin = tcpShell.stdin
sys.stderr = tcpShell.stdout
self.use_rawinput = False
self.shell = tcpShell
else:
cmd.Cmd.__init__(self)
self.shell = None

self.sql = SQL
self.show_queries = show_queries
self.at = []
Expand Down Expand Up @@ -256,4 +267,6 @@ def emptyline(self):
pass

def do_exit(self, line):
if self.shell is not None:
self.shell.close()
return True
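Review bot: The tcpShell branch of `__init__` in the first hunk rebinds `sys.stdin`, `sys.stdout` and `sys.stderr` for the whole process and nothing ever restores them; `do_exit` closes the shell but leaves the three module globals pointing at its streams, so any later write to stdout or stderr from elsewhere in the relay process hits a closed socket file, and until then every print and traceback in the process, not just this shell's output, is delivered to whatever is attached to the TcpShell. Passing `stdin=`/`stdout=` to `cmd.Cmd.__init__` together with `use_rawinput = False` already routes the command loop itself through the shell, so the global rebinding is presumably only there for bare `print()` calls in the rest of the class, which is not visible in this hunk. At minimum keep the originals and put them back: inside the tcpShell branch of `__init__` add `self._saved_std = (sys.stdin, sys.stdout, sys.stderr)` before the reassignments, and in `do_exit` add `sys.stdin, sys.stdout, sys.stderr = self._saved_std` before `self.shell.close()`. `__init__` continues past the end of the first hunk.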
20 changes: 16 additions & 4 deletions impacket/examples/ntlmrelayx/attacks/mssqlattack.py
Expand Up @@ -18,22 +18,34 @@
from impacket import LOG
from impacket.examples.mssqlshell import SQLSHELL
from impacket.examples.ntlmrelayx.attacks import ProtocolAttack
from impacket.examples.ntlmrelayx.utils.tcpshell import TcpShell

PROTOCOL_ATTACK_CLASS = "MSSQLAttack"

class MSSQLAttack(ProtocolAttack):
PLUGIN_NAMES = ["MSSQL"]
def __init__(self, config, MSSQLclient, username):
ProtocolAttack.__init__(self, config, MSSQLclient, username)
if self.config.interactive:
# Launch locally listening interactive shell.
self.tcp_shell = TcpShell()

def run(self):
if self.config.interactive:
if self.tcp_shell is not None:
LOG.info('Started interactive MSSQL shell via TCP on 127.0.0.1:%d' % self.tcp_shell.port)
# Start listening and launch interactive shell.
self.tcp_shell.listen()
mssql_shell = SQLSHELL(self.client, tcpShell=self.tcp_shell)
mssql_shell.cmdloop()
return

if self.config.queries is not None:
for query in self.config.queries:
LOG.info('Executing SQL: %s' % query)
self.client.sql_query(query)
self.client.printReplies()
self.client.printRows()
elif self.config.interactive is True:
shell = SQLSHELL(self.client)
shell.cmdloop()
return
else:
LOG.error('No SQL queries specified for MSSQL relay!')
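Review bot: `self.tcp_shell` is only assigned inside the `if self.config.interactive:` branch of the new `__init__`, so on a non-interactive instance the attribute does not exist at all; `run` happens not to read it in that case, but the `is not None` test in `run` is then guarding an attribute that was never set rather than a `None`, and any other reader of `self.tcp_shell` would raise AttributeError. Initialise it unconditionally with `self.tcp_shell = None` directly after the `ProtocolAttack.__init__` call so the check in `run` means what it says. The log line also hard-codes `127.0.0.1` while the bind address is decided inside TcpShell, which is not visible here; if the listener is ever configured differently the message becomes misleading, so it is worth taking the address from the shell object if it exposes one.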

