{"id":13542173,"url":"https://github.com/blackarrowsec/mssqlproxy","last_synced_at":"2025-04-04T16:15:49.129Z","repository":{"id":40312553,"uuid":"239964495","full_name":"blackarrowsec/mssqlproxy","owner":"blackarrowsec","description":"mssqlproxy is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse","archived":false,"fork":false,"pushed_at":"2021-02-16T20:13:04.000Z","size":184,"stargazers_count":737,"open_issues_count":1,"forks_count":114,"subscribers_count":17,"default_branch":"master","last_synced_at":"2025-03-28T15:08:40.539Z","etag":null,"topics":["lateral-movement","mssql","post-exploitation","proxy","security-tool"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/blackarrowsec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-02-12T08:44:28.000Z","updated_at":"2025-03-26T16:29:35.000Z","dependencies_parsed_at":"2022-07-15T21:00:58.538Z","dependency_job_id":null,"html_url":"https://github.com/blackarrowsec/mssqlproxy","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blackarrowsec%2Fmssqlproxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blackarrowsec%2Fmssqlproxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blackarrowsec%2Fmssqlproxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blackarrowsec%2Fmssqlproxy/manifests","owner_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/owners/blackarrowsec","download_url":"https://codeload.github.com/blackarrowsec/mssqlproxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247208178,"owners_count":20901570,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["lateral-movement","mssql","post-exploitation","proxy","security-tool"],"created_at":"2024-08-01T10:01:02.426Z","updated_at":"2025-04-04T16:15:49.109Z","avatar_url":"https://github.com/blackarrowsec.png","language":"Python","readme":"# mssqlproxy\r\n [![](https://img.shields.io/badge/Category-Lateral%20Movement-E5A505?style=flat-square)]() [![](https://img.shields.io/badge/Language-.NET%20%2f%20C%20%2f%20Python-E5A505?style=flat-square)]()\r\n\r\n\r\n\r\n**mssqlproxy** is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse. 
The client requires [impacket](https://github.com/SecureAuthCorp/impacket) and **sysadmin** privileges on the SQL server.\r\n\r\n\u003cp align=\"center\"\u003e\r\n  \u003cimg src=\"scenario.png\" width=\"720\" \u003e\r\n\u003c/p\u003e\r\n\r\n\r\nPlease read [this article](https://www.blackarrow.net/mssqlproxy-pivoting-clr/) carefully before continuing.\r\n\r\nIt consists of three parts:\r\n*  **CLR assembly**: Compile assembly.cs\r\n*  **Core DLL**: Compile reciclador.sln\r\n*  **Client**: mssqlclient.py (based on Impacket's example)\r\n\r\nYou can compile the libraries or download them from [releases](https://github.com/blackarrowsec/mssqlproxy/releases) (x64).\r\n\r\n\r\nCompilation\r\n------------\r\n\r\nTo generate the core DLL, just import the project to Visual Studio (reciclador.sln) and compile it.\r\n\r\nTo generate the CLR assembly, first you need to find the C# compiler:\r\n```powershell\r\nGet-ChildItem -Recurse \"C:\\Windows\\Microsoft.NET\\\" -Filter \"csc.exe\" | Sort-Object fullname -Descending | Select-Object fullname -First 1 -ExpandProperty fullname\r\n```\r\n\r\nThen,\r\n```powershell\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /target:library .\\assembly.cs\r\n```\r\n\r\n\r\nUsage\r\n------------\r\nOnce the two libraries are compiled, upload the core DLL (reciclador) to the target server.\r\n\r\nAuthentication options are the same as the ones in [the original mssqlclient](https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py). **mssqlproxy** options:\r\n\r\n```\r\nproxy mode:\r\n  -reciclador path      Remote path where DLL is stored in server\r\n  -install              Installs CLR assembly\r\n  -uninstall            Uninstalls CLR assembly\r\n  -check                Checks if CLR is ready\r\n  -start                Starts proxy\r\n  -local-port port      Local port to listen on\r\n  -clr local_path       Local CLR path\r\n  -no-check-src-port    Use this option when connection is not direct (e.g. 
proxy)\r\n```\r\n\r\nWe have also implemented two commands (within the SQL shell) for downloading and uploading files. For the proxy itself, there are four commands:\r\n\r\n* **install**: Creates the CLR assembly and links it to a stored procedure. You need to provide the `-clr` param to read the generated CLR from a local DLL file.\r\n* **uninstall**: Removes what **install** created.\r\n* **check**: Checks if everything is ready to start the proxy. Requires the server DLL location (`-reciclador`), which can be uploaded using the **upload** command.\r\n* **start**: Starts the proxy. If `-local-port` is not specified, it will listen on port 1337/tcp.\r\n\r\nOnce the proxy is started, you can plug in your proxychains ;)\r\n\r\n[![asciicast](https://asciinema.org/a/298949.svg)](https://asciinema.org/a/298949)\r\n\r\n**Note #1:** if using a non-direct connection (e.g. proxies in between), the `-no-check-src-port` flag is needed, so the server only checks the source address.\r\n\r\n**Note #2:** at the moment, only IPv4 targets are supported (neither DNS nor IPv6 addresses).\r\n\r\n**Note #3:** use carefully! For now, the MSSQL service will crash if you try to establish multiple concurrent connections.\r\n\r\n**Important:** It's important to stop the mssqlproxy by pressing Ctrl+C on the client. 
If not, the server may crash and you will have to restart the MSSQL service manually.\r\n\r\n\r\n\r\nAuthors\r\n---------------\r\nPablo Martinez ([@xassiz](https://twitter.com/xassiz)), Juan Manuel Fernandez ([@TheXC3LL](https://twitter.com/TheXC3LL)) [ [www.blackarrow.net](http://blackarrow.net/) - [www.tarlogic.com](https://www.tarlogic.com/en/) ]\r\n\r\n\r\nReferences\r\n---------------\r\n\r\n* https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-chong.pdf\r\n* https://blog.netspi.com/attacking-sql-server-clr-assemblies/\r\n* https://www.codeproject.com/Articles/27298/Dynamic-Invoke-C-DLL-function-in-C\r\n* https://x-c3ll.github.io/posts/Pivoting-MySQL-Proxy/\r\n* https://docs.microsoft.com/en-us/sql/ado/reference/ado-api/stream-object-ado\r\n* https://docs.microsoft.com/es-es/sql/t-sql/functions/openrowset-transact-sql\r\n\r\nLicense\r\n-------\r\n\r\nAll the code included in this project is licensed under the terms of the MIT license. The mssqlclient.py is based on [Impacket](https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py).\r\n\r\n#\r\n\r\n[![](https://img.shields.io/badge/www-blackarrow.net-E5A505?style=flat-square)](https://www.blackarrow.net) [![](https://img.shields.io/badge/twitter-@BlackArrowSec-00aced?style=flat-square\u0026logo=twitter\u0026logoColor=white)](https://twitter.com/BlackArrowSec) [![](https://img.shields.io/badge/linkedin-@BlackArrowSec-0084b4?style=flat-square\u0026logo=linkedin\u0026logoColor=white)](https://www.linkedin.com/company/blackarrowsec/)\r\n","funding_links":[],"categories":["Exploitation","Python (1887)","Python","Pentesting"],"sub_categories":["SQL Injection","Exploits"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblackarrowsec%2Fmssqlproxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fblackarrowsec%2Fmssqlproxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblackarrowsec%2Fmssqlproxy/lists"}