33 File: PowerUpSQL.ps1
44 Author: Scott Sutherland (@_nullbind), NetSPI - 2016
55 Major Contributors: Antti Rantasaari and Eric Gruber
6- Version: 1.103.3
6+ Version: 1.103.7
77 Description: PowerUpSQL is a PowerShell toolkit for attacking SQL Server.
88 License: BSD 3-Clause
99 Required Dependencies: PowerShell v.2
1313#########################################################################
1414#
1515#region CORE FUNCTIONS
16- #h
16+ #
1717#########################################################################
1818
1919# ----------------------------------
2323# Reference: https://msdn.microsoft.com/en-us/library/ms188247.aspx
2424# Reference: https://raw.githubusercontent.com/sqlcollaborative/dbatools/master/functions/SharedFunctions.ps1
2525# Reference: https://blogs.msdn.microsoft.com/spike/2008/11/14/connectionstrings-mixing-usernames-and-windows-authentication-who-goes-first/
26- Function Get-SQLConnectionObject
26+ Function Get-SQLConnectionObject
2727{
2828 <#
2929 .SYNOPSIS
@@ -36,24 +36,30 @@ Function Get-SQLConnectionObject
3636 SQL Server credential.
3737 .PARAMETER Database
3838 Default database to connect to.
39+ .PARAMETER AppName
40+ Spoof the name of the application you are connecting to SQL Server with.
41+ .PARAMETER Encrypt
42+ Use an encrypted connection.
43+ .PARAMETER TrustServerCert
44+ Trust the certificate of the remote server.
3945 .EXAMPLE
40- PS C:\> Get-SQLConnectionObject -Username MySQLUser -Password MySQLPassword
41-
46+ PS C:\> Get-SQLConnectionObject -Username myuser -Password mypass -Instance server1 -Encrypt Yes -TrustServerCert Yes -AppName "myapp"
4247 StatisticsEnabled : False
43- AccessToken :
44- ConnectionString : Server=SQLServer1;Database=Master;User ID=MySQLUser;Password=MySQLPassword;Connection Timeout=1
48+ AccessToken :
49+ ConnectionString : Server=server1;Database=Master;User ID=myuser;Password=mypass;Connection Timeout=1 ;Application
50+ Name="myapp";Encrypt=Yes;TrustServerCertificate=Yes
4551 ConnectionTimeout : 1
4652 Database : Master
47- DataSource : SQLServer1
53+ DataSource : server1
4854 PacketSize : 8000
4955 ClientConnectionId : 00000000-0000-0000-0000-000000000000
50- ServerVersion :
56+ ServerVersion :
5157 State : Closed
52- WorkstationId : SQLServer1
53- Credential :
58+ WorkstationId : Workstation1
59+ Credential :
5460 FireInfoMessageEventOnUserErrors : False
55- Site :
56- Container :
61+ Site :
62+ Container :
5763 #>
5864 [CmdletBinding()]
5965 Param(
@@ -83,6 +89,20 @@ Function Get-SQLConnectionObject
8389 HelpMessage = 'Default database to connect to.')]
8490 [String]$Database,
8591
92+ [Parameter(Mandatory = $false,
93+ HelpMessage = 'Spoof the name of the application your connecting to the server with.')]
94+ [string]$AppName = "",
95+
96+ [Parameter(Mandatory = $false,
97+ HelpMessage = 'Use an encrypted connection.')]
98+ [ValidateSet("Yes","No","")]
99+ [string]$Encrypt = "",
100+
101+ [Parameter(Mandatory = $false,
102+ HelpMessage = 'Trust the certificate of the remote server.')]
103+ [ValidateSet("Yes","No","")]
104+ [string]$TrustServerCert = "",
105+
86106 [Parameter(Mandatory = $false,
87107 HelpMessage = 'Connection timeout.')]
88108 [string]$TimeOut = 1
@@ -105,6 +125,27 @@ Function Get-SQLConnectionObject
105125 {
106126 $Database = 'Master'
107127 }
128+
129+ # Check if appname was provided
130+ if($AppName){
131+ $AppNameString = ";Application Name=`"$AppName`""
132+ }else{
133+ $AppNameString = ""
134+ }
135+
136+ # Check if encrypt was provided
137+ if($Encrypt){
138+ $EncryptString = ";Encrypt=Yes"
139+ }else{
140+ $EncryptString = ""
141+ }
142+
143+ # Check TrustServerCert was provided
144+ if($TrustServerCert){
145+ $TrustCertString = ";TrustServerCertificate=Yes"
146+ }else{
147+ $TrustCertString = ""
148+ }
108149 }
109150
110151 Process
@@ -125,15 +166,15 @@ Function Get-SQLConnectionObject
125166 $AuthenticationType = "Current Windows Credentials"
126167
127168 # Set connection string
128- $Connection.ConnectionString = "Server=$DacConn$Instance;Database=$Database;Integrated Security=SSPI;Connection Timeout=1"
169+ $Connection.ConnectionString = "Server=$DacConn$Instance;Database=$Database;Integrated Security=SSPI;Connection Timeout=1 $AppNameString $EncryptString $TrustCertString "
129170 }
130171
131172 # Set authentcation type - provided windows user
132173 if ($username -like "*\*"){
133174 $AuthenticationType = "Provided Windows Credentials"
134175
135176 # Setup connection string
136- $Connection.ConnectionString = "Server=$DacConn$Instance;Database=$Database;Integrated Security=SSPI;uid=$Username;pwd=$Password;Connection Timeout=$TimeOut"
177+ $Connection.ConnectionString = "Server=$DacConn$Instance;Database=$Database;Integrated Security=SSPI;uid=$Username;pwd=$Password;Connection Timeout=$TimeOut$AppNameString$EncryptString$TrustCertString "
137178 }
138179
139180 # Set authentcation type - provided sql login
@@ -143,7 +184,7 @@ Function Get-SQLConnectionObject
143184 $AuthenticationType = "Provided SQL Login"
144185
145186 # Setup connection string
146- $Connection.ConnectionString = "Server=$DacConn$Instance;Database=$Database;User ID=$Username;Password=$Password;Connection Timeout=$TimeOut"
187+ $Connection.ConnectionString = "Server=$DacConn$Instance;Database=$Database;User ID=$Username;Password=$Password;Connection Timeout=$TimeOut $AppNameString$EncryptString$TrustCertString "
147188 }
148189
149190 # Return the connection object
@@ -482,11 +523,11 @@ Function Get-SQLConnectionTestThreaded
482523# Get-SQLQuery
483524# ----------------------------------
484525# Author: Scott Sutherland
485- Function Get-SQLQuery
526+ Function Get-SQLQuery
486527{
487528 <#
488529 .SYNOPSIS
489- Executes a query on target SQL servers.This
530+ Executes a query on target SQL servers.
490531 .PARAMETER Username
491532 SQL Server or domain account to authenticate with.
492533 .PARAMETER Password
@@ -507,6 +548,12 @@ Function Get-SQLQuery
507548 Number of concurrent threads.
508549 .PARAMETER Query
509550 Query to be executed on the SQL Server.
551+ .PARAMETER AppName
552+ Spoof the name of the application you are connecting to SQL Server with.
553+ .PARAMETER Encrypt
554+ Use an encrypted connection.
555+ .PARAMETER TrustServerCert
556+ Trust the certificate of the remote server.
510557 .EXAMPLE
511558 PS C:\> Get-SQLQuery -Verbose -Instance "SQLSERVER1.domain.com\SQLExpress" -Query "Select @@version" -Threads 15
512559 .EXAMPLE
@@ -557,6 +604,20 @@ Function Get-SQLQuery
557604 HelpMessage = 'Suppress verbose errors. Used when function is wrapped.')]
558605 [switch]$SuppressVerbose,
559606
607+ [Parameter(Mandatory = $false,
608+ HelpMessage = 'Spoof the name of the application your connecting to the server with.')]
609+ [string]$AppName = "",
610+
611+ [Parameter(Mandatory = $false,
612+ HelpMessage = 'Use an encrypted connection.')]
613+ [ValidateSet("Yes","No","")]
614+ [string]$Encrypt = "",
615+
616+ [Parameter(Mandatory = $false,
617+ HelpMessage = 'Trust the certificate of the remote server.')]
618+ [ValidateSet("Yes","No","")]
619+ [string]$TrustServerCert = "",
620+
560621 [Parameter(Mandatory = $false,
561622 HelpMessage = 'Return error message if exists.')]
562623 [switch]$ReturnError
@@ -574,12 +635,12 @@ Function Get-SQLQuery
574635 if($DAC)
575636 {
576637 # Create connection object
577- $Connection = Get-SQLConnectionObject -Instance $Instance -Username $Username -Password $Password -Credential $Credential -TimeOut $TimeOut -DAC -Database $Database
638+ $Connection = Get-SQLConnectionObject -Instance $Instance -Username $Username -Password $Password -Credential $Credential -TimeOut $TimeOut -DAC -Database $Database -AppName $AppName -Encrypt $Encrypt -TrustServerCert $TrustServerCert
578639 }
579640 else
580641 {
581642 # Create connection object
582- $Connection = Get-SQLConnectionObject -Instance $Instance -Username $Username -Password $Password -Credential $Credential -TimeOut $TimeOut -Database $Database
643+ $Connection = Get-SQLConnectionObject -Instance $Instance -Username $Username -Password $Password -Credential $Credential -TimeOut $TimeOut -Database $Database -AppName $AppName -Encrypt $Encrypt -TrustServerCert $TrustServerCert
583644 }
584645
585646 # Parse SQL Server instance name
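Review bot: In the Begin-block hunk of Get-SQLConnectionObject, `-Encrypt No` and `-TrustServerCert No` are turned into `Encrypt=Yes` and `TrustServerCertificate=Yes`, because `if($Encrypt)` and `if($TrustServerCert)` only test that the string is non-empty and the literal "Yes" is then hard-coded; the ValidateSet explicitly admits "No", so a caller asking for a plaintext connection, or declining to trust an unvalidated server certificate, silently gets the opposite, and for TrustServerCertificate that means certificate validation on the encrypted channel is switched off without the operator knowing. Compare the value instead: `if($Encrypt -eq "Yes"){ $EncryptString = ";Encrypt=Yes" }` and `if($TrustServerCert -eq "Yes"){ $TrustCertString = ";TrustServerCertificate=Yes" }`, or emit `=No` explicitly when "No" is passed so the intent is visible in the resulting ConnectionString. The Begin block holding these checks starts above the hunk. Separately, the rewritten current-Windows-credentials line still hard-codes `Connection Timeout=1` while the other two branches use `$TimeOut`; this looks pre-existing, but since the line is being touched it would be worth making it `Connection Timeout=$TimeOut` so all three branches honour the parameter.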