|
3 | 3 | File: PowerUpSQL.ps1 |
4 | 4 | Author: Scott Sutherland (@_nullbind), NetSPI - 2016 |
5 | 5 | Major Contributors: Antti Rantasaari and Eric Gruber |
6 | | - Version: 1.87.111 |
| 6 | + Version: 1.87.112 |
7 | 7 | Description: PowerUpSQL is a PowerShell toolkit for attacking SQL Server. |
8 | 8 | License: BSD 3-Clause |
9 | 9 | Required Dependencies: PowerShell v.2 |
@@ -7311,14 +7311,6 @@ Function Get-SQLDomainUser |
7311 | 7311 | # Create data tables for output |
7312 | 7312 | $TblResults = New-Object -TypeName System.Data.DataTable |
7313 | 7313 | $TblDomainUsers = New-Object -TypeName System.Data.DataTable |
7314 | | - $null = $TblDomainUsers.Columns.Add('ComputerName') |
7315 | | - $null = $TblDomainUsers.Columns.Add('Instance') |
7316 | | - $null = $TblDomainUsers.Columns.Add('SamAccountName') |
7317 | | - $null = $TblDomainUsers.Columns.Add('Name') |
7318 | | - $null = $TblDomainUsers.Columns.Add('admincount') |
7319 | | - $null = $TblDomainUsers.Columns.Add('whencreated') |
7320 | | - $null = $TblDomainUsers.Columns.Add('whenchanged') |
7321 | | - $null = $TblDomainUsers.Columns.Add('AdsPath') |
7322 | 7314 |
|
7323 | 7315 | # Setup data table for pipeline threading |
7324 | 7316 | $PipelineItems = New-Object -TypeName System.Data.DataTable |
@@ -7351,262 +7343,23 @@ Function Get-SQLDomainUser |
7351 | 7343 | { |
7352 | 7344 | # Define code to be multi-threaded |
7353 | 7345 | $MyScriptBlock = { |
| 7346 | + |
7354 | 7347 | # Set instance |
7355 | 7348 | $Instance = $_.Instance |
7356 | 7349 |
|
7357 | 7350 | # Parse computer name from the instance |
7358 | | - $ComputerName = Get-ComputerNameFromInstance -Instance $Instance |
7359 | | - |
7360 | | - # Test connection to instance |
7361 | | - $TestConnection = Get-SQLConnectionTest -Instance $Instance -Username $Username -Password $Password -Credential $Credential -SuppressVerbose | Where-Object -FilterScript { |
7362 | | - $_.Status -eq 'Accessible' |
7363 | | - } |
7364 | | - if($TestConnection) |
7365 | | - { |
7366 | | - if( -not $SuppressVerbose) |
7367 | | - { |
7368 | | - Write-Verbose -Message "$Instance : Connection Success." |
7369 | | - } |
7370 | | - } |
7371 | | - else |
7372 | | - { |
7373 | | - if( -not $SuppressVerbose) |
7374 | | - { |
7375 | | - Write-Verbose -Message "$Instance : Connection Failed." |
7376 | | - } |
7377 | | - return |
7378 | | - } |
7379 | | - |
7380 | | - # Check sysadmin |
7381 | | - $ServerInfo = Get-SQLServerInfo -Instance $Instance -Username $Username -Password $Password -Credential $Credential -SuppressVerbose |
7382 | | - $DomainName = $ServerInfo.DomainName |
7383 | | - $IsSysadmin = $ServerInfo.IsSysadmin |
7384 | | - |
7385 | | - If (-not($SuppressVerbose)){ |
7386 | | - Write-Verbose -Message "$Instance : Domain:$DomainName" |
7387 | | - } |
7388 | | - |
7389 | | - if($IsSysadmin -eq "No") |
7390 | | - { |
7391 | | - If (-not($SuppressVerbose)){ |
7392 | | - Write-Verbose -Message "$Instance : This command requires sysadmin privileges. Exiting." |
7393 | | - } |
7394 | | - return |
7395 | | - }else{ |
7396 | | - |
7397 | | - If (-not($SuppressVerbose)){ |
7398 | | - Write-Verbose -Message "$Instance : You have sysadmin privileges." |
7399 | | - } |
7400 | | - } |
7401 | | - |
7402 | | - # Check if adsi is installed and enabled |
7403 | | - #- get-sqloledbprovider where providername -eq ADSDSOObject |
7404 | | - |
7405 | | - # Determine query type |
7406 | | - if($UseAdHoc){ |
7407 | | - If (-not($SuppressVerbose)){ |
7408 | | - Write-Verbose -Message "$Instance : Executing in AdHoc mode using OpenRowSet." |
7409 | | - } |
7410 | | - }else{ |
7411 | | - If (-not($SuppressVerbose)){ |
7412 | | - Write-Verbose -Message "$Instance : Executing in Link mode using OpenQuery." |
7413 | | - } |
7414 | | - } |
7415 | | - |
7416 | | - # Create ADSI Link (if link) |
7417 | | - if(-not $UseAdHoc){ |
7418 | | - |
7419 | | - # ---------------------------------- |
7420 | | - # Creaet ADSI SQL Server Link |
7421 | | - # ---------------------------------- |
7422 | | - |
7423 | | - # Create Random Name |
7424 | | - $RandomLinkName = (-join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_})) |
7425 | | - |
7426 | | - # Status user |
7427 | | - If (-not($SuppressVerbose)){ |
7428 | | - Write-Verbose -Message "$Instance : Creating ADSI SQL Server link named $RandomLinkName." |
7429 | | - } |
7430 | | - |
7431 | | - # Create Link |
7432 | | - $QueryCreateLink = " |
7433 | | - |
7434 | | - -- Create SQL Server link to ADSI |
7435 | | - IF (SELECT count(*) FROM master..sysservers WHERE srvname = '$RandomLinkName') = 0 |
7436 | | - EXEC master.dbo.sp_addlinkedserver @server = N'$RandomLinkName', |
7437 | | - @srvproduct=N'Active Directory Service Interfaces', |
7438 | | - @provider=N'ADSDSOObject', |
7439 | | - @datasrc=N'adsdatasource' |
7440 | | - |
7441 | | - ELSE |
7442 | | - SELECT 'The target SQL Server link already exists.'" |
7443 | | - |
7444 | | - |
7445 | | - # Run query to create link |
7446 | | - $QueryCreateLinkResults = Get-SQLQuery -Instance $Instance -Query $QueryCreateLink -Username $Username -Password $Password -Credential $Credential -ReturnError |
7447 | | - |
7448 | | - # ---------------------------------- |
7449 | | - # Associate Login with Link |
7450 | | - # ---------------------------------- |
7451 | | - |
7452 | | - # Associate Login with the link |
7453 | | - if(($LinkUsername) -and ($LinkPassword)){ |
7454 | | - |
7455 | | - # Status user |
7456 | | - If (-not($SuppressVerbose)){ |
7457 | | - Write-Verbose -Message "$Instance : Associating login '$LinkUsername' with ADSI SQL Server link named $RandomLinkName." |
7458 | | - } |
7459 | | - |
7460 | | - $QueryAssociateLogin = " |
7461 | | - |
7462 | | - EXEC sp_addlinkedsrvlogin |
7463 | | - @rmtsrvname=N'$RandomLinkName', |
7464 | | - @useself=N'False', |
7465 | | - @locallogin=NULL, |
7466 | | - @rmtuser=N'$LinkUsername', |
7467 | | - @rmtpassword=N'$LinkPassword'" |
7468 | | - |
7469 | | - }else{ |
7470 | | - |
7471 | | - # Status user |
7472 | | - If (-not($SuppressVerbose)){ |
7473 | | - Write-Verbose -Message "$Instance : Associating current login with ADSI SQL Server link named $RandomLinkName." |
7474 | | - } |
7475 | | - |
7476 | | - $QueryAssociateLogin = " |
7477 | | - -- Current User Context |
7478 | | - -- Notes: testing tbd, sql login (non sysadmin), sql login (sysadmin), windows login (nonsysadmin), windows login (sysadmin), - test passthru and provided creds |
7479 | | - EXEC sp_addlinkedsrvlogin |
7480 | | - @rmtsrvname=N'$RandomLinkName', |
7481 | | - @useself=N'True', |
7482 | | - @locallogin=NULL, |
7483 | | - @rmtuser=NULL, |
7484 | | - @rmtpassword=NULL" |
7485 | | - } |
7486 | | - |
7487 | | - # Run query to associate login with link |
7488 | | - Get-SQLQuery -Instance $Instance -Query $QueryAssociateLogin -Username $Username -Password $Password -Credential $Credential -SuppressVerbose |
7489 | | - |
7490 | | - } |
7491 | | - |
7492 | | - # Enable AdHoc Queries (if adhoc and required) |
7493 | | - if($UseAdHoc){ |
7494 | | - |
7495 | | - # Get current state |
7496 | | - $Original_State_ShowAdv = Get-SQLQuery -Instance $Instance -Query "SELECT value_in_use FROM master.sys.configurations WHERE name like 'show advanced options'" -Username $Username -Password $Password -Credential $Credential -SuppressVerbose | Select-Object value_in_use -ExpandProperty value_in_use |
7497 | | - $Original_State_AdHocQuery = Get-SQLQuery -Instance $Instance -Query "SELECT value_in_use FROM master.sys.configurations WHERE name like 'Ad Hoc Distributed Queries'" -Username $Username -Password $Password -Credential $Credential -SuppressVerbose | Select-Object value_in_use -ExpandProperty value_in_use |
7498 | | - |
7499 | | - # Enabled show advnaced options |
7500 | | - if($Original_State_ShowAdv -eq 0){ |
7501 | | - |
7502 | | - # Execute Query |
7503 | | - Get-SQLQuery -Instance $Instance -Query "sp_configure 'Show Advanced Options',1;RECONFIGURE" -Username $Username -Password $Password -Credential $Credential -SuppressVerbose |
7504 | | - |
7505 | | - # Status user |
7506 | | - If (-not($SuppressVerbose)){ |
7507 | | - Write-Verbose -Message "$Instance : Enabled 'Show Advanced Options'" |
7508 | | - } |
7509 | | - } |
7510 | | - |
7511 | | - if($Original_State_AdHocQuery -eq 0){ |
7512 | | - |
7513 | | - # Execute Query |
7514 | | - Get-SQLQuery -Instance $Instance -Query "sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE" -Username $Username -Password $Password -Credential $Credential -SuppressVerbose |
7515 | | - |
7516 | | - # Status user |
7517 | | - If (-not($SuppressVerbose)){ |
7518 | | - Write-Verbose -Message "$Instance : Enabled 'Ad Hoc Distributed Queries'" |
7519 | | - } |
7520 | | - } |
7521 | | - } |
7522 | | - |
7523 | | - # SetUp Query |
7524 | | - if($UseAdHoc){ |
7525 | | - |
7526 | | - # Define adhoc query auth |
7527 | | - if(($LinkUsername) -and ($LinkPassword)){ |
7528 | | - $AdHocAuth = "User ID=$LinkUsername; Password=$LinkPassword;" |
7529 | | - }else{ |
7530 | | - $AdHocAuth = "adsdatasource" |
7531 | | - } |
7532 | | - |
7533 | | - # Define adhoc query |
7534 | | - $Query = " |
7535 | | - -- Run with credential in syntax option 1 - works as sa |
7536 | | - SELECT * |
7537 | | - FROM OPENROWSET('ADSDSOOBJECT','$AdHocAuth','SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath |
7538 | | - FROM ''LDAP://$DomainName'' |
7539 | | - WHERE objectClass = ''User'' ')" |
7540 | | - }else{ |
7541 | | - |
7542 | | - # Define link query |
7543 | | - # $QueryTemplateLink = SELECT * FROM OpenQuery($RandomLinkName,'<LDAP://$DomainName>;(&(objectCategory=Person)(objectClass=user));samaccountname,name,admincount,whencreated,whenchanged,adspath;subtree') |
7544 | | - $Query = "SELECT * FROM OpenQuery($RandomLinkName, 'SELECT samaccountname,name,admincount,whencreated,whenchanged,AdsPath FROM ''LDAP://$DomainName'' WHERE objectClass = ''User'' AND objectCategory = ''Person'' ') AS tblADSI" |
7545 | | - } |
| 7351 | + $ComputerName = Get-ComputerNameFromInstance -Instance $Instance |
7546 | 7352 |
|
7547 | | - # Display TSQL Query |
7548 | | - # Write-verbose "Query: $Query" |
7549 | | - |
7550 | | - # Status user |
7551 | | - If (-not($SuppressVerbose)){ |
7552 | | - Write-Verbose -Message "$Instance : Grabbing list of domain users from ADS using ADSI OLEDB..." |
7553 | | - } |
7554 | | - |
7555 | | - # Execute Query |
7556 | | - $TblResults = Get-SQLQuery -Instance $Instance -Query $Query -Username $Username -Password $Password -Credential $Credential |
7557 | | - |
7558 | | - # Append results for pipeline items |
7559 | | - $TblResults | |
7560 | | - ForEach-Object -Process { |
7561 | | - |
7562 | | - # Add record to master table |
7563 | | - $null = $TblDomainUsers.Rows.Add( |
7564 | | - $ComputerName, |
7565 | | - $Instance, |
7566 | | - $_.SamAccountName, |
7567 | | - $_.Name, |
7568 | | - $_.admincount, |
7569 | | - $_.whencreated, |
7570 | | - $_.whenchanged, |
7571 | | - $_.AdsPath) |
7572 | | - } |
7573 | | - |
7574 | | - # Remove ADSI Link (if Link) |
7575 | | - if(-not $UseAdHoc){ |
7576 | | - |
7577 | | - # Status user |
7578 | | - If (-not($SuppressVerbose)){ |
7579 | | - Write-Verbose -Message "$Instance : Removing ADSI SQL Server link named $RandomLinkName" |
7580 | | - } |
7581 | | - |
7582 | | - # Setup query to remove link |
7583 | | - $RemoveLinkQuery = "EXEC master.dbo.sp_dropserver @server=N'$RandomLinkName', @droplogins='droplogins'" |
7584 | | - |
7585 | | - # Run query to remove link |
7586 | | - $RemoveLinkQueryResults = Get-SQLQuery -Instance $Instance -Query $RemoveLinkQuery -Username $Username -Password $Password -Credential $Credential -SuppressVerbose |
7587 | | - } |
7588 | | - |
7589 | | - # Restore AdHoc State (if adhoc) |
| 7353 | + # Call Get-SQLDomainObject |
7590 | 7354 | if($UseAdHoc){ |
7591 | | - |
7592 | | - # Status user |
7593 | | - If (-not($SuppressVerbose)){ |
7594 | | - Write-Verbose -Message "$Instance : Restoring AdHoc settings if needed." |
7595 | | - } |
7596 | | - |
7597 | | - # Restore ad hoc queries |
7598 | | - Get-SQLQuery -Instance $Instance -Query "sp_configure 'Ad Hoc Distributed Queries',$Original_State_AdHocQuery;RECONFIGURE" -Username $Username -Password $Password -Credential $Credential -SuppressVerbose |
7599 | | - |
7600 | | - # Restore Show advanced options |
7601 | | - Get-SQLQuery -Instance $Instance -Query "sp_configure 'Show Advanced Options',$Original_State_ShowAdv;RECONFIGURE" -Username $Username -Password $Password -Credential $Credential -SuppressVerbose |
| 7355 | + Get-SQLDomainObject -Verbose -Instance $Instance -Username $Username -Password $Password -LinkUsername $LinkUsername -LinkPassword $LinkPassword -LdapFilter '(&(objectCategory=Person)(objectClass=user))' -LdapFields 'samaccountname,name,admincount,whencreated,whenchanged,adspath' -UseAdHoc |
| 7356 | + }else{ |
| 7357 | + Get-SQLDomainObject -Verbose -Instance $Instance -Username $Username -Password $Password -LinkUsername $LinkUsername -LinkPassword $LinkPassword -LdapFilter '(&(objectCategory=Person)(objectClass=user))' -LdapFields 'samaccountname,name,admincount,whencreated,whenchanged,adspath' -UseAdHoc |
7602 | 7358 | } |
7603 | 7359 | } |
7604 | 7360 |
|
7605 | 7361 | # Run scriptblock using multi-threading |
7606 | | - $PipelineItems | Invoke-Parallel -ScriptBlock $MyScriptBlock -ImportSessionFunctions -ImportVariables -Throttle $Threads -RunspaceTimeout 2 -Quiet -ErrorAction SilentlyContinue |
7607 | | - |
7608 | | - # Return results |
7609 | | - return $TblDomainUsers |
| 7362 | + $PipelineItems | Invoke-Parallel -ScriptBlock $MyScriptBlock -ImportSessionFunctions -ImportVariables -Throttle $Threads -RunspaceTimeout 2 -Quiet -ErrorAction SilentlyContinue |
7610 | 7363 | } |
7611 | 7364 | } |
7612 | 7365 |
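Review bot: The `else` branch at new line 7357 passes `-UseAdHoc` exactly like the `if($UseAdHoc)` branch at 7355, so link mode (OpenQuery through a temporary ADSI linked server) can no longer be selected and the conditional is dead; drop `-UseAdHoc` from the else call. Both calls also hardcode `-Verbose` and omit `-Credential $Credential`, which the removed code forwarded to every Get-SQL* call, so `-SuppressVerbose` is no longer honored and credential-object authentication appears to be lost — worth confirming against Get-SQLDomainObject's parameter list, e.g. `Get-SQLDomainObject -Instance $Instance -Username $Username -Password $Password -Credential $Credential -LinkUsername $LinkUsername -LinkPassword $LinkPassword -LdapFilter '(&(objectCategory=Person)(objectClass=user))' -LdapFields 'samaccountname,name,admincount,whencreated,whenchanged,adspath'`. With `return $TblDomainUsers` removed, `$TblResults` and `$TblDomainUsers` at 7312-7313 are still allocated but never filled or returned; if the rows now reach the caller as Invoke-Parallel's pipeline output, delete the two tables, otherwise the function silently returns nothing. The removed code interpolated `$LinkPassword` and the generated link name straight into T-SQL strings, so centralizing that in Get-SQLDomainObject is only an improvement if the helper escapes single quotes in those values, which this hunk does not show. Get-SQLDomainUser's signature and parameter block are above the hunk.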
|
|