forked from thinkst/canarytokens
t-sql.txt
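-- Canarytoken trigger: after every INSERT into trace1, build a UNC path whose
-- host name is <base64(login name)>.<random>.<token domain> and hand it to
-- xp_dirtree, so that SQL Server has to resolve that host name. Presumably the
-- lookup of the name is what the token service records as the alert.
--
-- Fixes relative to the earlier version of this snippet:
--   * the login name is read with a parenthesised scalar subquery (the bare
--     "set @x = SELECT ..." form does not parse) and TOP (1), so a multi-row
--     INSERT does not fail with "subquery returned more than 1 value";
--   * the path is built in a varchar(max) work variable before the length test.
--     Assigning the CONCAT result straight to varchar(128) truncates silently,
--     so the "too big" branch could never run and long names lost the tail of
--     the token domain;
--   * the random label uses FLOOR so it is always 0..99 and fits varchar(2);
--     ROUND could yield 100;
--   * the first label is also kept within the 63-octet DNS label limit.
--
-- NOTE(review): the trigger runs inside the INSERT's transaction, so an error
-- raised here (for example missing EXECUTE permission on xp_dirtree) fails the
-- INSERT as well. Confirm that is acceptable for trace1.
-- NOTE(review): base64 is case-sensitive and may contain '+' and '/', while DNS
-- names are case-insensitive and host names allow only letters, digits and '-'.
-- Confirm the receiving side tolerates this.
CREATE TRIGGER t_t_1
ON trace1
AFTER INSERT
AS
BEGIN
    DECLARE
        @username    varchar(max),
        @base64      varchar(max),
        @candidate   varchar(max),   -- untruncated path, used for the length test
        @tokendomain varchar(128),
        @unc         varchar(128),
        @size        int,
        @done        int,
        @random      varchar(3);

    -- setup the variables
    SET @tokendomain = 'tcvqnrqidezba68kfu0dpa3ts.honeydrops.net';
    SET @size = 128;
    SET @done = 0;
    -- one or two random digits followed by a dot; this becomes its own label
    SET @random = CAST(CAST(FLOOR(RAND() * 100) AS int) AS varchar(2));
    SET @random = CONCAT(@random, '.');

    -- Login name comes from the inserted row rather than SUSER_SNAME().
    -- Only one row is reported per INSERT statement.
    SET @username = (SELECT TOP (1) LOGINNAME FROM INSERTED);

    -- loop runs until the UNC path is @size chars or less
    WHILE @done <= 0
    BEGIN
        -- convert username into base64 via the XML xs:base64Binary cast
        SELECT @base64 = (
            SELECT CAST(N'' AS XML).value(
                       'xs:base64Binary(xs:hexBinary(sql:column("bin")))',
                       'VARCHAR(MAX)'
                   ) AS Base64Encoding
            FROM (
                SELECT CAST(@username AS VARBINARY(MAX)) AS bin
            ) AS bin_sql_server_temp
        );

        -- replace base64 padding as dns will choke on =
        SELECT @base64 = REPLACE(@base64, '=', '-');

        -- construct the UNC path (CONCAT treats a NULL login name as '')
        SELECT @candidate = CONCAT('\\', @base64, '.', @random, @tokendomain, '\a');

        -- COALESCE keeps a NULL login name from making the test UNKNOWN,
        -- which would otherwise loop forever on the ELSE branch.
        IF LEN(@candidate) <= @size AND LEN(COALESCE(@base64, '')) <= 63
        BEGIN
            SET @unc = @candidate;
            SET @done = 1;
        END
        ELSE
            -- trim from the front, to keep the username and lose domain details
            SELECT @username = SUBSTRING(@username, 2, LEN(@username));
    END

    EXEC master.dbo.xp_dirtree @unc;
END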
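-- create a stored proc that'll ping honeydrops
--
-- Builds a UNC path whose host name is
-- <base64(SUSER_SNAME())>.<random>.<token domain> and passes it to
-- xp_fileexist, so that SQL Server has to resolve that host name. Presumably
-- the lookup of the name is what the token service records as the alert.
--
-- Fixes relative to the earlier version of this snippet:
--   * the path is built in a varchar(max) work variable before the length test.
--     Assigning the CONCAT result straight to varchar(128) truncates silently,
--     so the "too big" branch could never run and long names lost the tail of
--     the token domain;
--   * the random label uses FLOOR so it is always 0..99 and fits varchar(2);
--     ROUND could yield 100;
--   * the first label is also kept within the 63-octet DNS label limit.
--
-- NOTE(review): callers need to be able to run this procedure and, through it,
-- master.dbo.xp_fileexist; an error here propagates to the caller (including a
-- trigger that calls it). Confirm the permission setup.
-- NOTE(review): base64 is case-sensitive and may contain '+' and '/', while DNS
-- names are case-insensitive and host names allow only letters, digits and '-'.
-- Confirm the receiving side tolerates this.
CREATE PROC ping_honeydrop
AS
BEGIN
    DECLARE
        @username    varchar(max),
        @base64      varchar(max),
        @candidate   varchar(max),   -- untruncated path, used for the length test
        @tokendomain varchar(128),
        @unc         varchar(128),
        @size        int,
        @done        int,
        @random      varchar(3);

    -- setup the variables
    SET @tokendomain = 'tcvqnrqidezba68kfu0dpa3ts.honeydrops.net';
    SET @size = 128;
    SET @done = 0;
    -- one or two random digits followed by a dot; this becomes its own label
    SET @random = CAST(CAST(FLOOR(RAND() * 100) AS int) AS varchar(2));
    SET @random = CONCAT(@random, '.');
    SET @username = SUSER_SNAME();

    -- loop runs until the UNC path is @size chars or less
    WHILE @done <= 0
    BEGIN
        -- convert username into base64 via the XML xs:base64Binary cast
        SELECT @base64 = (
            SELECT CAST(N'' AS XML).value(
                       'xs:base64Binary(xs:hexBinary(sql:column("bin")))',
                       'VARCHAR(MAX)'
                   ) AS Base64Encoding
            FROM (
                SELECT CAST(@username AS VARBINARY(MAX)) AS bin
            ) AS bin_sql_server_temp
        );

        -- replace base64 padding as dns will choke on =
        SELECT @base64 = REPLACE(@base64, '=', '-');

        -- construct the UNC path (CONCAT treats a NULL login name as '')
        SELECT @candidate = CONCAT('\\', @base64, '.', @random, @tokendomain, '\a');

        -- COALESCE keeps a NULL login name from making the test UNKNOWN,
        -- which would otherwise loop forever on the ELSE branch.
        IF LEN(@candidate) <= @size AND LEN(COALESCE(@base64, '')) <= 63
        BEGIN
            SET @unc = @candidate;
            SET @done = 1;
        END
        ELSE
            -- trim from the front, to keep the username and lose domain details
            SELECT @username = SUBSTRING(@username, 2, LEN(@username));
    END

    EXEC master.dbo.xp_fileexist @unc;
END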
-- add a trigger if data is altered
--
-- Runs ping_honeydrop after every UPDATE statement on table1. The procedure
-- takes no arguments, so the alert carries only what ping_honeydrop itself
-- collects; nothing about the updated rows is passed along.
-- NOTE(review): the call runs inside the UPDATE's transaction, so an error
-- raised by ping_honeydrop also fails the UPDATE. Confirm that is acceptable.
CREATE TRIGGER trigger2
ON table1
AFTER UPDATE
AS
BEGIN
    EXECUTE ping_honeydrop;
END
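-- create a table-view function to query the honey hostname
--
-- Multi-statement table-valued function. Builds a UNC path whose host name is
-- <base64(SUSER_SNAME())>.<random>.<token domain> and passes it to xp_dirtree,
-- so that SQL Server has to resolve that host name. @output is never
-- populated, so the function always returns an empty table; the name lookup is
-- the only effect.
--
-- @RAND: random value supplied by the caller (view1 passes rand()), since
--        RAND() cannot be called inside a user-defined function.
--        Assumed to be in [0, 1) - TODO confirm no other caller passes more.
--
-- Fixes relative to the earlier version of this snippet:
--   * the path is built in a varchar(max) work variable before the length test.
--     Assigning the CONCAT result straight to varchar(128) truncates silently,
--     so the "too big" branch could never run and long names lost the tail of
--     the token domain;
--   * the random label uses FLOOR so that a rand() input always gives 0..99 and
--     fits varchar(2); ROUND could yield 100;
--   * the first label is also kept within the 63-octet DNS label limit.
--
-- NOTE(review): '=' padding is replaced with '0' here but with '-' in the
-- other token snippets in this file. Whatever decodes the label has to agree
-- with the choice made here; confirm which one is expected.
-- NOTE(review): base64 is case-sensitive and may contain '+' and '/', while DNS
-- names are case-insensitive and host names allow only letters, digits and '-'.
-- Confirm the receiving side tolerates this.
ALTER FUNCTION innocuous_name(@RAND FLOAT) RETURNS @output TABLE (col1 varchar(max))
AS
BEGIN
    DECLARE
        @username    varchar(max),
        @base64      varchar(max),
        @candidate   varchar(max),   -- untruncated path, used for the length test
        @tokendomain varchar(128),
        @unc         varchar(128),
        @size        int,
        @done        int,
        @random      varchar(3);

    -- setup the variables
    SET @tokendomain = 'tcvqnrqidezba68kfu0dpa3ts.honeydrops.net';
    SET @size = 128;
    SET @done = 0;
    -- one or two random digits followed by a dot; this becomes its own label
    SET @random = CAST(CAST(FLOOR(@RAND * 100) AS int) AS varchar(2));
    SET @random = CONCAT(@random, '.');
    SET @username = SUSER_SNAME();

    -- loop runs until the UNC path is @size chars or less
    WHILE @done <= 0
    BEGIN
        -- convert username into base64 via the XML xs:base64Binary cast
        SELECT @base64 = (
            SELECT CAST(N'' AS XML).value(
                       'xs:base64Binary(xs:hexBinary(sql:column("bin")))',
                       'VARCHAR(MAX)'
                   ) AS Base64Encoding
            FROM (
                SELECT CAST(@username AS VARBINARY(MAX)) AS bin
            ) AS bin_sql_server_temp
        );

        -- replace base64 padding as dns will choke on =
        SELECT @base64 = REPLACE(@base64, '=', '0');

        -- construct the UNC path (CONCAT treats a NULL login name as '')
        SELECT @candidate = CONCAT('\\', @base64, '.', @random, @tokendomain, '\a');

        -- COALESCE keeps a NULL login name from making the test UNKNOWN,
        -- which would otherwise loop forever on the ELSE branch.
        IF LEN(@candidate) <= @size AND LEN(COALESCE(@base64, '')) <= 63
        BEGIN
            SET @unc = @candidate;
            SET @done = 1;
        END
        ELSE
            -- trim from the front, to keep the username and lose domain details
            SELECT @username = SUBSTRING(@username, 2, LEN(@username));
    END

    EXEC master.dbo.xp_dirtree @unc; -- WITH RESULT SETS (([result] varchar(max)));
    RETURN;
END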
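-- create a view that calls the function
--
-- Every SELECT against view1 evaluates master.dbo.innocuous_name, which is what
-- performs the token lookup. rand() is evaluated here and passed in as the
-- function's @RAND argument. The column is named explicitly instead of
-- SELECT * so the view's shape does not depend on the function's definition
-- at the time the view was last altered.
ALTER VIEW view1
AS
SELECT col1
FROM master.dbo.innocuous_name(RAND());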
--change permissions on innocuous_name to SELECT for [public]
--change permissions on lucrative_name to SELECT for [public]
--don't allow [public] to view the definitions
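-- return IP address
--
-- Reads the client address of the current connection. varchar(48) is used
-- rather than char(15): char(15) only fits an IPv4 dotted quad, so an IPv6
-- client address would be cut off, and char also pads short values with
-- spaces. The column is given a name so callers can reference it.
SELECT CONVERT(varchar(48), CONNECTIONPROPERTY('client_net_address')) AS client_net_address;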
--approach to finding failed logins:
--http://blogs.technet.com/b/sql_server_isv/archive/2011/03/07/adding-failed-sql-server-logon-support-to-a-plm-sql-server.aspx