authored
Update PowerUpSQL.ps1
Added Get-SQLTableTemp function. Updated Invoke-SQLDumpInfo function.
1 parent a8f4dde commit cba0a51

1 file changed

+206
-38
lines changed

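--- a/PowerUpSQL.ps1
+++ b/PowerUpSQL.ps1
@@ -3,7 +3,7 @@
 File: PowerUpSQL.ps1
 Author: Scott Sutherland (@_nullbind), NetSPI - 2023
 Major Contributors: Antti Rantasaari and Eric Gruber
-Version: 1.112
+Version: 1.113
 Description: PowerUpSQL is a PowerShell toolkit for attacking SQL Server.
 License: BSD 3-Clause
 Required Dependencies: PowerShell v.2
@@ -4752,6 +4752,191 @@ Function Get-SQLTable
 }
 }
 
+# ----------------------------------
+# Get-SQLTableTemp
+# ----------------------------------
+# Author: Scott Sutherland
+Function Get-SQLTableTemp
+{
+<#
+.SYNOPSIS
+Returns table information from target SQL Servers.
+.PARAMETER Username
+SQL Server or domain account to authenticate with.
+.PARAMETER Password
+SQL Server or domain account password to authenticate with.
+.PARAMETER Credential
+SQL Server credential.
+.PARAMETER Instance
+SQL Server instance to connection to.
+.EXAMPLE
+PS C:\> Get-SQLTableTemp -Instance SQLServer1\STANDARDDEV2014
+
+Table_Name : #B6E36D7A
+Column_Name : SnapshotDataId
+Column_Type : uniqueidentifier
+Table_Type : TableVariable
+is_ms_shipped : False
+is_published : False
+is_schema_published : False
+create_date : 5/14/2024 6:09:48 PM
+modify_date : 5/14/2024 6:09:48 PM
+
+Table_Name : #LocalTempTbl____________________________________________
+_________________________________________________________
+__00000000002D
+Column_Name : Testing123
+Column_Type : text
+Table_Type : LocalTempTable
+is_ms_shipped : False
+is_published : False
+is_schema_published : False
+create_date : 5/15/2024 4:37:46 PM
+modify_date : 5/15/2024 4:37:46 PM
+
+Table_Name : ##GlobalTempTbl
+Column_Name : Spy_id
+Column_Type : int
+Table_Type : GlobalTempTable
+is_ms_shipped : False
+is_published : False
+is_schema_published : False
+create_date : 5/15/2024 4:38:10 PM
+modify_date : 5/15/2024 4:38:10 PM
+
+Table_Name : ##GlobalTempTbl
+Column_Name : SpyName
+Column_Type : text
+Table_Type : GlobalTempTable
+is_ms_shipped : False
+is_published : False
+is_schema_published : False
+create_date : 5/15/2024 4:38:10 PM
+modify_date : 5/15/2024 4:38:10 PM
+
+Table_Name : ##GlobalTempTbl
+Column_Name : RealName
+Column_Type : text
+Table_Type : GlobalTempTable
+is_ms_shipped : False
+is_published : False
+is_schema_published : False
+create_date : 5/15/2024 4:38:10 PM
+modify_date : 5/15/2024 4:38:10 PM
+.EXAMPLE
+PS C:\> Get-SQLInstanceDomain | Get-SQLTableTemp -Verbose
+#>
+[CmdletBinding()]
+Param(
+[Parameter(Mandatory = $false,
+ValueFromPipelineByPropertyName = $true,
+HelpMessage = 'SQL Server or domain account to authenticate with.')]
+[string]$Username,
+
+[Parameter(Mandatory = $false,
+ValueFromPipelineByPropertyName = $true,
+HelpMessage = 'SQL Server or domain account password to authenticate with.')]
+[string]$Password,
+
+[Parameter(Mandatory = $false,
+HelpMessage = 'Windows credentials.')]
+[System.Management.Automation.PSCredential]
+[System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty,
+
+[Parameter(Mandatory = $false,
+ValueFromPipelineByPropertyName = $true,
+HelpMessage = 'SQL Server instance to connection to.')]
+[string]$Instance,
+
+[Parameter(Mandatory = $false,
+HelpMessage = 'Suppress verbose errors. Used when function is wrapped.')]
+[switch]$SuppressVerbose
+)
+
+Begin
+{
+$TblTables = New-Object -TypeName System.Data.DataTable
+
+# Setup table filter
+if($TableName)
+{
+$TableFilter = " where table_name like '%$TableName%'"
+}
+else
+{
+$TableFilter = ''
+}
+}
+
+Process
+{
+# Note: Tables queried by this function can be executed by any login.
+
+# Parse computer name from the instance
+$ComputerName = Get-ComputerNameFromInstance -Instance $Instance
+
+# Default connection to local default instance
+if(-not $Instance)
+{
+$Instance = $env:COMPUTERNAME
+}
+
+# Test connection to instance
+$TestConnection = Get-SQLConnectionTest -Instance $Instance -Username $Username -Password $Password -Credential $Credential -SuppressVerbose | Where-Object -FilterScript {
+$_.Status -eq 'Accessible'
+}
+if($TestConnection)
+{
+if( -not $SuppressVerbose)
+{
+Write-Verbose -Message "$Instance : Connection Success."
+Write-Verbose -Message "$Instance : Grabbing tables from databases below:"
+}
+}
+else
+{
+if( -not $SuppressVerbose)
+{
+Write-Verbose -Message "$Instance : Connection Failed."
+}
+return
+}
+
+# Define Query
+$Query = "SELECT
+t1.name AS 'Table_Name',
+t2.name AS 'Column_Name',
+t3.name AS 'Column_Type',
+CASE
+WHEN (SELECT CASE WHEN LEN(t1.name) - LEN(REPLACE(t1.name,'#','')) > 1 THEN 1 ELSE 0 END) = 1 THEN 'GlobalTempTable'
+WHEN t1.name LIKE '%[_]%' AND (SELECT CASE WHEN LEN(t1.name) - LEN(REPLACE(t1.name,'#','')) = 1 THEN 1 ELSE 0 END) = 1 THEN 'LocalTempTable'
+WHEN t1.name NOT LIKE '%[_]%' AND (SELECT CASE WHEN LEN(t1.name) - LEN(REPLACE(t1.name,'#','')) = 1 THEN 1 ELSE 0 END) = 1 THEN 'TableVariable'
+ELSE NULL
+END AS Table_Type,
+t1.is_ms_shipped,
+t1.is_published,
+t1.is_schema_published,
+t1.create_date,
+t1.modify_date
+FROM tempdb.sys.objects AS t1
+JOIN tempdb.sys.columns AS t2 ON t1.OBJECT_ID = t2.OBJECT_ID
+JOIN sys.types AS t3 ON t2.system_type_id = t3.system_type_id
+WHERE t1.name LIKE '#%';"
+
+# Execute Query
+$TblResults = Get-SQLQuery -Instance $Instance -Query $Query -Username $Username -Password $Password -Credential $Credential -SuppressVerbose
+
+# Append results
+$TblTables = $TblTables + $TblResults
+}
+
+End
+{
+# Return data
+$TblTables
+}
+}
+
 
 # ----------------------------------
 # Get-SQLColumn
@@ -26652,7 +26837,7 @@ Function Invoke-SQLDumpInfo
 $Results | Export-Csv -NoTypeInformation $OutPutPath
 }
 
-# Getting DatabaseUsers
+# Getting Database Users
 Write-Verbose -Message "$Instance - Getting database users for databases..."
 $Results = Get-SQLDatabaseUser -Instance $Instance -Username $Username -Password $Password -Credential $Credential -SuppressVerbose -NoDefaults
 if($xml)
@@ -26666,7 +26851,7 @@ Function Invoke-SQLDumpInfo
 $Results | Export-Csv -NoTypeInformation $OutPutPath
 }
 
-# Getting DatabasePrivs
+# Getting Database Privs
 Write-Verbose -Message "$Instance - Getting privileges for databases..."
 $Results = Get-SQLDatabasePriv -Instance $Instance -Username $Username -Password $Password -Credential $Credential -SuppressVerbose -NoDefaults
 if($xml)
@@ -26680,7 +26865,7 @@ Function Invoke-SQLDumpInfo
 $Results | Export-Csv -NoTypeInformation $OutPutPath
 }
 
-# Getting DatabaseRoles
+# Getting Database Roles
 Write-Verbose -Message "$Instance - Getting database roles..."
 $Results = Get-SQLDatabaseRole -Instance $Instance -Username $Username -Password $Password -Credential $Credential -SuppressVerbose -NoDefaults
 if($xml)
@@ -26708,7 +26893,7 @@ Function Invoke-SQLDumpInfo
 $Results | Export-Csv -NoTypeInformation $OutPutPath
 }
 
-# Getting DatabaseTables
+# Getting Database Schemas
 Write-Verbose -Message "$Instance - Getting database schemas..."
 $Results = Get-SQLDatabaseSchema -Instance $Instance -Username $Username -Password $Password -Credential $Credential -SuppressVerbose -NoDefaults
 if($xml)
@@ -26722,7 +26907,21 @@ Function Invoke-SQLDumpInfo
 $Results | Export-Csv -NoTypeInformation $OutPutPath
 }
 
-# Getting DatabaseTables
+# Getting Temp Tables
+Write-Verbose -Message "$Instance - Getting temp tables..."
+$Results = Get-SQLTableTemp -Instance $Instance -Username $Username -Password $Password -Credential $Credential -SuppressVerbose
+if($xml)
+{
+$OutPutPath = "$OutFolder\$OutPutInstance"+'_Server_temp_tables.xml'
+$Results | Export-Clixml $OutPutPath
+}
+else
+{
+$OutPutPath = "$OutFolder\$OutPutInstance"+'_Server_temp_tables.csv'
+$Results | Export-Csv -NoTypeInformation $OutPutPath
+}
+
+# Getting Database Tables
 Write-Verbose -Message "$Instance - Getting database tables..."
 $Results = Get-SQLTable -Instance $Instance -Username $Username -Password $Password -Credential $Credential -SuppressVerbose -NoDefaults
 if($xml)
@@ -27056,38 +27255,7 @@ Function Invoke-SQLDumpInfo
 {
 $OutPutPath = "$OutFolder\$OutPutInstance"+'_Server_oledbproviders.csv'
 $Results | Export-Csv -NoTypeInformation $OutPutPath
-}
-
-# Getting temp table information
-Write-Verbose -Message "$Instance - Getting temp table information..."
-$Query = @'
--- List temp tables, columns, and column types
-SELECT t1.name as 'Table_Name',
-t2.name as 'Column_Name',
-t3.name as 'Column_Type',
-t1.create_date,
-t1.modify_date,
-t1.parent_object_id,
-OBJECT_ID(t1.parent_object_id) as parent_object,
-(SELECT CASE WHEN (select len(t1.name) - len(replace(t1.name,'#',''))) > 1 THEN 1 ELSE 0 END) as GlobalTempTable,
-(SELECT CASE WHEN t1.name like '%[_]%' AND (select len(t1.name) - len(replace(t1.name,'#',''))) = 1 THEN 1 ELSE 0 END) as LocalTempTable,
-(SELECT CASE WHEN t1.name not like '%[_]%' AND (select len(t1.name) - len(replace(t1.name,'#',''))) = 1 THEN 1 ELSE 0 END) as TableVariable
-FROM tempdb.sys.objects AS t1
-JOIN tempdb.sys.columns AS t2 ON t1.OBJECT_ID = t2.OBJECT_ID
-JOIN sys.types AS t3 ON t2.system_type_id = t3.system_type_id
-WHERE t1.name like '#%';
-'@
-$Results = Get-SQLQuery -Instance $Instance -Query $Query -Username $Username -Password $Password -Credential $Credential -SuppressVerbose
-if($xml)
-{
-$OutPutPath = "$OutFolder\$OutPutInstance"+'_Server_temp_tables.xml'
-$Results | Export-Clixml $OutPutPath
-}
-else
-{
-$OutPutPath = "$OutFolder\$OutPutInstance"+'_Server_temp_tables.csv'
-$Results | Export-Csv -NoTypeInformation $OutPutPath
-}
+}
 
 Write-Verbose -Message "$Instance - END"
 }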
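Review bot: In the new Get-SQLTableTemp the Begin block builds `$TableFilter` from `$TableName`, but `$TableName` is not a parameter of this function and `$TableFilter` is never interpolated into `$Query`, so the whole `if($TableName) … else …` block is dead code carried over from Get-SQLTable; either drop it (keeping only `$TblTables = New-Object -TypeName System.Data.DataTable`) or add a `[string]$TableName` parameter and escape single quotes before it goes into the LIKE clause. `$ComputerName` in Process is likewise assigned and never read. The SYNOPSIS `Returns table information from target SQL Servers.` undersells the `WHERE t1.name LIKE '#%'` filter on `tempdb.sys.objects`; `Returns temp table and table variable information from tempdb on target SQL Servers.` matches what the query does. The join `JOIN sys.types AS t3 ON t2.system_type_id = t3.system_type_id` can return one row per type that shares a system_type_id (nvarchar and sysname, for example), so `JOIN sys.types AS t3 ON t2.user_type_id = t3.user_type_id` is the safer key; the query removed from Invoke-SQLDumpInfo in the last hunk had the same join, so this is not a regression but is worth fixing while the code moves.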
