Learning notes

Penetration testing MSSQL with Metasploit (my target VM has no MSSQL service, so this is just the method, heh)
Step 1: use mssql_ping to gather information

       Name: MSSQL Ping Utility
     Module: auxiliary/scanner/mssql/mssql_ping
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  MC <mc@metasploit.com>

Check supported:
  No

Basic options:
  Name                 Current Setting  Required  Description
  ----                 ---------------  --------  -----------
  PASSWORD             qwer             no        The password for the specified username
  RHOSTS               192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
  THREADS              200              yes       The number of concurrent threads (max one per host)
  USERNAME             root             no        The username to authenticate as
  USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

Description:
  This module simply queries the MSSQL instance for information.

Step 2: use mssql_login to brute-force credentials

       Name: MSSQL Login Utility
     Module: auxiliary/scanner/mssql/mssql_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  MC <mc@metasploit.com>

Check supported:
  No

Basic options:
  Name                 Current Setting  Required  Description
  ----                 ---------------  --------  -----------
  BLANK_PASSWORDS      true             no        Try blank passwords for all users
  BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS         false            no        Try each user/password couple stored in the current database
  DB_ALL_PASS          false            no        Add all passwords in the current database to the list
  DB_ALL_USERS         false            no        Add all users in the current database to the list
  PASSWORD             qwer             no        A specific password to authenticate with
  PASS_FILE            passwords.txt    no        File containing passwords, one per line
  RHOSTS               192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT                1433             yes       The target port (TCP)
  STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
  TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
  THREADS              200              yes       The number of concurrent threads (max one per host)
  USERNAME             root             no        A specific username to authenticate as
  USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS         false            no        Try the username as the password for all users
  USER_FILE                             no        File containing usernames, one per line
  USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)
  VERBOSE              true             yes       Whether to print output for all attempts

Description:
  This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).

References:
  https://nvd.nist.gov/vuln/detail/CVE-1999-0506

Step 3: use mssql_payload for privilege escalation

       Name: Microsoft SQL Server Payload Execution
     Module: exploit/windows/mssql/mssql_payload
   Platform: Windows
       Arch: x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2000-05-30

Provided by:
  David Kennedy "ReL1K" <kennedyd013@gmail.com>
  jduck <jduck@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  Yes

Basic options:
  Name                 Current Setting  Required  Description
  ----                 ---------------  --------  -----------
  METHOD               cmd              yes       Which payload delivery method to use (ps, cmd, or old)
  PASSWORD             qwer             no        The password for the specified username
  RHOSTS               192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT                1433             yes       The target port (TCP)
  SRVHOST              0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT              8080             yes       The local port to listen on.
  SSL                  false            no        Negotiate SSL for incoming connections
  SSLCert                               no        Path to a custom SSL certificate (default is randomly generated)
  TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
  URIPATH                               no        The URI to use for this exploit (default is random)
  USERNAME             root             no        The username to authenticate as
  USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

Payload information:

Description:
  This module executes an arbitrary payload on a Microsoft SQL Server by using the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wcsript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2000-0402
  OSVDB (557)
  http://www.securityfocus.com/bid/1281
  https://nvd.nist.gov/vuln/detail/CVE-2000-1209
  OSVDB (15757)
  http://www.securityfocus.com/bid/4797

When using this exploit module, remember to change the payload.

       Name: Microsoft SQL Server Payload Execution via SQL Injection
     Module: exploit/windows/mssql/mssql_payload_sqli
   Platform: Windows
       Arch: x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2000-05-30

Provided by:
  David Kennedy "ReL1K" <kennedyd013@gmail.com>
  jduck <jduck@metasploit.com>
  Rodrigo Marcos

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  COOKIE                     no        Cookie value
  DATA                       no        POST data, if necessary, with [SQLi] indicating the injection
  DELIVERY  OLD              yes       Payload delivery method (Accepted: PS, CMD, OLD)
  GET_PATH  /                yes       The complete path with [SQLi] indicating the injection
  METHOD    GET              yes       GET or POST
  Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS    192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT     80               yes       The target port (TCP)
  SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT   8080             yes       The local port to listen on.
  SSL       false            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                    no        The URI to use for this exploit (default is random)
  VHOST                      no        HTTP server virtual host

Payload information:
  Avoid: 27 characters

Description:
  This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens. For example, given the following injection: http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical you would need to set the following path: set GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar In regard to the payload, unless there is a closed port in the web server, you dont want to use any "bind" payload, specially on port 80, as you will stop reaching the vulnerable web server host. You want a "reverse" payload, probably to your port 80 or to any other outbound port allowed on the firewall. For privileged ports execute Metasploit msfconsole as root. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wcsript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2000-0402
  OSVDB (557)
  http://www.securityfocus.com/bid/1281
  https://nvd.nist.gov/vuln/detail/CVE-2000-1209
  OSVDB (15757)
  http://www.securityfocus.com/bid/4797
  http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-metasploit/
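As an added example (not part of the original notes or of Metasploit), here is the defender's view of Steps 2 and 3: a small parser over a constructed SQL Server ERRORLOG excerpt that flags the burst of failed logins a mssql_login run with THREADS 200 and a PASS_FILE produces, and the moment xp_cmdshell is switched on, which mssql_payload depends on. The timestamps, client addresses, login names and the 5-failures-per-minute threshold are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (assumed values, not from the original notes):
# a password-guessing burst against 'root' from one client, then xp_cmdshell switched on.
ERRORLOG = """\
2024-03-01 10:00:01.10 Logon       Login failed for user 'root'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2024-03-01 10:00:01.12 Logon       Login failed for user 'root'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2024-03-01 10:00:01.15 Logon       Login failed for user 'root'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2024-03-01 10:00:01.17 Logon       Login failed for user 'root'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2024-03-01 10:00:01.20 Logon       Login failed for user 'root'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2024-03-01 10:30:00.00 Logon       Login failed for user 'bob'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.77]
2024-03-01 10:31:05.40 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""
# Error 18456 "Login failed" lines carry the failing login and the client address.
LOGIN_FAIL = re.compile(
    r"^(?P<ts>\S+ \S+) Logon\s+Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
# sp_configure logs this line when xp_cmdshell is enabled (what mssql_payload needs).
XP_CMDSHELL = re.compile(
    r"^(?P<ts>\S+ \S+) spid\d+\s+Configuration option 'xp_cmdshell' changed from 0 to 1")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def analyze(log, threshold=5, window=timedelta(minutes=1)):
    """Return findings as (kind, client, detail) tuples."""
    fails = defaultdict(list)  # client address -> failed-login timestamps
    findings = []
    for line in log.splitlines():
        m = LOGIN_FAIL.match(line)
        if m:
            fails[m["client"]].append(parse_ts(m["ts"]))
            continue
        m = XP_CMDSHELL.match(line)
        if m:
            findings.append(("xp_cmdshell_enabled", None, m["ts"]))
    # Sliding window: a client is flagged once `threshold` failures fall inside `window`.
    for client, stamps in fails.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                findings.append(("login_bruteforce", client, f"{threshold}+ failures within {window}"))
                break
    return findings

if __name__ == "__main__":
    for finding in analyze(ERRORLOG):
        print(finding)
```

The single failure from 192.168.1.77 stays below the threshold and is not reported, while the xp_cmdshell change is reported on its own regardless of any login activity.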
