Metasploit 辅助模块：Admin MySQL

mysql_enum

该“mysql_enum”模块将连接到远程MySQL数据库服务器与一组给定的凭据，并在其上执行一些基本的枚举。

msf > use auxiliary/admin/mysql/mysql_enum
msf auxiliary(mysql_enum) > show options

Module options (auxiliary/admin/mysql/mysql_enum):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOST                      yes       The target address
   RPORT     3306             yes       The target port
   USERNAME                   no        The username to authenticate as

要配置模块，我们为PASSWORD，RHOST和USERNAME提供值，然后让它针对目标运行。

msf auxiliary(mysql_enum) > set PASSWORD s3cr3t
PASSWORD => s3cr3t
msf auxiliary(mysql_enum) > set RHOST 192.168.1.201
RHOST => 192.168.1.201
msf auxiliary(mysql_enum) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_enum) > run

[*] Running MySQL Enumerator...
[*] Enumerating Parameters
[*] 	MySQL Version: 5.1.41
[*] 	Compiled for the following OS: Win32
[*] 	Architecture: ia32
[*] 	Server Hostname: xen-xp-sploit
[*] 	Data Directory: C:\xampp\mysql\data\
[*] 	Logging of queries and logins: OFF
[*] 	Old Password Hashing Algorithm OFF
[*] 	Loading of local files: ON
[*] 	Logins with old Pre-4.1 Passwords: OFF
[*] 	Allow Use of symlinks for Database Files: YES
[*] 	Allow Table Merge: 
[*] 	SSL Connection: DISABLED
[*] Enumerating Accounts:
[*] 	List of Accounts with Password Hashes:
[*] 		User: root Host: localhost Password Hash: *58C036CDA51D8E8BBBBF2F9EA5ABF111ADA444F0
[*] 		User: pma Host: localhost Password Hash: *602F8827EA283047036AFA836359E3688401F6CF
[*] 		User: root Host: % Password Hash: *58C036CDA51D8E8BBBBF2F9EA5ABF111ADA444F0
[*] 	The following users have GRANT Privilege:
[*] 		User: root Host: localhost
[*] 		User: root Host: %
[*] 	The following users have CREATE USER Privilege:
[*] 		User: root Host: localhost
[*] 		User: root Host: %
[*] 	The following users have RELOAD Privilege:
[*] 		User: root Host: localhost
[*] 		User: root Host: %
[*] 	The following users have SHUTDOWN Privilege:
[*] 		User: root Host: localhost
[*] 		User: root Host: %
[*] 	The following users have SUPER Privilege:
[*] 		User: root Host: localhost
[*] 		User: root Host: %
[*] 	The following users have FILE Privilege:
[*] 		User: root Host: localhost
[*] 		User: root Host: %
[*] 	The following users have POCESS Privilege:
[*] 		User: root Host: localhost
[*] 		User: root Host: %
[*] 	The following accounts have privileges to the mysql databse:
[*] 		User: root Host: localhost
[*] 		User: root Host: %
[*] 	The following accounts are not restricted by source:
[*] 		User: root Host: %
[*] Auxiliary module execution completed
msf auxiliary(mysql_enum) >

mysql_sql

该“mysql_sql”模块时，与一组有效凭证提供的远程服务器上执行SQL查询。

msf > use auxiliary/admin/mysql/mysql_sql
msf auxiliary(mysql_sql) > show options

Module options (auxiliary/admin/mysql/mysql_sql):

   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   PASSWORD                    no        The password for the specified username
   RHOST                       yes       The target address
   RPORT     3306              yes       The target port
   SQL       select version()  yes       The SQL to execute.
   USERNAME                    no        The username to authenticate as

为了配置模块，我们提供了PASSWORD，RHOST和USERNAME设置，我们将保留默认查询来提取服务器版本。

msf auxiliary(mysql_sql) > set PASSWORD s3cr3t
PASSWORD => s3cr3t
msf auxiliary(mysql_sql) > set RHOST 192.168.1.201
RHOST => 192.168.1.201
msf auxiliary(mysql_sql) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_sql) > run

[*] Sending statement: 'select version()'...
[*]  | 5.1.41 |
[*] Auxiliary module execution completed
msf auxiliary(mysql_sql) >