Fast-Track in Microsoft SQL Injection

Source: Internet
Author: User
Tags: mssql server

Fast-Track is a penetration testing tool bundled with the BackTrack distribution. It has shown its considerable power in modern penetration testing, and it also puts a lot of pressure on security personnel.

When it comes to Fast-Track, what users are most familiar with is its automated MSSQL attacks. It can not only automatically restore the xp_cmdshell stored procedure, but also automatically escalate privileges and automatically load a payload. All of this only requires you to provide a URL with an injection point (of course, the database account must be sa); Fast-Track automatically completes everything else. Even if you provide only an IP address, Fast-Track will automatically detect injection points and automatically escalate privileges. Isn't that powerful? Next we move on to the introduction of Fast-Track:
Fast-Track is introduced in the Metasploit Penetration Testing Guide as follows: Fast-Track is an open-source Python-based tool that implements some extended, advanced penetration techniques. It uses the MSF framework to deliver attack payloads, or uses client-side vectors to carry out penetration attacks. In addition, it adds some new features that supplement MSF: Microsoft SQL attacks, more exploit modules, and automated browser attacks.
Next, let's enter the world of FT: start Fast-Track.


We recommend using the command-line interactive mode for penetration testing; it is much simpler and clearer than the graphical interface.

Let's take a look at the Startup menu of Fast-Track:


Go to the fast-track command line interface


I usually use the 4th and 5th options. The first option is Fast-Track Updates. The second option is Autopwn Automation, which is described in a later section; the more automated a function is (automatic IP address discovery and automatic privilege escalation), the more error-prone it is (you know how it is). The third option is the built-in Nmap scanning script, which is not very closely integrated with Fast-Track. The fourth and fifth options will each be introduced in their own article; today we introduce the fourth option, the Microsoft SQL Tools function. The sixth option lets you compile some typical exploit scripts that can be used in combination with Fast-Track, but those exploit scripts are too "classic" (even MS08_063 is still in there).

Microsoft SQL Injection


Like sqlmap, Fast-Track requires the attacker to do reconnaissance first and discover a URL that may have an SQL injection vulnerability. In the MSSQL Injector option, we only need to provide the URL with the injection point; the attacker only needs to determine whether the injection is in the query string or in a POST parameter. Fast-Track will automatically restore xp_cmdshell and even automatically escalate privileges. Note, however, that these attacks can only target web systems backed by MSSQL.

1. MSSQLInjector (MSSQL injection attack)


Frequently used options include the following:

· SQL Injection - query string parameter attack. Select SQLInjector - QueryStringParameterAttack and enter the URL to be attacked: http://localhost:12345/zblog/view.asp?Id='injecthere When Fast-Track starts attacking the vulnerability, it tries each of the fields (starting with the id field) to determine which one can be used for the attack. ... Listening on [any] 4444 .... If the attack succeeds, an external shell pops up, indicating that the target machine is under control. The whole process is completed through SQL injection. NOTE: if the application uses parameterized SQL queries or stored procedures, the attack will not succeed.

· SQL Injection - POST parameter attack. Fast-Track POST parameter attacks require less configuration than URL-based query-string attacks. We only need to give Fast-Track the URL of the page to be attacked; it automatically recognizes the form and launches the attack. Enter http://localhost:12345/zblog/view.asp If POST injection exists on this page, Fast-Track will directly bounce back an external shell!
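The NOTE above is the key defensive point. As an added example that is not part of the original post, here is the dynamic-SQL pattern that the Id='injecthere probe breaks out of, beside the parameterized forms that defeat it; the table, column and procedure names (dbo.Posts, PostId, Title, Body, dbo.GetPost*) are assumptions for illustration.

```sql
-- Added example (not from the original post). Names below are assumed.

-- Deliberately vulnerable "before" form: the value of ?Id= is pasted into the
-- SQL text, so a single quote in the input ends the string literal and the rest
-- of the input is parsed as SQL. This is what the probe detects.
CREATE PROCEDURE dbo.GetPost_Unsafe
    @Id NVARCHAR(100)          -- raw query-string value from view.asp?Id=
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT PostId, Title, Body FROM dbo.Posts WHERE PostId = '''
             + @Id + N'''';
    EXEC (@sql);               -- injected text becomes part of the statement
END;
GO

-- Hardened form: the value travels as a typed parameter, never as SQL text.
-- An input containing quotes or semicolons is just data that matches no row
-- (or fails the INT conversion in the caller); it is never parsed as a command.
CREATE PROCEDURE dbo.GetPost
    @Id INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT PostId, Title, Body
    FROM dbo.Posts
    WHERE PostId = @Id;
END;
GO

-- When dynamic SQL is unavoidable (for example the sort column varies), keep the
-- user-supplied value a parameter of sp_executesql, not part of the string.
CREATE PROCEDURE dbo.GetPostDynamic
    @Id INT
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT PostId, Title, Body FROM dbo.Posts WHERE PostId = @p';
    EXEC sp_executesql @sql, N'@p INT', @p = @Id;
END;
GO
```

The same rule applies in the ASP page itself: pass Request.QueryString("Id") as an ADO command parameter rather than concatenating it into the query string.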
2. MSSQLBruter (MSSQL brute force cracking)


Some administrators create the database directly with the system's built-in sa account (although it is generally not a complete novice who builds a website on MSSQL). If the sa password is cracked, an attacker can use the extended stored procedure xp_cmdshell to attack the entire system. (MSF also has a similar MSSQL dictionary brute-force method.) Fast-Track uses several methods to discover MSSQL servers:

1) Use nmap to scan MSSQL's default TCP port 1433. However, if the target host runs MSSQL Server 2005 or a later version, these versions use dynamic ports, which makes guessing harder. Fast-Track, though, can interact directly with MSF and use UDP port 1434 to find the dynamic port the MSSQL Server is running on.

2) Once Fast-Track identifies the service port and successfully cracks the sa password (not so simple: it requires good configuration and a good social-engineering dictionary), it uses an advanced binary-to-hex conversion method to implant the attack payload. This attack has a high success rate, especially in large network environments where MSSQL is widely used.

Select MSSQL Bruter (brute-force cracking) from the previous list. We often use the following options:

(A)ttempt SQL Ping and Auto Quick Brute Force: use this option to scan an IP address or range (using the same syntax as nmap) and then run a quick brute-force attempt with a prepared dictionary file of 50 common passwords.

(M)ass scan and dictionary brute: provide a password dictionary for brute-force cracking against multiple hosts. Fast-Track comes with a very good password dictionary, stored in bin/dict/wordlist.txt.

(S)ingle target: brute-force cracking against a single target.

Enter sa as the user name and enter an address such as 192.168.0.103 or 192.168.0.1/24. If the target host has a weak password, Fast-Track will directly bounce back an external shell!
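As an added example (not from the original post or the Fast-Track project), here is a T-SQL check-and-harden script for the two conditions the MSSQL Bruter module depends on: an enabled, guessable sa login and a reachable xp_cmdshell. The login name and password in brackets are placeholders; run it as a sysadmin.

```sql
-- Added example (not from the original post). Bracketed values are placeholders.

-- 1) Is xp_cmdshell currently enabled? (value_in_use = 1 means yes)
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'show advanced options');

-- Turn it off. A sysadmin can switch it back on with sp_configure, so the real
-- fix is keeping attackers out of the sysadmin role, not just flipping this switch.
EXEC sp_configure N'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;            RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;  RECONFIGURE;

-- 2) Is the built-in sa login enabled, and does it have policy checks?
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE principal_id = 1;        -- sa keeps principal_id 1 even after a rename

-- Disable and rename sa; give the web application its own least-privilege login.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [sa_renamed_placeholder];
CREATE LOGIN [zblog_app_placeholder]
    WITH PASSWORD = N'<strong-password-placeholder>', CHECK_POLICY = ON;
-- Then, in the application's database: CREATE USER for that login and grant
-- EXECUTE on its stored procedures only, never db_owner or sysadmin.

-- 3) Record failed logins so dictionary attacks show up in the SQL error log
--    (AuditLevel 2 = failed logins only, 3 = both; takes effect after restart).
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel', REG_DWORD, 2;

-- 4) Review what has already been logged: failed sa logins in the current log.
--    A burst of these from one CLIENT address is the brute force seen server-side.
EXEC xp_readerrorlog 0, 1, N'Login failed', N'sa';
```

If no client needs to discover dynamic ports, also stop the SQL Server Browser service so UDP 1434 stops answering enumeration requests.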
3. SQLPwnage (large-scale SQL injection attack)

SQLPwnage is a Fast-Track module that detects SQLi vulnerabilities and scans and crawls websites and subnets for parameters open to SQLi attack; it is a large-scale penetration attack. SQLPwnage can scan port 80 across a web-server segment, use a crawler to traverse the site looking for URLs with injectable SQL parameters, and try fuzzing and POST injection. It supports error-based and blind injection, as well as restoring the xp_cmdshell stored procedure, privilege escalation, and other functions.



After entering SQLPwnage, we select 2. SQL Injection Search/Exploit by Binary Payload Injection (ERROR BASED)


Option 1 takes any list of URLs with vulnerabilities, and option 2 scans the entire subnet. Isn't it simple and fast? Of course, if it weren't fast and ruthless, how could it be called Fast-Track? More details about the SQLPwnage module of Fast-Track can be found here: http://www.offensive-security.com/metasploit-unleashed/SQL_Pwnage
References: Metasploit Penetration Testing Guide, and MSF Study Notes: Hazards and Use of SQLi

This article is from the "No Trace" blog; please be sure to keep this source: http://hucwuhen.blog.51cto.com/6253667/1298157
