metasploit autopwn with mysql, simple version

Author: Sh@dow

I previously followed a method from an overseas write-up; autopwn did run successfully, but the setup was extremely tedious. Below are the detailed setup steps for the simpler method I worked out myself.
First, locate the SQL file that creates the data tables:

root@ubuntu:/pentest/exploits/framework3/data# cd sql
root@ubuntu:/pentest/exploits/framework3/data/sql# ls
mysql.sql postgres.sql sqlite.sql

There are three files here, for mysql, postgres and sqlite respectively. This post only covers the MySQL setup, so first look at the contents of mysql.sql:

root@ubuntu:/pentest/exploits/framework3/data/sql# cat mysql.sql

create table hosts (
id SERIAL PRIMARY KEY,
created TIMESTAMP,
address VARCHAR(16) UNIQUE,
comm VARCHAR(255),
name VARCHAR(255),
state VARCHAR(255),
info VARCHAR(1024),
os_name VARCHAR(255),
os_flavor VARCHAR(255),
os_sp VARCHAR(255),
os_lang VARCHAR(255),
arch VARCHAR(255)
);

create table services (
id SERIAL PRIMARY KEY,
host_id INTEGER,
created TIMESTAMP,
port INTEGER NOT NULL,
proto VARCHAR(16) NOT NULL,
state VARCHAR(255),
name VARCHAR(255),
info VARCHAR(1024)
);

create table vulns (
id SERIAL PRIMARY KEY,
service_id INTEGER,
created TIMESTAMP,
name VARCHAR(255),
data TEXT
);

create table refs (
id SERIAL PRIMARY KEY,
ref_id INTEGER,
created TIMESTAMP,
name VARCHAR(512)
);

create table vulns_refs (
ref_id INTEGER,
vuln_id INTEGER
);

create table notes (
id SERIAL PRIMARY KEY,
host_id INTEGER,
created TIMESTAMP,
ntype VARCHAR(512),
data TEXT
);

OK, next we connect to the MySQL database:

root@ubuntu:/pentest/exploits/framework3/data/sql# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 35
Server version: 5.0.67-0ubuntu6 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| metasploit         |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)

Since we already created an empty database named metasploit earlier, we now create the tables. Of course, you can simply paste the contents of mysql.sql into your MySQL client instead of typing them in.

mysql> use metasploit;
Database changed
mysql> create table hosts (
-> id SERIAL PRIMARY KEY,
-> created TIMESTAMP,
-> address VARCHAR(16) UNIQUE,
-> comm VARCHAR(255),
-> name VARCHAR(255),
-> state VARCHAR(255),
-> info VARCHAR(1024),
-> os_name VARCHAR(255),
-> os_flavor VARCHAR(255),
-> os_sp VARCHAR(255),
-> os_lang VARCHAR(255),
-> arch VARCHAR(255)
-> );
Query OK, 0 rows affected (0.08 sec)

mysql>
mysql>
mysql> create table services (
-> id SERIAL PRIMARY KEY,
-> host_id INTEGER,
-> created TIMESTAMP,
-> port INTEGER NOT NULL,
-> proto VARCHAR(16) NOT NULL,
-> state VARCHAR(255),
-> name VARCHAR(255),
-> info VARCHAR(1024)
-> );
Query OK, 0 rows affected (0.00 sec)

mysql>
mysql>
mysql> create table vulns (
-> id SERIAL PRIMARY KEY,
-> service_id INTEGER,
-> created TIMESTAMP,
-> name VARCHAR(255),
-> data TEXT
-> );
Query OK, 0 rows affected (0.02 sec)

mysql>
mysql>
mysql> create table refs (
-> id SERIAL PRIMARY KEY,
-> ref_id INTEGER,
-> created TIMESTAMP,
-> name VARCHAR(512)
-> );
Query OK, 0 rows affected (0.01 sec)

mysql>
mysql>
mysql> create table vulns_refs (
-> ref_id INTEGER,
-> vuln_id INTEGER
-> );
Query OK, 0 rows affected (0.00 sec)

mysql>
mysql>
mysql> create table notes (
-> id SERIAL PRIMARY KEY,
-> host_id INTEGER,
-> created TIMESTAMP,
-> ntype VARCHAR(512),
-> data TEXT
-> );
Query OK, 0 rows affected (0.01 sec)

Let's check whether the tables were created successfully:

mysql> show tables;
+----------------------+
| Tables_in_metasploit |
+----------------------+
| hosts                |
| notes                |
| refs                 |
| services             |
| vulns                |
| vulns_refs           |
+----------------------+
6 rows in set (0.00 sec)

OK, the tables have been created. Now start msfconsole:

root@ubuntu:/pentest/exploits/framework3# ./msfconsole

_ _
_ | | (_)_
____ ____| |_ ____ ___ ____ | | ___ _| |_
| \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _)
| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__
|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)
|_|

=[ msf v3.3-dev
+ -- --=[ 363 exploits - 233 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 134 aux

msf > load db_mysql
[*] Successfully loaded plugin: db_mysql
msf > db_connect root:fuckyou@localhost/metasploit

The connection succeeds; now run db_hosts:

msf > db_hosts
DEPRECATION WARNING: You're using the Ruby-based MySQL library that ships with Rails. This library will be REMOVED FROM RAILS 2.2. Please switch to the offical mysql gem: `gem install mysql` See http://www.rubyonrails.org/deprecation for details. (called from mysql_connection at /pentest/exploits/framework3/data/msfweb/vendor/rails/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb:81)

Unfortunately, that produced a warning: the MySQL library that the gem depends on is not installed, so let's install it:
root@ubuntu: gem install mysql

Then run db_hosts again:
msf > db_hosts
No error is returned this time. Next, run db_nmap:

msf > db_nmap 192.168.1.2
[*] exec: "/usr/local/bin/nmap" "192.168.1.2" "-oX" "/tmp/dbnmap20090328-12800-j8o2lj-0"
NMAP:
NMAP: Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-28 23:02 CST
NMAP: Interesting ports on 192.168.1.2:
NMAP: Not shown: 998 filtered ports
NMAP: PORT STATE SERVICE
NMAP: 80/tcp open http
NMAP: 8031/tcp open unknown
NMAP: MAC Address: 00:1A:73:FF:A2:F5 (Gemtek Technology Co.)
NMAP:
NMAP: Nmap done: 1 IP address (1 host up) scanned in 12.43 seconds

Run db_hosts again:

msf > db_hosts
[*] Time: Sat Mar 28 23:02:21 +0800 2009 Host: 192.168.1.2 Status: alive OS:

OK, the host has been written to the database. Next, run autopwn and let Metasploit automatically detect vulnerabilities and attempt exploitation:

msf > db_autopwn -t -p -e -s -b
[*] Analysis completed in 4.92117190361023 seconds (0 vulns / 0 refs)
[*] Matched auxiliary/scanner/http/wmap_generic_email_extract against 192.168.1.2:80…

The rest of the output is omitted. Because the test system was fairly fully patched, no exploit succeeded, but the detailed steps are exactly what is shown above. Noting it down here for future reference...


  • 闲云无心

    Caught one running things as root with ruby... drag him out and let Bai bite him to death...

  • chong

    Looks pretty powerful
