# 第三十四课:攻击Sql server 服务 msf 内置关于 mssql 插件如下(部分非测试mssql 插件)\ ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws572bQVQ0bSp1tV%2F14d4b2ef52542a9214714790bb6814bd.jpg?generation=1551060437467337\&alt=media) 关于msf常用攻击mssql插件如下:\ 1\. auxiliary/admin/mssql/mssql\_enum\ 2\. auxiliary/admin/mssql/mssql\_enum\_sql\_logins\ 3\. auxiliary/admin/mssql/mssql\_escalate\_dbowner\ 4\. auxiliary/admin/mssql/mssql\_exec\ 5\. auxiliary/admin/mssql/mssql\_sql\ 6\. auxiliary/admin/mssql/mssql\_sql\_file\ 7\. auxiliary/scanner/mssql/mssql\_hashdump\ 8\. auxiliary/scanner/mssql/mssql\_login\ 9\. auxiliary/scanner/mssql/mssql\_ping\ 10\. exploit/windows/mssql/mssql\_payload\ 11\. post/windows/manage/mssql\_local\_auth\_bypass 本地靶机测试:\ x86 windows 2003 ip:192.168.1.115\ ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws59UfzftIzzvzHb%2F53d6d9288fecdd2e130300f85c918fde.jpg?generation=1551060431891701\&alt=media) ## 1. auxiliary/admin/mssql/mssql\_enum 非常详细的目标机Sql server 信息:\ ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws5BTGkBAIrdM87f%2F811bc0093d66031f0e18375fa737a07c.jpg?generation=1551060426600298\&alt=media)\ ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws5D39qJGu3xD01s%2F311969e0450cb1458a954f92b02d2088.jpg?generation=1551060428378078\&alt=media) ## 2.auxiliary/admin/mssql/mssql\_enum\_sql\_logins 枚举sql logins,速度较慢,不建议使用。\ ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws5FtqgHWR3JaToL%2Fc2f4ae385eeee038db62565323c03853.jpg?generation=1551060444915923\&alt=media) ## 3.auxiliary/admin/mssql/mssql\_escalate\_dbowner 发现dbowner,当sa无法得知密码的时候,或者需要其他账号提供来支撑下一步的内网渗透。\ ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws5H2F0Piu0S9Kn1%2F7edd4d6780a48d93d787f59296c85928.jpg?generation=1551060425899188\&alt=media) ## 4.auxiliary/admin/mssql/mssql\_exec 最常用模块之一,当没有激活xp\_cmdshell,自动激活。并且调用执行cmd命令。权限继承 Sql server。\ ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws5JHvFeI9ImQdAR%2F3759eb9026a6b73dcd9e3a3a582cbf8b.jpg?generation=1551060438421483\&alt=media) ## 5.auxiliary/admin/mssql/mssql\_sql 最常用模块之一,如果熟悉Sql server 数据库特性,以及sql语句。建议该模块,更稳定。 ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws5LVqpHzJ9qJlPU%2Fa8d69a38790844c0b37057687853064e.jpg?generation=1551060449476482\&alt=media) ## 6.auxiliary/admin/mssql/mssql\_sql\_file 当需要执行多条sql语句的时候,或者非常复杂。msf本身支持执行sql文件。授权渗透应用较少,非授权应用较多的模块。 ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws5NKT7DYHLclngu%2F8cf7347d1403235e63419c9c4e461c1e.jpg?generation=1551060431279692\&alt=media) ## 7.auxiliary/scanner/mssql/mssql\_hashdump mssql的hash导出。如果熟悉sql语句。也可以用mssql\_sql模块来执行。 ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws5P9R6OUjZYBpxa%2F1ac1d8066a613adab1f09e0d6d707ab6.jpg?generation=1551060454015016\&alt=media) ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws5RRjtZ_WSKr8OH%2Fe2c5ee21db0a1a811c9333331312abb7.jpg?generation=1551060453859793\&alt=media) ## 8.auxiliary/scanner/mssql/mssql\_login 内网渗透中的常用模块之一,支持RHOSTS,来批量发现内网mssql主机。mssql的特性除了此种方法。还有其他方法来专门针对mssql主机发现,以后得季会提到。\ ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws5T_8k_toDtvycM%2F6e7aaf7b86627694ee979784cc8aaa7c.jpg?generation=1551060431071877\&alt=media) ## 9.auxiliary/scanner/mssql/mssql\_ping 查询mssql 实例,实战中,应用较少。信息可能不准确。 ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws5VVoJpf-65VC82%2Fcf3c52e619f19e45e2266648279a0f0d.jpg?generation=1551060449210044\&alt=media) ## 10.exploit/windows/mssql/mssql\_payload 非常好的模块之一,在实战中。针对不同时间版本的系统都有着自己独特的方式来上传payload。 ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws5XcKLhfaavRL-d%2Ff38228156f2a8c7285c2bb48b6105ef0.jpg?generation=1551060428136799\&alt=media) **注:由于本季的靶机是 windows 2003,故参数set method old,如果本次的参数为cmd,那么payload将会失败。** ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws5ZgWK9i_I_fFwc%2F5826f503abb5f2108d0d392b3c6d9f6d.jpg?generation=1551060439846502\&alt=media) ## 11.post/windows/manage/mssql\_local\_auth\_bypass post模块都属于后渗透模块,不属于本季内容。未来的系列。会主讲post类模块。 > 后者的话: 在内网横向渗透中,需要大量的主机发现来保证渗透的过程。而以上的插件,在内网横向或者Sql server主机发现的过程中,尤为重要。与Mysql 不同的是,在Sql server的模块中,一定要注意参数的配备以及payload的组合。否则无法反弹payload。 > > Micropoor --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://micro8.gitbook.io/micro8/contents-1/31-40/34-gong-ji-sqlserver-fu-wu.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.