Microsoft SQL injection of Fast-Track

2025-01-15 Update. From: SLTechnology News&Howtos (shulou)

Shulou (Shulou.com) 06/01 Report

Fast-Track is a tool bundled with BackTrack. It is not only very powerful in modern penetration testing but also puts a lot of pressure on security staff.

When it comes to Fast-Track, what users know best is its MSSQL automation: it automatically restores the xp_cmdshell stored procedure, escalates privileges and loads a payload. All you have to supply is a URL with an injection point (the database account must of course be sa), and Fast-Track does the rest for you. Even if you only supply an IP address, Fast-Track will detect the injection point for you and then escalate privileges automatically. Isn't that powerful? Let's move on to the introduction to Fast-Track.

The Metasploit penetration testing guide describes Fast-Track as follows: Fast-Track is an open source, Python-based tool that implements a number of extended, advanced techniques. It uses the MSF framework to deliver payloads, and can also do so through client-side vectors. In addition, it adds some new features that complement MSF: Microsoft SQL attacks, more exploit modules and automated browser attacks.

Next, let's enter the world of Fast-Track by starting it.

It is recommended to use the command line interaction mode for testing, which is much simpler and more straightforward than the graphical interface.

Let's take a look at Fast-Track's startup menu:

[Screenshot: entering the Fast-Track command line interface]

I often use options 4 and 5. The first option, Fast-Track Updates, upgrades the tool. The second, Autopwn Automation, is the function described above that finds injection points from an IP address and escalates privileges automatically (the more automated it is, the more error-prone it is, you know). The third option is a built-in NMAP scan script; it does not feel very tightly integrated with Fast-Track and I have not used it much. The fourth and fifth options will be introduced in a separate article, and today we are going to introduce the fourth option, the Microsoft SQL Tools function. The sixth option lets you compile some classic exploit scripts and use them with Fast-Track (though the scripts are so "classic" that they even include MS08_063 ╮(╯▽╰)╭).

Microsoft SQL injection

Fast-Track is used in the same way as sqlmap: the attacker must first do the reconnaissance and find a URL with a likely SQL injection vulnerability. In the MSSQL Injector option we only need to supply the URL with the injection point and specify the query-string or POST parameters; Fast-Track then restores xp_cmdshell automatically and can even escalate privileges. Note, however, that this kind of attack only works against web systems backed by MSSQL.

1. MSSQL Injector (MSSQL injection attack)

Two options are used frequently:

SQL injection - query string attack. Select "SQL Injector - Query String Parameter Attack" and enter a URL such as http://localhost:12345/zblog/view.asp?id='INJECTHERE. When Fast-Track starts exploiting the vulnerability it finds every field that carries the id parameter, that is, it determines which field can be attacked, and then waits with "Listening on [any] 4444...". If the attack succeeds, a cmdshell pops up, meaning you now control the other machine; the whole process is done through SQL injection. Note: if the application uses parameterized SQL queries or stored procedures, our attack will not succeed.

SQL injection - POST parameter attack. Fast-Track's POST parameter attack needs less configuration than the URL-based query-string attack. As long as we give Fast-Track the URL of the page we want, for example http://localhost:12345/zblog/view.asp, it recognizes the form automatically and attacks it; if the page has a POST injection, Fast-Track will directly pop back a cmdshell!

2. MSSQL Bruter (MSSQL brute force cracking)

Some rookie administrators build their database directly on the system's sa account (this is rare now; administrators who build sites on MSSQL are generally not rookies). If the sa password is brute-forced, the attacker can use the extended stored procedure xp_cmdshell to attack the whole system. (MSF has similar MSSQL dictionary brute-force modules.) Fast-Track uses several methods to discover MSSQL servers:

1) It uses nmap to scan MSSQL's default TCP port 1433. If the target runs MSSQL Server 2005 or later, however, these versions use dynamic ports, which makes the port harder to guess. Fast-Track can instead interact directly with MSF and find the dynamic port the MSSQL server is running on through UDP port 1434.

2) Once Fast-Track has identified the service port and successfully brute-forced the sa password (this is not that simple; it needs a good configuration and a good social-engineering dictionary), it uses a binary-to-hex conversion method to implant a payload. The success rate of this attack is quite high, especially in large network environments where MSSQL is widely used.

The options we use most often after selecting MSSQL Bruter from the previous menu are:

(a)ttempt SQL Ping and Auto Quick Brute Force: scan an IP range (using the same syntax as nmap) and then run a quick brute force with a built-in dictionary of 50 common passwords.

(m)ass scan and dictionary brute: multi-host brute force. You can use your own password dictionary; Fast-Track also ships with a very good one in bin/dict/wordlist.txt.

(s)ingle target: brute-force a single target. The user name must be entered as sa, and the address can be entered as, for example, 192.168.0.103 or 192.168.0.1/24.

If the target host has a weak password, Fast-Track will directly pop back a cmdshell!

3. SQLPwnage

SQLPwnage is a Fast-Track module that detects SQLi vulnerabilities by scanning and crawling URLs and subnets for parameters vulnerable to SQL injection attacks. It is a way of attempting attacks at scale. SQLPwnage can scan port 80 across a web server segment, crawl your site to find URLs with injectable SQL parameters, and try fuzzing and POST injection. It supports error-based and blind injection, as well as restoring the xp_cmdshell stored procedure, privilege escalation and so on.

After entering SQLPwnage, we select "2. SQL Injection Search/Exploit by Binary Payload Injection (ERROR BASED)".

You can select option 1 to attack any listed vulnerable URL, or option 2 to scan the entire subnet. Isn't that simple and fast? Of course, how could it be called Fast-Track if it weren't fast and ruthless? You can find more details about Fast-Track's SQLPwnage module here: http://www.offensive-security.com/metasploit-unleashed/SQL_Pwnage
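As an added defender-side example (not part of the original article and not Fast-Track's own code), the following Python checks a SQL Server ERRORLOG for the two traces that the MSSQL Injector, MSSQL Bruter and SQLPwnage modules described above leave on the server: a burst of failed 'sa' logins from one client, and sp_configure switching xp_cmdshell on. The log lines, client addresses and login names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines in SQL Server's "timestamp  source  message"
# layout; the client addresses and login names are made up for this example.
SAMPLE_ERRORLOG = """\
2025-01-15 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.0.103]
2025-01-15 10:00:01.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.0.103]
2025-01-15 10:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.0.103]
2025-01-15 10:03:12.07 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-01-15 11:20:00.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+(.*)$")
FAIL_RE = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def parse_errorlog(text):
    """Yield (timestamp, source, message) for each well-formed ERRORLOG line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2), m.group(3)

def failed_login_bursts(entries, threshold=3, window=timedelta(seconds=60)):
    """Map (user, client) -> peak number of failed logins seen inside one sliding
    window of `window` seconds, for pairs that reached `threshold` or more.
    A burst against 'sa' from a single client is the MSSQL Bruter pattern."""
    recent, bursts = defaultdict(list), {}
    for ts, _, msg in entries:
        m = FAIL_RE.search(msg)
        if not m:
            continue
        key = (m.group(1), m.group(2))
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) >= threshold:
            bursts[key] = max(bursts.get(key, 0), len(recent[key]))
    return bursts

def xp_cmdshell_enabled(entries):
    """Timestamps at which xp_cmdshell was switched on, which is what the
    injector and bruter modules do before they try to spawn a shell."""
    return [ts for ts, _, msg in entries if XPCMD_RE.search(msg)]

def analyse(text):
    """Run both detections over raw ERRORLOG text."""
    entries = list(parse_errorlog(text))
    return {"bursts": failed_login_bursts(entries), "xp_cmdshell": xp_cmdshell_enabled(entries)}
```

On a real server, point analyse() at the current ERRORLOG and alert on any 'sa' burst or any xp_cmdshell enable that no change ticket explains.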

Reference materials: "Metasploit Penetration Testing Guide", "MSF Learning Notes", "Talking about the harm and utilization of SQLi".
