Archive

Posts tagged ‘Metasploit’

Advanced SQL injection to operating system full control

17 February 2011, by admin

From: http://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-slides.pdf

Advanced SQL injection to operating system full control
Bernardo Damele Assumpção Guimarães
bernardo.damele@gmail.com
April 10, 2009

This white paper discusses the security exposures of a server that occur due to a SQL injection flaw in a web application that communicates with a database.
Over ten years have passed since a famous hacker coined the term SQL injection, and it is still considered one of the major application threats. A lot has been said about this vulnerability, but not all of its aspects and implications have been uncovered yet.
This paper's aim is to collate some of the existing knowledge, introduce new techniques and demonstrate how to get complete control over the database management system's underlying operating system, file system and internal network through a SQL injection vulnerability in overlooked and theoretically not exploitable scenarios.

Contents
I Introduction
1 SQL injection
2 Web application scripting languages
2.1 Batched queries
3 Batched queries via SQL injection
3.1 MySQL
3.2 PostgreSQL
3.3 Microsoft SQL Server

II File system access
4 Read access
4.1 MySQL
4.2 PostgreSQL
4.3 Microsoft SQL Server
5 Write access
5.1 MySQL
5.2 PostgreSQL
5.3 Microsoft SQL Server
III Operating system access
6 User-Defined Function
7 UDF injection
7.1 MySQL
7.1.1 Shared library creation
7.1.2 SQL injection to command execution
7.2 PostgreSQL
7.2.1 Shared library creation
7.2.2 SQL injection to command execution
8 Stored procedure
8.1 Microsoft SQL Server
8.1.1 xp_cmdshell procedure
8.1.2 SQL injection to command execution

IV Out-of-band connection
9 Stand-alone payload stager
9.1 Payload stager options
9.2 Session
10 SMB relay attack
10.1 Universal Naming Convention
10.2 Abuse UNC path requests
10.2.1 MySQL
10.2.2 PostgreSQL
10.2.3 Microsoft SQL Server

11 Stored procedure buffer overflow
11.1 Exploit
11.2 Memory protection
11.3 Bypass DEP

V Privilege escalation
VI Conclusion
12 Acknowledgments

The Operation Outbreak Attack

28 December 2010, by admin

From: http://www.exploit-db.com/papers/15833/

|=--------------------------------------------------------------------=|
|=----------------=[ The Operation OutBreak Attack ]=-----------------=|
|=--------------------------=[ 26 Dec 2010 ]=-------------------------=|
|=----------------------=[  By CWH Underground  ]=--------------------=|
|=--------------------------------------------------------------------=|

######
Info
######

Title    : The Operation OutBreak Attack
Author    : ZeQ3uL  (Prathan Phongthiproek)
Retool2 (Suttapong Wara-asawapati)
Team    : CWH Underground [http://www.exploit-db.com/author/?a=1275]
Website    : www.citecclub.org
Date    : 2010-12-26

##########
Contents
##########

[0x00] – Introduction

[0x01] – OutBreak Web Application

[0x02] – OutBreak MySQL Database

[0x03] – OutBreak with Autosploit.rc

[0x04] – Outbreak to Internal Server

[0x05] – References

[0x06] – Greetz To

#######################
[0x00] – Introduction
#######################

Hi all, in this paper we will show you my hacking method (logs) from a real-world case study on a company.
Moreover, we also show ways to use the best exploitation tool, the Metasploit Framework (thanks to HD Moore and Rapid7), which is more powerful than in the past, with many exploits and auxiliary modules (we will see it ;D).

We recommend reading the previous paper "The Operation Cloudburst Attack", which guides you through methods of hacking with the Metasploit Framework.

###################################
[0x01] – OutBreak Web Application
###################################

First, I used nmap to scan the target for open ports and found the information below:

Metasploit with MYSQL in BackTrack 4 r2

24 December 2010, by admin

From: http://hi.baidu.com/p3rlish/blog/item/de16d790f29e749fa977a4a3.html
Until the release of BackTrack 4 r2, it was possible to get Metasploit working with MySQL, but it was not an altogether seamless experience. Now, however, Metasploit and MySQL work together "out of the box", so we thought it would be worth highlighting the integration. With the Metasploit team moving away from sqlite3, it is vital to be able to use a properly threaded database. Quite a number of additional database commands have also been added to Metasploit, and online documentation tends to be rather sparse when it comes to the less "glamorous" side of database management.
root@bt:~# msfconsole

       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 635 exploits - 316 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r11078 updated today (2010.11.19)

msf > db_driver
[*]    Active Driver: postgresql
[*]        Available: postgresql, mysql, sqlite3

We then load the mysql driver, start the mysql service and connect to the database. If the database does not already exist, Metasploit will create it for us.
msf > db_driver mysql
[*] Using database driver mysql
msf > /etc/init.d/mysql start
[*] exec: /etc/init.d/mysql start

Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
msf > db_connect
[*]    Usage: db_connect <user:pass>@<host:port>/<database>
[*]       OR: db_connect -y [path/to/database.yml]
[*] Examples:
[*]        db_connect user@metasploit3
[*]        db_connect user:pass@192.168.0.2/metasploit3
[*]        db_connect user:pass@192.168.0.2:1500/metasploit3
msf > db_connect root:toor@127.0.0.1/msf3

Metasploit Express

26 April 2010, by xion

Metasploit has released something new, called Metasploit Express.

The following is the official text!

Metasploit Express is an affordable, easy-to-use penetration testing solution that provides full network penetration testing capabilities, backed by the world's largest, fully tested and integrated public database of exploits. Built on feedback from the Metasploit user community, key security experts, and Rapid7 customers, Metasploit Express enables organizations to take the next step forward in security.

Metasploit founder says there is no end to software vulnerabilities

26 April 2010, by xion

H.D. Moore, the founder of Metasploit and a vulnerability expert, points out that although security-minded developers are doing better and better and the applications they build have fewer and fewer bugs, the continuing growth in the number of applications means that the number of new software vulnerabilities keeps rising. In an interview at RSA 2010, Moore explained how Metasploit helps people test their systems and detect new software security vulnerabilities, so that the risk a new vulnerability poses can be understood before attackers have a chance to exploit it.

Can you explain how Metasploit contributes to software security?

H.D. Moore: Metasploit is a software framework for finding vulnerabilities that lets you exploit those vulnerabilities during a penetration test. It is a truly community-driven, open-source tool suite. It all began seven years ago. Whenever a new vulnerability is discovered, we create a safe version that exploits it and add it to Metasploit, so that network administrators, students, researchers and government agencies can test their systems and make sure their products and systems are properly patched. So for us it amounts to a vendor "check and balance system". If a vendor says, "I have released a patch", you can use Metasploit to verify whether your system has the patch installed, whether the patch works correctly, and so on, without having to do the extra work you used to have to do to make sure a patch worked.

Collecting email addresses with Metasploit

12 April 2010, by admin

Source: milsec.com
Author: 影子牛
Repost begins.

I found this quite useful; if you find it tedious, just clap your hands. As for what to do with the email addresses once you have collected them, that is up to each of you.

[root@sms framework3]# ./msfconsole

888                           888        d8b888
888                           888        Y8P888
888                           888           888
88888b.d88b.  .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
888 "888 "88bd8P  Y8b888       "88b88K     888 "88b888d88""88b888888
888  888  88888888888888   .d888888"Y8888b.888  888888888  888888888
888  888  888Y8b.    Y88b. 888  888     X88888 d88P888Y88..88P888Y88b.
888  888  888 "Y8888  "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
888
888
888

       =[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 534 exploits - 252 auxiliary
+ -- --=[ 259 payloads - 23 encoders - 8 nops
       =[ svn r8821 updated today (2010.03.15)

msf > use auxiliary/gather/search_email_collector
OK, let's take a look at the description.
msf auxiliary(search_email_collector) > info

Chinese manual for exploit development under the Metasploit Framework

9 April 2010, by xion

PDF download: MSFEXP

For convenience, the content below was converted from the PDF; if it is hard to read or contains errors, please download and read the PDF version!

Author: gz1x [gz1x@tom.com]

[Contents]

Contents
0. Foreword
1. Overview
2. Interface environment

attack oracle with metasploit

7 April 2010, by xion

Source: http://www.milsec.net/viewtopic.php?id=42

Topic: attack oracle with metasploit. A weak Oracle password is enough to compromise the target. Of course, the weak-password account needs the RESOURCE role.
1. Query the TNS version. nmap 5 also works for this.

[repost] All in one: pentest under metasploit

28 March 2010, by admin
Source: http://hi.baidu.com/p3rlish/blog/item/f54f4c097a907f8ad1581b0b.html
All in one: pentest under metasploit
2009-06-02 00:27

As a well-known penetration testing framework, Metasploit integrates almost every intrusion and penetration tool, and its power is astonishing. Explore it gradually and you will come to like it.

What I am going to demonstrate today is how to do intrusion and penetration testing in Metasploit, from basic information gathering to intrusion to internal penetration, all of it done inside Metasploit. First we update Metasploit to the latest version.

root@ubuntu:/pentest/exploits/framework3# svn update
A    modules/exploits/windows/browser/ibmegath_getxmlvalue.rb
版本6609。
Already the latest version; now start framework3.

root@ubuntu:/pentest/exploits/framework3# ./msfconsole

|                    |      _) |
__ `__ \   _ \ __| _` | __| __ \ | _ \ | __|
|   |   | __/ |   (   |\__ \ |   | | (   | | |
_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
_|
       =[ msf v3.3-dev
+ -- --=[ 376 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 153 aux

msf >

Once the target is decided, we first gather information: DNS lookups, server type, open ports. We proceed as follows; why we do it this way will be explained later.

Exploit iepeers vul with ettercap video tutorial

18 March 2010, by admin

I made a video tutorial for linux520.com.

Exploit iepeers vul with ettercap and metasploit framework video

Watch online

Exploit iepeers vul with ettercap (Part 1)

http://www.linux520.com/v/l00066/l00066.html

Exploit iepeers vul with ettercap (Part 2)

http://www.linux520.com/v/l00067/l00067.html

Uploading the PPT~~~

Exploit iepeers vul with ettercap && msf (ppt):

Exploit iepeers vul with ettercap

A few words up front:

This tutorial was written by kindle. kindle has taught me a lot and by rights should have earned the gratitude of us newbies, but lately this guy has been owning too many sites, is worn out, and recently came down with a high fever, so I recorded it on his behalf; I hope kindle sees this tutorial, gets over his fever at once, and keeps owning sites. • Apologies to everyone: for personal reasons I have been rather down lately, yes, also known as "dan teng", so I don't feel like talking and won't be recording a voice track, sorry! Please ignore the typos, thanks!

Video links to be added later~~~

Please visit linux520.com