Based on the fingerprinting information we identified that the database server was running an old and vulnerable version of MS SQL server. Microsoft SQL Sever 2000 SP3, to be precise.
This is how our newly released Metasploit module was born. We coded an extension which can be added to Metasploit to exploit this vulnerability using a SQL injection vulnerability with no need of using credentials, as the web application will authenticate in our behalf.
<a href="http://www.secforce.co.uk/blog/wp-content/uploads/2011/01/ms09044_exploitation_small.png"></a>
Penetration testing - SQL injection exploitation
The screenshot above shows how to get meterpreter (or any other payload of your choice) exploiting the vulnerability from Metasploit.
![内網滲透1一、資訊收集二、一些概念 三、提權四、擷取目前機器下各類密碼 四、用到的工具[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)