Class: Metasploit::Framework::LoginScanner::PhpMyAdmin

Inherits:
HTTP
  • Object
Defined in:
lib/metasploit/framework/login_scanner/phpmyadmin.rb

Constant Summary collapse

PRIVATE_TYPES =
[ :password ]
LOGIN_STATUS =
Metasploit::Model::Login::Status

Constants inherited from HTTP

HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_PORT, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY

Instance Attribute Summary

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_success_codes, #http_username, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary collapse

Methods inherited from HTTP

#send_request

Instance Method Details

#attempt_login(credential) ⇒ Object



# File 'lib/metasploit/framework/login_scanner/phpmyadmin.rb', line 70

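# Runs one login attempt for +credential+ and wraps the outcome in a Result.
#
# The method name and the +do_login+ call were lost in the rendered listing;
# both are restored here from the page's own method summary.
#
# @param credential [Object] object responding to +public+ (the username) and
#   +private+ (the password; PRIVATE_TYPES only lists +:password+)
# @return [Result] result for +host+/+port+ over +'tcp'+; +status+ and +proof+
#   come from #do_login and default to INCORRECT / nil
def attempt_login(credential)
  result_opts = {
    credential: credential,
    status: LOGIN_STATUS::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    protocol: 'tcp'
  }

  # do_login returns a Hash with :status and :proof; merge! lets it override
  # the INCORRECT/nil defaults above.
  result_opts.merge!(do_login(credential.public, credential.private))

  Result.new(result_opts)
end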

#check_setup ⇒ Object



# File 'lib/metasploit/framework/login_scanner/phpmyadmin.rb', line 11

# Requests +uri+ and reports whether it looks like a phpMyAdmin page and, if so,
# which version the page advertises.
#
# @return [String] the version taken from the page's +PMA_VERSION:"x.y.z"+
#   marker, or +"Not Detected"+ when the body mentions phpMyAdmin but carries
#   no such marker
# @return [false] when there is no response or the body does not mention
#   phpMyAdmin
def check_setup
  res = send_request({ 'uri' => uri })
  return false unless res && res.body.include?('phpMyAdmin')

  marker = res.body.match(/PMA_VERSION:"(\d+\.\d+\.\d+)"/)
  return "Not Detected" unless marker

  Rex::Version.new(marker[1]).to_s
end

#do_login(username, password) ⇒ Object



# File 'lib/metasploit/framework/login_scanner/phpmyadmin.rb', line 41

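# Posts one username/password pair to the phpMyAdmin login form.
#
# The method name was lost in the rendered listing and is restored from the
# page's method summary. The unused +protocol+/+peer+ locals are dropped, and a
# missing response now reports UNABLE_TO_CONNECT (as #get_session_info already
# does) instead of being recorded as a wrong password.
#
# @param username [String] sent as +pma_username+
# @param password [String] sent as +pma_password+
# @return [Hash] +:status+ (a LOGIN_STATUS constant) and +:proof+; when the
#   login page could not be fetched this is the Hash from #get_session_info
def do_login(username, password)
  session_info = get_session_info
  # get_session_info hands back a status Hash instead of the
  # [session_id, token, cookies] Array when the login page was unreachable.
  return session_info if session_info.is_a?(Hash)

  session_id, token, cookies = session_info

  res = send_request(
    'uri'       => uri,
    'method'    => 'POST',
    'cookie'    => cookies,
    'vars_post' => {
      'set_session'  => session_id,
      'pma_username' => username,
      'pma_password' => password,
      'target'       => 'index.php',
      'server'       => 1,
      'token'        => token
    }
  )

  # No response at all is a transport problem, not a credential verdict.
  return { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: 'No response to login request' } unless res

  # A successful login is recognised by a 302 redirect back to index.php.
  if res.code == 302 && res.headers['Location'].to_s.include?('index.php')
    return { status: LOGIN_STATUS::SUCCESSFUL, proof: res.to_s }
  end

  { status: LOGIN_STATUS::INCORRECT, proof: res.to_s }
end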

#get_session_info ⇒ Object



# File 'lib/metasploit/framework/login_scanner/phpmyadmin.rb', line 25

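# Fetches the phpMyAdmin login page and pulls out what #do_login needs to post.
#
# Each pattern is evaluated once (the previous version ran every scan twice),
# and the always-false +info.empty?+ check on a three-element Array is gone.
#
# @return [Array(String, String, String)] +[session_id, token, cookies]+:
#   the +phpMyAdmin+ cookie value, the html-decoded hidden +token+ form value,
#   and the last two whitespace-separated fragments of the cookie data joined
#   with a space
# @return [Hash] +:status+ UNABLE_TO_CONNECT plus a +:proof+ message when the
#   page could not be fetched or any of the three values is missing or empty
def get_session_info
  res = send_request({ 'uri' => uri })
  return { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: 'Unable to access PhpMyAdmin login page' } unless res

  no_connect = { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: 'Cannot retrieve session info' }

  raw_cookies = res.get_cookies
  session_id  = raw_cookies[/phpMyAdmin=(\w+);*/, 1]
  raw_token   = res.body[/token"\s*value="(.*?)"/, 1]
  # [-2..-1] is nil when fewer than two fragments are present
  cookie_tail = raw_cookies.split[-2..-1]
  return no_connect if session_id.nil? || raw_token.nil? || cookie_tail.nil?

  # the token is read from HTML, so entities must be decoded before reuse
  token   = Rex::Text.html_decode(raw_token)
  cookies = cookie_tail.join(' ')
  return no_connect if session_id.empty? || token.empty? || cookies.empty?

  [session_id, token, cookies]
end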