Path: blob/master/lib/metasploit/framework/login_scanner/phpmyadmin.rb
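require 'metasploit/framework/login_scanner/http'

module Metasploit
  module Framework
    module LoginScanner
      # Login scanner for phpMyAdmin's web login form.
      #
      # Each attempt first GETs the login page to collect the phpMyAdmin
      # session cookie and the anti-CSRF token, then POSTs the form with
      # those values. A 302 whose Location contains index.php is treated as
      # a successful login; anything else is INCORRECT.
      class PhpMyAdmin < HTTP

        PRIVATE_TYPES = [ :password ].freeze
        LOGIN_STATUS = Metasploit::Model::Login::Status

        # First capture: the phpMyAdmin session id from the Set-Cookie data.
        SESSION_COOKIE_REGEX = /phpMyAdmin=(\w+);*/
        # First capture: the (HTML-encoded) token hidden field on the login page.
        TOKEN_REGEX = /token"\s*value="(.*?)"/
        # First capture: the version embedded in the page's PMA_VERSION string.
        VERSION_REGEX = /PMA_VERSION:"(\d+\.\d+\.\d+)"/

        # Fetches the login page and checks that it looks like phpMyAdmin.
        #
        # @return [String] the detected version, or "Not Detected" when the
        #   page is phpMyAdmin but carries no PMA_VERSION string
        # @return [false] when the request failed or the body does not
        #   contain 'phpMyAdmin'
        def check_setup
          res = send_request({ 'uri' => uri })
          return false unless res && res.body.include?('phpMyAdmin')

          match = res.body.match(VERSION_REGEX)
          return "Not Detected" unless match

          Rex::Version.new(match[1]).to_s
        end

        # Scrapes the values needed to submit the login form.
        #
        # @return [Array(String, String, String)] session id, HTML-decoded
        #   token, and the last two whitespace-separated cookie fragments
        #   joined with a space (sent back verbatim as the Cookie header)
        # @return [Hash] a +{status:, proof:}+ hash with
        #   +LOGIN_STATUS::UNABLE_TO_CONNECT+ when the page cannot be fetched
        #   or any of the three values is missing or empty
        def get_session_info
          res = send_request({ 'uri' => uri })
          return { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: 'Unable to access PhpMyAdmin login page' } unless res

          no_connect = { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: 'Cannot retrieve session info' }

          # Extract each value exactly once; String#[] with a capture index
          # yields nil when the pattern does not match.
          cookie_header = res.get_cookies
          session_id = cookie_header[SESSION_COOKIE_REGEX, 1]
          raw_token = res.body[TOKEN_REGEX, 1]
          # Array#[] with a range is nil when fewer than two fragments exist.
          cookie_parts = cookie_header.split[-2..-1]
          return no_connect if session_id.nil? || raw_token.nil? || cookie_parts.nil?

          # The token comes out of an HTML attribute, so entity-decode it before reuse.
          info = [session_id, Rex::Text.html_decode(raw_token), cookie_parts.join(' ')]
          return no_connect if info.any?(&:empty?)

          info
        end

        # Submits one username/password pair to the phpMyAdmin login form.
        #
        # @param username [String]
        # @param password [String]
        # @return [Hash] +{status:, proof:}+ — SUCCESSFUL on a 302 whose
        #   Location contains index.php, INCORRECT otherwise, or the
        #   UNABLE_TO_CONNECT hash produced by {#get_session_info}
        def do_login(username, password)
          session_info = get_session_info
          # get_session_info returns a status hash instead of the info array on failure
          return session_info if session_info.is_a?(Hash)

          session_id, token, cookies = session_info

          res = send_request(
            'uri' => uri,
            'method' => 'POST',
            'cookie' => cookies,
            'vars_post' => {
              'set_session' => session_id,
              'pma_username' => username,
              'pma_password' => password,
              'target' => 'index.php',
              # NOTE(review): 'server' is hard-coded to 1; presumably the first
              # configured phpMyAdmin server — confirm before relying on it.
              'server' => 1,
              'token' => token
            }
          )

          # A failed request (nil res) or any non-302 response counts as INCORRECT;
          # res.to_s is kept as proof in both cases.
          if res && res.code == 302 && res.headers['Location'].to_s.include?('index.php')
            { status: LOGIN_STATUS::SUCCESSFUL, proof: res.to_s }
          else
            { status: LOGIN_STATUS::INCORRECT, proof: res.to_s }
          end
        end

        # Runs a single credential attempt and wraps the outcome in a Result.
        #
        # @param credential [#public, #private] the credential to try
        # @return [Result]
        def attempt_login(credential)
          result_opts = {
            credential: credential,
            status: LOGIN_STATUS::INCORRECT,
            proof: nil,
            host: host,
            port: port,
            protocol: 'tcp'
          }

          # do_login's :status/:proof replace the INCORRECT/nil defaults above
          result_opts.merge!(do_login(credential.public, credential.private))

          Result.new(result_opts)
        end
      end
    end
  end
end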