Pimcore Gather Credentials via SQL Injection

Disclosed: Aug 13, 2018
Created: Mar 19, 2019

Description

This module extracts the usernames and hashed passwords of all users of
the Pimcore web service by exploiting a SQL injection vulnerability in
Pimcore's REST API.

Pimcore begins to create password hashes by concatenating a user's
username, the name of the application, and the user's password in the
format USERNAME:pimcore:PASSWORD.

The resulting string is then used to generate an MD5 hash, and then that
MD5 hash is used to create the final hash, which is generated using
PHP's built-in password_hash function.
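
The hash construction described above, as an added PHP example (not code from Pimcore or from the module). The function names, the sample accounts and passwords, and the use of md5()'s default hex output and PASSWORD_DEFAULT are assumptions made for illustration.

```php
<?php
// Added illustration; not Pimcore source. Function names are hypothetical.

// Inner layer: MD5 of "USERNAME:pimcore:PASSWORD".
// Assumption: md5()'s default 32-character hex output is what gets hashed next.
function pimcore_style_prehash(string $username, string $password): string
{
    return md5($username . ':pimcore:' . $password);
}

// Outer layer: password_hash() over the MD5 string (random salt per call).
function pimcore_style_hash(string $username, string $password): string
{
    return password_hash(pimcore_style_prehash($username, $password), PASSWORD_DEFAULT);
}

// Login-time check: rebuild the inner MD5, let password_verify() do the rest.
function pimcore_style_verify(string $username, string $password, string $stored): bool
{
    return password_verify(pimcore_style_prehash($username, $password), $stored);
}

// Constructed sample data: two accounts sharing one password.
$password = 'Correct-Horse-9';
$stored = [
    'admin'  => pimcore_style_hash('admin', $password),
    'editor' => pimcore_style_hash('editor', $password),
];

foreach ($stored as $user => $hash) {
    printf("%-6s prehash=%s algo=%s\n", $user,
        pimcore_style_prehash($user, $password),
        password_get_info($hash)['algoName']);
}

// The username is part of the hashed input, so a stored hash only verifies
// under the account name it was created for; renaming needs a new hash.
var_dump(pimcore_style_verify('admin', $password, $stored['admin']));   // same account
var_dump(pimcore_style_verify('editor', $password, $stored['admin']));  // other account

// Rotation after a suspected disclosure: the old password stops verifying.
$stored['admin'] = pimcore_style_hash('admin', 'New-Passphrase-2019!');
var_dump(pimcore_style_verify('admin', $password, $stored['admin']));

// Flag hashes created with outdated parameters so they are upgraded at next login.
var_dump(password_needs_rehash($stored['admin'], PASSWORD_DEFAULT));
```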

Authors

Thongchai Silpavarangkura
N. Rai-Ngoen
Shelby Pace

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use auxiliary/gather/pimcore_creds_sqli
msf auxiliary(pimcore_creds_sqli) > show actions
...actions...
msf auxiliary(pimcore_creds_sqli) > set ACTION <action-name>
msf auxiliary(pimcore_creds_sqli) > show options
...show and set options...
msf auxiliary(pimcore_creds_sqli) > run
