
If I were to look for web-app related files on a server that might contain cleartext credentials...

  1. #1
    Sophie Pedophile Tech Support
    Which type of files would I look for? Obviously PHP comes to mind, perhaps Python files as well. Ruby too? For Ruby on Rails, of course. The way I am looking for them is with this command:


    find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'


    Any other type of files I would be interested in?
  2. #2
    Lanny Bird of Courage
    You have to be on a pretty ghetto service to have passwords actually stored in source. I'd suggest listing the running processes and looking for a database process, or looking at netstat for outgoing conns on common DB ports; that's typically where your data's going to be. Getting an SQL shell up from there should be trivial, although exact steps are dependent on what database the target is running. Look around for a users or similar table; authentication data has to live somewhere.
  3. #3
    Lanny Bird of Courage
    Also `var` isn't used on every variable declaration in PHP; in many cases it's not used at all (new in 5, I think), so you probably shouldn't include it in your search if you're set on searching source files.
  4. #4
    Sophie Pedophile Tech Support
    Originally posted by Lanny: You have to be on a pretty ghetto service to have passwords actually stored in source. I'd suggest listing the running processes and looking for a database process, or looking at netstat for outgoing conns on common DB ports; that's typically where your data's going to be. Getting an SQL shell up from there should be trivial, although exact steps are dependent on what database the target is running. Look around for a users or similar table; authentication data has to live somewhere.

    I think this is the best way to go about it in this specific scenario, yeah.
  5. #5
    TreyGowdy Houston
    Is getting an SQL shell really trivial (without root)?

    I would dump the environmental vars as these would likely contain db credentials.
  6. #6
    Sophie Pedophile Tech Support
    Originally posted by TreyGowdy: Is getting an SQL shell really trivial (without root)?

    I would dump the environmental vars as these would likely contain db credentials.

    Also a good idea.
  7. #7
    Why not just go to root, and zip all the files and download?
  8. #8
    Lanny Bird of Courage
    Originally posted by TreyGowdy: Is getting an SQL shell really trivial (without root)?

    I would dump the environmental vars as these would likely contain db credentials.

    If you're a user and a process that can connect to a DB is running under you, credentials have to be somewhere. Trust auth is not uncommon if your DB is running on the same machine as the web server; if it's a key or a password, just poke at the source to see where it's coming from, which is a better approach than trying to squint at env vars or config files. I guess source isn't useless after you have a shell, but it's more of an analysis task than an automated search.
  9. #9
    0Death Yung Blood
    Don't mind my long post, just posting cool suggestions!
    Maybe you could add a wildcard to the end of "php" as well, so it becomes "*.php*", since there's always the possibility of them using older versions. I've seen sites myself that use extensions like ".php3" and ".php5". Other interesting extensions might be: ".shtml" (server-side HTML), ".cfm" (ColdFusion) and, yeah, like you said, maybe Perl, Ruby or other scripting languages.

    You could make some sort of array with extensions like that and look for files with names like (conf, config, global, db, database).extension in the webserver root directories such as /var/www and /home/user/public_html.

    For a more full-text search for database credentials in PHP, you could maybe try to search for PHP PDO instances through regex or something. For example: "${variable} = new PDO (${variables here}...);".

    Also, if the user has automated backups via cronjobs or something and doesn't want to store his password directly in the .sh file, there might be a possibility that he has stored the MySQL credentials in his my.cnf file in any of its usual locations (might be worth looking into).

    If they have MySQL safe mode enabled, there might be a possibility that the credentials are stored in the php.ini file instead of in the PHP source code of the application. Like this: http://webmasters.stackexchange.com/a/72124 .
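    The same file-type and pattern ideas from this post (older .php3/.php5 extensions, .shtml and .cfm, PDO constructors with inline credentials, my.cnf and shell backup scripts) are what a maintainer would want to check their own tree for before a server like this gets reviewed by someone else. The following is an added example, not code from the thread: a small hardcoded-credential scanner meant to run in CI or as a pre-commit check over a web-app tree. The file names, contents and pattern labels are constructed for the demo; the regexes are deliberately coarse (they will flag commented-out examples too), which is the right trade-off for a review tool that a human triages.

```python
"""Added example: scan a web-app source tree for hardcoded credentials.

Not part of the forum thread; the sample tree, file names and pattern
labels are constructed for this demo.
"""
import os
import re
import shutil
import tempfile

# File types worth scanning: the extensions named in the thread plus
# common scripting and config files. Adjust to the project being reviewed.
SOURCE_EXTS = {".php", ".php3", ".php5", ".phtml", ".shtml", ".cfm",
               ".rb", ".py", ".pl", ".sh", ".cnf", ".ini", ".yml", ".yaml"}

# Coarse patterns, checked per line; the first matching label wins.
PATTERNS = {
    # $password = "..."; password: '...'; 'password' => '...'; PASSWORD = "..."
    "literal-password-assignment": re.compile(
        r"""\$?['"]?\b(?:db_?)?(?:password|passwd|pwd|secret)\b['"]?"""
        r"""\s*(?:=>|[:=])\s*['"][^'"]+['"]""", re.I),
    # new PDO("dsn", "user", "literal-password")
    "pdo-literal-credentials": re.compile(
        r"""new\s+PDO\s*\(\s*['"][^'"]*['"]\s*,\s*['"][^'"]*['"]\s*,\s*['"][^'"]+['"]""",
        re.I),
    # my.cnf style "password=..." or shell "MYSQL_PWD=..." at line start
    "unquoted-password-assignment": re.compile(
        r"""^\s*(?:export\s+)?\w*(?:password|passwd|pwd)\s*=\s*\S+""", re.I),
}


def scan_tree(root):
    """Return sorted (relative_path, line_number, label) for every hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SOURCE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    for lineno, line in enumerate(fh, 1):
                        for label, rx in PATTERNS.items():
                            if rx.search(line):
                                findings.append((os.path.relpath(path, root), lineno, label))
                                break
            except OSError:
                continue
    return sorted(findings)


def build_sample_tree():
    """Constructed sample files: some should be flagged, some should not."""
    root = tempfile.mkdtemp(prefix="credscan-")
    samples = {
        # flagged twice: literal assignment, then PDO with inline password
        "config.php": ('<?php\n$db_password = "hunter2";\n'
                       '$db = new PDO("mysql:host=localhost;dbname=app", "app", "hunter2");\n'),
        # not flagged: the password comes from the environment
        "legacy.php3": "<?php\n$password = getenv('DB_PASS');\n",
        # flagged: password passed inline in a backup script
        "backup.sh": "#!/bin/sh\nMYSQL_PWD=hunter2 mysqldump app > backup.sql\n",
        # not flagged: Rails-style reference to an env var
        "database.yml": "production:\n  password: <%= ENV['DB_PASS'] %>\n",
        # flagged: MySQL client config with a stored password
        ".my.cnf": "[client]\nuser=app\npassword=hunter2\n",
        # not scanned at all: extension not in SOURCE_EXTS
        "notes.txt": 'password = "irrelevant, not a source file"\n',
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Build the constructed tree, scan it, clean up, return the findings."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, lineno, label in demo():
        print(f"{path}:{lineno}: {label}")
```

    Run it with the project root as `scan_tree("/path/to/app")` and fail the build on a non-empty result; lines that read credentials from the environment or a secrets store are left alone, which is the behaviour you want the codebase to converge on.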
  10. #10
    TreyGowdy Houston
    For searching code, "ack" is preferred; it will skip binary files, which makes it faster than grep. Then you don't have to mess around with the file type pattern matching. Just "ack '$password'"; it will search more than PHP, but who knows, maybe there's a bash script with some nice passwords somewhere.

    I think it goes by extension, so a script with no extension might be excluded; not 100% on that though.

    Post last edited by TreyGowdy at 2017-02-10T04:57:29.768145+00:00
  11. #11
    Sophie Pedophile Tech Support
    Thank you guys for your input, it's been illuminating.