2016-09-28 18:55:32 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::MYSQL
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'MYSQL Directory Write Test',
|
|
|
|
'Description' => %Q{
|
|
|
|
Enumerate writeable directories using the MySQL SELECT INTO DUMPFILE feature, for more
|
2016-09-30 18:53:15 +00:00
|
|
|
information see the URL in the references. ***Note: For every writable directory found,
|
2016-10-03 14:57:25 +00:00
|
|
|
a file with the specified FILE_NAME containing the text test will be written to the directory.***
|
2016-09-28 18:55:32 +00:00
|
|
|
},
|
|
|
|
'Author' => [ 'AverageSecurityGuy <stephen[at]averagesecurityguy.info>' ],
|
|
|
|
'References' => [
|
|
|
|
[ 'URL', 'https://dev.mysql.com/doc/refman/5.7/en/select-into.html' ]
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options([
|
|
|
|
OptPath.new('DIR_LIST', [ true, "List of directories to test", '' ]),
|
|
|
|
OptString.new('FILE_NAME', [ true, "Name of file to write", Rex::Text.rand_text_alpha(8) ]),
|
|
|
|
OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ])
|
|
|
|
])
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
# This function does not handle any errors, if you use this
|
|
|
|
# make sure you handle the errors yourself
|
|
|
|
def mysql_query_no_handle(sql)
|
|
|
|
res = @mysql_handle.query(sql)
|
|
|
|
res
|
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(ip)
|
2016-10-03 14:57:25 +00:00
|
|
|
print_warning("For every writable directory found, a file called #{datastore['FILE_NAME']} with the text test will be written to the directory.")
|
2016-10-03 15:01:51 +00:00
|
|
|
print_status("Login...")
|
2016-09-28 18:55:32 +00:00
|
|
|
|
2016-10-03 14:00:56 +00:00
|
|
|
unless mysql_login_datastore
|
2016-09-30 21:09:41 +00:00
|
|
|
print_error('Unable to login to the server.')
|
2016-09-28 18:55:32 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2016-10-03 14:47:03 +00:00
|
|
|
File.read(datastore['DIR_LIST']).each_line do |dir|
|
|
|
|
check_dir(dir.chomp)
|
2016-09-28 18:55:32 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def check_dir(dir)
|
|
|
|
begin
|
2016-10-03 15:01:51 +00:00
|
|
|
print_status("Checking #{dir}...")
|
2016-09-28 18:55:32 +00:00
|
|
|
res = mysql_query_no_handle("SELECT _utf8'test' INTO DUMPFILE '#{dir}/" + datastore['FILE_NAME'] + "'")
|
|
|
|
rescue ::RbMysql::ServerError => e
|
2016-10-03 15:38:36 +00:00
|
|
|
print_warning(e.to_s)
|
2016-09-28 18:55:32 +00:00
|
|
|
rescue Rex::ConnectionTimeout => e
|
2016-10-03 15:01:51 +00:00
|
|
|
print_error("Timeout: #{e.message}")
|
2016-09-28 18:55:32 +00:00
|
|
|
else
|
|
|
|
print_good("#{dir} is writeable")
|
|
|
|
report_note(
|
|
|
|
:host => rhost,
|
|
|
|
:type => "filesystem.file",
|
|
|
|
:data => "#{dir} is writeable",
|
|
|
|
:port => rport,
|
|
|
|
:proto => 'tcp',
|
|
|
|
:update => :unique_data
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|