File/dir brute forcer using MySQL

2013-01-19 22:48:00 +00:00 · 2013-01-19 22:48:00 +00:00 · 23d1eb7a80
parent 967c04e727
commit 23d1eb7a80
2 changed files with 102 additions and 0 deletions
--- a/lib/msf/core/exploit/mysql.rb
+++ b/lib/msf/core/exploit/mysql.rb
@ -87,6 +87,13 @@ module Exploit::Remote::MYSQL
 		return res
 	end

+	# This function does not handle any errors, if you use this
+	# make sure you handle the errors yourself
+	def mysql_query_no_handle(sql)
+		res = @mysql_handle.query(sql)
+		res
+	end
+
 	def mysql_query(sql)
 		begin
 			res = @mysql_handle.query(sql)
--- a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb
+++ b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb
@ -0,0 +1,95 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'yaml'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::MYSQL
+	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::Scanner
+
+	def initialize
+		super(
+			'Name'           => 'MYSQL File/Directory Enumerator',
+			'Description'    => %Q{
+					Enumerate files and directories using the MySQL load_file feature, for more information see the URL in the references.
+			},
+			'Version'     => '$Revision $', 
+			'Author'         => [ 'Robin Wood <robin[at]digininja.org>' ],
+			'References'  => [
+								[ 'URL', 'http://pauldotcom.com/2013/01/mysql-file-system-enumeration.html' ],
+								[ 'URL', 'http://www.digininja.org/projects/mysql_file_enum.php' ]
+							],
+			'License'        => MSF_LICENSE
+		)
+
+		register_options([
+			OptString.new('FILE_LIST', [ true, "List of directories to enumerate", '' ]),
+			OptString.new('DATABASE_NAME', [ true, "Name of database to use", 'test' ]),
+			OptString.new('TABLE_NAME', [ true, "Name of table to use", Rex::Text.rand_text_alpha(8) ]),
+			OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ])
+			])
+
+	end
+
+	def run_host(ip)
+		print_status("Checking " + ip)
+		# Should check this before running at all, this is run on a
+		# per-host level
+		if not ::File.exists?(datastore['FILE_LIST'])
+			print_error "File list does not exist!"
+			return
+		end
+
+		if (not mysql_login_datastore)
+			return
+		end
+
+		mysql_query("USE " + datastore['DATABASE_NAME'])
+		res = mysql_query("SELECT * FROM information_schema.TABLES WHERE TABLE_SCHEMA = '" + datastore['DATABASE_NAME'] + "' AND TABLE_NAME = '" + datastore['TABLE_NAME'] + "';")
+		table_exists = (res.size == 1)
+
+		if !table_exists
+			print_status("Table doesn't exist so creating it")
+			mysql_query("CREATE TABLE " + datastore['TABLE_NAME'] + " (brute int);")
+		end
+
+		file = File.new(datastore['FILE_LIST'], "r")
+		file.each_line do |line|
+			check_dir(line.chomp)
+		end
+
+		if !table_exists
+			print_status("Cleaning up the temp table")
+			mysql_query("DROP TABLE " + datastore['TABLE_NAME'])
+		end
+	end
+
+	def check_dir dir
+		begin
+			res = mysql_query_no_handle("LOAD DATA INFILE '" + dir + "' INTO TABLE brute")
+		rescue ::RbMysql::TextfileNotReadable
+			print_good(dir + " is a directory and exists")
+		rescue ::RbMysql::ServerError
+			print_warning(dir + " does not exist")
+		rescue ::RbMysql::Error => e
+			print_error("MySQL Error: #{e.class} #{e.to_s}")
+			return
+		rescue Rex::ConnectionTimeout => e
+			print_error("Timeout: #{e.message}")
+			return
+		else
+			print_good(dir + " is a file and exists")
+		end
+		#puts res.inspect
+
+		return
+	end
+
+end