CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/mysql/mysql_file_enum.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'yaml'

7


8
class MetasploitModule < Msf::Auxiliary

9
  include Msf::Exploit::Remote::MYSQL

10
  include Msf::Auxiliary::Report

11
  include Msf::Auxiliary::Scanner

12
  include Msf::OptionalSession::MySQL

13


14
  def initialize

15
    super(

16
      'Name'           => 'MYSQL File/Directory Enumerator',

17
      'Description'    => %Q{

18
          Enumerate files and directories using the MySQL load_file feature, for more

19
        information see the URL in the references.

20
      },

21
      'Author'         => [ 'Robin Wood <robin[at]digininja.org>' ],

22
      'References'  => [

23
        [ 'URL', 'http://pauldotcom.com/2013/01/mysql-file-system-enumeration.html' ],

24
        [ 'URL', 'http://www.digininja.org/projects/mysql_file_enum.php' ]

25
      ],

26
      'License'        => MSF_LICENSE

27
    )

28


29
    register_options([

30
      OptPath.new('FILE_LIST', [ true, "List of directories to enumerate", '' ]),

31
      OptString.new('DATABASE_NAME', [ true, "Name of database to use", 'mysql' ]),

32
      OptString.new('TABLE_NAME', [ true, "Name of table to use - Warning, if the table already exists its contents will be corrupted", Rex::Text.rand_text_alpha(8) ]),

33
      OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ])

34
    ])

35


36
  end

37


38
  # This function does not handle any errors, if you use this

39
  # make sure you handle the errors yourself

40
  def mysql_query_no_handle(sql)

41
    res = self.mysql_conn.query(sql)

42
    res

43
  end

44


45
  def run_host(ip)

46
    vprint_status("Login...") unless session

47


48
    # If we have a session make use of it

49
    if session

50
      print_status("Using existing session #{session.sid}")

51
      self.mysql_conn = session.client

52
    else

53
      # otherwise fallback to attempting to login

54
      return unless mysql_login_datastore

55
    end

56


57
    begin

58
      mysql_query_no_handle("USE " + datastore['DATABASE_NAME'])

59
    rescue ::Rex::Proto::MySQL::Client::Error => e

60
      vprint_error("MySQL Error: #{e.class} #{e.to_s}")

61
      return

62
    rescue Rex::ConnectionTimeout => e

63
      vprint_error("Timeout: #{e.message}")

64
      return

65
    end

66


67
    res = mysql_query("SELECT * FROM information_schema.TABLES WHERE TABLE_SCHEMA = '" + datastore['DATABASE_NAME'] + "' AND TABLE_NAME = '" + datastore['TABLE_NAME'] + "';")

68
    table_exists = (res.size == 1)

69


70
    if !table_exists

71
      vprint_status("Table doesn't exist so creating it")

72
      mysql_query("CREATE TABLE " + datastore['TABLE_NAME'] + " (brute int);")

73
    end

74


75
    file = File.new(datastore['FILE_LIST'], "r")

76
    file.each_line do |line|

77
      check_dir(line.chomp)

78
    end

79
    file.close

80


81
    if !table_exists

82
      vprint_status("Cleaning up the temp table")

83
      mysql_query("DROP TABLE " + datastore['TABLE_NAME'])

84
    end

85
  end

86


87
  def check_dir dir

88
    begin

89
      res = mysql_query_no_handle("LOAD DATA INFILE '" + dir + "' INTO TABLE " + datastore['TABLE_NAME'])

90
    rescue ::Rex::Proto::MySQL::Client::TextfileNotReadable

91
      print_good("#{dir} is a directory and exists")

92
      report_note(

93
        :host  => mysql_conn.peerhost,

94
        :type  => "filesystem.dir",

95
        :data  => "#{dir} is a directory and exists",

96
        :port  => mysql_conn.peerport,

97
        :proto => 'tcp',

98
        :update => :unique_data

99
      )

100
    rescue ::Rex::Proto::MySQL::Client::DataTooLong, ::Rex::Proto::MySQL::Client::TruncatedWrongValueForField

101
      print_good("#{dir} is a file and exists")

102
      report_note(

103
        :host  => mysql_conn.peerhost,

104
        :type  => "filesystem.file",

105
        :data  => "#{dir} is a file and exists",

106
        :port  => mysql_conn.peerport,

107
        :proto => 'tcp',

108
        :update => :unique_data

109
      )

110
    rescue ::Rex::Proto::MySQL::Client::ServerError

111
      vprint_warning("#{dir} does not exist")

112
    rescue ::Rex::Proto::MySQL::Client::Error => e

113
      vprint_error("MySQL Error: #{e.class} #{e.to_s}")

114
      return

115
    rescue Rex::ConnectionTimeout => e

116
      vprint_error("Timeout: #{e.message}")

117
      return

118
    else

119
      print_good("#{dir} is a file and exists")

120
      report_note(

121
        :host  => mysql_conn.peerhost,

122
        :type  => "filesystem.file",

123
        :data  => "#{dir} is a file and exists",

124
        :port  => mysql_conn.peerport,

125
        :proto => 'tcp',

126
        :update => :unique_data

127
      )

128
    end

129


130
    return

131
  end

132
end

133


134