##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
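class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::OptionalSession::MySQL

  # First payload byte of a MySQL ERR_Packet. Any other value in that position
  # is the protocol version of a handshake (greeting) packet.
  ERR_PACKET_HEADER = 0xff

  # Size of the header that precedes every MySQL packet:
  # int<3> payload length + int<1> sequence id.
  PACKET_HEADER_SIZE = 4

  def initialize
    super(
      'Name' => 'MySQL Server Version Enumeration',
      'Description' => %q{
        Enumerates the version of MySQL servers.
      },
      'Author' => 'kris katterjohn',
      'License' => MSF_LICENSE
    )

    register_options([
      Opt::RPORT(3306)
    ])
  end

  # Based on my mysql-info NSE script
  #
  # Reports the MySQL server version for a single target. When the module was
  # given an existing MySQL session the version is read from that session;
  # otherwise a TCP connection is opened and the unauthenticated server
  # greeting (handshake or ERR packet) is parsed. Nothing is ever sent to the
  # server.
  #
  # @param ip [String] target address; rhost/rport from the scanner mixin are
  #   what the output and service report actually use
  # @return [void]
  def run_host(ip)
    begin
      if session
        report_session_version
        return
      end

      socket = connect(false)
      data = socket.get_once(-1, 10)
      disconnect(socket)
    rescue ::Rex::ConnectionError, ::EOFError
      vprint_error("#{rhost}:#{rport} - Connection failed")
      return
    rescue ::StandardError => e
      # StandardError rather than Exception so Interrupt / SystemExit still
      # reach the framework instead of being printed and swallowed here.
      print_error("Error: #{e}")
      return
    end

    if data.nil?
      print_error("The connection to #{rhost}:#{rport} timed out")
      return
    end

    payload = greeting_payload(data)
    if payload.nil?
      # Partial read, or a service on this port that is not MySQL.
      vprint_error("#{rhost}:#{rport} - Response is not a well-formed MySQL packet")
      return
    end

    if payload.getbyte(0) == ERR_PACKET_HEADER
      report_error_packet(payload)
    else
      report_handshake(payload)
    end
  end

  private

  # Version lookup over an existing MySQL session (Msf::OptionalSession::MySQL).
  # Exceptions propagate to run_host, which prints them.
  def report_session_version
    sql_conn = session.client
    version = sql_conn.server_info
    print_good("#{sql_conn.peerhost}:#{sql_conn.peerport} is running MySQL #{version}")
    report_service(
      :host => sql_conn.peerhost,
      :port => sql_conn.peerport,
      :name => "mysql",
      :info => version
    )
  end

  # Strips the 4-byte packet header from a raw server greeting.
  #
  # @param data [String] bytes read from the socket
  # @return [String, nil] the packet payload, or nil when the data is too short
  #   or its declared length does not match what was received
  def greeting_payload(data)
    raw = data.b
    # Need the header plus at least the one byte we switch on (0xff or the
    # protocol version). Unpacking a shorter buffer yields nils and would
    # raise NoMethodError on the shift below.
    return nil if raw.bytesize < PACKET_HEADER_SIZE + 1

    l0, l1, l2 = raw[0, 3].unpack('CCC')
    length = l0 | (l1 << 8) | (l2 << 16)
    return nil if length != raw.bytesize - PACKET_HEADER_SIZE

    raw[PACKET_HEADER_SIZE..-1]
  end

  # Handles an ERR_Packet sent in place of the handshake (e.g. host not
  # allowed to connect, too many connections).
  #
  # Layout: int<1> 0xff, int<2> error code, string<EOF> message. The SQL state
  # marker/value is only present once CLIENT_PROTOCOL_41 has been negotiated,
  # which has not happened at greeting time, so the message starts at payload
  # byte 3 (the previous offset of 2 left the high byte of the error code
  # glued to the front of the message).
  #
  # @param payload [String] packet payload beginning with 0xff
  # @return [void]
  def report_error_packet(payload)
    # Server-controlled bytes: escape non-printables before they reach the console.
    err_msg = Rex::Text.to_hex_ascii(payload[3..-1].to_s)
    print_status("#{rhost}:#{rport} is running MySQL, but responds with an error: #{err_msg}")
    report_service(
      :host => rhost,
      :port => rport,
      :name => "mysql",
      :info => "Error: #{err_msg}"
    )
  end

  # Handles a handshake packet: int<1> protocol version, then the
  # NUL-terminated server version string.
  #
  # @param payload [String] packet payload beginning with the protocol version
  # @return [void]
  def report_handshake(payload)
    proto = payload.getbyte(0)
    # payload[1..-1] is "" when only the protocol byte was sent; 'Z*' then
    # yields an empty version rather than raising.
    version = payload[1..-1].unpack('Z*')[0]
    # The version string is attacker-controlled; escape non-printables (e.g.
    # terminal control sequences) for display, but record it verbatim so other
    # modules see exactly what the server sent.
    print_good("#{rhost}:#{rport} is running MySQL #{Rex::Text.to_hex_ascii(version)} (protocol #{proto})")
    report_service(
      :host => rhost,
      :port => rport,
      :name => "mysql",
      :info => version
    )
  end
end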