CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/mysql/mysql_writable_dirs.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::MYSQL

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10
  include Msf::OptionalSession::MySQL

11


12
  def initialize

13
    super(

14
      'Name'           => 'MYSQL Directory Write Test',

15
      'Description'    => %Q{

16
          Enumerate writeable directories using the MySQL SELECT INTO DUMPFILE feature, for more

17
        information see the URL in the references. ***Note: For every writable directory found,

18
        a file with the specified FILE_NAME containing the text test will be written to the directory.***

19
      },

20
      'Author'         => [ 'AverageSecurityGuy <stephen[at]averagesecurityguy.info>' ],

21
      'References'  => [

22
        [ 'URL', 'https://dev.mysql.com/doc/refman/5.7/en/select-into.html' ]

23
      ],

24
      'License'        => MSF_LICENSE

25
    )

26


27
    register_options([

28
      OptPath.new('DIR_LIST', [ true, "List of directories to test", '' ]),

29
      OptString.new('FILE_NAME', [ true, "Name of file to write", Rex::Text.rand_text_alpha(8) ]),

30
      OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ])

31
    ])

32


33
  end

34


35
  # This function does not handle any errors, if you use this

36
  # make sure you handle the errors yourself

37
  def mysql_query_no_handle(sql)

38
    res = self.mysql_conn.query(sql)

39
    res

40
  end

41


42
  def run_host(ip)

43
    print_warning("For every writable directory found, a file called #{datastore['FILE_NAME']} with the text test will be written to the directory.")

44
    print_status("Login...") unless session

45


46
    # If we have a session make use of it

47
    if session

48
      print_status("Using existing session #{session.sid}")

49
      self.mysql_conn = session.client

50
    else

51
      # otherwise fallback to attempting to login

52
      return unless mysql_login_datastore

53
    end

54


55
    File.read(datastore['DIR_LIST']).each_line do |dir|

56
      check_dir(dir.chomp)

57
    end

58


59
  end

60


61
  def check_dir(dir)

62
    begin

63
      print_status("Checking #{dir}...")

64
      res = mysql_query_no_handle("SELECT _utf8'test' INTO DUMPFILE '#{dir}/" + datastore['FILE_NAME'] + "'")

65
    rescue ::Rex::Proto::MySQL::Client::ServerError => e

66
      print_warning(e.to_s)

67
    rescue Rex::ConnectionTimeout => e

68
      print_error("Timeout: #{e.message}")

69
    else

70
      print_good("#{dir} is writeable")

71
      report_note(

72
        :host  => mysql_conn.peerhost,

73
        :type  => "filesystem.file",

74
        :data  => "#{dir} is writeable",

75
        :port  => mysql_conn.peerport,

76
        :proto => 'tcp',

77
        :update => :unique_data

78
      )

79
    end

80
  end

81
end

82


83