Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::MYSQL
8
  include Msf::Auxiliary::Report
9
  include Msf::Auxiliary::Scanner
10
  include Msf::OptionalSession::MySQL
11

12
  def initialize
13
    super(
14
      'Name'           => 'MYSQL Directory Write Test',
15
      'Description'    => %Q{
16
          Enumerate writeable directories using the MySQL SELECT INTO DUMPFILE feature, for more
17
        information see the URL in the references. ***Note: For every writable directory found,
18
        a file with the specified FILE_NAME containing the text test will be written to the directory.***
19
      },
20
      'Author'         => [ 'AverageSecurityGuy <stephen[at]averagesecurityguy.info>' ],
21
      'References'  => [
22
        [ 'URL', 'https://dev.mysql.com/doc/refman/5.7/en/select-into.html' ]
23
      ],
24
      'License'        => MSF_LICENSE
25
    )
26

27
    register_options([
28
      OptPath.new('DIR_LIST', [ true, "List of directories to test", '' ]),
29
      OptString.new('FILE_NAME', [ true, "Name of file to write", Rex::Text.rand_text_alpha(8) ]),
30
      OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ])
31
    ])
32

33
  end
34

35
  # This function does not handle any errors, if you use this
36
  # make sure you handle the errors yourself
37
  def mysql_query_no_handle(sql)
38
    res = self.mysql_conn.query(sql)
39
    res
40
  end
41

42
  def run_host(ip)
43
    print_warning("For every writable directory found, a file called #{datastore['FILE_NAME']} with the text test will be written to the directory.")
44
    print_status("Login...") unless session
45

46
    # If we have a session make use of it
47
    if session
48
      print_status("Using existing session #{session.sid}")
49
      self.mysql_conn = session.client
50
    else
51
      # otherwise fallback to attempting to login
52
      return unless mysql_login_datastore
53
    end
54

55
    File.read(datastore['DIR_LIST']).each_line do |dir|
56
      check_dir(dir.chomp)
57
    end
58

59
  end
60

61
  def check_dir(dir)
62
    begin
63
      print_status("Checking #{dir}...")
64
      res = mysql_query_no_handle("SELECT _utf8'test' INTO DUMPFILE '#{dir}/" + datastore['FILE_NAME'] + "'")
65
    rescue ::Rex::Proto::MySQL::Client::ServerError => e
66
      print_warning(e.to_s)
67
    rescue Rex::ConnectionTimeout => e
68
      print_error("Timeout: #{e.message}")
69
    else
70
      print_good("#{dir} is writeable")
71
      report_note(
72
        :host  => mysql_conn.peerhost,
73
        :type  => "filesystem.file",
74
        :data  => "#{dir} is writeable",
75
        :port  => mysql_conn.peerport,
76
        :proto => 'tcp',
77
        :update => :unique_data
78
      )
79
    end
80
  end
81
end
82

83