Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/mysql/mysql_writable_dirs.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::MYSQL

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10
  include Msf::OptionalSession::MySQL

11


12
  def initialize

13
    super(

14
      'Name' => 'MYSQL Directory Write Test',

15
      'Description' => %Q{

16
          Enumerate writeable directories using the MySQL SELECT INTO DUMPFILE feature, for more

17
        information see the URL in the references. ***Note: For every writable directory found,

18
        a file with the specified FILE_NAME containing the text test will be written to the directory.***

19
      },

20
      'Author' => [ 'AverageSecurityGuy <stephen[at]averagesecurityguy.info>' ],

21
      'References' => [

22
        [ 'URL', 'https://dev.mysql.com/doc/refman/5.7/en/select-into.html' ]

23
      ],

24
      'License' => MSF_LICENSE

25
    )

26


27
    register_options([

28
      OptPath.new('DIR_LIST', [ true, "List of directories to test", '' ]),

29
      OptString.new('FILE_NAME', [ true, "Name of file to write", Rex::Text.rand_text_alpha(8) ]),

30
      OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ])

31
    ])

32
  end

33


34
  # This function does not handle any errors, if you use this

35
  # make sure you handle the errors yourself

36
  def mysql_query_no_handle(sql)

37
    res = self.mysql_conn.query(sql)

38
    res

39
  end

40


41
  def run_host(ip)

42
    print_warning("For every writable directory found, a file called #{datastore['FILE_NAME']} with the text test will be written to the directory.")

43
    print_status("Login...") unless session

44


45
    # If we have a session make use of it

46
    if session

47
      print_status("Using existing session #{session.sid}")

48
      self.mysql_conn = session.client

49
    else

50
      # otherwise fallback to attempting to login

51
      return unless mysql_login_datastore

52
    end

53


54
    File.read(datastore['DIR_LIST']).each_line do |dir|

55
      check_dir(dir.chomp)

56
    end

57
  end

58


59
  def check_dir(dir)

60
    begin

61
      print_status("Checking #{dir}...")

62
      res = mysql_query_no_handle("SELECT _utf8'test' INTO DUMPFILE '#{dir}/" + datastore['FILE_NAME'] + "'")

63
    rescue ::Rex::Proto::MySQL::Client::ServerError => e

64
      print_warning(e.to_s)

65
    rescue Rex::ConnectionTimeout => e

66
      print_error("Timeout: #{e.message}")

67
    else

68
      print_good("#{dir} is writeable")

69
      report_note(

70
        :host => mysql_conn.peerhost,

71
        :type => "filesystem.file",

72
        :data => {

73
          :dir => dir,

74
          :permissions => "writeable",

75
        },

76
        :port => mysql_conn.peerport,

77
        :proto => 'tcp',

78
        :update => :unique_data

79
      )

80
    end

81
  end

82
end

83


84