Metasploit MySQL Directory/File Brute Forcer
Last week Tim Tomes posted an article on the Pauldotcom blog about enumerating files and directories using MySQL. As soon as I saw it I decided it was prime for automation [1] so I wrote a Metasploit module for it [2].
Tim has done a good job of explaining how the scanning works so I'm just going to add a few things I found while testing the module.
First, if strict mode is enabled then MySQL will throw an error about trying to squeeze too much data into a small space, or into the wrong data type. That is fine: if it got as far as trying to squeeze the data in, the file exists.
The only permission you need for this to work is FILE which, by MySQL rules, has to be granted as a global option, not to a single database. If you want to test this you can set up a user with the following:
mysql> grant file on *.* to filetest identified by 'xxx';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
If the file being checked does exist but isn't readable by the MySQL user, such as /etc/shadow, then MySQL reports the file as not existing. I didn't manage to find a way around this.
Finally, on Linux at least, directories do not need a trailing slash. As you can see in the example below /tmp and /tmp/ both get picked up as being a directory.
A big thanks to Juan Vazquez for helping me walk through the process of getting the file into the repo in the correct format. Using git is a lot harder than just submitting a file to the ticket system like we used to, but it does start to make sense after a few goes.
The module is called auxiliary/scanner/mysql/mysql_file_enum and is now in the main Metasploit repo so all you need to do is to update to get it, here it is in action:
msf auxiliary(mysql_file_enum) > show options
Module options (auxiliary/scanner/mysql/mysql_file_enum):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   DATABASE_NAME  test             yes       Name of database to use
   FILE_LIST      /tmp/files       yes       List of directories to enumerate
   PASSWORD       xxx              no        The password for the specified username
   RHOSTS         127.0.0.1        yes       The target address range or CIDR identifier
   RPORT          3306             yes       The target port
   TABLE_NAME     gUtLyhCi         yes       Name of table to use - Warning, if the table already exists its contents will be corrupted
   THREADS        1                yes       The number of concurrent threads
   USERNAME       root             yes       The username to authenticate as
msf auxiliary(mysql_file_enum) > run
[+] 127.0.0.1:3306 - /tmp is a directory and exists
[+] 127.0.0.1:3306 - /tmp/ is a directory and exists
[+] 127.0.0.1:3306 - /etc/ is a directory and exists
[+] 127.0.0.1:3306 - /etc/passwd is a file and exists
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
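From the DBA's side, a run like the one above leaves a very recognisable trace: one connection, holding the global FILE privilege, issuing a burst of server-side file loads against a throwaway table, each naming a different path. The script below is an added example, not part of the post or of the Metasploit module; it parses constructed MySQL general query log lines (the line layout and the `gUtLyhCi` table name are assumptions modelled on the run above) and flags any connection that probes at least five distinct server paths with LOAD DATA INFILE, which is the statement that produces the "too much data" strict-mode error the post describes.

```python
import re
from collections import defaultdict

# Constructed sample of a MySQL general query log (not from the original post).
# Assumed line layout: "YYMMDD HH:MM:SS<TAB><conn id> <command><TAB><argument>".
SAMPLE_LOG = """\
130415 10:01:02\t    7 Connect\tfiletest@localhost on test
130415 10:01:02\t    7 Query\tLOAD DATA INFILE '/tmp' INTO TABLE test.gUtLyhCi
130415 10:01:02\t    7 Query\tLOAD DATA INFILE '/tmp/' INTO TABLE test.gUtLyhCi
130415 10:01:03\t    7 Query\tLOAD DATA INFILE '/etc/' INTO TABLE test.gUtLyhCi
130415 10:01:03\t    7 Query\tLOAD DATA INFILE '/etc/passwd' INTO TABLE test.gUtLyhCi
130415 10:01:03\t    7 Query\tLOAD DATA INFILE '/etc/shadow' INTO TABLE test.gUtLyhCi
130415 10:01:04\t    7 Query\tLOAD DATA INFILE '/var/www' INTO TABLE test.gUtLyhCi
130415 10:02:00\t    9 Connect\tapp@10.0.0.5 on shop
130415 10:02:00\t    9 Query\tSELECT id FROM orders WHERE id = 12
130415 10:02:01\t    9 Query\tLOAD DATA INFILE '/var/lib/mysql-files/import.csv' INTO TABLE shop.orders
"""

# Matches server-side LOAD DATA INFILE only. LOAD DATA LOCAL INFILE reads from the
# client machine and does not need the FILE privilege, so it is left out on purpose.
INFILE_RE = re.compile(
    r"^\d{6} \d\d:\d\d:\d\d\t\s*(?P<conn>\d+) Query\t"
    r"LOAD DATA INFILE '(?P<path>[^']*)'",
    re.IGNORECASE,
)


def normalize(path):
    """Treat '/tmp' and '/tmp/' as one target, as the module output shows they are."""
    if len(path) > 1:
        return path.rstrip("/")
    return path


def infile_paths_by_connection(log_text):
    """Return {connection id: ordered list of distinct normalized probed paths}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = INFILE_RE.match(line)
        if not m:
            continue
        path = normalize(m.group("path"))
        if path not in seen[m.group("conn")]:
            seen[m.group("conn")].append(path)
    return dict(seen)


def flag_enumeration(log_text, threshold=5):
    """Connections that loaded at least `threshold` distinct server-side paths.

    A legitimate bulk import touches one or two files; a directory brute force
    touches many, most of them outside the data import location.
    """
    hits = []
    for conn, paths in infile_paths_by_connection(log_text).items():
        if len(paths) >= threshold:
            hits.append((conn, len(paths), paths))
    return hits


if __name__ == "__main__":
    for conn, count, paths in flag_enumeration(SAMPLE_LOG):
        print(f"connection {conn}: {count} distinct LOAD DATA INFILE paths: {paths}")
```

On the sample above only connection 7 is reported; the single import on connection 9 stays under the threshold. The same threshold logic can be fed from the audit log or a slow/general log shipped to a SIEM. Two settings matter for prevention as much as detection: FILE is a global privilege (as the post notes), so reviewing `SELECT user, host FROM mysql.user WHERE File_priv = 'Y'` shows every account able to run this scan, and MySQL's `secure_file_priv` variable, when set to a directory, confines server-side file reads to that directory, so paths like /etc/passwd simply fail regardless of privilege.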
[1] As I've said before, you don't have to be able to code to be a pen-tester but in cases like this it really helps.
[2] Someone recently wrote a blog post complaining that Metasploit was taking over the exploit market and was forcing everyone to write their exploits in the framework. The reason I wrote this as a Metasploit module is not because I was forced but because it meant someone else had already done all the hard work of user input, nicely styled output and access libraries.