Metasploit MySQL Directory/File Brute Forcer

Last week Tim Tomes posted an article on the Pauldotcom blog about enumerating files and directories using MySQL. As soon as I saw it I decided it was prime for automation [1] so I wrote a Metasploit module for it [2].

Tim has done a good job of explaining how the scanning works, so I'm just going to add a few things I found while testing the module.

First, if strict mode is enabled then MySQL will throw an error about trying to squeeze too much data into a small space, or into the wrong data type. That is fine: if it got as far as having data to squeeze in, then the file exists.

The only permission you need for this to work is FILE which, by MySQL rules, has to be granted as a global option, not to a single database. If you want to test this you can set up a user with the following:

mysql> grant file on *.* to filetest identified by 'xxx';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
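Because FILE is global-only, it is easy to audit. The following is an added example, not part of the original post, that lists every account holding it and then revokes it from the `filetest` account created above (the GRANT gave no host, so it defaults to '%'); run it as an administrative user.

```sql
-- Added example: audit and remove the global FILE privilege.

-- FILE can only be granted globally, so it is recorded in mysql.user
-- (File_priv) and never in the per-database mysql.db table.
SELECT user, host
FROM mysql.user
WHERE File_priv = 'Y';

-- secure_file_priv restricts where server-side file reads/writes may
-- happen; an empty value means no directory restriction at all.
SHOW VARIABLES LIKE 'secure_file_priv';

-- Drop the privilege from the throwaway test account.
REVOKE FILE ON *.* FROM 'filetest'@'%';
FLUSH PRIVILEGES;

-- Confirm the account no longer carries FILE.
SHOW GRANTS FOR 'filetest'@'%';
```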

If the file being checked does exist but isn't readable by the MySQL user, such as /etc/shadow, then MySQL reports the file as not existing; I didn't manage to find a way around this.

Finally, on Linux at least, directories do not need a trailing slash. As you can see in the example below /tmp and /tmp/ both get picked up as being a directory.

A big thanks to Juan Vazquez for helping me walk through the process of getting the file into the repo in the correct format. Using git is a lot harder than just submitting a file to the ticket system like we used to, but it does start to make sense after a few goes.

The module is called auxiliary/scanner/mysql/mysql_file_enum and is now in the main Metasploit repo, so all you need to do is update to get it. Here it is in action:

msf  auxiliary(mysql_file_enum) > show options

Module options (auxiliary/scanner/mysql/mysql_file_enum):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   DATABASE_NAME  test             yes       Name of database to use
   FILE_LIST      /tmp/files       yes       List of directories to enumerate
   PASSWORD       xxx              no        The password for the specified username
   RHOSTS         127.0.0.1        yes       The target address range or CIDR identifier
   RPORT          3306             yes       The target port
   TABLE_NAME     gUtLyhCi         yes       Name of table to use - Warning, if the table already exists its contents will be corrupted
   THREADS        1                yes       The number of concurrent threads
   USERNAME       root             yes       The username to authenticate as

msf  auxiliary(mysql_file_enum) > run

[+] 127.0.0.1:3306 - /tmp is a directory and exists
[+] 127.0.0.1:3306 - /tmp/ is a directory and exists
[+] 127.0.0.1:3306 - /etc/ is a directory and exists
[+] 127.0.0.1:3306 - /etc/passwd is a file and exists
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

[1] As I've said before, you don't have to be able to code to be a pen-tester but in cases like this it really helps.

[2] Someone recently wrote a blog post complaining that Metasploit was taking over the exploit market and was forcing everyone to write their exploits in the framework. The reason I wrote this as a Metasploit module is not because I was forced but because it meant someone else had already done all the hard work of user input, nicely styled output and access libraries.
