summaryrefslogtreecommitdiffstats
path: root/scripts/mysql-databases.nse
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/mysql-databases.nse')
-rw-r--r--scripts/mysql-databases.nse98
1 files changed, 98 insertions, 0 deletions
diff --git a/scripts/mysql-databases.nse b/scripts/mysql-databases.nse
new file mode 100644
index 0000000..512cf18
--- /dev/null
+++ b/scripts/mysql-databases.nse
@@ -0,0 +1,98 @@
+local mysql = require "mysql"
+local nmap = require "nmap"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+
+local openssl = stdnse.silent_require "openssl"
+
+description = [[
+Attempts to list all databases on a MySQL server.
+]]
+
+---
+-- @args mysqluser The username to use for authentication. If unset it
+-- attempts to use credentials found by <code>mysql-brute</code> or
+-- <code>mysql-empty-password</code>.
+-- @args mysqlpass The password to use for authentication. If unset it
+-- attempts to use credentials found by <code>mysql-brute</code> or
+-- <code>mysql-empty-password</code>.
+--
+-- @output
+-- 3306/tcp open mysql
+-- | mysql-databases:
+-- | information_schema
+-- | mysql
+-- | horde
+-- | album
+-- | mediatomb
+-- |_ squeezecenter
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"discovery", "intrusive"}
+
+
+dependencies = {"mysql-brute", "mysql-empty-password"}
+
+-- Version 0.1
+-- Created 01/23/2010 - v0.1 - created by Patrik Karlsson
+
+portrule = shortport.port_or_service(3306, "mysql")
+
+action = function( host, port )
+
+ local socket = nmap.new_socket()
+ local catch = function() socket:close() end
+ local try = nmap.new_try(catch)
+ local result, response, dbs = {}, nil, {}
+ local users = {}
+ local nmap_args = nmap.registry.args
+ local status, rows
+
+ -- set a reasonable timeout value
+ socket:set_timeout(5000)
+
+ -- first, let's see if the script has any credentials as arguments?
+ if nmap_args.mysqluser then
+ users[nmap_args.mysqluser] = nmap_args.mysqlpass or ""
+ -- next, let's see if mysql-brute or mysql-empty-password brought us anything
+ elseif nmap.registry.mysqlusers then
+ -- do we have root credentials?
+ if nmap.registry.mysqlusers['root'] then
+ users['root'] = nmap.registry.mysqlusers['root']
+ else
+ -- we didn't have root, so let's make sure we loop over them all
+ users = nmap.registry.mysqlusers
+ end
+ -- last, no dice, we don't have any credentials at all
+ else
+ stdnse.debug1("No credentials supplied, aborting ...")
+ return
+ end
+
+ --
+ -- Iterates over credentials, breaks once it successfully receives results
+ --
+ for username, password in pairs(users) do
+
+ try( socket:connect(host, port) )
+
+ response = try( mysql.receiveGreeting( socket ) )
+ status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
+
+ if status and response.errorcode == 0 then
+ local status, rs = mysql.sqlQuery( socket, "show databases" )
+ if status then
+ result = mysql.formatResultset(rs, { noheaders = true })
+
+ -- if we got here as root, we've got them all
+ -- if we're here as someone else, we cant be sure
+ if username == 'root' then
+ break
+ end
+ end
+ end
+ socket:close()
+ end
+ return stdnse.format_output(true, result)
+end