diff options
Diffstat (limited to 'scripts/mysql-databases.nse')
-rw-r--r-- | scripts/mysql-databases.nse | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/scripts/mysql-databases.nse b/scripts/mysql-databases.nse new file mode 100644 index 0000000..512cf18 --- /dev/null +++ b/scripts/mysql-databases.nse @@ -0,0 +1,98 @@ +local mysql = require "mysql" +local nmap = require "nmap" +local shortport = require "shortport" +local stdnse = require "stdnse" + +local openssl = stdnse.silent_require "openssl" + +description = [[ +Attempts to list all databases on a MySQL server. +]] + +--- +-- @args mysqluser The username to use for authentication. If unset it +-- attempts to use credentials found by <code>mysql-brute</code> or +-- <code>mysql-empty-password</code>. +-- @args mysqlpass The password to use for authentication. If unset it +-- attempts to use credentials found by <code>mysql-brute</code> or +-- <code>mysql-empty-password</code>. +-- +-- @output +-- 3306/tcp open mysql +-- | mysql-databases: +-- | information_schema +-- | mysql +-- | horde +-- | album +-- | mediatomb +-- |_ squeezecenter + +author = "Patrik Karlsson" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"discovery", "intrusive"} + + +dependencies = {"mysql-brute", "mysql-empty-password"} + +-- Version 0.1 +-- Created 01/23/2010 - v0.1 - created by Patrik Karlsson + +portrule = shortport.port_or_service(3306, "mysql") + +action = function( host, port ) + + local socket = nmap.new_socket() + local catch = function() socket:close() end + local try = nmap.new_try(catch) + local result, response, dbs = {}, nil, {} + local users = {} + local nmap_args = nmap.registry.args + local status, rows + + -- set a reasonable timeout value + socket:set_timeout(5000) + + -- first, let's see if the script has any credentials as arguments? + if nmap_args.mysqluser then + users[nmap_args.mysqluser] = nmap_args.mysqlpass or "" + -- next, let's see if mysql-brute or mysql-empty-password brought us anything + elseif nmap.registry.mysqlusers then + -- do we have root credentials? + if nmap.registry.mysqlusers['root'] then + users['root'] = nmap.registry.mysqlusers['root'] + else + -- we didn't have root, so let's make sure we loop over them all + users = nmap.registry.mysqlusers + end + -- last, no dice, we don't have any credentials at all + else + stdnse.debug1("No credentials supplied, aborting ...") + return + end + + -- + -- Iterates over credentials, breaks once it successfully receives results + -- + for username, password in pairs(users) do + + try( socket:connect(host, port) ) + + response = try( mysql.receiveGreeting( socket ) ) + status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt ) + + if status and response.errorcode == 0 then + local status, rs = mysql.sqlQuery( socket, "show databases" ) + if status then + result = mysql.formatResultset(rs, { noheaders = true }) + + -- if we got here as root, we've got them all + -- if we're here as someone else, we cant be sure + if username == 'root' then + break + end + end + end + socket:close() + end + return stdnse.format_output(true, result) +end |