From 0d47952611198ef6b1163f366dc03922d20b1475 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 17 Apr 2024 09:42:04 +0200 Subject: Adding upstream version 7.94+git20230807.3be01efb1+dfsg. Signed-off-by: Daniel Baumann --- scripts/mysql-variables.nse | 109 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 scripts/mysql-variables.nse (limited to 'scripts/mysql-variables.nse') diff --git a/scripts/mysql-variables.nse b/scripts/mysql-variables.nse new file mode 100644 index 0000000..6f9b772 --- /dev/null +++ b/scripts/mysql-variables.nse @@ -0,0 +1,109 @@ +local mysql = require "mysql" +local nmap = require "nmap" +local shortport = require "shortport" +local stdnse = require "stdnse" +local table = require "table" + +local openssl = stdnse.silent_require "openssl" + +description = [[ +Attempts to show all variables on a MySQL server. +]] + +--- +-- @args mysqluser The username to use for authentication. If unset it +-- attempts to use credentials found by mysql-brute or +-- mysql-empty-password. +-- @args mysqlpass The password to use for authentication. If unset it +-- attempts to use credentials found by mysql-brute or +-- mysql-empty-password. +-- +-- @output +-- 3306/tcp open mysql +-- | mysql-variables: +-- | auto_increment_increment: 1 +-- | auto_increment_offset: 1 +-- | automatic_sp_privileges: ON +-- | back_log: 50 +-- | basedir: /usr/ +-- | binlog_cache_size: 32768 +-- | bulk_insert_buffer_size: 8388608 +-- | character_set_client: latin1 +-- | character_set_connection: latin1 +-- | character_set_database: latin1 +-- | . +-- | . +-- | . +-- | version_comment: (Debian) +-- | version_compile_machine: powerpc +-- | version_compile_os: debian-linux-gnu +-- |_ wait_timeout: 28800 + +author = "Patrik Karlsson" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"discovery", "intrusive"} + + +dependencies = {"mysql-brute", "mysql-empty-password"} + +-- Version 0.1 +-- Created 01/23/2010 - v0.1 - created by Patrik Karlsson + +portrule = shortport.port_or_service(3306, "mysql") + +action = function( host, port ) + + local socket = nmap.new_socket() + local catch = function() socket:close() end + local try = nmap.new_try(catch) + local result, response = {}, nil + local users = {} + local nmap_args = nmap.registry.args + local status, rows + + -- set a reasonable timeout value + socket:set_timeout(5000) + + -- first, let's see if the script has any credentials as arguments? + if nmap_args.mysqluser then + users[nmap_args.mysqluser] = nmap_args.mysqlpass or "" + -- next, let's see if mysql-brute or mysql-empty-password brought us anything + elseif nmap.registry.mysqlusers then + -- do we have root credentials? + if nmap.registry.mysqlusers['root'] then + users['root'] = nmap.registry.mysqlusers['root'] + else + -- we didn't have root, so let's make sure we loop over them all + users = nmap.registry.mysqlusers + end + -- last, no dice, we don't have any credentials at all + else + stdnse.debug1("No credentials supplied, aborting ...") + return + end + + -- + -- Iterates over credentials, breaks once it successfully receives results + -- + for username, password in pairs(users) do + + try( socket:connect(host, port) ) + + response = try( mysql.receiveGreeting( socket ) ) + status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt ) + + if status and response.errorcode == 0 then + local status, rs = mysql.sqlQuery( socket, "show variables" ) + if status then + for _, row in ipairs(rs.rows) do + table.insert(result, ("%s: %s"):format(row[1], row[2]) ) + end + end + end + + socket:close() + end + + return stdnse.format_output(true, result) + +end -- cgit v1.2.3