1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
|
---
-- Simple MySQL Library supporting a very limited subset of operations.
--
-- https://dev.mysql.com/doc/internals/en/client-server-protocol.html
--
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
--
-- @author Patrik Karlsson <patrik@cqure.net>
local nmap = require "nmap"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local math = require "math"
_ENV = stdnse.module("mysql", stdnse.seeall)
-- Version 0.3
--
-- Created 01/15/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
-- Revised 01/23/2010 - v0.2 - added query support, cleanup, documentation
-- Revised 08/24/2010 - v0.3 - added error handling for receiveGreeting
-- fixed a number of incorrect receives and changed
-- them to receive_bytes instead.
local tab = require('tab')
local HAVE_SSL, openssl = pcall(require,'openssl')
Capabilities =
{
LongPassword = 0x1,
FoundRows = 0x2,
LongColumnFlag = 0x4,
ConnectWithDatabase = 0x8,
DontAllowDatabaseTableColumn = 0x10,
SupportsCompression = 0x20,
ODBCClient = 0x40,
SupportsLoadDataLocal = 0x80,
IgnoreSpaceBeforeParenthesis = 0x100,
Speaks41ProtocolNew = 0x200,
InteractiveClient = 0x400,
SwitchToSSLAfterHandshake = 0x800,
IgnoreSigpipes = 0x1000,
SupportsTransactions = 0x2000,
Speaks41ProtocolOld = 0x4000,
Support41Auth = 0x8000
}
ExtCapabilities =
{
SupportsMultipleStatments = 0x1,
SupportsMultipleResults = 0x2,
SupportsAuthPlugins = 0x8,
}
Charset =
{
latin1_COLLATE_latin1_swedish_ci = 0x8
}
ServerStatus =
{
InTransaction = 0x1,
AutoCommit = 0x2,
MoreResults = 0x4,
MultiQuery = 0x8,
BadIndexUsed = 0x10,
NoIndexUsed = 0x20,
CursorExists = 0x40,
LastRowSebd = 0x80,
DatabaseDropped = 0x100,
NoBackslashEscapes = 0x200
}
Command =
{
Query = 3
}
local MAXPACKET = 16777216
local HEADER_SIZE = 4
--- Parses a MySQL header
--
-- @param data string of raw data
-- @return response table containing the fields <code>len</code> and <code>packetno</code>
local function decodeHeader( data, pos )
local response = {}
local pos, tmp = pos or 1, 0
tmp, pos = string.unpack( "<I4", data, pos )
response.len = ( tmp & 255 )
response.number = ( tmp >> 24 )
return pos, response
end
--- Receives the server greeting upon initial connection
--
-- @param socket already connected to the remote server
-- @return status true on success, false on failure
-- @return response table with the following fields <code>proto</code>, <code>version</code>,
-- <code>threadid</code>, <code>salt</code>, <code>capabilities</code>, <code>charset</code> and
-- <code>status</code> or error message on failure (status == false)
function receiveGreeting( socket )
local catch = function() socket:close() stdnse.debug1("receiveGreeting(): failed") end
local try = nmap.new_try(catch)
local data = try( socket:receive_bytes(HEADER_SIZE) )
local pos, response, tmp, _
pos, response = decodeHeader( data, 1 )
-- do we need to read the remainder
if ( #data - HEADER_SIZE < response.len ) then
local tmp = try( socket:receive_bytes( response.len - #data + HEADER_SIZE ) )
data = data .. tmp
end
local is_error
is_error, pos = string.unpack("B", data, pos)
if ( is_error == 0xff ) then
response.errorcode, pos = string.unpack( "<I2", data, pos )
response.errormsg = data:sub(pos)
return false, response.errormsg
end
response.proto = is_error
response.version, response.threadid, pos = string.unpack( "<zI4", data, pos )
if response.proto == 10 then
response.salt, response.capabilities, pos = string.unpack("<c8xI2", data, pos)
local auth_plugin_len
if pos < #data then
response.charset, response.status,
response.extcapabilities, -- capabilities, upper 2 bytes
auth_plugin_len, tmp, pos = string.unpack( "<BI2 I2 Bc10", data, pos )
if tmp ~= "\0\0\0\0\0\0\0\0\0\0" then
stdnse.debug2("reserved bytes are not nulls")
end
if response.capabilities & Capabilities.Support41Auth > 0 then
tmp, pos = string.unpack("c" .. (math.max(13, auth_plugin_len - 8) - 1) .. "x", data, pos)
response.salt = response.salt .. tmp
end
if response.extcapabilities & ExtCapabilities.SupportsAuthPlugins > 0 then
response.auth_plugin_name = string.unpack("z", data, pos)
end
end
elseif response.proto == 9 then
response.auth_plugin_data, pos = string.unpack( "z", data, pos )
else
stdnse.debug2("Unknown MySQL protocol version: %d", response.proto)
end
response.errorcode = 0
return true, response
end
--- Creates a hashed value of the password and salt according to MySQL authentication post version 4.1
--
-- @param pass string containing the users password
-- @param salt string containing the servers salt as obtained from <code>receiveGreeting</code>
-- @return reply string containing the raw hashed value
local function createLoginHash(pass, salt)
local hash_stage1
local hash_stage2
local hash_stage3
local reply = {}
local pos, b1, b2, b3, _ = 1, 0, 0, 0
if ( not(HAVE_SSL) ) then
return nil
end
hash_stage1 = openssl.sha1( pass )
hash_stage2 = openssl.sha1( hash_stage1 )
hash_stage3 = openssl.sha1( salt .. hash_stage2 )
for pos=1, hash_stage1:len() do
b1 = string.unpack( "B", hash_stage1, pos )
b2 = string.unpack( "B", hash_stage3, pos )
reply[pos] = string.char( b2 ~ b1 )
end
return table.concat(reply)
end
--- Attempts to Login to the remote mysql server
--
-- @param socket already connected to the remote server
-- @param params table with additional options to the loginrequest
-- current supported fields are <code>charset</code> and <code>authversion</code>
-- authversion is either "pre41" or "post41" (default is post41)
-- currently only post41 authentication is supported
-- @param username string containing the username of the user that is authenticating
-- @param password string containing the users password or nil if empty
-- @param salt string containing the servers salt as received from <code>receiveGreeting</code>
-- @return status boolean
-- @return response table or error message on failure
function loginRequest( socket, params, username, password, salt )
local catch = function() socket:close() stdnse.debug1("loginRequest(): failed") end
local try = nmap.new_try(catch)
local packetno = 1
local authversion = params.authversion or "post41"
local username = username or ""
if not(HAVE_SSL) then
return false, "No OpenSSL"
end
if authversion ~= "post41" then
return false, "Unsupported authentication version: " .. authversion
end
local clicap = Capabilities.LongPassword
clicap = clicap + Capabilities.LongColumnFlag
clicap = clicap + Capabilities.SupportsLoadDataLocal
clicap = clicap + Capabilities.Speaks41ProtocolNew
clicap = clicap + Capabilities.InteractiveClient
clicap = clicap + Capabilities.SupportsTransactions
clicap = clicap + Capabilities.Support41Auth
local extcapabilities = ExtCapabilities.SupportsMultipleStatments
extcapabilities = extcapabilities + ExtCapabilities.SupportsMultipleResults
local hash = ""
if ( password ~= nil and password:len() > 0 ) then
hash = createLoginHash( password, salt )
end
local packet = string.pack( "<I2I2I4B c23 zs1",
clicap,
extcapabilities,
MAXPACKET,
Charset.latin1_COLLATE_latin1_swedish_ci,
string.rep("\0", 23),
username,
hash
)
local tmp = packet:len() + ( packetno << 24 )
packet = string.pack( "<I4", tmp ) .. packet
try( socket:send(packet) )
packet = try( socket:receive_bytes(HEADER_SIZE) )
local pos, response = decodeHeader( packet )
-- do we need to read the remainder
if ( #packet - HEADER_SIZE < response.len ) then
local tmp = try( socket:receive_bytes( response.len - #packet + HEADER_SIZE ) )
packet = packet .. tmp
end
local is_error
is_error, pos = string.unpack( "B", packet, pos )
if is_error > 0 then
local has_sqlstate
response.errorcode, has_sqlstate, pos = string.unpack( "<I2B", packet, pos )
if has_sqlstate == 35 then
response.sqlstate, pos = string.unpack( "c5", packet, pos )
end
response.errormessage, pos = string.unpack( "z", packet, pos )
return false, response.errormessage
else
response.errorcode = 0
response.affectedrows,
response.serverstatus,
response.warnings, pos = string.unpack( "<BI2I2", packet, pos )
end
return true, response
end
--- Decodes a single column field
--
-- http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol#Field_Packet
--
-- @param data string containing field packets
-- @param pos number containing position from which to start decoding
-- the position should point to the data in this buffer (ie. after the header)
-- @return pos number containing the position after the field was decoded
-- @return field table containing <code>catalog</code>, <code>database</code>, <code>table</code>,
-- <code>origt_table</code>, <code>name</code>, <code>orig_name</code>,
-- <code>length</code> and <code>type</code>
function decodeField( data, pos )
local _
local field = {}
field.catalog,
field.database,
field.table,
field.orig_table,
field.name,
field.orig_name,
_, -- should be 0x0C
_, -- charset, in my case 0x0800
field.length,
field.type, pos = string.unpack( "<s1s1s1s1s1s1BI2I4c6", data, pos )
return pos, field
end
--- Decodes the result set header packet into its sub components
--
-- ref: http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol#Result_Set_Header_Packet
--
-- @param socket socket already connected to MySQL server
-- @return table containing the following <code>header</code>, <code>fields</code> and <code>data</code>
function decodeQueryResponse( socket )
local catch = function() socket:close() stdnse.debug1("decodeQueryResponse(): failed") end
local try = nmap.new_try(catch)
local data, header, pos
local rs, blocks = {}, {}
local block_start, block_end
local EOF_MARKER = 254
data = try( socket:receive_bytes(HEADER_SIZE) )
pos, header = decodeHeader( data, pos )
--
-- First, Let's attempt to read the "Result Set Header Packet"
--
if data:len() < header.len then
data = data .. try( socket:receive_bytes( header.len - #data + HEADER_SIZE ) )
end
rs.header = data:sub( 1, HEADER_SIZE + header.len )
-- abort on MySQL error
if rs.header:sub(HEADER_SIZE + 1, HEADER_SIZE + 1) == "\xFF" then
-- is this a 4.0 or 4.1 error message
if rs.header:find("#") then
return false, rs.header:sub(HEADER_SIZE+10)
else
return false, rs.header:sub(HEADER_SIZE+4)
end
end
pos = HEADER_SIZE + header.len + 1
-- Second, Let's attempt to read the "Field Packets" and "Row Data Packets"
-- They're separated by an "EOF Packet"
for i=1,2 do
-- marks the start of our block
block_start = pos
while true do
if data:len() - pos < HEADER_SIZE then
data = data .. try( socket:receive_bytes( HEADER_SIZE - ( data:len() - pos ) ) )
end
pos, header = decodeHeader( data, pos )
if data:len() - pos < header.len - 1 then
data = data .. try( socket:receive_bytes( header.len - ( data:len() - pos ) ) )
end
if header.len > 0 then
local b = string.unpack("B", data, pos )
-- Is this the EOF packet?
if b == EOF_MARKER then
-- we don't want the EOF Packet included
block_end = pos - HEADER_SIZE - 1
pos = pos + header.len
break
end
end
pos = pos + header.len
end
blocks[i] = data:sub( block_start, block_end )
end
rs.fields = blocks[1]
rs.data = blocks[2]
return true, rs
end
--- Decodes as field packet and returns a table of field tables
--
-- ref: http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol#Field_Packet
--
-- @param data string containing field packets
-- @param count number containing the amount of fields to decode
-- @return status boolean (true on success, false on failure)
-- @return fields table containing field tables as returned by <code>decodeField</code>
-- or string containing error message if status is false
function decodeFieldPackets( data, count )
local pos, header
local field, fields = {}, {}
if count < 1 then
return false, "Field count was less than one, aborting"
end
for i=1, count do
pos, header = decodeHeader( data, pos )
pos, field = decodeField( data, pos )
table.insert( fields, field )
end
return true, fields
end
-- Decodes the result set header
--
-- ref: http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol#Result_Set_Header_Packet
--
-- @param data string containing the result set header packet
-- @return number containing the amount of fields
function decodeResultSetHeader( data )
if data:len() ~= HEADER_SIZE + 1 then
return false, "Result set header was incorrect"
end
local fields = string.unpack( "B", data, HEADER_SIZE + 1 )
return true, fields
end
--- Decodes the row data
--
-- ref: http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol#Row_Data_Packet
--
-- @param data string containing the row data packet
-- @param count number containing the number of fields to decode
-- @return status true on success, false on failure
-- @return rows table containing row tables
function decodeDataPackets( data, count )
local pos = 1
local rows = {}
while pos <= data:len() do
local row = {}
local header
pos, header = decodeHeader( data, pos )
for i=1, count do
row[i], pos = string.unpack("s1", data, pos)
end
table.insert( rows, row )
end
return true, rows
end
--- Sends the query to the MySQL server and then attempts to decode the response
--
-- @param socket socket already connected to mysql
-- @param query string containing the sql query
-- @return status true on success, false on failure
-- @return rows table containing row tables as decoded by <code>decodeDataPackets</code>
function sqlQuery( socket, query )
local catch = function() socket:close() stdnse.debug1("sqlQuery(): failed") end
local try = nmap.new_try(catch)
local packetno = 0
local querylen = query:len() + 1
local packet, packet_len, pos, header
local status, fields, field_count, rows, rs
packet = string.pack("<I4B", querylen, Command.Query) .. query
--
-- http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol#Result_Set_Header_Packet
--
-- (Result Set Header Packet) the number of columns
-- (Field Packets) column descriptors
-- (EOF Packet) marker: end of Field Packets
-- (Row Data Packets) row contents
-- (EOF Packet) marker: end of Data Packets
try( socket:send(packet) )
--
-- Let's read all the data into a table
-- This way we avoid the hustle with reading from the socket
status, rs = decodeQueryResponse( socket )
if not status then
return false, rs
end
status, field_count = decodeResultSetHeader(rs.header)
if not status then
return false, field_count
end
status, fields = decodeFieldPackets(rs.fields, field_count)
if not status then
return false, fields
end
status, rows = decodeDataPackets(rs.data, field_count)
if not status then
return false, rows
end
return true, { cols = fields, rows = rows }
end
---
-- Formats the resultset returned from <code>sqlQuery</code>
--
-- @param rs table as returned from <code>sqlQuery</code>
-- @param options table containing additional options, currently:
-- - <code>noheaders</code> - does not include column names in result
-- @return string containing the formatted resultset table
function formatResultset(rs, options)
options = options or {}
if ( not(rs) or not(rs.cols) or not(rs.rows) ) then
return
end
local restab = tab.new(#rs.cols)
local colnames = {}
if ( not(options.noheaders) ) then
for _, col in ipairs(rs.cols) do table.insert(colnames, col.name) end
tab.addrow(restab, table.unpack(colnames))
end
for _, row in ipairs(rs.rows) do
tab.addrow(restab, table.unpack(row))
end
return tab.dump(restab)
end
return _ENV;
|
