From 1b172768b44b4fb4580b5030d54821a9d2288fe0 Mon Sep 17 00:00:00 2001
From: Rory McKinley
Date: Thu, 17 Aug 2023 19:07:28 +0200
Subject: [PATCH] Use upstream ruby-mysql in Remote::MYSQL * ... and dependents
---
 Gemfile.lock | 2 +-
 lib/msf/core/exploit/remote/mysql.rb | 12 ++++++------
 .../scanner/mysql/mysql_authbypass_hashdump.rb | 10 +++++-----
 modules/auxiliary/scanner/mysql/mysql_file_enum.rb | 10 +++++-----
 .../auxiliary/scanner/mysql/mysql_writable_dirs.rb | 2 +-
 modules/exploits/windows/mysql/mysql_mof.rb | 8 ++++----
 modules/exploits/windows/mysql/mysql_start_up.rb | 8 ++++----
 7 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index ad4e0a628001..c8e73a800b27 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -468,7 +468,7 @@ GEM
 rubocop-ast (1.29.0)
 parser (>= 3.2.1.0)
 ruby-macho (4.0.0)
- ruby-mysql (4.0.0)
+ ruby-mysql (4.1.0)
 ruby-prof (1.4.2)
 ruby-progressbar (1.13.0)
 ruby-rc4 (0.1.5)
diff --git a/lib/msf/core/exploit/remote/mysql.rb b/lib/msf/core/exploit/remote/mysql.rb
index 7d22616e6857..d102d93de26d 100644
--- a/lib/msf/core/exploit/remote/mysql.rb
+++ b/lib/msf/core/exploit/remote/mysql.rb
@@ -12,7 +12,7 @@
 ###
-require 'rbmysql'
+require 'mysql'
 module Msf
 module Exploit::Remote::MYSQL
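Review bot: The switch to `require 'mysql'` in lib/msf/core/exploit/remote/mysql.rb makes the mixin depend on an upstream ruby-mysql release that accepts the `io:` keyword used by the connect calls later in this patch, yet the only version change listed in the diffstat is the Gemfile.lock bump from 4.0.0 to 4.1.0. A lockfile records one resolved build and does not constrain installs that resolve from the gemspec; if `io:` first appears in 4.1.0 (presumably the reason for the bump, worth confirming against the gem's changelog), the floor belongs where the dependency is declared, for example `spec.add_runtime_dependency 'ruby-mysql', '>= 4.1.0'`. Saying in the commit message whether the old `rbmysql` dependency is dropped or kept would also keep the dependency set auditable.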
@@ -37,21 +37,21 @@ def mysql_login(user='root', pass='', db=nil)
 connect
 begin
- @mysql_handle = ::RbMysql.connect(rhost, user, pass, db, rport, sock)
+ @mysql_handle = ::Mysql.connect(rhost, user, pass, db, rport, io: sock)
 rescue Errno::ECONNREFUSED
 print_error("Connection refused")
 return false
- rescue RbMysql::ClientError
+ rescue ::Mysql::ClientError
 print_error("Connection timedout")
 return false
 rescue Errno::ETIMEDOUT
 print_error("Operation timedout")
 return false
- rescue RbMysql::HostNotPrivileged
+ rescue ::Mysql::HostNotPrivileged
 print_error("Unable to login from this host due to policy")
 return false
- rescue RbMysql::AccessDeniedError
+ rescue ::Mysql::AccessDeniedError
 print_error("Access denied")
 return false
 end
@@ -78,7 +78,7 @@ def mysql_login_datastore
 def mysql_query(sql)
 begin
 res = @mysql_handle.query(sql)
- rescue ::RbMysql::Error => e
+ rescue ::Mysql::Error => e
 print_error("MySQL Error: #{e.class} #{e.to_s}")
 return nil
 rescue Rex::ConnectionTimeout => e
diff --git a/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb b/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb
index 873c61d579cb..5792ca54c2f4 100644
--- a/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb
+++ b/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb
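Review bot: In the mysql_login hunk (-37,21) the renamed rescue clauses now name constants from a different library, and Ruby resolves a rescue clause's constant only while an exception is being matched against it, so a name that upstream does not define at the `::Mysql` top level would surface as a NameError on the failure path rather than at load time. A spec that forces each branch (refused, client error, host not privileged, access denied) against the upstream gem would settle this, and the same applies to the renamed rescues in the mysql_file_enum, mysql_writable_dirs, mysql_mof and mysql_start_up hunks. Separately, `rescue ::Mysql::ClientError` still prints "Connection timedout" although a real timeout is handled by the `Errno::ETIMEDOUT` branch just below it; `rescue ::Mysql::ClientError => e` with `print_error("Connection error: #{e.message}")` would report what actually failed. The end of mysql_login is outside the hunk.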
@@ -61,15 +61,15 @@ def run_host(ip)
 begin
 socket = connect(false)
- mysql_client = ::RbMysql.connect(rhost, username, password, nil, rport, socket)
+ mysql_client = ::Mysql.connect(rhost, username, password, nil, rport, io: socket)
 results << mysql_client
 print_good "#{rhost}:#{rport} The server accepted our first login as #{username} with a bad password. URI: mysql://#{username}:#{password}@#{rhost}:#{rport}"
- rescue RbMysql::HostNotPrivileged
+ rescue ::Mysql::HostNotPrivileged
 print_error "#{rhost}:#{rport} Unable to login from this host due to policy (may still be vulnerable)"
 return
- rescue RbMysql::AccessDeniedError
+ rescue ::Mysql::AccessDeniedError
 print_good "#{rhost}:#{rport} The server allows logins, proceeding with bypass test"
 rescue ::Interrupt
 raise $!
@@ -113,11 +113,11 @@ def run_host(ip)
 begin
 # Create our socket and make the connection
 s = connect(false)
- mysql_client = ::RbMysql.connect(rhost, username, password, nil, rport, s)
+ mysql_client = ::Mysql.connect(rhost, username, password, nil, rport, io: s)
 print_good "#{rhost}:#{rport} Successfully bypassed authentication after #{count} attempts. URI: mysql://#{username}:#{password}@#{rhost}:#{rport}"
 results << mysql_client
- rescue RbMysql::AccessDeniedError
+ rescue ::Mysql::AccessDeniedError
 rescue ::Exception => e
 print_bad "#{rhost}:#{rport} Thread #{count}] caught an unhandled exception: #{e}"
 end
diff --git a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb
index 34180940b18a..3f7a8c248b17 100644
--- a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb
+++ b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb
@@ -50,7 +50,7 @@ def run_host(ip)
 begin
 mysql_query_no_handle("USE " + datastore['DATABASE_NAME'])
- rescue ::RbMysql::Error => e
+ rescue ::Mysql::Error => e
 vprint_error("MySQL Error: #{e.class} #{e.to_s}")
 return
 rescue Rex::ConnectionTimeout => e
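Review bot: In the second mysql_authbypass_hashdump hunk (-113,11) the renamed `rescue ::Mysql::AccessDeniedError` has an empty body and is followed directly by `rescue ::Exception => e`, a clause that also matches SignalException, SystemExit and NoMemoryError, so a shutdown or interrupt raised inside this block would be reduced to a print_bad line. Narrowing it to `rescue ::StandardError => e` keeps unexpected library errors visible without swallowing process-level exceptions. The empty clause would also read better with a one-line comment such as `# expected: the server rejected this attempt`. The enclosing block in run_host starts and ends outside the hunk.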
@@ -81,7 +81,7 @@ def run_host(ip)
 def check_dir dir
 begin
 res = mysql_query_no_handle("LOAD DATA INFILE '" + dir + "' INTO TABLE " + datastore['TABLE_NAME'])
- rescue ::RbMysql::TextfileNotReadable
+ rescue ::Mysql::TextfileNotReadable
 print_good("#{dir} is a directory and exists")
 report_note(
 :host => rhost,
@@ -91,7 +91,7 @@ def check_dir dir
 :proto => 'tcp',
 :update => :unique_data
 )
- rescue ::RbMysql::DataTooLong, ::RbMysql::TruncatedWrongValueForField
+ rescue ::Mysql::DataTooLong, ::Mysql::TruncatedWrongValueForField
 print_good("#{dir} is a file and exists")
 report_note(
 :host => rhost,
@@ -101,9 +101,9 @@ def check_dir dir
 :proto => 'tcp',
 :update => :unique_data
 )
- rescue ::RbMysql::ServerError
+ rescue ::Mysql::ServerError
 vprint_warning("#{dir} does not exist")
- rescue ::RbMysql::Error => e
+ rescue ::Mysql::Error => e
 vprint_error("MySQL Error: #{e.class} #{e.to_s}")
 return
 rescue Rex::ConnectionTimeout => e
diff --git a/modules/auxiliary/scanner/mysql/mysql_writable_dirs.rb b/modules/auxiliary/scanner/mysql/mysql_writable_dirs.rb
index 97bd77a431a1..72f18dbde533 100644
--- a/modules/auxiliary/scanner/mysql/mysql_writable_dirs.rb
+++ b/modules/auxiliary/scanner/mysql/mysql_writable_dirs.rb
@@ -57,7 +57,7 @@ def check_dir(dir)
 begin
 print_status("Checking #{dir}...")
 res = mysql_query_no_handle("SELECT _utf8'test' INTO DUMPFILE '#{dir}/" + datastore['FILE_NAME'] + "'")
- rescue ::RbMysql::ServerError => e
+ rescue ::Mysql::ServerError => e
 print_warning(e.to_s)
 rescue Rex::ConnectionTimeout => e
 print_error("Timeout: #{e.message}")
diff --git a/modules/exploits/windows/mysql/mysql_mof.rb b/modules/exploits/windows/mysql/mysql_mof.rb
index 6d4b002cf9a2..53d4cd2ec787 100644
--- a/modules/exploits/windows/mysql/mysql_mof.rb
+++ b/modules/exploits/windows/mysql/mysql_mof.rb
@@ -66,7 +66,7 @@ def query(q)
 res.each_hash do |row|
 rows << row
 end
- rescue RbMysql::ParseError
+ rescue ::Mysql::ParseError
 return rows
 end
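Review bot: In the mysql_file_enum hunk at -101,9, `rescue ::Mysql::ServerError` logs every server-side error not matched by the clauses above it as "does not exist", so a privilege or configuration error returned by the server is recorded the same way as a missing path. Capturing the exception and naming its class, `rescue ::Mysql::ServerError => e` with `vprint_warning("#{dir} does not exist (#{e.class})")`, would let a reader of the output tell the cases apart. The clause order also carries meaning here, since the specific classes are presumably descendants of ServerError and Error in the upstream hierarchy; a short comment stating that the specific clauses must stay first would protect the order. check_dir begins in the -81,7 hunk and ends outside the visible lines.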
@@ -94,7 +94,7 @@ def exploit
 begin
 m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
 return if not m
- rescue RbMysql::AccessDeniedError
+ rescue ::Mysql::AccessDeniedError
 print_error("Access denied.")
 return
 end
@@ -112,7 +112,7 @@ def exploit
 begin
 upload_file(exe, dest)
 register_file_for_cleanup("#{exe_name}")
- rescue RbMysql::AccessDeniedError
+ rescue ::Mysql::AccessDeniedError
 print_error("No permission to write. I blame kc :-)")
 return
 end
@@ -124,7 +124,7 @@ def exploit
 begin
 upload_file(mof, dest)
 register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}")
- rescue RbMysql::AccessDeniedError
+ rescue ::Mysql::AccessDeniedError
 print_error("No permission to write. Bail!")
 return
 end
diff --git a/modules/exploits/windows/mysql/mysql_start_up.rb b/modules/exploits/windows/mysql/mysql_start_up.rb
index a8b062706626..4a15759491b3 100644
--- a/modules/exploits/windows/mysql/mysql_start_up.rb
+++ b/modules/exploits/windows/mysql/mysql_start_up.rb
@@ -72,7 +72,7 @@ def query(q)
 res.each_hash do |row|
 rows << row
 end
- rescue RbMysql::ParseError
+ rescue ::Mysql::ParseError
 return rows
 end
@@ -104,7 +104,7 @@ def exploit
 print_status("Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
 begin
 m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
- rescue RbMysql::AccessDeniedError
+ rescue ::Mysql::AccessDeniedError
 fail_with(Failure::NoAccess, "#{peer} - Access denied")
 end
@@ -116,7 +116,7 @@ def exploit
 begin
 drive = get_drive_letter
- rescue RbMysql::ParseError
+ rescue ::Mysql::ParseError
 fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name")
 end
@@ -129,7 +129,7 @@ def exploit
 print_status("Uploading to '#{dest}'")
 begin
 upload_file(exe, dest)
- rescue RbMysql::AccessDeniedError
+ rescue ::Mysql::AccessDeniedError
 fail_with(Failure::NotVulnerable, "#{peer} - No permission to write. I blame kc :-)")
 end
 register_file_for_cleanup("#{dest}")
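Review bot: The `rescue ::Mysql::AccessDeniedError` wrapped around `mysql_login` in mysql_mof (-94,7) and mysql_start_up (-104,7) looks unreachable, because the mixin's mysql_login, as changed in this same patch, already rescues `::Mysql::AccessDeniedError`, prints "Access denied" and returns false. Assuming both modules call that mixin method, a denied login is signalled only through the return value, which mysql_mof checks with `return if not m`. In mysql_start_up no such check is visible in the hunk, so unless the lines between the hunks already test `m`, adding `fail_with(Failure::NoAccess, "#{peer} - Access denied") unless m` after the call would make the failure explicit. Both exploit methods start and end outside the hunks.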