Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add MySQL Arch & Platform detection by query #19022

Merged
merged 1 commit into from
Apr 10, 2024
Merged

Add MySQL Arch & Platform detection by query #19022

merged 1 commit into from
Apr 10, 2024

Conversation

sjanusz-r7
Copy link
Contributor

@sjanusz-r7 sjanusz-r7 commented Mar 28, 2024
edited by cgranleese-r7
Loading

This PR adds in the ability to detect the MySQL server's host's platform and arch by running a query.

In the future, this should instead be gathered from the initial server connection info similar to MSSQL's ENVCHANGE and initial_connection_info. However I wasn't able to verify this information in WireShark as the data is encrypted, even if the SSL option is set to false:
image
In the above image, the initial MySQL connection receives an error 1158, Got an error reading communication packets. The second connection request is successful, but encrypted using TLS.

Before

msf6 auxiliary(scanner/mysql/mysql_login) > sessions

Active sessions
===============

  Id  Name  Type   Information                  Connection
  --  ----  ----   -----------                  ----------
  1         mysql  MySQL root @ 127.0.0.1:3306  127.0.0.1:64696 -> 127.0.0.1:3306 (127.0.0.1)
  2         mysql  MySQL root @ 127.0.0.1:4306  127.0.0.1:64698 -> 127.0.0.1:4306 (127.0.0.1)

After

msf6 auxiliary(scanner/mysql/mysql_login) > sessions

Active sessions
===============

  Id  Name  Type                           Information                  Connection
  --  ----  ----                           -----------                  ----------
  8         mysql x86_64/Linux             MySQL root @ 127.0.0.1:3306  127.0.0.1:64569 -> 127.0.0.1:3306 (127.0.0.1)
  9         mysql x86_64/debian-linux-gnu  MySQL root @ 127.0.0.1:4306  127.0.0.1:64631 -> 127.0.0.1:4306 (127.0.0.1)

Confirming we get the correct platform from the string:

>> framework.sessions[1].platform
=> "debian-linux-gnu"
>> Msf::Platform.find_platform(framework.sessions[1].platform)
=> Msf::Module::Platform::Linux

Verification

Get yourself a MySQL Docker container:

docker run -it --rm -e MYSQL_ROOT_PASSWORD='password' -p 3306:3306 mysql:8.3.0

and MariaDB:

docker run -it --rm -e MYSQL_ROOT_PASSWORD='password' -p 4306:3306 mariadb:11.2.2
  • Start msfconsole
  • use mysql_login
  • run rhost={...} etc.
  • Verify that sessions returns you a MySQL Linux x86_64 session.
  • Verify that targeting a MariaDB server results in an x86_64 debian-linux-gnu platform, but you can call Msf::Module::Platform.find_platform(framework.sessions[session_id_here].platform) and that it returns Linux.

@sjanusz-r7 sjanusz-r7 force-pushed the add-mysql-arch-platform-detection-by-query branch 2 times, most recently from 57ffda4 to 1991a4c Compare March 28, 2024 14:53
@cgranleese-r7
Copy link
Contributor

Worked as expected 👍

Before

image

After

image

adfoster-r7
adfoster-r7 previously requested changes Mar 28, 2024
View reviewed changes
lib/msf/base/sessions/mysql.rb Outdated Show resolved Hide resolved
@sjanusz-r7 sjanusz-r7 force-pushed the add-mysql-arch-platform-detection-by-query branch from 1991a4c to d76d12d Compare March 28, 2024 17:17
@sjanusz-r7 sjanusz-r7 marked this pull request as draft March 28, 2024 17:25
@sjanusz-r7
Copy link
Contributor Author

turning this into draft until I fix the MySQL acceptance tests & convert the mysql_enum module to use the server variables if present.

@sjanusz-r7 sjanusz-r7 force-pushed the add-mysql-arch-platform-detection-by-query branch from d76d12d to df2f866 Compare March 28, 2024 17:35
@sjanusz-r7 sjanusz-r7 force-pushed the add-mysql-arch-platform-detection-by-query branch 2 times, most recently from 3c4e39e to 8aa2eb6 Compare April 2, 2024 09:44
@sjanusz-r7 sjanusz-r7 marked this pull request as ready for review April 2, 2024 10:07
adfoster-r7
adfoster-r7 reviewed Apr 3, 2024
View reviewed changes
lib/rex/proto/mysql/client.rb Outdated
# @return [Hash] Server version variables:
# * :arch [String] The server architecture.
# * :platform [String] The server platform.
def query_server_vars
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What are your thoughts on naming this something more granular, since this is a very specific implementation that handles trying to detect the target's platform+arch, and in the future it might not even query the remote server - it might use the original server version connection string that it was greeted with

Maybe one of:

  • def platform_and_arch
  • def detect_platform_and_arch - similar to the jboss mixin, and a bunch of other modules that use the def detect_* convention
  • def get_platform_and_arch - similar to the mssql_clr_payload module

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or I guess an explicit def query_platform_and_arch style method works too, as in the future we could provide a different implementation that does it based the connection details - your call 👍

adfoster-r7
adfoster-r7 reviewed Apr 3, 2024
View reviewed changes
lib/msf/core/module/platform.rb Outdated
@@ -383,7 +383,7 @@ class Ruby < Msf::Module::Platform
#
class Linux < Msf::Module::Platform
Rank = 100
Alias = "linux"
Aliases = [ 'linux', 'debian-linux-gnu', 'linux2.6' ]
Copy link
Contributor

@adfoster-r7 adfoster-r7 Apr 3, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any extra details here? Is this for this part:

Verify that targeting a MariaDB server results in an x86_64 debian-linux-gnu platform, but you can call Msf::Module::Platform.find_platform(framework.sessions[session_id_here].platform) and that it returns Linux.

If so, I'm guessing we'd need a lot of new aliases for all of the possibilities that mysql will return? Or do the docs say the server will only return these values? Or does the mysql client need to normalize the platform value a bit more for the different possibilities that could be returned - presumably windows would need to be handled differently too?

@sjanusz-r7 sjanusz-r7 force-pushed the add-mysql-arch-platform-detection-by-query branch from 8aa2eb6 to 733f42b Compare April 5, 2024 13:16
@cgranleese-r7 cgranleese-r7 self-assigned this Apr 8, 2024
@cgranleese-r7 cgranleese-r7 added the rn-enhancement release notes enhancement label Apr 8, 2024
@sjanusz-r7 sjanusz-r7 force-pushed the add-mysql-arch-platform-detection-by-query branch from 733f42b to d318b9f Compare April 8, 2024 12:05
@cgranleese-r7
Copy link
Contributor

Updated testing, seems to be working as intended 👍

Note

Output has been updated to now return mysql x86_64/Linux for both

image

@sjanusz-r7 sjanusz-r7 force-pushed the add-mysql-arch-platform-detection-by-query branch from d318b9f to a757831 Compare April 8, 2024 15:02
@sjanusz-r7 sjanusz-r7 force-pushed the add-mysql-arch-platform-detection-by-query branch 2 times, most recently from edd63ca to d428737 Compare April 8, 2024 16:03
adfoster-r7
adfoster-r7 reviewed Apr 8, 2024
View reviewed changes
spec/lib/msf/base/sessions/mysql_spec.rb Outdated
@@ -5,7 +5,7 @@

RSpec.describe Msf::Sessions::MySQL do
let(:client) { instance_double(::Rex::Proto::MySQL::Client) }
let(:opts) { { client: client } }
let(:opts) { { client: client, platform: 'Linux', arch: 'x86_64' } }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to confirm; should this be Msf::Platform::Linux or Linux ? 👀

@sjanusz-r7 sjanusz-r7 force-pushed the add-mysql-arch-platform-detection-by-query branch from d428737 to a862b16 Compare April 9, 2024 12:38
@cgranleese-r7
Copy link
Contributor

Retested and everything looks good 👍
image

@cgranleese-r7 cgranleese-r7 merged commit 53efed1 into rapid7:master Apr 10, 2024
39 checks passed
@cgranleese-r7
Copy link
Contributor

Release Notes

This PR adds support to detect the MySQL server's host's platform and arch by running a query.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cgranleese-r7 cgranleese-r7 cgranleese-r7 left review comments

@adfoster-r7 adfoster-r7 adfoster-r7 left review comments

Assignees

@cgranleese-r7 cgranleese-r7

Labels
enhancement rn-enhancement release notes enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sjanusz-r7 @cgranleese-r7 @adfoster-r7