Add a Web Server based on Rogue Mysql Server to allow remote user get

Related tags

Security related resourcesRogue-MySql-Web-Server
Overview

介绍

对于需要使用 Rogue Mysql Server 的漏洞来说,若想批量检测这种漏洞的话需要自备一个服务器。并且我常用的Rogue Mysql Server 脚本 不支持动态更改读取文件名、不支持远程用户访问读取结果、不支持批量化检测网站。于是乎萌生了这个小脚本的想法


Rogue-MySql-Web-Server 有两个重要文件:server.pyrogue_mysql_server.py。其中 server.py 是主脚本,用于起一个简陋的Web服务以及远程用户交互;rogue_mysql_server.py 是魔改了 Rogue Mysql Server 脚本 的产物。支持通过传参的方式来起 Rogue Mysql Server。


功能

Rogue-MySql-Web-Server 的主要功能为:使授权远程用户可通过参数拉起指定配置的 Rogue Mysql Server、获取Mysql客户端被读取文件内容。为了能够实现这些功能,Rogue-MySql-Web-Server 的基本结构如下:

  1. 鉴权,仅允许密码正确的用户访问资源,密码不正确 或 url格式不正确者 直接断开连接
  2. 根据远程用户传参确定 Code(相当于唯一id),拉起一个 Rogue Mysql Server 实例,存入 Server池中
  3. 每个新的 Rogue Mysql Server 实例都监听着不同的端口,以保证同时测试多个网站时不会冲突
  4. 若有需要,可通过远程用户传参销毁指定 Code 的 Rogue Mysql Server 实例
  5. Rogue-MySql-Web-Server 会根据远程用户传入 Code 获取对应 Rogue Mysql Server 的读取结果

项目结构如下:

使用

环境:

python 2.7 & python 3.x

ps:python2 和 python3 都要有。。。因为 rogue_mysql_server.py 是魔改别人的脚本,,懒得改成 python3了,,一般装 Linux 都会预装 python2 和 python3 的吧。。。。。


配置

需要修改的地方主要有四处:

  1. password --- 连接密码
  2. port --- Web服务监听端口
  3. pythonPath --- 服务器中 python 2 可执行文件路径
  4. for p in range(2000,3000) --- Rogue Mysql Server 实例的端口范围。指定多少端口就决定了能拉起多少个 Rogue Mysql Server实例。最好配置成没有任何一个端口占用的范围

默认值如下:


运行:

配置完毕后,使用命令 python3 server.py 运行主程序。这样就是跑起来了

注意一定要用 python 3.x 版本来运行主程序,建议使用 python 3.7。若使用 python 2 会有 Subprocess 和 Socket 连用 Socket 返回特别慢的bug。


访问格式

由于主程序实现了一个简陋的Web服务,所以我使用 url的格式 来给程序传参。格式如下:

/password/operation/code/sqlRandomString?x=file

不管是什么操作都必须按照这个格式来发送,不然无法正常与程序交互


新建Rogue Mysql Server 实例

在开始测试 Rogue Mysql Server 漏洞前,需要先从 Rogue-MySql-Web-Server 上获取一个 Rogue Mysql Server 实例。使用如下请求可让 Rogue-MySql-Web-Server 生成一个 Rogue Mysql Server 实例 并返回相关信息:

##Request:##
GET /ebf734024jto485/instantiate/202cb962ac59075b964b07152d234b70-1622045270467/x1x2x3x4?x=/etc/passwd HTTP/1.1

Host: 127.0.0.1:1921

##Response:##
HTTP/1.1 200 ok
Content-Type: application/json

{"code": "1", "msg": "2000"}

Request:

  1. operation 设置为 instantiate
  2. password 需要和 server.py 中定义的一致
  3. code 需要客户端自行生成。推荐格式:随机数的md5-微秒级时间戳。这是为每个 Rogue Mysql Server实例分配的 id
  4. sqlRandomString 虽然在这阶段没用,但仍然需要发送
  5. file 用于配置 Rogue Mysql Server,指定要读取的客户端文件路径。只能设置一个文件,不支持多个

Response:

  1. Rogue-MySql-Web-Server 将以 json 形式返回数据。字段只有两个:codemsg
  2. code 为 1 代表实例化成功,为 0 代表实例化失败
  3. msg 为该 Rogue Mysql Server实例监听的端口

读取 Rogue Mysql Server 结果

被攻击的客户端执行的 SQL Query 是有讲究的, SQL Query 中需要包含 code+sqlRandomString 以便 Rogue-MySql-Web-Server 筛选文件内容。推荐格式如下:

select/update/delete ..... where x='{code}{sqlRandomString}'

insert into x values('{code}{sqlRandomString}')

其中:

{code} 为 “新建 Rogue Mysql Server实例” 时传的 code 参数。

{sqlRandomString} 为 “新建 Rogue Mysql Server实例” 时传的 sqlRandomString 参数。


模拟场景:客户端连接 Rogue Mysql Server:

其中 连接端口 为 “新建 Rogue Mysql Server实例” 请求中响应的 msg 字段,并且Sql语句中需要存在 code+sqlRandomString 的字符串。

客户端成功连接 Rogue Mysql Server 后,我们便可获取客户端读取的文件内容了。请求如下:

##Request:##
GET /ebf734024jto485/readInfo/202cb962ac59075b964b07152d234b70-1622045270467/x1x2x3x4?x=/etc/passwd HTTP/1.1

Host: 127.0.0.1:1921


##Response:##
HTTP/1.1 200 ok
Content-Type: application/json

{"code": "1", "msg": "'xxxxx"}

Request:

  1. operation 设置为 readInfo
  2. password 需要和 server.py 中定义的一致
  3. code 需要客户端自行生成。推荐格式:随机数的md5-微秒级时间戳。用于指定读取哪个 Rogue Mysql Server 的内容
  4. sqlRandomString 用于区分同一个 Rogue Mysql Server 内容中,不同时间段读取的文件内容。会在下文详细说
  5. file 虽然在这阶段没用,但仍然需要发送

Response:

  1. Rogue-MySql-Web-Server 将以 json 形式返回数据。字段只有两个:codemsg
  2. code 为 1 代表通过 code+sqlRandomString 成功匹配到文件内容,为 0 代表没用匹配到文件内容
  3. code 为 1 时,msg 仅为匹配到的文件内容;当 code 为 2 时, msg 代表全部文件内容;当 code 为 0 时, msg 代表 读取文件时有异常

sqlRandomString 用于区分同一个 Rogue Mysql Server 内容中,不同时间段读取的文件内容。如下所示:

首先,客户端执行了如下 SQL query,code 为 202cb962ac59075b964b07152d234b70-1622045270468,sqlRandomString 为 a1a2a3

select 1 where x='202cb962ac59075b964b07152d234b70-1622045270468a1a2a3';

构造读取文件请求,如下,成功获取到客户端 /var/www/html/config.txt 文件内容


假设此时 /var/www/html/config.txt 文件内容发生了变化,想要获取最新的文件内容,需要修改 SQL query 中的 sqlRandomString 并让客户端再执行一次。下面Demo修改 sqlRandomString 为 b1b2b3

select 1 where x='202cb962ac59075b964b07152d234b70-1622045270468b1b2b3';

构造读取文件请求,修改 sqlRandomString 使之与 SQL query 对应。如下,成功获取到客户端 /var/www/html/config.txt 文件新内容


code+sqlRandomString 无法匹配到文件内容,将会返回整个文件内容,并且 code 为 2:


销毁Rogue Mysql Server 实例

当成功读取完客户端文件不需要再使用 Rogue Mysql Server时,可以将其销毁,避免占用系统资源。使用如下请求可销毁对应 code 的 Rogue Mysql Server实例:

##Request:##
GET /ebf734024jto485/destroy/202cb962ac59075b964b07152d234b70-1622045270467/x1x2x3?x=/etc/passwd HTTP/1.1

Host: 127.0.0.1:1921


##Response:##
HTTP/1.1 200 ok
Content-Type: application/json

{"code": "1", "msg": "destroied"}

Request:

  1. operation 设置为 destroy
  2. password 需要和 server.py 中定义的一致
  3. code 需要客户端自行生成。推荐格式:随机数的md5-微秒级时间戳。用于指定销毁哪个 Rogue Mysql Server
  4. sqlRandomString 虽然在这阶段没用,但仍然需要发送
  5. file 虽然在这阶段没用,但仍然需要发送

Response:

  1. Rogue-MySql-Web-Server 将以 json 形式返回数据。字段只有两个:codemsg
  2. code 为 1 代表销毁成功

Reference

https://github.com/allyshka/Rogue-MySql-Server

You might also like...
Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

Pupy Installation Installation instructions are on the wiki, in addition to all other documentation. For maximum compatibility, it is recommended to u

null 7.4k Jan 4, 2023
Remote Desktop Protocol in Twisted Python

RDPY Remote Desktop Protocol in twisted python. RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (client a

Sylvain Peyrefitte 1.6k Dec 30, 2022
Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1

CVE-2021-22911 Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1 The getPasswordPolicy method is vulnerable to NoS

Enox 47 Nov 9, 2022
Strapi Framework Vulnerable to Remote Code Execution

CVE-2019-19609 Strapi Framework Vulnerable to Remote Code Execution well, I didnt found any exploit for CVE-2019-19609 so I wrote one. :/ Usage pytho

Dasith Vidanage 7 Mar 8, 2022
Übersicht remote command execution 0day exploit
Übersicht remote command execution 0day exploit

Übersicht RCE 0day Unauthenticated remote command execution 0day exploit for Übersicht. Description Übersicht is a desktop widget application for m

BoofGang 10 Dec 21, 2021
A Python replicated exploit for Webmin 1.580 /file/show.cgi Remote Code Execution

CVE-2012-2982 John Hammond | September 4th, 2021 Checking searchsploit for Webmin 1.580 I only saw a Metasploit module for the /file/show.cgi Remote C

John Hammond 25 Dec 8, 2022
CVE-2021-26084 Remote Code Execution on Confluence Servers
CVE-2021-26084 Remote Code Execution on Confluence Servers

CVE-2021-26084 CVE-2021-26084 Remote Code Execution on Confluence Servers. Dork Fofa: app="ATLASSIAN-Confluence" Usage Show help information. python P

FQ Hsu 63 Dec 30, 2022
On the 11/11/21 the apache 2.4.49-2.4.50 remote command execution POC has been published online and this is a loader so that you can mass exploit servers using this.
On the 11/11/21 the apache 2.4.49-2.4.50 remote command execution POC has been published online and this is a loader so that you can mass exploit servers using this.

ApacheRCE ApacheRCE is a small little python script that will allow you to input the apache version 2.4.49-2.4.50 and then input a list of ip addresse

null 3 Dec 4, 2022
Exploit for GitLab CVE-2021-22205 Unauthenticated Remote Code Execution

Vuln Impact An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files tha

Hendrik Agung 2 Dec 30, 2021
Releases(v1.0.1)
Owner
GitHub Repository
A Python & JavaScript Obfuscator made in Python 3.

Python Code Obfuscator A script that converts code into full on random numerical expressions. Simple Scripts: Python Mode... Input: Function that deco

Karim 3 Mar 24, 2022
Um keylogger que se disfarça de um app que tira print da tela.

Keylogger_ Um keylogger que se disfarça de um app que tira print da tela. Este programa captura o print da tela e salva ,normalmente, na pasta Picture

Marcus Vinícius Ribeiro Andrade 1 Dec 03, 2021
RedTeam-Security - In this repo you will get the information of Red Team Security related links

OSINT Passive Discovery Amass - https://github.com/OWASP/Amass (Attack Surface M

Abhinav Pathak 5 May 18, 2022
阿里云accesskey利用工具

aliyun-accesskey-Tools 此工具用于查询ALIYUN_ACCESSKEY的主机,并且远程执行命令。 对于ALIYUN_ACCESSKEY利用方式可参考文章:记一次阿里云主机泄露Access Key到Getshell 工具截图 安装模块 pip install -r require

一灯老和尚 826 Jan 01, 2023
Docker is an open platform for developing, shipping, and running applications OS-level virtualization to deliver software in packages called containers However, 'security' is a top request on Docker's public roadmap This project aims at vulnerability check for such docker containers. New contributions are accepted

Docker-Vulnerability-Check Docker is an open platform for developing, shipping, and running applications OS-level virtualization to deliver software i

Team Spark 103 Aug 20, 2022
Ini membuat tema berbasis bendera Indonesia with Python + Linux.py

tema Ubah Tema Termux Menjadi Linux Ubah Font Termux Jadi Linux dibuat oleh wahyudioputra INSTALL pkg update && pkg upgrade pkg install python pkg ins

wahyudioputra 2 Nov 30, 2021
To explore creating an application that detects available connections at once from wifi and bluetooth

Signalum A Linux Package to detect and analyze existing connections from wifi and bluetooth. Also checkout the Desktop Application. Signalum Installat

BISOHNS 56 Mar 03, 2021
OSINT Cybersecurity Tools

OSINT Cybersecurity Tools Welcome to the World of OSINT: An ongoing collection of awesome tools and frameworks, best security software practices, libr

Paul Veillard, P. Eng 7 Jul 01, 2022
Automatically download all 10,000 CryptoPunk NFTs.

CryptoPunk Stealer The sole purpose of this script is to download the entire CryptoPunk NFT collection. How does it work? Basically, the website where

Dan 7 Oct 22, 2022
Valeria stealer- - (4Feb 2022) program detects wifi saved passwords in your ROM

Valeria_stealer- Requirements : python 3.9.2 and higher (4Feb 2022) program dete

Mikhail Yolkin 3 May 05, 2022
⛤Keylogger Generator for Windows written in Python⛤

⛤Keylogger Generator for Windows written in Python⛤

FZGbzuw412 33 Nov 24, 2022
Backdoor is a term that refers to the access of the software or hardware of a computer system without being detected.

This program is an non-object oriented opensource, hidden and undetectable backdoor/reverse shell/RAT for Windows made in Python 3 which contains many features such as multi-client support and cross-

35 Apr 17, 2022
Python DNS Lookup: The Domain Name System (DNS) is basically the phonebook of the Internet

-Python-DNS-Lookup- ✨ 🌟 Python DNS Lookup ✨ 🌟 The Domain Name System (DNS) is

Ronnie Atuhaire 2 Feb 14, 2022
IPscan - This Script is Framework To automate IP process large scope For Bug Hunting

IPscan This Script is Framework To automate IP process large scope For Bug Hunti

0xd2rdir 8 Mar 12, 2022
Downloads SEP, Baseband and BuildManifest automatically for signed iOS version's for connected iDevice

FutureHelper Supports macOS and Windows Downloads SEP, Baseband and BuildManifest automatically for signed iOS version's (including beta firmwares) fo

Kasim Hussain 7 Jan 05, 2023
Time Discretization-Invariant Safe Action Repetition for Policy Gradient Methods

Time Discretization-Invariant Safe Action Repetition for Policy Gradient Methods This repository is the official implementation of Seohong Park, Jaeky

Seohong Park 6 Aug 02, 2022
Tool to check if your DNS comply to Polish Ministry of Finance gambling domains restrictions

dns-mf-hazard Tool to check if your DNS comply to Polish Ministry of Finance gambling domains restrictions How to use it? Installation You need python

Marek Wajdzik 2 Jan 01, 2022
Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.

CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability This is a proof of concept for CVE-2021-31166 ("HTTP Protocol Stack Remote Cod

Axel Souchet 820 Dec 18, 2022
This repo explains in details about buffer overflow exploit development for windows executable.

Buffer Overflow Exploit Development For Beginner Introduction I am beginner in security community and as my fellow beginner, I spend some of my time a

cris_0xC0 11 Dec 17, 2022
Log4j rce test environment and poc

log4jpwn log4j rce test environment See: https://www.lunasec.io/docs/blog/log4j-zero-day/ Experiments to trigger in various software products mentione

Leon Jacobs 307 Dec 24, 2022