hydra mysql无法_hydra-mysql.c

/* mysql 3.2x.x to 4.x support - by mcbethh (at) u-n-f (dot) com */

/* david (dot) maciejak (at) gmail (dot) com for using libmysqlclient-dev,

* adding support for mysql version 5.x */

#include "hydra-mod.h"

#ifndef HAVE_MATH_H

#include

void dummy_mysql() { printf("\n"); }

void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { printf("\n"); }

#else

#include

#define DEFAULT_DB "mysql"

#ifndef LIBMYSQLCLIENT

#else

#if defined(HAVE_MYSQL_MYSQL_H)

#include

#elif defined(HAVE_MYSQL_H)

#include

#else

#error libmysqlclient found, but no usable headers available

#endif

MYSQL *mysql = NULL;

#endif

void hydra_hash_password(unsigned long *result, const char *password);

char *hydra_scramble(char *to, const char *message, const char *password);

extern int32_t internal__hydra_recv(int32_t socket, char *buf, int32_t length);

extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);

extern char *HYDRA_EXIT;

char mysqlsalt[9];

/* modified hydra_receive_line, I've striped code which changed every 0x00 to

* 0x20 */

char *hydra_mysql_receive_line(int32_t socket) {

char buf[300], *buff, *buff2;

int32_t i = 0, j = 0, buff_size = 300;

buff = malloc(buff_size);

if (buff == NULL)

return NULL;

memset(buff, 0, sizeof(buf));

i = hydra_data_ready_timed(socket, (long)waittime, 0);

if (i > 0) {

if ((i = internal__hydra_recv(socket, buff, sizeof(buf))) < 0) {

free(buff);

return NULL;

}

}

if (i <= 0) {

if (debug)

hydra_report_debug(stderr, "DEBUG_RECV_BEGIN||END\n");

free(buff);

return NULL;

}

j = 1;

while (hydra_data_ready(socket) > 0 && j > 0) {

j = internal__hydra_recv(socket, buf, sizeof(buf));

if (j > 0) {

if (i + j > buff_size || (buff2 = realloc(buff, i + j)) == NULL) {

free(buff);

return NULL;

} else {

buff = buff2;

buff_size = i + j;

}

memcpy(buff + i, &buf, j);

i += j;

}

}

if (debug)

hydra_report_debug(stderr, "DEBUG_RECV_BEGIN|%s|END\n", buff);

return buff;

}

/* check if valid mysql protocol, mysql version and read salt */

char hydra_mysql_init(int32_t sock) {

char *server_version, *pos, *buf;

unsigned char protocol;

buf = hydra_mysql_receive_line(sock);

if (buf == NULL)

return 1;

protocol = buf[4];

if (protocol == 0xff) {

pos = &buf[6];

// *(strchr(pos, '.')) = '\0';

hydra_report(stderr, "[ERROR] %s\n", pos);

free(buf);

return 2;

}

if (protocol <= 10) {

free(buf);

return 2;

}

if (protocol > 10) {

fprintf(stderr,

"[INFO] This is protocol version %d, only v10 is supported, not "

"sure if it will work\n",

protocol);

}

server_version = &buf[5];

pos = buf + strlen(server_version) + 10;

memcpy(mysqlsalt, pos, 9);

if (!strstr(server_version, "3.") && !strstr(server_version, "4.") && strstr(server_version, "5.")) {

#ifndef LIBMYSQLCLIENT

hydra_report(stderr, "[ERROR] Not an MySQL protocol or unsupported version,\ncheck "

"configure to see if libmysql is found\n");

#endif

free(buf);

return 2;

}

free(buf);

return 0;

}

/* prepare response to server greeting */

char *hydra_mysql_prepare_auth(char *login, char *pass) {

unsigned char *response;

unsigned long login_len = strlen(login) > 32 ? 32 : strlen(login);

unsigned long response_len = 4 /* header */ + 2 /* client flags */ + 3 /* max packet len */ + login_len + 1 + 8 /* scrambled password len */;

response = (unsigned char *)malloc(response_len + 4);

if (response == NULL) {

fprintf(stderr, "[ERROR] could not allocate memory\n");

return NULL;

}

memset(response, 0, response_len + 4);

*((unsigned long *)response) = response_len - 4;

response[3] = 0x01; /* packet number */

response[4] = 0x85;

response[5] = 0x24; /* client flags */

response[6] = response[7] = response[8] = 0x00; /* max packet */

memcpy(&response[9], login, login_len); /* login */

response[9 + login_len] = '\0'; /* null terminate login */

hydra_scramble((char *)&response[9 + login_len + 1], mysqlsalt, pass);

return (char *)response;

}

/* returns 0 if authentication succeed */

/* and 1 if failed */

char hydra_mysql_parse_response(unsigned char *response) {

unsigned long response_len = *((unsigned long *)response) & 0xffffff;

if (response_len < 4)

return 0;

if (response[4] == 0xff)

return 1;

return 0;

}

char hydra_mysql_send_com_quit(int32_t sock) {

char com_quit_packet[5] = {0x01, 0x00, 0x00, 0x00, 0x01};

hydra_send(sock, com_quit_packet, 5, 0);

return 0;

}

int32_t start_mysql(int32_t sock, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {

char *response = NULL, *login = NULL, *pass = NULL;

unsigned long response_len;

char res = 0;

char *database = NULL;

login = hydra_get_next_login();

pass = hydra_get_next_password();

if (miscptr)

database = miscptr;

/* read server greeting */

res = hydra_mysql_init(sock);

if (res == 2) {

/* old reversing protocol trick did not work */

/* try using the libmysql client if available */

hydra_mysql_send_com_quit(sock);

sock = hydra_disconnect(sock);

#ifdef LIBMYSQLCLIENT

if (mysql == NULL) {

mysql = mysql_init(NULL);

if (mysql == NULL) {

hydra_report(stderr, "[ERROR] Insufficient memory to allocate new mysql object\n");

return 1;

}

}

/*mysql_options(&mysql,MYSQL_OPT_COMPRESS,0); */

if (!mysql_real_connect(mysql, hydra_address2string(ip), login, pass, database, port, NULL, 0)) {

int32_t my_errno = mysql_errno(mysql);

if (debug)

hydra_report(stderr, "[ERROR] Failed to connect to database: %s\n", mysql_error(mysql));

/*

Error: 1049 SQLSTATE: 42000 (ER_BAD_DB_ERROR)

Message: Unknown database '%s'

*/

if (my_errno == 1049) {

hydra_report(stderr, "[ERROR] Unknown database: %s\n", database);

}

if (my_errno == 1251) {

hydra_report(stderr, "[ERROR] Client does not support authentication "

"protocol requested by server\n");

}

/*

http://dev.mysql.com/doc/refman/5.0/en/error-messages-server.html

Error: 1044 SQLSTATE: 42000 (ER_DBACCESS_DENIED_ERROR)

Message: Access denied for user '%s'@'%s' to database '%s'

Error: 1045 SQLSTATE: 28000 (ER_ACCESS_DENIED_ERROR)

Message: Access denied for user '%s'@'%s' (using password: %s)

*/

// if the error is more critical, we just try to reconnect

// to the db later with the mysql_init

if ((my_errno != 1044) && (my_errno != 1045)) {

mysql_close(mysql);

mysql = NULL;

}

return 3;

}

hydra_report_found_host(port, ip, "mysql", fp);

hydra_completed_pair_found();

if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {

mysql_close(mysql);

mysql = NULL;

return 3;

}

return 1;

#else

hydra_child_exit(2);

#endif

}

if (res == 1)

return 1;

/* prepare client authentication packet */

response = hydra_mysql_prepare_auth(login, pass);

if (response == NULL)

return 3;

response_len = *((unsigned long *)response) & 0xffffff;

/* send client auth packet */

/* dunny why, mysql IO code had problem reading my response. */

/* When I send response_len bytes, it always read response_len-4 bytes */

/* I fixed it just by sending 4 characters more. It is maybe not good */

/* coding style, but working :) */

if (hydra_send(sock, response, response_len + 4, 0) < 0) {

free(response);

return 1;

}

free(response);

/* read authentication response */

if ((response = hydra_mysql_receive_line(sock)) == NULL)

return 1;

res = hydra_mysql_parse_response((unsigned char *)response);

if (!res) {

hydra_mysql_send_com_quit(sock);

sock = hydra_disconnect(sock);

hydra_report_found_host(port, ip, "mysql", fp);

hydra_completed_pair_found();

free(response);

if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)

return 3;

return 1;

}

free(response);

hydra_completed_pair();

if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)

return 3;

/* each try requires new connection */

return 1;

}

void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {

int32_t run = 1, next_run = 1, sock = -1;

int32_t myport = PORT_MYSQL;

hydra_register_socket(sp);

if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)

return;

while (1) {

switch (run) {

case 1: /* connect and service init function */

if (sock >= 0) {

hydra_mysql_send_com_quit(sock);

sock = hydra_disconnect(sock);

}

// usleepn(300);

if ((options & OPTION_SSL) == 0) {

if (port != 0)

myport = port;

sock = hydra_connect_tcp(ip, myport);

port = myport;

}

if (sock < 0) {

if (quiet != 1)

fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());

hydra_child_exit(1);

}

next_run = 2;

break;

case 2: /* run the cracking function */

next_run = start_mysql(sock, ip, port, options, miscptr, fp);

break;

case 3: /* clean exit */

if (sock >= 0) {

hydra_mysql_send_com_quit(sock);

sock = hydra_disconnect(sock);

}

hydra_child_exit(0);

return;

default:

fprintf(stderr, "[ERROR] Caught unknown return code, exiting!\n");

hydra_child_exit(2);

}

run = next_run;

}

}

#ifndef LIBMYSQLCLIENT

#endif

/************************************************************************/

/* code belowe is copied from mysql 3.23.57 source code (www.mysql.com) */

/* and slightly modified (removed not needed parts of code, changed */

/* data types) */

/************************************************************************/

struct hydra_rand_struct {

unsigned long seed1, seed2, max_value;

double max_value_dbl;

};

void hydra_randominit(struct hydra_rand_struct *rand_st, unsigned long seed1, unsigned long seed2) { /* For mysql 3.21.# */

rand_st->max_value = 0x3FFFFFFFL;

rand_st->max_value_dbl = (double)rand_st->max_value;

rand_st->seed1 = seed1 % rand_st->max_value;

rand_st->seed2 = seed2 % rand_st->max_value;

}

double hydra_rnd(struct hydra_rand_struct *rand_st) {

rand_st->seed1 = (rand_st->seed1 * 3 + rand_st->seed2) % rand_st->max_value;

rand_st->seed2 = (rand_st->seed1 + rand_st->seed2 + 33) % rand_st->max_value;

return (((double)rand_st->seed1) / rand_st->max_value_dbl);

}

void hydra_hash_password(unsigned long *result, const char *password) {

register unsigned long nr = 1345345333L, add = 7, nr2 = 0x12345671L;

unsigned long tmp;

for (; *password; password++) {

if (*password == ' ' || *password == '\t')

continue; /* skipp space in password */

tmp = (unsigned long)(unsigned char)*password;

nr ^= (((nr & 63) + add) * tmp) + (nr << 8);

nr2 += (nr2 << 8) ^ nr;

add += tmp;

}

result[0] = nr & (((unsigned long)1L << 31) - 1L); /* Don't use sign bit (str2int) */

;

result[1] = nr2 & (((unsigned long)1L << 31) - 1L);

return;

}

char *hydra_scramble(char *to, const char *message, const char *password) {

struct hydra_rand_struct rand_st;

unsigned long hash_pass[2], hash_message[2];

char extra;

if (password && password[0]) {

char *to_start = to;

hydra_hash_password(hash_pass, password);

hydra_hash_password(hash_message, message);

hydra_randominit(&rand_st, hash_pass[0] ^ hash_message[0], hash_pass[1] ^ hash_message[1]);

while (*message++)

*to++ = (char)(floor(hydra_rnd(&rand_st) * 31) + 64);

extra = (char)(floor(hydra_rnd(&rand_st) * 31));

while (to_start != to)

*(to_start++) ^= extra;

}

*to = 0;

return to;

}

#endif

int32_t service_mysql_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {

// called before the childrens are forked off, so this is the function

// which should be filled if initial connections and service setup has to be

// performed once only.

//

// fill if needed.

//

// return codes:

// 0 all OK

// -1 error, hydra will exit, so print a good error message here

return 0;

}

void usage_mysql(const char *service) {

printf("Module mysql is optionally taking the database to attack, default is "

"\"mysql\"\n\n");

}

一键复制

编辑

Web IDE

原始数据

按行查看

历史