MySQL Local Infile Exploit

Impersonates a MySQL server and attempts to retrieve files on the client system via LOAD DATA LOCAL INFILE.

This attack requires a client with LOCAL INFILE capabilities to connect to your server (whether via SSRF, MITM, or stupidity). The LOCAL INFILE capability is often enabled by default in older clients (especially in web applications).

I wrote this after encountering a client which could be exploited multiple times in a single session. In such an instance, this program can be used to retrieve an entire list of files.

Features

• Handles all file types
• Allows input lists and multiple files per session
• Supports Linux and Windows clients/servers (probably works on Mac too)
• Detects when clients aren't vulnerable
• Recreates target's directory tree when saving files locally
• Handles fragmented packets
• Extensive debug output allows you to see states and packets

Screenshots

Help menu

Exploiting a Debian Linux client to retrieve /etc/passwd (default)

Exploiting a Debian Linux client to retrieve a list of files

Exploiting a Windows client to retrieve win.ini

Enabling verbosity during a failed exploitation attempt

Enabling debug output during a failed exploitation attempt

Installation

git clone https://github.com/jbacco/mysql-local-infile-exploit.git

Usage

Server (attacker): python3 mysql-local-infile-exploit.py

Client (victim): mysql --host <server ip> --port 3306 --enable-local-infile=1 -u admin -padmin

Links

• Abusing MySQL LOCAL INFILE to read client files
• Security Issues with LOAD DATA LOCAL
• MySQL OOB injections
• MySQL connect file read