Add Rex Proto MySQL Client

Author: sjanusz-r7

lib/metasploit/framework/login_scanner/mysql.rb

@@ -2,6 +2,7 @@
 require 'mysql'
 require 'metasploit/framework/login_scanner/base'
 require 'metasploit/framework/login_scanner/rex_socket'
+require 'rex/proto/mysql/client'
 
 module Metasploit
   module Framework
@@ -39,7 +40,7 @@ def attempt_login(credential)
             disconnect if self.sock
             self.sock = connect
 
-            mysql_conn = ::Mysql.connect(host, credential.public, credential.private, '', port, io: self.sock)
+            mysql_conn = ::Rex::Proto::MySQL::Client.connect(host, credential.public, credential.private, '', port, io: self.sock)
 
           rescue ::SystemCallError, Rex::ConnectionError => e
             result_options.merge!({

lib/msf/core/exploit/remote/mysql.rb

@@ -12,7 +12,7 @@
 ###
 
 
-require 'mysql'
+require 'rex/proto/mysql/client'
 
 module Msf
 module Exploit::Remote::MYSQL
@@ -38,10 +38,10 @@ def initialize(info = {})
 
   def mysql_login(user='root', pass='', db=nil)
     disconnect if sock
-    connect
+    self.sock = connect
 
     begin
-      self.mysql_conn = ::Mysql.connect(rhost, user, pass, db, rport, io: sock)
+      self.mysql_conn = ::Rex::Proto::MySQL::Client.connect(rhost, user, pass, db, rport, io: self.sock)
       # Deprecating this in favor off `mysql_conn`
       @mysql_handle = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(self, :mysql_conn, :@mysql_handle, ActiveSupport::Deprecation.new)
 

lib/rex/proto/mysql/client.rb

@@ -0,0 +1,29 @@
+require 'mysql'
+
+module Rex
+  module Proto
+    module MySQL
+
+      # This is a Rex Proto wrapper around the ::Mysql client which is currently coming from the 'ruby-mysql' gem.
+      # The purpose of this wrapper is to provide 'peerhost' and 'peerport' methods to ensure the client interfaces
+      # are consistent between various SQL implementations/protocols.
+      class Client < ::Mysql
+        # @return [String] The remote IP address that the Mysql server is running on
+        def peerhost
+          io.remote_address.ip_address
+        end
+
+        # @return [Integer] The remote port that the Mysql server is running on
+        def peerport
+          io.remote_address.ip_port
+        end
+
+        # @return [String] The database this client is currently connected to
+        def current_database
+          # Current database is stored as an array under the type 1 key.
+          session_track.fetch(1, ['']).first
+        end
+      end
+    end
+  end
+end

modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb

@@ -3,6 +3,8 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
+require 'rex/proto/mysql/client'
+
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::MYSQL
   include Msf::Auxiliary::Report
@@ -62,7 +64,7 @@ def run_host(ip)
     begin
       socket = connect(false)
       close_required = true
-      mysql_client = ::Mysql.connect(rhost, username, password, nil, rport, io: socket)
+      mysql_client = ::Rex::Proto::MySQL::Client.connect(rhost, username, password, nil, rport, io: socket)
       results << mysql_client
       close_required = false
 
@@ -118,7 +120,7 @@ def run_host(ip)
             # Create our socket and make the connection
             close_required = true
             s = connect(false)
-            mysql_client = ::Mysql.connect(rhost, username, password, nil, rport, io: s)
+            mysql_client = ::Rex::Proto::MySQL::Client.connect(rhost, username, password, nil, rport, io: s)
 
             print_good "#{rhost}:#{rport} Successfully bypassed authentication after #{count} attempts. URI: mysql://#{username}:#{password}@#{rhost}:#{rport}"
             results << mysql_client

spec/lib/rex/proto/mysql/client_spec.rb

@@ -0,0 +1,16 @@
+# -*- coding: binary -*-
+
+require 'spec_helper'
+require 'rex/proto/mysql/client'
+
+RSpec.describe Rex::Proto::MySQL::Client do
+  it { is_expected.to be_a ::Mysql }
+
+  [
+    { method: :peerhost, return_type: String },
+    { method: :peerport, return_type: Integer },
+    { method: :database_name, return_type: String }
+  ].each do |method_hash|
+    it { is_expected.to respond_to method_hash[:method] }
+  end
+end