
mysql lua scripts throw mysql.lua:93: bad argument #2 to 'unpack' (data string too short) error #2128

Closed
bstrobel opened this issue Sep 22, 2020 · 5 comments
@bstrobel bstrobel commented Sep 22, 2020

Describe the bug

I'm running nmap 7.80 from the latest Kali distribution (2020.3).

As a target I'm using the Metasploitable-Linux-2.0.0 VM which runs a mysql 5.0.51a-3ubuntu5 on 192.168.56.103:3306 and has a root account without a password.

Running nmap mysql scripts against it results in this output:

nmap -n -Pn --script mysql-*  192.168.56.103 -p 3306
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-22 10:03 CEST
Nmap scan report for 192.168.56.103
Host is up (0.00026s latency).

PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-brute: 
|   Accounts: 
|     root:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|_  Statistics: Performed 40013 guesses in 19 seconds, average tps: 2105.9
|_mysql-databases: ERROR: Script execution failed (use -d to debug)
|_mysql-dump-hashes: ERROR: Script execution failed (use -d to debug)
| mysql-empty-password: 
|_  root account has empty password
| mysql-enum: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 123125
|   Capabilities flags: 43564
|   Some Capabilities: LongColumnFlag, SwitchToSSLAfterHandshake, SupportsTransactions, Support41Auth, ConnectWithDatabase, SupportsCompression, Speaks41ProtocolNew
|   Status: Autocommit
|_  Salt: gCXoHXcfYh#q4Md3lIeC
|_mysql-users: ERROR: Script execution failed (use -d to debug)
|_mysql-variables: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 18.81 seconds

Debug output (-d) for one of the failed scripts as an example (it seems to be the same for all of them):

nmap -n -Pn --script mysql-empty-password,mysql-databases -d  192.168.56.103 -p 3306
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-22 10:04 CEST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 2 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:04
Completed NSE at 10:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:04
Completed NSE at 10:04, 0.00s elapsed
Initiating Connect Scan at 10:04
Scanning 192.168.56.103 [1 port]
Discovered open port 3306/tcp on 192.168.56.103
Completed Connect Scan at 10:04, 0.00s elapsed (1 total ports)
Overall sending rates: 2923.98 packets / s.
NSE: Script scanning 192.168.56.103.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:04
NSE: Starting mysql-empty-password against 192.168.56.103:3306.
NSE: Finished mysql-empty-password against 192.168.56.103:3306.
Completed NSE at 10:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:04
NSE: Starting mysql-databases against 192.168.56.103:3306.
NSE: mysql-databases against 192.168.56.103:3306 threw an error!
/usr/bin/../share/nmap/nselib/mysql.lua:93: bad argument #2 to 'unpack' (data string too short)
stack traceback:
        [C]: in function 'string.unpack'
        /usr/bin/../share/nmap/nselib/mysql.lua:93: in upvalue 'decodeHeader'
        /usr/bin/../share/nmap/nselib/mysql.lua:469: in function 'mysql.decodeDataPackets'
        /usr/bin/../share/nmap/nselib/mysql.lua:532: in function 'mysql.sqlQuery'
        /usr/bin/../share/nmap/scripts/mysql-databases.nse:84: in function </usr/bin/../share/nmap/scripts/mysql-databases.nse:42>
        (...tail calls...)

Completed NSE at 10:04, 0.00s elapsed
Nmap scan report for 192.168.56.103
Host is up, received user-set (0.00027s latency).
Scanned at 2020-09-22 10:04:57 CEST for 0s

PORT     STATE SERVICE REASON
3306/tcp open  mysql   syn-ack
| mysql-empty-password: 
|_  root account has empty password
Final times for host: srtt: 268 rttvar: 5000  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:04
Completed NSE at 10:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:04
Completed NSE at 10:04, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

To Reproduce
See above description

Expected behavior
Scripts to retrieve and display the information successfully.

Version info (please complete the following information):

  • OS:
uname -a
Linux kaliacer 5.8.0-kali1-amd64 #1 SMP Debian 5.8.7-1kali1 (2020-09-14) x86_64 GNU/Linux

cat /etc/*-release
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2020.3"
VERSION_ID="2020.3"
VERSION_CODENAME="kali-rolling"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"
  • Output of nmap --version:
nmap --version
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1g libssh2-1.8.0 libz-1.2.11 libpcre-8.39 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
@bstrobel bstrobel added the Nmap label Sep 22, 2020
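The traceback above dies inside decodeHeader because the 4-byte MySQL packet header (3-byte little-endian payload length plus a 1-byte sequence id) is unpacked from whatever bytes happen to have been read so far. As an added illustration in Python (not nmap's mysql.lua and not the fix referenced later in this thread), this decodes that header, treats a buffer that is too short as "wait for more data" instead of an exception, and reassembles packets split across arbitrary TCP read boundaries; the packet contents are constructed.

```python
import struct

HEADER_LEN = 4  # 3-byte little-endian payload length + 1-byte sequence id


def pack(seq: int, payload: bytes) -> bytes:
    """Build one MySQL protocol packet (constructed test data, not nmap code)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def decode_header(data: bytes, pos: int = 0):
    """Unguarded header unpack, the same shape as the failing call: with fewer
    than 4 bytes left, struct raises struct.error, the Python counterpart of
    Lua's "bad argument #2 to 'unpack' (data string too short)"."""
    length_bytes, seq = struct.unpack_from("<3sB", data, pos)
    return int.from_bytes(length_bytes, "little"), seq, pos + HEADER_LEN


def split_packets(buf: bytes):
    """Return the complete packets in buf and the unconsumed tail.

    The length guards are the point: a TCP read can end in the middle of a
    header or a payload, so "not enough bytes yet" is a normal outcome that
    must be reported to the caller, not raised as an error."""
    packets, pos = [], 0
    while len(buf) - pos >= HEADER_LEN:       # full header available?
        length, seq, body = decode_header(buf, pos)
        if len(buf) - body < length:          # payload still arriving
            break                             # keep the partial packet in the tail
        packets.append((seq, buf[body:body + length]))
        pos = body + length
    return packets, buf[pos:]


def reassemble(chunks):
    """Feed socket-sized chunks through split_packets, carrying the tail over."""
    tail, packets = b"", []
    for chunk in chunks:
        done, tail = split_packets(tail + chunk)
        packets.extend(done)
    return packets, tail


# Constructed SHOW DATABASES-style row packets followed by an EOF packet,
# delivered in three arbitrary segments (the cuts land inside a payload and
# inside a header respectively).
STREAM = (pack(1, b"\x12information_schema") + pack(2, b"\x04dvwa")
          + pack(3, b"\x05mysql") + pack(4, b"\xfe\x00\x00\x02\x00"))
CHUNKS = [STREAM[:9], STREAM[9:25], STREAM[25:]]
```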

@bstrobel bstrobel commented Sep 22, 2020

PS: The same error is raised when I run the mysql-* nmap scripts against the local MariaDB 10.3.24-MariaDB-2 Debian buildd-unstable on my kali. Contrary to the Metasploitable VM above, this one also requires a password (which I provided using --script-args). So it seems the empty password is not the cause of the problem.


@nnposter nnposter commented Oct 8, 2020

Please test updated nselib/mysql.lua from 932901e and report back.


@bstrobel bstrobel commented Oct 8, 2020

Hi, it works now. See below. Thanks for fixing it!

nmap -n -Pn --script mysql-*  192.168.56.103 -p 3306
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-08 11:53 CEST
Nmap scan report for 192.168.56.103
Host is up (0.00048s latency).

PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-brute: 
|   Accounts: 
|     root:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|_  Statistics: Performed 40012 guesses in 19 seconds, average tps: 2105.9
| mysql-databases: 
|   information_schema
|   dvwa
|   metasploit
|   mysql
|   owasp10
|   tikiwiki
|_  tikiwiki195
| mysql-empty-password: 
|_  root account has empty password
| mysql-enum: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 9
|   Capabilities flags: 43564
|   Some Capabilities: Speaks41ProtocolNew, SupportsCompression, Support41Auth, SupportsTransactions, LongColumnFlag, ConnectWithDatabase, SwitchToSSLAfterHandshake
|   Status: Autocommit
|_  Salt: _{p@,X[?hosvuh+:$A[)
| mysql-users: 
|   debian-sys-maint
|   guest
|_  root
| mysql-variables: 
|   auto_increment_increment: 1
|   auto_increment_offset: 1
|   automatic_sp_privileges: ON
|   back_log: 50
|   basedir: /usr/
|   binlog_cache_size: 32768
|   bulk_insert_buffer_size: 8388608
|   character_set_client: latin1
|   character_set_connection: latin1
|   character_set_database: latin1
|   character_set_filesystem: binary
|   character_set_results: latin1
|   character_set_server: latin1
|   character_set_system: utf8
|   character_sets_dir: /usr/share/mysql/charsets/
|   collation_connection: latin1_swedish_ci
|   collation_database: latin1_swedish_ci
|   collation_server: latin1_swedish_ci
|   completion_type: 0
|   concurrent_insert: 1
|   connect_timeout: 5
|   datadir: /var/lib/mysql/
|   date_format: %Y-%m-%d
|   datetime_format: %Y-%m-%d %H:%i:%s
|   default_week_format: 0
|   delay_key_write: ON
|   delayed_insert_limit: 100
|   delayed_insert_timeout: 300
|   delayed_queue_size: 1000
|   div_precision_increment: 4
|   keep_files_on_create: OFF
|   engine_condition_pushdown: OFF
|   expire_logs_days: 10
|   flush: OFF
|   flush_time: 0
|   ft_boolean_syntax: + -><()~*:""&|
|   ft_max_word_len: 84
|   ft_min_word_len: 4
|   ft_query_expansion_limit: 20
|   ft_stopword_file: (built-in)
|   group_concat_max_len: 1024
|   have_archive: YES
|   have_bdb: NO
|   have_blackhole_engine: YES
|   have_compress: YES
|   have_crypt: YES
|   have_csv: YES
|   have_dynamic_loading: YES
|   have_example_engine: NO
|   have_federated_engine: YES
|   have_geometry: YES
|   have_innodb: YES
|   have_isam: NO
|   have_merge_engine: YES
|   have_ndbcluster: DISABLED
|   have_openssl: YES
|   have_ssl: YES
|   have_query_cache: YES
|   have_raid: NO
|   have_rtree_keys: YES
|   have_symlink: YES
|   hostname: metasploitable
|   init_connect: 
|   init_file: 
|   init_slave: 
|   innodb_additional_mem_pool_size: 1048576
|   innodb_autoextend_increment: 8
|   innodb_buffer_pool_awe_mem_mb: 0
|   innodb_buffer_pool_size: 8388608
|   innodb_checksums: ON
|   innodb_commit_concurrency: 0
|   innodb_concurrency_tickets: 500
|   innodb_data_file_path: ibdata1:10M:autoextend
|   innodb_data_home_dir: 
|   innodb_doublewrite: ON
|   innodb_fast_shutdown: 1
|   innodb_file_io_threads: 4
|   innodb_file_per_table: OFF
|   innodb_flush_log_at_trx_commit: 1
|   innodb_flush_method: 
|   innodb_force_recovery: 0
|   innodb_lock_wait_timeout: 50
|   innodb_locks_unsafe_for_binlog: OFF
|   innodb_log_arch_dir: 
|   innodb_log_archive: OFF
|   innodb_log_buffer_size: 1048576
|   innodb_log_file_size: 5242880
|   innodb_log_files_in_group: 2
|   innodb_log_group_home_dir: ./
|   innodb_max_dirty_pages_pct: 90
|   innodb_max_purge_lag: 0
|   innodb_mirrored_log_groups: 1
|   innodb_open_files: 300
|   innodb_rollback_on_timeout: OFF
|   innodb_support_xa: ON
|   innodb_sync_spin_loops: 20
|   innodb_table_locks: ON
|   innodb_thread_concurrency: 8
|   innodb_thread_sleep_delay: 10000
|   interactive_timeout: 28800
|   join_buffer_size: 131072
|   key_buffer_size: 16777216
|   key_cache_age_threshold: 300
|   key_cache_block_size: 1024
|   key_cache_division_limit: 100
|   language: /usr/share/mysql/english/
|   large_files_support: ON
|   large_page_size: 0
|   large_pages: OFF
|   lc_time_names: en_US
|   license: GPL
|   local_infile: ON
|   locked_in_memory: OFF
|   log: OFF
|   log_bin: OFF
|   log_bin_trust_function_creators: OFF
|   log_error: 
|   log_queries_not_using_indexes: OFF
|   log_slave_updates: OFF
|   log_slow_queries: OFF
|   log_warnings: 1
|   long_query_time: 10
|   low_priority_updates: OFF
|   lower_case_file_system: OFF
|   lower_case_table_names: 0
|   max_allowed_packet: 16776192
|   max_binlog_cache_size: 4294967295
|   max_binlog_size: 104857600
|   max_connect_errors: 10
|   max_connections: 100
|   max_delayed_threads: 20
|   max_error_count: 64
|   max_heap_table_size: 16777216
|   max_insert_delayed_threads: 20
|   max_join_size: 18446744073709551615
|   max_length_for_sort_data: 1024
|   max_prepared_stmt_count: 16382
|   max_relay_log_size: 0
|   max_seeks_for_key: 4294967295
|   max_sort_length: 1024
|   max_sp_recursion_depth: 0
|   max_tmp_tables: 32
|   max_user_connections: 0
|   max_write_lock_count: 4294967295
|   multi_range_count: 256
|   myisam_data_pointer_size: 6
|   myisam_max_sort_file_size: 2147483647
|   myisam_recover_options: OFF
|   myisam_repair_threads: 1
|   myisam_sort_buffer_size: 8388608
|   myisam_stats_method: nulls_unequal
|   ndb_autoincrement_prefetch_sz: 32
|   ndb_force_send: ON
|   ndb_use_exact_count: ON
|   ndb_use_transactions: ON
|   ndb_cache_check_time: 0
|   ndb_connectstring: 
|   net_buffer_length: 16384
|   net_read_timeout: 30
|   net_retry_count: 10
|   net_write_timeout: 60
|   new: OFF
|   old_passwords: OFF
|   open_files_limit: 1024
|   optimizer_prune_level: 1
|   optimizer_search_depth: 62
|   pid_file: /var/run/mysqld/mysqld.pid
|   port: 3306
|   preload_buffer_size: 32768
|   profiling: OFF
|   profiling_history_size: 15
|   protocol_version: 10
|   query_alloc_block_size: 8192
|   query_cache_limit: 1048576
|   query_cache_min_res_unit: 4096
|   query_cache_size: 16777216
|   query_cache_type: ON
|   query_cache_wlock_invalidate: OFF
|   query_prealloc_size: 8192
|   range_alloc_block_size: 2048
|   read_buffer_size: 131072
|   read_only: OFF
|   read_rnd_buffer_size: 262144
|   relay_log_purge: ON
|   relay_log_space_limit: 0
|   rpl_recovery_rank: 0
|   secure_auth: OFF
|   secure_file_priv: 
|   server_id: 0
|   skip_external_locking: ON
|   skip_networking: OFF
|   skip_show_database: OFF
|   slave_compressed_protocol: OFF
|   slave_load_tmpdir: /tmp/
|   slave_net_timeout: 3600
|   slave_skip_errors: OFF
|   slave_transaction_retries: 10
|   slow_launch_time: 2
|   socket: /var/run/mysqld/mysqld.sock
|   sort_buffer_size: 2097144
|   sql_big_selects: ON
|   sql_mode: 
|   sql_notes: ON
|   sql_warnings: OFF
|   ssl_ca: /etc/mysql/cacert.pem
|   ssl_capath: 
|   ssl_cert: /etc/mysql/server-cert.pem
|   ssl_cipher: 
|   ssl_key: /etc/mysql/server-key.pem
|   storage_engine: MyISAM
|   sync_binlog: 0
|   sync_frm: ON
|   system_time_zone: EDT
|   table_cache: 64
|   table_lock_wait_timeout: 50
|   table_type: MyISAM
|   thread_cache_size: 8
|   thread_stack: 131072
|   time_format: %H:%i:%s
|   time_zone: SYSTEM
|   timed_mutexes: OFF
|   tmp_table_size: 33554432
|   tmpdir: /tmp
|   transaction_alloc_block_size: 8192
|   transaction_prealloc_size: 4096
|   tx_isolation: REPEATABLE-READ
|   updatable_views_with_limit: YES
|   version: 5.0.51a-3ubuntu5
|   version_comment: (Ubuntu)
|   version_compile_machine: i486
|   version_compile_os: debian-linux-gnu
|_  wait_timeout: 28800
MAC Address: 08:00:27:85:99:AD (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 18.96 seconds

@nnposter nnposter commented Oct 8, 2020

The fix has been committed as r38089. Thank you for reporting the issue!

@nmap-bot nmap-bot closed this in 1d4d353 Oct 8, 2020

@fyodor fyodor commented Oct 14, 2020

Update: this is now fixed in Nmap 7.91
