mysql lua scripts throw mysql.lua:93: bad argument #2 to 'unpack' (data string too short) error

[bstrobel]

Describe the bug

I'm running nmap 7.80 from the latest Kali distribution (2020.3).

As a target I'm using the Metasploitable-Linux-2.0.0 VM which runs a mysql 5.0.51a-3ubuntu5 on 192.168.56.103:3306 and has a root account without a password.

Running nmap mysql scripts against it results in this output:

nmap -n -Pn --script mysql-\*  192.168.56.103 -p 3306
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-22 10:03 CEST
Nmap scan report for 192.168.56.103
Host is up (0.00026s latency).

PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-brute: 
|   Accounts: 
|     root:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|_  Statistics: Performed 40013 guesses in 19 seconds, average tps: 2105.9
|_mysql-databases: ERROR: Script execution failed (use -d to debug)
|_mysql-dump-hashes: ERROR: Script execution failed (use -d to debug)
| mysql-empty-password: 
|_  root account has empty password
| mysql-enum: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 123125
|   Capabilities flags: 43564
|   Some Capabilities: LongColumnFlag, SwitchToSSLAfterHandshake, SupportsTransactions, Support41Auth, ConnectWithDatabase, SupportsCompression, Speaks41ProtocolNew
|   Status: Autocommit
|_  Salt: gCXoHXcfYh#q4Md3lIeC
|_mysql-users: ERROR: Script execution failed (use -d to debug)
|_mysql-variables: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 18.81 seconds

Debug output (-d) for one of the failed scripts as an example (it seems to be the same for all of them):

nmap -n -Pn --script mysql-empty-password,mysql-databases -d  192.168.56.103 -p 3306
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-22 10:04 CEST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 2 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:04
Completed NSE at 10:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:04
Completed NSE at 10:04, 0.00s elapsed
Initiating Connect Scan at 10:04
Scanning 192.168.56.103 [1 port]
Discovered open port 3306/tcp on 192.168.56.103
Completed Connect Scan at 10:04, 0.00s elapsed (1 total ports)
Overall sending rates: 2923.98 packets / s.
NSE: Script scanning 192.168.56.103.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:04
NSE: Starting mysql-empty-password against 192.168.56.103:3306.
NSE: Finished mysql-empty-password against 192.168.56.103:3306.
Completed NSE at 10:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:04
NSE: Starting mysql-databases against 192.168.56.103:3306.
NSE: mysql-databases against 192.168.56.103:3306 threw an error!
/usr/bin/../share/nmap/nselib/mysql.lua:93: bad argument #2 to 'unpack' (data string too short)
stack traceback:
        [C]: in function 'string.unpack'
        /usr/bin/../share/nmap/nselib/mysql.lua:93: in upvalue 'decodeHeader'
        /usr/bin/../share/nmap/nselib/mysql.lua:469: in function 'mysql.decodeDataPackets'
        /usr/bin/../share/nmap/nselib/mysql.lua:532: in function 'mysql.sqlQuery'
        /usr/bin/../share/nmap/scripts/mysql-databases.nse:84: in function </usr/bin/../share/nmap/scripts/mysql-databases.nse:42>
        (...tail calls...)

Completed NSE at 10:04, 0.00s elapsed
Nmap scan report for 192.168.56.103
Host is up, received user-set (0.00027s latency).
Scanned at 2020-09-22 10:04:57 CEST for 0s

PORT     STATE SERVICE REASON
3306/tcp open  mysql   syn-ack
| mysql-empty-password: 
|_  root account has empty password
Final times for host: srtt: 268 rttvar: 5000  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:04
Completed NSE at 10:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:04
Completed NSE at 10:04, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

To Reproduce
See above discription

Expected behavior
Scripts to retrieve and display the information successfully.

Version info (please complete the following information):

• OS:

uname -a
Linux kaliacer 5.8.0-kali1-amd64 #1 SMP Debian 5.8.7-1kali1 (2020-09-14) x86_64 GNU/Linux

cat /etc/*-release
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2020.3"
VERSION_ID="2020.3"
VERSION_CODENAME="kali-rolling"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"

• Output of nmap --version:

nmap --version
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1g libssh2-1.8.0 libz-1.2.11 libpcre-8.39 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

[bstrobel]

PS: The same error is raised when I run the mysql-* nmap scripts against the local MariaDB 10.3.24-MariaDB-2 Debian buildd-unstable on my kali. In contrary to the Metasploitable VM above this also requires a password (which I provided using --script-args). So it seems the empty password is not the cause of problem.

[nnposter]

Please test updated nselib/mysql.lua from 932901e and report back.

[bstrobel]

Hi, it works now. See below. Thanks for fixing it!

nmap -n -Pn --script mysql-\*  192.168.56.103 -p 3306
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-08 11:53 CEST
Nmap scan report for 192.168.56.103
Host is up (0.00048s latency).

PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-brute: 
|   Accounts: 
|     root:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|_  Statistics: Performed 40012 guesses in 19 seconds, average tps: 2105.9
| mysql-databases: 
|   information_schema
|   dvwa
|   metasploit
|   mysql
|   owasp10
|   tikiwiki
|_  tikiwiki195
| mysql-empty-password: 
|_  root account has empty password
| mysql-enum: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 9
|   Capabilities flags: 43564
|   Some Capabilities: Speaks41ProtocolNew, SupportsCompression, Support41Auth, SupportsTransactions, LongColumnFlag, ConnectWithDatabase, SwitchToSSLAfterHandshake
|   Status: Autocommit
|_  Salt: _{p@,X[?hosvuh+:$A[)
| mysql-users: 
|   debian-sys-maint
|   guest
|_  root
| mysql-variables: 
|   auto_increment_increment: 1
|   auto_increment_offset: 1
|   automatic_sp_privileges: ON
|   back_log: 50
|   basedir: /usr/
|   binlog_cache_size: 32768
|   bulk_insert_buffer_size: 8388608
|   character_set_client: latin1
|   character_set_connection: latin1
|   character_set_database: latin1
|   character_set_filesystem: binary
|   character_set_results: latin1
|   character_set_server: latin1
|   character_set_system: utf8
|   character_sets_dir: /usr/share/mysql/charsets/
|   collation_connection: latin1_swedish_ci
|   collation_database: latin1_swedish_ci
|   collation_server: latin1_swedish_ci
|   completion_type: 0
|   concurrent_insert: 1
|   connect_timeout: 5
|   datadir: /var/lib/mysql/
|   date_format: %Y-%m-%d
|   datetime_format: %Y-%m-%d %H:%i:%s
|   default_week_format: 0
|   delay_key_write: ON
|   delayed_insert_limit: 100
|   delayed_insert_timeout: 300
|   delayed_queue_size: 1000
|   div_precision_increment: 4
|   keep_files_on_create: OFF
|   engine_condition_pushdown: OFF
|   expire_logs_days: 10
|   flush: OFF
|   flush_time: 0
|   ft_boolean_syntax: + -><()~*:""&|
|   ft_max_word_len: 84
|   ft_min_word_len: 4
|   ft_query_expansion_limit: 20
|   ft_stopword_file: (built-in)
|   group_concat_max_len: 1024
|   have_archive: YES
|   have_bdb: NO
|   have_blackhole_engine: YES
|   have_compress: YES
|   have_crypt: YES
|   have_csv: YES
|   have_dynamic_loading: YES
|   have_example_engine: NO
|   have_federated_engine: YES
|   have_geometry: YES
|   have_innodb: YES
|   have_isam: NO
|   have_merge_engine: YES
|   have_ndbcluster: DISABLED
|   have_openssl: YES
|   have_ssl: YES
|   have_query_cache: YES
|   have_raid: NO
|   have_rtree_keys: YES
|   have_symlink: YES
|   hostname: metasploitable
|   init_connect: 
|   init_file: 
|   init_slave: 
|   innodb_additional_mem_pool_size: 1048576
|   innodb_autoextend_increment: 8
|   innodb_buffer_pool_awe_mem_mb: 0
|   innodb_buffer_pool_size: 8388608
|   innodb_checksums: ON
|   innodb_commit_concurrency: 0
|   innodb_concurrency_tickets: 500
|   innodb_data_file_path: ibdata1:10M:autoextend
|   innodb_data_home_dir: 
|   innodb_doublewrite: ON
|   innodb_fast_shutdown: 1
|   innodb_file_io_threads: 4
|   innodb_file_per_table: OFF
|   innodb_flush_log_at_trx_commit: 1
|   innodb_flush_method: 
|   innodb_force_recovery: 0
|   innodb_lock_wait_timeout: 50
|   innodb_locks_unsafe_for_binlog: OFF
|   innodb_log_arch_dir: 
|   innodb_log_archive: OFF
|   innodb_log_buffer_size: 1048576
|   innodb_log_file_size: 5242880
|   innodb_log_files_in_group: 2
|   innodb_log_group_home_dir: ./
|   innodb_max_dirty_pages_pct: 90
|   innodb_max_purge_lag: 0
|   innodb_mirrored_log_groups: 1
|   innodb_open_files: 300
|   innodb_rollback_on_timeout: OFF
|   innodb_support_xa: ON
|   innodb_sync_spin_loops: 20
|   innodb_table_locks: ON
|   innodb_thread_concurrency: 8
|   innodb_thread_sleep_delay: 10000
|   interactive_timeout: 28800
|   join_buffer_size: 131072
|   key_buffer_size: 16777216
|   key_cache_age_threshold: 300
|   key_cache_block_size: 1024
|   key_cache_division_limit: 100
|   language: /usr/share/mysql/english/
|   large_files_support: ON
|   large_page_size: 0
|   large_pages: OFF
|   lc_time_names: en_US
|   license: GPL
|   local_infile: ON
|   locked_in_memory: OFF
|   log: OFF
|   log_bin: OFF
|   log_bin_trust_function_creators: OFF
|   log_error: 
|   log_queries_not_using_indexes: OFF
|   log_slave_updates: OFF
|   log_slow_queries: OFF
|   log_warnings: 1
|   long_query_time: 10
|   low_priority_updates: OFF
|   lower_case_file_system: OFF
|   lower_case_table_names: 0
|   max_allowed_packet: 16776192
|   max_binlog_cache_size: 4294967295
|   max_binlog_size: 104857600
|   max_connect_errors: 10
|   max_connections: 100
|   max_delayed_threads: 20
|   max_error_count: 64
|   max_heap_table_size: 16777216
|   max_insert_delayed_threads: 20
|   max_join_size: 18446744073709551615
|   max_length_for_sort_data: 1024
|   max_prepared_stmt_count: 16382
|   max_relay_log_size: 0
|   max_seeks_for_key: 4294967295
|   max_sort_length: 1024
|   max_sp_recursion_depth: 0
|   max_tmp_tables: 32
|   max_user_connections: 0
|   max_write_lock_count: 4294967295
|   multi_range_count: 256
|   myisam_data_pointer_size: 6
|   myisam_max_sort_file_size: 2147483647
|   myisam_recover_options: OFF
|   myisam_repair_threads: 1
|   myisam_sort_buffer_size: 8388608
|   myisam_stats_method: nulls_unequal
|   ndb_autoincrement_prefetch_sz: 32
|   ndb_force_send: ON
|   ndb_use_exact_count: ON
|   ndb_use_transactions: ON
|   ndb_cache_check_time: 0
|   ndb_connectstring: 
|   net_buffer_length: 16384
|   net_read_timeout: 30
|   net_retry_count: 10
|   net_write_timeout: 60
|   new: OFF
|   old_passwords: OFF
|   open_files_limit: 1024
|   optimizer_prune_level: 1
|   optimizer_search_depth: 62
|   pid_file: /var/run/mysqld/mysqld.pid
|   port: 3306
|   preload_buffer_size: 32768
|   profiling: OFF
|   profiling_history_size: 15
|   protocol_version: 10
|   query_alloc_block_size: 8192
|   query_cache_limit: 1048576
|   query_cache_min_res_unit: 4096
|   query_cache_size: 16777216
|   query_cache_type: ON
|   query_cache_wlock_invalidate: OFF
|   query_prealloc_size: 8192
|   range_alloc_block_size: 2048
|   read_buffer_size: 131072
|   read_only: OFF
|   read_rnd_buffer_size: 262144
|   relay_log_purge: ON
|   relay_log_space_limit: 0
|   rpl_recovery_rank: 0
|   secure_auth: OFF
|   secure_file_priv: 
|   server_id: 0
|   skip_external_locking: ON
|   skip_networking: OFF
|   skip_show_database: OFF
|   slave_compressed_protocol: OFF
|   slave_load_tmpdir: /tmp/
|   slave_net_timeout: 3600
|   slave_skip_errors: OFF
|   slave_transaction_retries: 10
|   slow_launch_time: 2
|   socket: /var/run/mysqld/mysqld.sock
|   sort_buffer_size: 2097144
|   sql_big_selects: ON
|   sql_mode: 
|   sql_notes: ON
|   sql_warnings: OFF
|   ssl_ca: /etc/mysql/cacert.pem
|   ssl_capath: 
|   ssl_cert: /etc/mysql/server-cert.pem
|   ssl_cipher: 
|   ssl_key: /etc/mysql/server-key.pem
|   storage_engine: MyISAM
|   sync_binlog: 0
|   sync_frm: ON
|   system_time_zone: EDT
|   table_cache: 64
|   table_lock_wait_timeout: 50
|   table_type: MyISAM
|   thread_cache_size: 8
|   thread_stack: 131072
|   time_format: %H:%i:%s
|   time_zone: SYSTEM
|   timed_mutexes: OFF
|   tmp_table_size: 33554432
|   tmpdir: /tmp
|   transaction_alloc_block_size: 8192
|   transaction_prealloc_size: 4096
|   tx_isolation: REPEATABLE-READ
|   updatable_views_with_limit: YES
|   version: 5.0.51a-3ubuntu5
|   version_comment: (Ubuntu)
|   version_compile_machine: i486
|   version_compile_os: debian-linux-gnu
|_  wait_timeout: 28800
MAC Address: 08:00:27:85:99:AD (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 18.96 seconds

[nnposter]

The fix has been committed as r38089. Thank you for reporting the issue!

[fyodor]

Update: this is now fixed in Nmap 7.91