
mysql lua scripts throw mysql.lua:93: bad argument #2 to 'unpack' (data string too short) error #2128

Closed
bstrobel opened this issue Sep 22, 2020 · 5 comments
bstrobel commented Sep 22, 2020

Describe the bug

I'm running nmap 7.80 from the latest Kali distribution (2020.3).

As a target I'm using the Metasploitable-Linux-2.0.0 VM which runs a mysql 5.0.51a-3ubuntu5 on 192.168.56.103:3306 and has a root account without a password.

Running nmap mysql scripts against it results in this output:

nmap -n -Pn --script mysql-\*  192.168.56.103 -p 3306
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-22 10:03 CEST
Nmap scan report for 192.168.56.103
Host is up (0.00026s latency).

PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-brute: 
|   Accounts: 
|     root:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|_  Statistics: Performed 40013 guesses in 19 seconds, average tps: 2105.9
|_mysql-databases: ERROR: Script execution failed (use -d to debug)
|_mysql-dump-hashes: ERROR: Script execution failed (use -d to debug)
| mysql-empty-password: 
|_  root account has empty password
| mysql-enum: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 123125
|   Capabilities flags: 43564
|   Some Capabilities: LongColumnFlag, SwitchToSSLAfterHandshake, SupportsTransactions, Support41Auth, ConnectWithDatabase, SupportsCompression, Speaks41ProtocolNew
|   Status: Autocommit
|_  Salt: gCXoHXcfYh#q4Md3lIeC
|_mysql-users: ERROR: Script execution failed (use -d to debug)
|_mysql-variables: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 18.81 seconds

Debug output (-d) for one of the failed scripts as an example (it seems to be the same for all of them):

nmap -n -Pn --script mysql-empty-password,mysql-databases -d  192.168.56.103 -p 3306
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-22 10:04 CEST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 2 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:04
Completed NSE at 10:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:04
Completed NSE at 10:04, 0.00s elapsed
Initiating Connect Scan at 10:04
Scanning 192.168.56.103 [1 port]
Discovered open port 3306/tcp on 192.168.56.103
Completed Connect Scan at 10:04, 0.00s elapsed (1 total ports)
Overall sending rates: 2923.98 packets / s.
NSE: Script scanning 192.168.56.103.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:04
NSE: Starting mysql-empty-password against 192.168.56.103:3306.
NSE: Finished mysql-empty-password against 192.168.56.103:3306.
Completed NSE at 10:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:04
NSE: Starting mysql-databases against 192.168.56.103:3306.
NSE: mysql-databases against 192.168.56.103:3306 threw an error!
/usr/bin/../share/nmap/nselib/mysql.lua:93: bad argument #2 to 'unpack' (data string too short)
stack traceback:
        [C]: in function 'string.unpack'
        /usr/bin/../share/nmap/nselib/mysql.lua:93: in upvalue 'decodeHeader'
        /usr/bin/../share/nmap/nselib/mysql.lua:469: in function 'mysql.decodeDataPackets'
        /usr/bin/../share/nmap/nselib/mysql.lua:532: in function 'mysql.sqlQuery'
        /usr/bin/../share/nmap/scripts/mysql-databases.nse:84: in function </usr/bin/../share/nmap/scripts/mysql-databases.nse:42>
        (...tail calls...)

Completed NSE at 10:04, 0.00s elapsed
Nmap scan report for 192.168.56.103
Host is up, received user-set (0.00027s latency).
Scanned at 2020-09-22 10:04:57 CEST for 0s

PORT     STATE SERVICE REASON
3306/tcp open  mysql   syn-ack
| mysql-empty-password: 
|_  root account has empty password
Final times for host: srtt: 268 rttvar: 5000  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:04
Completed NSE at 10:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:04
Completed NSE at 10:04, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

To Reproduce
See above description

Expected behavior
Scripts to retrieve and display the information successfully.

Version info (please complete the following information):

  • OS:
uname -a
Linux kaliacer 5.8.0-kali1-amd64 #1 SMP Debian 5.8.7-1kali1 (2020-09-14) x86_64 GNU/Linux

cat /etc/*-release
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2020.3"
VERSION_ID="2020.3"
VERSION_CODENAME="kali-rolling"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"
  • Output of nmap --version:
nmap --version
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1g libssh2-1.8.0 libz-1.2.11 libpcre-8.39 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
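The traceback above shows decodeHeader in nselib/mysql.lua calling string.unpack on a buffer shorter than a packet header. As an added illustration (not nmap's code, and not the fix that was later committed), the following Python decoder assumes only MySQL's 4-byte packet header (3-byte little-endian payload length plus a sequence id) and shows the defensive pattern: check the available length before unpacking, and keep a partial packet buffered until the next read completes it.

```python
MYSQL_HEADER_LEN = 4  # 3-byte little-endian payload length + 1-byte sequence id


class ShortPacket(Exception):
    """Buffer holds fewer bytes than the header (or its payload) needs."""


def decode_header(data: bytes, pos: int = 0):
    """Decode one packet header at `pos`; return (payload_len, seq_id, payload_pos).
    Same fields as the Lua string.unpack call in the traceback, but a length check
    turns 'data string too short' into a typed exception the caller can handle."""
    avail = len(data) - pos
    if avail < MYSQL_HEADER_LEN:
        raise ShortPacket(f"need {MYSQL_HEADER_LEN} header bytes at offset {pos}, have {avail}")
    payload_len = int.from_bytes(data[pos:pos + 3], "little")
    return payload_len, data[pos + 3], pos + MYSQL_HEADER_LEN


def split_packets(buf: bytes):
    """Split a receive buffer into complete packets.
    Returns (packets, leftover): a list of (seq_id, payload) plus the trailing
    partial packet that must be kept until the next recv() delivers the rest."""
    packets, pos = [], 0
    while pos < len(buf):
        try:
            payload_len, seq_id, ppos = decode_header(buf, pos)
        except ShortPacket:
            break  # header itself straddles a recv boundary
        if len(buf) - ppos < payload_len:
            break  # payload not fully received yet
        packets.append((seq_id, buf[ppos:ppos + payload_len]))
        pos = ppos + payload_len
    return packets, buf[pos:]


def drain(chunks):
    """Feed recv()-sized chunks through split_packets, carrying leftover bytes across calls."""
    out, pending = [], b""
    for chunk in chunks:
        packets, pending = split_packets(pending + chunk)
        out.extend(packets)
    return out, pending


if __name__ == "__main__":
    # Constructed sample: a 1-byte packet (seq 1), then a 5-byte packet (seq 2) whose
    # payload is cut across two reads, as a short recv() would deliver it.
    chunks = [b"\x01\x00\x00\x01\x01" + b"\x05\x00\x00\x02\x03ab", b"cd"]
    print(drain(chunks))  # ([(1, b'\x01'), (2, b'\x03abcd')], b'')
```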
@bstrobel bstrobel added the Nmap label Sep 22, 2020
@bstrobel (Author)

PS: The same error is raised when I run the mysql-* nmap scripts against the local MariaDB 10.3.24-MariaDB-2 Debian buildd-unstable on my Kali. In contrast to the Metasploitable VM above, this one also requires a password (which I provided using --script-args). So it seems the empty password is not the cause of the problem.


nnposter commented Oct 8, 2020

Please test updated nselib/mysql.lua from 932901e and report back.


bstrobel commented Oct 8, 2020

Hi, it works now. See below. Thanks for fixing it!

nmap -n -Pn --script mysql-\*  192.168.56.103 -p 3306
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-08 11:53 CEST
Nmap scan report for 192.168.56.103
Host is up (0.00048s latency).

PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-brute: 
|   Accounts: 
|     root:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|_  Statistics: Performed 40012 guesses in 19 seconds, average tps: 2105.9
| mysql-databases: 
|   information_schema
|   dvwa
|   metasploit
|   mysql
|   owasp10
|   tikiwiki
|_  tikiwiki195
| mysql-empty-password: 
|_  root account has empty password
| mysql-enum: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 9
|   Capabilities flags: 43564
|   Some Capabilities: Speaks41ProtocolNew, SupportsCompression, Support41Auth, SupportsTransactions, LongColumnFlag, ConnectWithDatabase, SwitchToSSLAfterHandshake
|   Status: Autocommit
|_  Salt: _{p@,X[?hosvuh+:$A[)
| mysql-users: 
|   debian-sys-maint
|   guest
|_  root
| mysql-variables: 
|   auto_increment_increment: 1
|   auto_increment_offset: 1
|   automatic_sp_privileges: ON
|   back_log: 50
|   basedir: /usr/
|   binlog_cache_size: 32768
|   bulk_insert_buffer_size: 8388608
|   character_set_client: latin1
|   character_set_connection: latin1
|   character_set_database: latin1
|   character_set_filesystem: binary
|   character_set_results: latin1
|   character_set_server: latin1
|   character_set_system: utf8
|   character_sets_dir: /usr/share/mysql/charsets/
|   collation_connection: latin1_swedish_ci
|   collation_database: latin1_swedish_ci
|   collation_server: latin1_swedish_ci
|   completion_type: 0
|   concurrent_insert: 1
|   connect_timeout: 5
|   datadir: /var/lib/mysql/
|   date_format: %Y-%m-%d
|   datetime_format: %Y-%m-%d %H:%i:%s
|   default_week_format: 0
|   delay_key_write: ON
|   delayed_insert_limit: 100
|   delayed_insert_timeout: 300
|   delayed_queue_size: 1000
|   div_precision_increment: 4
|   keep_files_on_create: OFF
|   engine_condition_pushdown: OFF
|   expire_logs_days: 10
|   flush: OFF
|   flush_time: 0
|   ft_boolean_syntax: + -><()~*:""&|
|   ft_max_word_len: 84
|   ft_min_word_len: 4
|   ft_query_expansion_limit: 20
|   ft_stopword_file: (built-in)
|   group_concat_max_len: 1024
|   have_archive: YES
|   have_bdb: NO
|   have_blackhole_engine: YES
|   have_compress: YES
|   have_crypt: YES
|   have_csv: YES
|   have_dynamic_loading: YES
|   have_example_engine: NO
|   have_federated_engine: YES
|   have_geometry: YES
|   have_innodb: YES
|   have_isam: NO
|   have_merge_engine: YES
|   have_ndbcluster: DISABLED
|   have_openssl: YES
|   have_ssl: YES
|   have_query_cache: YES
|   have_raid: NO
|   have_rtree_keys: YES
|   have_symlink: YES
|   hostname: metasploitable
|   init_connect: 
|   init_file: 
|   init_slave: 
|   innodb_additional_mem_pool_size: 1048576
|   innodb_autoextend_increment: 8
|   innodb_buffer_pool_awe_mem_mb: 0
|   innodb_buffer_pool_size: 8388608
|   innodb_checksums: ON
|   innodb_commit_concurrency: 0
|   innodb_concurrency_tickets: 500
|   innodb_data_file_path: ibdata1:10M:autoextend
|   innodb_data_home_dir: 
|   innodb_doublewrite: ON
|   innodb_fast_shutdown: 1
|   innodb_file_io_threads: 4
|   innodb_file_per_table: OFF
|   innodb_flush_log_at_trx_commit: 1
|   innodb_flush_method: 
|   innodb_force_recovery: 0
|   innodb_lock_wait_timeout: 50
|   innodb_locks_unsafe_for_binlog: OFF
|   innodb_log_arch_dir: 
|   innodb_log_archive: OFF
|   innodb_log_buffer_size: 1048576
|   innodb_log_file_size: 5242880
|   innodb_log_files_in_group: 2
|   innodb_log_group_home_dir: ./
|   innodb_max_dirty_pages_pct: 90
|   innodb_max_purge_lag: 0
|   innodb_mirrored_log_groups: 1
|   innodb_open_files: 300
|   innodb_rollback_on_timeout: OFF
|   innodb_support_xa: ON
|   innodb_sync_spin_loops: 20
|   innodb_table_locks: ON
|   innodb_thread_concurrency: 8
|   innodb_thread_sleep_delay: 10000
|   interactive_timeout: 28800
|   join_buffer_size: 131072
|   key_buffer_size: 16777216
|   key_cache_age_threshold: 300
|   key_cache_block_size: 1024
|   key_cache_division_limit: 100
|   language: /usr/share/mysql/english/
|   large_files_support: ON
|   large_page_size: 0
|   large_pages: OFF
|   lc_time_names: en_US
|   license: GPL
|   local_infile: ON
|   locked_in_memory: OFF
|   log: OFF
|   log_bin: OFF
|   log_bin_trust_function_creators: OFF
|   log_error: 
|   log_queries_not_using_indexes: OFF
|   log_slave_updates: OFF
|   log_slow_queries: OFF
|   log_warnings: 1
|   long_query_time: 10
|   low_priority_updates: OFF
|   lower_case_file_system: OFF
|   lower_case_table_names: 0
|   max_allowed_packet: 16776192
|   max_binlog_cache_size: 4294967295
|   max_binlog_size: 104857600
|   max_connect_errors: 10
|   max_connections: 100
|   max_delayed_threads: 20
|   max_error_count: 64
|   max_heap_table_size: 16777216
|   max_insert_delayed_threads: 20
|   max_join_size: 18446744073709551615
|   max_length_for_sort_data: 1024
|   max_prepared_stmt_count: 16382
|   max_relay_log_size: 0
|   max_seeks_for_key: 4294967295
|   max_sort_length: 1024
|   max_sp_recursion_depth: 0
|   max_tmp_tables: 32
|   max_user_connections: 0
|   max_write_lock_count: 4294967295
|   multi_range_count: 256
|   myisam_data_pointer_size: 6
|   myisam_max_sort_file_size: 2147483647
|   myisam_recover_options: OFF
|   myisam_repair_threads: 1
|   myisam_sort_buffer_size: 8388608
|   myisam_stats_method: nulls_unequal
|   ndb_autoincrement_prefetch_sz: 32
|   ndb_force_send: ON
|   ndb_use_exact_count: ON
|   ndb_use_transactions: ON
|   ndb_cache_check_time: 0
|   ndb_connectstring: 
|   net_buffer_length: 16384
|   net_read_timeout: 30
|   net_retry_count: 10
|   net_write_timeout: 60
|   new: OFF
|   old_passwords: OFF
|   open_files_limit: 1024
|   optimizer_prune_level: 1
|   optimizer_search_depth: 62
|   pid_file: /var/run/mysqld/mysqld.pid
|   port: 3306
|   preload_buffer_size: 32768
|   profiling: OFF
|   profiling_history_size: 15
|   protocol_version: 10
|   query_alloc_block_size: 8192
|   query_cache_limit: 1048576
|   query_cache_min_res_unit: 4096
|   query_cache_size: 16777216
|   query_cache_type: ON
|   query_cache_wlock_invalidate: OFF
|   query_prealloc_size: 8192
|   range_alloc_block_size: 2048
|   read_buffer_size: 131072
|   read_only: OFF
|   read_rnd_buffer_size: 262144
|   relay_log_purge: ON
|   relay_log_space_limit: 0
|   rpl_recovery_rank: 0
|   secure_auth: OFF
|   secure_file_priv: 
|   server_id: 0
|   skip_external_locking: ON
|   skip_networking: OFF
|   skip_show_database: OFF
|   slave_compressed_protocol: OFF
|   slave_load_tmpdir: /tmp/
|   slave_net_timeout: 3600
|   slave_skip_errors: OFF
|   slave_transaction_retries: 10
|   slow_launch_time: 2
|   socket: /var/run/mysqld/mysqld.sock
|   sort_buffer_size: 2097144
|   sql_big_selects: ON
|   sql_mode: 
|   sql_notes: ON
|   sql_warnings: OFF
|   ssl_ca: /etc/mysql/cacert.pem
|   ssl_capath: 
|   ssl_cert: /etc/mysql/server-cert.pem
|   ssl_cipher: 
|   ssl_key: /etc/mysql/server-key.pem
|   storage_engine: MyISAM
|   sync_binlog: 0
|   sync_frm: ON
|   system_time_zone: EDT
|   table_cache: 64
|   table_lock_wait_timeout: 50
|   table_type: MyISAM
|   thread_cache_size: 8
|   thread_stack: 131072
|   time_format: %H:%i:%s
|   time_zone: SYSTEM
|   timed_mutexes: OFF
|   tmp_table_size: 33554432
|   tmpdir: /tmp
|   transaction_alloc_block_size: 8192
|   transaction_prealloc_size: 4096
|   tx_isolation: REPEATABLE-READ
|   updatable_views_with_limit: YES
|   version: 5.0.51a-3ubuntu5
|   version_comment: (Ubuntu)
|   version_compile_machine: i486
|   version_compile_os: debian-linux-gnu
|_  wait_timeout: 28800
MAC Address: 08:00:27:85:99:AD (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 18.96 seconds


nnposter commented Oct 8, 2020

The fix has been committed as r38089. Thank you for reporting the issue!


fyodor commented Oct 14, 2020

Update: this is now fixed in Nmap 7.91
