diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..95b1d9d
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,21 @@
+FROM maven:3-jdk-8 AS builder
+
+LABEL MAINTAINER="4ra1n"
+
+COPY ./ /usr/src/
+COPY ./settings.xml /root/.m2/settings.xml
+
+WORKDIR /usr/src
+
+RUN cd /usr/src; \
+ mvn -U clean package -Dmaven.test.skip=true
+
+FROM openjdk:8-jre
+
+LABEL MAINTAINER="4ra1n"
+
+COPY --from=builder /usr/src/fake-mysql-cli-0.0.1.jar /cli.jar
+
+EXPOSE 3306
+
+CMD ["java","-jar","/cli.jar","-p","3306"]
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9ba839f
--- /dev/null
+++ b/README.md
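Review bot: The runtime stage (from `FROM openjdk:8-jre` to `CMD`) has no `USER` instruction, so the Java process that accepts network connections on port 3306 runs as root inside the container. Port 3306 needs no privilege, so an unprivileged account can be added before `CMD`, for example `RUN useradd --system --uid 10001 app` followed by `USER 10001` (assuming the base image is Debian-based and ships `useradd`). Both `maven:3-jdk-8` and `openjdk:8-jre` are floating tags; pinning a full version or a digest would make the build reproducible. Because the image uses `CMD` rather than `ENTRYPOINT`, anything placed after the image name replaces the whole command, which is what the README's `docker run -p 3306:3306 fake-mysql-server -d` does; `-d` belongs before the image name.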
@@ -0,0 +1,88 @@
+# MySQL Fake Server
+
+![](https://img.shields.io/badge/build-passing-brightgreen)
+![](https://img.shields.io/badge/build-Java%208-orange)
+![](https://img.shields.io/github/downloads/4ra1n/mysql-fake-server/total)
+![](https://img.shields.io/github/v/release/4ra1n/mysql-fake-server)
+
+[English Version](doc/README.md)
+
+## 0x00 介绍
+
+该项目是 [MySQL_Fake_Server](https://github.com/fnmsd/MySQL_Fake_Server) 高级版
+
+当`JDBC URL`可控时,特殊的`MySQL`服务端可以读取`JDBC`客户端任意文件或执行反序列化操作
+
+完全使用`Java`实现部分`MySQL`协议,内置常见`ysoserial`链,一键启动,自动生成可用的`payload`用于测试
+
+## 0x01 GUI
+
+使用`GUI`版本一键启动,启动后可以根据自己的环境输入参数,生成`payload`
+
+启动:`java -jar fake-mysql-gui.jar`
+
+![](img/001.png)
+
+## 0x02 CLI
+
+当你的环境不允许使用`GUI`版时,可以使用命令行版启动,同样可以使用`GUI`辅助生成`payload`
+
+启动:`java -jar fake-mysql-cli.jar -p [port]`
+
+![](img/002.png)
+
+## 0x03 Docker
+
+构建:`docker build -t fake-mysql-server .`
+
+启动:`docker run -p 3306:3306 fake-mysql-server -d`
+
+![](img/003.png)
+
+## 0x04 RPC
+
+本项目提供了`GRPC`调用的方式
+
+启动:`java -jar fake-mysql-rpc.jar`(默认启动端口9999)
+
+proto:
+
+```protobuf
+syntax = "proto3";
+
+option java_package = "me.n1ar4.fake.rpc";
+option java_outer_classname = "FakeServerRPC";
+option java_multiple_files = true;
+
+package me.n1ar4.fake.rpc;
+
+service RPCStart {
+ rpc start (RPCNull) returns (RPCResp) {}
+ rpc stop (RPCPort) returns(RPCResp) {}
+}
+
+message RPCNull{}
+
+message RPCResp {
+ string status = 1;
+ int32 port = 2;
+}
+
+message RPCPort {
+ int32 port = 1;
+}
+```
+
+## 0x05 免责申明
+
+本项目仅面向安全研究与学习,禁止任何非法用途
+
+如您在使用本项目的过程中存在任何非法行为,您需自行承担相应后果
+
+除非您已充分阅读、完全理解并接受本协议,否则,请您不要使用本项目
+
+## 0x06 致谢与参考
+
+- https://github.com/frohoff/ysoserial
+- https://github.com/fnmsd/MySQL_Fake_Server
+- https://pyn3rd.github.io/2022/06/06/Make-JDBC-Attacks-Brillian-Again-I/
diff --git a/doc/README.md b/doc/README.md
new file mode 100644
index 0000000..f05ab79
--- /dev/null
+++ b/doc/README.md
@@ -0,0 +1,86 @@
+# MySQL Fake Server
+
+![](https://img.shields.io/badge/build-passing-brightgreen)
+![](https://img.shields.io/badge/build-Java%208-orange)
+![](https://img.shields.io/github/downloads/4ra1n/mysql-fake-server/total)
+![](https://img.shields.io/github/v/release/4ra1n/mysql-fake-server)
+
+## 0x00 Introduction
+
+This project is an advanced version of [MySQL_Fake_Server](https://github.com/fnmsd/MySQL_Fake_Server).
+
+When the `JDBC URL` is controllable, a special `MySQL` server can read any file or perform deserialization operations on the `JDBC` client.
+
+The `MySQL` protocol is partially implemented entirely using `Java`, with built-in common `ysoserial` chains, one-click launch, and automatic generation of usable payloads for testing.
+
+## 0x01 GUI
+
+Use the `GUI` version to start with one click. After starting, you can enter parameters according to your environment to generate a payload.
+
+Launch: `java -jar fake-mysql-gui.jar`
+
+![](../img/001.png)
+
+## 0x02 CLI
+
+When your environment does not allow the use of the `GUI` version, you can use the command line version to start, and also use the `GUI` to generate a payload.
+
+Launch: `java -jar fake-mysql-cli.jar -p [port]`
+
+![](../img/002.png)
+
+## 0x03 Docker
+
+Build: `docker build -t fake-mysql-server .`
+
+Launch: `docker run -p 3306:3306 fake-mysql-server -d`
+
+![](../img/003.png)
+
+## 0x04 RPC
+
+This project provides a `GRPC` call method.
+
+Launch: `java -jar fake-mysql-rpc.jar` (default launch port 9999)
+
+proto:
+
+```protobuf
+syntax = "proto3";
+
+option java_package = "me.n1ar4.fake.rpc";
+option java_outer_classname = "FakeServerRPC";
+option java_multiple_files = true;
+
+package me.n1ar4.fake.rpc;
+
+service RPCStart {
+ rpc start (RPCNull) returns (RPCResp) {}
+ rpc stop (RPCPort) returns(RPCResp) {}
+}
+
+message RPCNull{}
+
+message RPCResp {
+ string status = 1;
+ int32 port = 2;
+}
+
+message RPCPort {
+ int32 port = 1;
+}
+```
+
+## 0x05 Disclaimer
+
+This project is only for security research and learning purposes. Any illegal use is prohibited.
+
+If you engage in any illegal behavior during the use of this project, you will be responsible for the consequences.
+
+Unless you have fully read, completely understood, and accepted this agreement, please do not use this project.
+
+## 0x06 Acknowledgments and References
+
+- https://github.com/frohoff/ysoserial
+- https://github.com/fnmsd/MySQL_Fake_Server
+- https://pyn3rd.github.io/2022/06/06/Make-JDBC-Attacks-Brillian-Again-I/
\ No newline at end of file
diff --git a/img/001.png b/img/001.png
new file mode 100644
index 0000000..38c3c0f
Binary files /dev/null and b/img/001.png differ
diff --git a/img/002.png b/img/002.png
new file mode 100644
index 0000000..d71ed80
Binary files /dev/null and b/img/002.png differ
diff --git a/img/003.png b/img/003.png
new file mode 100644
index 0000000..4db3337
Binary files /dev/null and b/img/003.png differ
diff --git a/settings.xml b/settings.xml
new file mode 100644
index 0000000..f3169e4
--- /dev/null
+++ b/settings.xml
@@ -0,0 +1,28 @@
+ + + + + + + + + + + aliyunmaven + * + aliyun + https://maven.aliyun.com/repository/public + + + maven-default-http-blocker + external:http:* + Pseudo repository to mirror external repositories initially using HTTP. + http://0.0.0.0/ + true + + + + +
\ No newline at end of file
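Review bot: The `aliyunmaven` mirror entry carries the pattern `*`, so every repository the build resolves, not only Central, is redirected to `https://maven.aliyun.com/repository/public`, and the Dockerfile copies this file to `/root/.m2/settings.xml`, so all dependencies of the image come from that one third-party host. The XML tags are not visible in this view, so the element names are inferred; if the entry is `<mirrorOf>*</mirrorOf>`, narrowing it to `<mirrorOf>central</mirrorOf>` keeps the download speed-up while leaving other repositories on their declared URLs. A short comment in the file saying why the mirror is needed would help whoever reviews later changes to it.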