php · jafl · Apr 4, 2025 · Apr 5, 2025 · Apr 11, 2025 · Apr 11, 2025
@@ -29,7 +29,7 @@ print "done!";
 [*] Server started on 127.0.0.1:%d
 [*] Connection established
 [*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
-[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Received: 6900000185a23a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
 [*] Sending - Malicious OK Auth Response [Extract heap through buffer over-read]: 0900000200000002000000fcff
 
 Warning: mysqli::__construct(): OK packet message length is past the packet size in %s on line %d

@@ -35,7 +35,7 @@ print "done!";
 [*] Server started on 127.0.0.1:%d
 [*] Connection established
 [*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
-[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Received: 6900000185a23a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
 [*] Sending - Server OK: 0700000200000002000000
 [*] Running query on the fake server...
 [*] Received: 140000000353454c454354202a2066726f6d207573657273

@@ -29,7 +29,7 @@ print "done!";
 [*] Server started on 127.0.0.1:%d
 [*] Connection established
 [*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
-[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Received: 6900000185a23a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
 [*] Sending - Server OK: 0700000200000002000000
 [*] Running query on the fake server...
 [*] Received: 140000000353454c454354202a2066726f6d207573657273

@@ -35,7 +35,7 @@ print "done!";
 [*] Server started on 127.0.0.1:%d
 [*] Connection established
 [*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
-[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Received: 6900000185a23a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
 [*] Sending - Server OK: 0700000200000002000000
 [*] Query the fake server...
 [*] Received: 200000000353454c4543542073747276616c2c2073747276616c2046524f4d2064617461

@@ -38,7 +38,7 @@ print "done!";
 [*] Server started on 127.0.0.1:%d
 [*] Connection established
 [*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
-[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Received: 6900000185a23a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
 [*] Sending - Server OK: 0700000200000002000000
 [*] Preparing statement on the fake server...
 [*] Received: 200000001653454c4543542062697476616c2c2074696d76616c2046524f4d2064617461

@@ -38,7 +38,7 @@ print "done!";
 [*] Server started on 127.0.0.1:%d
 [*] Connection established
 [*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
-[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Received: 6900000185a23a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
 [*] Sending - Server OK: 0700000200000002000000
 [*] Preparing statement on the fake server...
 [*] Received: 200000001653454c4543542073747276616c2c2064617476616c2046524f4d2064617461

@@ -38,7 +38,7 @@ print "done!";
 [*] Server started on 127.0.0.1:%d
 [*] Connection established
 [*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
-[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Received: 6900000185a23a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
 [*] Sending - Server OK: 0700000200000002000000
 [*] Preparing statement on the fake server...
 [*] Received: 200000001653454c4543542073747276616c2c2064746976616c2046524f4d2064617461

@@ -38,7 +38,7 @@ print "done!";
 [*] Server started on 127.0.0.1:%d
 [*] Connection established
 [*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
-[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Received: 6900000185a23a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
 [*] Sending - Server OK: 0700000200000002000000
 [*] Preparing statement on the fake server...
 [*] Received: 200000001653454c4543542073747276616c2c2064626c76616c2046524f4d2064617461

@@ -38,7 +38,7 @@ print "done!";
 [*] Server started on 127.0.0.1:%d
 [*] Connection established
 [*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
-[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Received: 6900000185a23a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
 [*] Sending - Server OK: 0700000200000002000000
 [*] Preparing statement on the fake server...
 [*] Received: 200000001653454c4543542073747276616c2c20666c7476616c2046524f4d2064617461

@@ -38,7 +38,7 @@ print "done!";
 [*] Server started on 127.0.0.1:%d
 [*] Connection established
 [*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
-[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Received: 6900000185a23a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
 [*] Sending - Server OK: 0700000200000002000000
 [*] Preparing statement on the fake server...
 [*] Received: 200000001653454c4543542073747276616c2c20696e7476616c2046524f4d2064617461

@@ -38,7 +38,7 @@ print "done!";
 [*] Server started on 127.0.0.1:%d
 [*] Connection established
 [*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
-[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Received: 6900000185a23a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
 [*] Sending - Server OK: 0700000200000002000000
 [*] Preparing statement on the fake server...
 [*] Received: 200000001653454c4543542073747276616c2c2073747276616c2046524f4d2064617461

@@ -38,7 +38,7 @@ print "done!";
 [*] Server started on 127.0.0.1:%d
 [*] Connection established
 [*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
-[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Received: 6900000185a23a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
 [*] Sending - Server OK: 0700000200000002000000
 [*] Preparing statement on the fake server...
 [*] Received: 170000001653454c454354206974656d2046524f4d206974656d73

@@ -38,7 +38,7 @@ print "done!";
 [*] Server started on 127.0.0.1:%d
 [*] Connection established
 [*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
-[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Received: 6900000185a23a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
 [*] Sending - Server OK: 0700000200000002000000
 [*] Preparing statement on the fake server...
 [*] Received: 200000001653454c4543542073747276616c2c2074696d76616c2046524f4d2064617461

@@ -42,7 +42,7 @@ print "done!";
 [*] Server started on 127.0.0.1:%d
 [*] Connection established
 [*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
-[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Received: 6900000185a23a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
 [*] Sending - Server OK: 0700000200000002000000
 [*] Received: 200000000353454c4543542073747276616c2c20696e7476616c2046524f4d2064617461
 [*] Sending - Query execute data intval: 01000001023200000203646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd01100000003200000303646566087068705f746573740464617461046461746106696e7476616c06696e7476616c0c3f000b00000003011000000005000004fe0000220008000005047465737402313405000006fe00002200

@@ -43,7 +43,7 @@ print "done!";
 [*] Server started on 127.0.0.1:%d
 [*] Connection established
 [*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
-[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
+[*] Received: 6900000185a23a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
 [*] Sending - Server OK: 0700000200000002000000
 [*] Received: 200000001653454c4543542073747276616c2c20696e7476616c2046524f4d2064617461
 [*] Sending - Stmt prepare data intval: 0c0000010001000000020000000000003200000203646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd01100000003200000303646566087068705f746573740464617461046461746106696e7476616c06696e7476616c0c3f000b00000003011000000005000004fe00000200

@@ -68,15 +68,17 @@ mysqlnd_run_authentication(
 	memcpy(plugin_data, auth_plugin_data.s, plugin_data_len);
 	plugin_data[plugin_data_len] = '\0';
 
-	requested_protocol = mnd_pestrdup(auth_protocol? auth_protocol : MYSQLND_DEFAULT_AUTH_PROTOCOL, FALSE);
+	requested_protocol = mnd_pestrdup(mysql_flags & CLIENT_SEND_CLEAR_PASSWORD ? MYSQLND_CLEAR_PASSWORD_AUTH_PROTOCOL : (auth_protocol? auth_protocol : MYSQLND_DEFAULT_AUTH_PROTOCOL), FALSE);
 	if (!requested_protocol) {
 		goto end;
 	}
-
+php_log_err_with_severity(requested_protocol, LOG_NOTICE);
+php_log_err_with_severity((char*) plugin_data, LOG_NOTICE);
 	do {
 		struct st_mysqlnd_authentication_plugin * auth_plugin = conn->m->fetch_auth_plugin_by_name(requested_protocol);
 
 		if (!auth_plugin) {
+php_log_err_with_severity("auth plugin not found", LOG_NOTICE);
 			if (first_call) {
 				mnd_pefree(requested_protocol, FALSE);
 				requested_protocol = mnd_pestrdup(MYSQLND_DEFAULT_AUTH_PROTOCOL, FALSE);
@@ -112,6 +114,7 @@ mysqlnd_run_authentication(
 					passwd_len, plugin_data, plugin_data_len,
 					session_options, conn->protocol_frame_codec->data,
 					mysql_flags);
+php_log_err_with_severity((char*) scrambled_data, LOG_NOTICE);
 			}
 
 			if (conn->error_info->error_no) {

@@ -34,13 +34,15 @@
 
 #define MYSQLND_ASSEMBLED_PACKET_MAX_SIZE 3UL*1024UL*1024UL*1024UL
 
-#define MYSQLND_DEFAULT_AUTH_PROTOCOL "mysql_native_password"
+#define MYSQLND_DEFAULT_AUTH_PROTOCOL			"mysql_native_password"
+#define MYSQLND_CLEAR_PASSWORD_AUTH_PROTOCOL	"mysql_clear_password"
 
 #define MYSQLND_ERRMSG_SIZE			512
 #define MYSQLND_SQLSTATE_LENGTH		5
 #define MYSQLND_SQLSTATE_NULL		"00000"
 
 #define MYSQLND_MAX_ALLOWED_USER_LEN	252		/* 63 char * 4byte . MySQL supports now only 32 char, but let it be forward compatible */
+#define MYSQLND_MAX_ALLOWED_AUTH_LEN	4096	/* This would be a very large token! */
 #define MYSQLND_MAX_ALLOWED_DB_LEN		1024	/* 256 char * 4byte. MySQL supports now only 64 char in the tables, but on the FS could be different. Forward compatible. */
 
 #define MYSQLND_NET_CMD_BUFFER_MIN_SIZE			4096
@@ -101,6 +103,10 @@
 #define CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA	(1UL << 21) /* Enable authentication response packet to be larger than 255 bytes. */
 #define CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS		(1UL << 22) /* Don't close the connection for a connection with expired password. */
 #define CLIENT_SESSION_TRACK					(1UL << 23) /* Extended OK */
+/*
+  This is a mysqlnd extension. CLIENT_IGNORE_SIGPIPE is not used anyway. We will reuse it for our case and translate it to forcing the mysql_clear_password protocol
+*/
+#define CLIENT_SEND_CLEAR_PASSWORD		CLIENT_IGNORE_SIGPIPE /* Force plaintext password */
 /*
   This is a mysqlnd extension. CLIENT_ODBC is not used anyway. We will reuse it for our case and translate it to not using SSL peer verification
 */
@@ -110,7 +116,8 @@
 
 #define MYSQLND_CAPABILITIES (CLIENT_LONG_PASSWORD | CLIENT_LONG_FLAG | CLIENT_TRANSACTIONS | \
 				CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | \
-				CLIENT_MULTI_RESULTS  | CLIENT_LOCAL_FILES | CLIENT_PLUGIN_AUTH)
+				CLIENT_MULTI_RESULTS  | CLIENT_LOCAL_FILES | CLIENT_PLUGIN_AUTH | \
+				CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA)
 
 #define MYSQLND_PROTOCOL_FLAG_USE_COMPRESSION 1