From 53460a96827d75eb7f84eee44448fc7557d54e3d Mon Sep 17 00:00:00 2001
From: patrik
Date: Wed, 17 Mar 2010 09:30:26 +0000
Subject: [PATCH] o [NSE] Fixed mysql-brute.nse error that would cause brute-forcing to fail if password contained a format string. Fixed a problem with SSL support detection in mysql.lua library. [Patrik]
---
 nselib/mysql.lua | 54 ++++++++++++++++++++---------------------
 scripts/mysql-brute.nse | 2 +-
 2 files changed, 27 insertions(+), 29 deletions(-)
diff --git a/nselib/mysql.lua b/nselib/mysql.lua
index 154bf5dbd..2050062b0 100644
--- a/nselib/mysql.lua
+++ b/nselib/mysql.lua
@@ -126,37 +126,35 @@ function receiveGreeting( socket ) end -if HAVE_SSL then +--- Creates a hashed value of the password and salt according to MySQL authentication post version 4.1 +-- +-- @param pass string containing the users password +-- @param salt string containing the servers salt as obtained from receiveGreeting +-- @return reply string containing the raw hashed value +local function createLoginHash(pass, salt) + local hash_stage1 + local hash_stage2 + local hash_stage3 + local reply = "" + local pos, b1, b2, b3, _ = 1, 0, 0, 0 - --- Creates a hashed value of the password and salt according to MySQL authentication post version 4.1 - -- - -- @param pass string containing the users password - -- @param salt string containing the servers salt as obtained from receiveGreeting - -- @return reply string containing the raw hashed value - local function createLoginHash(pass, salt) - - local hash_stage1 = openssl.sha1( pass ) - local hash_stage2 = openssl.sha1( hash_stage1 ) - local hash_stage3 = openssl.sha1( salt .. hash_stage2 ) - local reply = "" - - local pos, b1, b2, b3, _ = 1, 0, 0, 0 - - for pos=1, hash_stage1:len() do - _, b1 = bin.unpack( "C", hash_stage1, pos ) - _, b2 = bin.unpack( "C", hash_stage3, pos ) - - reply = reply .. string.char( bit.bxor( b2, b1 ) ) - end - - return reply - - end - -else - local function createLoginHash(pass, salt) + if ( not(HAVE_SSL) ) then return nil end + + hash_stage1 = openssl.sha1( pass ) + hash_stage2 = openssl.sha1( hash_stage1 ) + hash_stage3 = openssl.sha1( salt .. hash_stage2 ) + + for pos=1, hash_stage1:len() do + _, b1 = bin.unpack( "C", hash_stage1, pos ) + _, b2 = bin.unpack( "C", hash_stage3, pos ) + + reply = reply .. string.char( bit.bxor( b2, b1 ) ) + end + + return reply + end diff --git a/scripts/mysql-brute.nse b/scripts/mysql-brute.nse index 731940a75..b7af37e9e 100644 --- a/scripts/mysql-brute.nse +++ b/scripts/mysql-brute.nse 
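Review bot: The new guard `if ( not(HAVE_SSL) ) then return nil end` makes createLoginHash return nil, but the doc block added just above it still promises `-- @return reply string containing the raw hashed value`, so a caller that concatenates the result straight into the authentication packet (presumably loginRequest, which is outside this hunk) would fail with "attempt to concatenate a nil value" instead of a clear "no SSL support" error. Extend the annotation to `-- @return reply string containing the raw hashed value, or nil when OpenSSL support (HAVE_SSL) is not available` and check the nil return at the call site before building the packet; I cannot see that caller here, so please confirm it already does. Separately, `b3` is declared but never used and the outer `pos` is immediately shadowed by the `for pos=1, hash_stage1:len()` loop variable, so `local pos, b1, b2, b3, _ = 1, 0, 0, 0` can be reduced to `local b1, b2, _ = 0, 0` without changing behaviour. The function itself appears to begin and end within the hunk; the leading `end` context line belongs to receiveGreeting, which starts outside it.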
@@ -63,7 +63,7 @@ action = function( host, port )
 try( socket:connect(host.ip, port.number, "tcp") )
 response = try( mysql.receiveGreeting( socket ) )
- stdnse.print_debug( string.format("Trying %s/%s ...", username, password ) )
+ stdnse.print_debug( "Trying %s/%s ...", username, password )
 status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
 socket:close()
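Review bot: The corrected call `stdnse.print_debug( "Trying %s/%s ...", username, password )` now formats safely when a candidate password contains `%`, but it still prints every username/password pair at the default debug level, so a plain `-d` run dumps the entire attempted wordlist to stdout alongside all other level-1 diagnostics. Consider raising it to `stdnse.print_debug( 2, "Trying %s/%s ...", username, password )` so that ordinary debug output stays readable and the credentials tried are only emitted when explicitly requested with `-d2`. Note also that `%s` raises a "string expected, got nil" error if either value is nil; if the credential iterator outside this hunk can yield a nil entry, guard it before this line rather than letting the script abort mid-run. The enclosing `action` function starts and ends outside the hunk.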