PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-09 14:11:29 +00:00
Code Issues Projects Releases Wiki Activity

o [NSE] Fixed mysql-brute.nse error that would cause brute-forcing to fail

Browse Source 
if password contained a format string. Fixed a problem with SSL support
  detection in mysql.lua library. [Patrik]
This commit is contained in:
patrik
2010-03-17 09:30:26 +00:00
parent 68f3bca589
commit 53460a9682
2 changed files with 27 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
nselib/mysql.lua
View File

@@ -126,37 +126,35 @@ function receiveGreeting( socket )
end end
if HAVE_SSL then --- Creates a hashed value of the password and salt according to MySQL authentication post version 4.1
--
-- @param pass string containing the users password
-- @param salt string containing the servers salt as obtained from <code>receiveGreeting</code>
-- @return reply string containing the raw hashed value
local function createLoginHash(pass, salt)
local hash_stage1
local hash_stage2
local hash_stage3
local reply = ""
local pos, b1, b2, b3, _ = 1, 0, 0, 0
--- Creates a hashed value of the password and salt according to MySQL authentication post version 4.1 if ( not(HAVE_SSL) ) then
--
-- @param pass string containing the users password
-- @param salt string containing the servers salt as obtained from <code>receiveGreeting</code>
-- @return reply string containing the raw hashed value
local function createLoginHash(pass, salt)
local hash_stage1 = openssl.sha1( pass )
local hash_stage2 = openssl.sha1( hash_stage1 )
local hash_stage3 = openssl.sha1( salt .. hash_stage2 )
local reply = ""
local pos, b1, b2, b3, _ = 1, 0, 0, 0
for pos=1, hash_stage1:len() do
_, b1 = bin.unpack( "C", hash_stage1, pos )
_, b2 = bin.unpack( "C", hash_stage3, pos )
reply = reply .. string.char( bit.bxor( b2, b1 ) )
end
return reply
end
else
local function createLoginHash(pass, salt)
return nil return nil
end end
hash_stage1 = openssl.sha1( pass )
hash_stage2 = openssl.sha1( hash_stage1 )
hash_stage3 = openssl.sha1( salt .. hash_stage2 )
for pos=1, hash_stage1:len() do
_, b1 = bin.unpack( "C", hash_stage1, pos )
_, b2 = bin.unpack( "C", hash_stage3, pos )
reply = reply .. string.char( bit.bxor( b2, b1 ) )
end
return reply
end end

2
scripts/mysql-brute.nse
View File

@@ -63,7 +63,7 @@ action = function( host, port )
try( socket:connect(host.ip, port.number, "tcp") ) try( socket:connect(host.ip, port.number, "tcp") )
response = try( mysql.receiveGreeting( socket ) ) response = try( mysql.receiveGreeting( socket ) )
stdnse.print_debug( string.format("Trying %s/%s ...", username, password ) ) stdnse.print_debug( "Trying %s/%s ...", username, password )
status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt ) status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
socket:close() socket:close()