2024-03-09 14:23:42 +00:00
|
|
|
id: mysql-default-login
|
|
|
|
|
|
|
|
|
|
info:
|
|
|
|
|
name: MySQL - Default Login
|
|
|
|
|
author: DhiyaneshDk,pussycat0x,ritikchaddha
|
|
|
|
|
severity: high
|
|
|
|
|
description: |
|
|
|
|
|
A MySQL service was accessed with easily guessed credentials.
|
|
|
|
|
metadata:
|
|
|
|
|
verified: true
|
2024-03-23 09:28:19 +00:00
|
|
|
max-request: 21
|
|
|
|
|
shodan-query: "port:3306"
|
2025-10-17 14:17:02 +02:00
|
|
|
tags: js,mysql,default-login,network,fuzz,enum,vuln
|
2024-03-09 14:23:42 +00:00
|
|
|
|
|
|
|
|
javascript:
|
|
|
|
|
- pre-condition: |
|
2024-07-10 17:38:01 +05:30
|
|
|
isPortOpen(Host,Port);
|
2024-03-09 14:23:42 +00:00
|
|
|
code: |
|
|
|
|
|
var m = require("nuclei/mysql");
|
|
|
|
|
var c = m.MySQLClient();
|
2024-07-25 14:23:01 +05:30
|
|
|
c.Connect(Host,Port,User,Pass)
|
2024-03-09 14:23:42 +00:00
|
|
|
|
|
|
|
|
args:
|
|
|
|
|
Host: "{{Host}}"
|
|
|
|
|
Port: "3306"
|
|
|
|
|
User: "{{usernames}}"
|
|
|
|
|
Pass: "{{passwords}}"
|
|
|
|
|
|
|
|
|
|
payloads:
|
2026-01-08 11:25:56 +08:00
|
|
|
usernames: helpers/wordlists/mysql-users.txt
|
|
|
|
|
passwords: helpers/wordlists/mysql-passwords.txt
|
2024-03-22 19:41:12 +05:30
|
|
|
attack: clusterbomb
|
2024-03-09 14:23:42 +00:00
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
|
- type: dsl
|
|
|
|
|
dsl:
|
|
|
|
|
- "response == true"
|
|
|
|
|
- "success == true"
|
|
|
|
|
condition: and
|
2026-01-08 11:25:56 +08:00
|
|
|
# digest: 4a0a0047304502202e60c03105cba531fe84fd491ad25fc7cc97070adc3a43865bad78e1ba274f7d022100f26af1d4d6e117ac8cbe021961ba09bf1c3c29c18ee17d8e4d378d0ac634fd24:922c64590222798bb761d5b6d8e72950
|
