Vulnerability analysis:
Problem code:
my_bool check_scramble(const uchar *scramble_arg, const char *message,
                       const uint8 *hash_stage2)
{
  SHA1_CONTEXT sha1_context;
  uint8 buf[SHA1_HASH_SIZE];
  uint8 hash_stage2_reassured[SHA1_HASH_SIZE];

  mysql_sha1_reset(&sha1_context);
  /* create key to encrypt scramble */
  mysql_sha1_input(&sha1_context, (const uint8 *) message, SCRAMBLE_LENGTH);
  mysql_sha1_input(&sha1_context, hash_stage2, SHA1_HASH_SIZE);
  mysql_sha1_result(&sha1_context, buf);
  /* encrypt scramble */
  my_crypt((char *) buf, buf, scramble_arg, SCRAMBLE_LENGTH);
  /* now buf supposedly contains hash_stage1: so we can get hash_stage2 */
  mysql_sha1_reset(&sha1_context);
  mysql_sha1_input(&sha1_context, buf, SHA1_HASH_SIZE);
  mysql_sha1_result(&sha1_context, hash_stage2_reassured);
  return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
}
The return value of memcmp is actually an int, while my_bool is actually a char. So when the int is converted to a char, truncation can occur. For example, if memcmp returns 0x200, it becomes 0 after truncation, and the caller of check_scramble wrongly concludes that the "password is correct".
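To make the narrowing concrete, here is a small added example (not MySQL code; the names `truncated_result`, `normalized_result`, `count_false_equals` and `ct_compare` and the sample byte arrays are constructed for this post). It models the `int` to `my_bool` conversion from the return statement above, counts how many non-zero `memcmp` results collapse to 0 in a given range, and shows the fix pattern: normalise the comparison to 0/1 before it leaves the function, ideally with a comparison that also runs in constant time.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors MySQL's my_bool typedef: a plain char, not an int. */
typedef char my_bool;

/* Models the original `return memcmp(...)`: the int result is implicitly
 * narrowed to char, so every non-zero multiple of 256 collapses to 0. */
my_bool truncated_result(int memcmp_rc)
{
    return memcmp_rc;               /* implicit int -> char conversion */
}

/* Hardened form: reduce the int to a genuine 0/1 *before* the type change,
 * so no non-zero memcmp value can ever be read as "equal". */
my_bool normalized_result(int memcmp_rc)
{
    return memcmp_rc != 0;
}

/* Count the values in [lo, hi] that are non-zero yet truncate to 0.
 * This is the set of "different" results the caller would treat as a match. */
long count_false_equals(int lo, int hi)
{
    long n = 0;
    for (long v = lo; v <= hi; v++)
        if (v != 0 && truncated_result((int) v) == 0)
            n++;
    return n;
}

/* Constant-time comparison returning only 0 (equal) or 1 (different).
 * The return type is a full int, no narrowing, and the loop has no early
 * exit, so it does not leak where the first differing byte is. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t) (a[i] ^ b[i]);
    return diff != 0;
}

/* Constructed sample inputs (not real hashes), differing in the last byte. */
static const uint8_t SAMPLE_A[4] = {0x01, 0x02, 0x03, 0x04};
static const uint8_t SAMPLE_B[4] = {0x01, 0x02, 0x03, 0x05};

int main(void)
{
    printf("memcmp rc 0x200 -> my_bool %d (truncated), %d (normalized)\n",
           truncated_result(0x200), normalized_result(0x200));
    printf("non-zero rc values in [-1000, 1000] that truncate to 0: %ld\n",
           count_false_equals(-1000, 1000));
    printf("ct_compare(A, A) = %d, ct_compare(A, B) = %d\n",
           ct_compare(SAMPLE_A, SAMPLE_A, sizeof SAMPLE_A),
           ct_compare(SAMPLE_A, SAMPLE_B, sizeof SAMPLE_B));
    return 0;
}
```

The two one-line functions are the whole bug and the whole fix: `truncated_result(0x200)` is 0, `normalized_result(0x200)` is 1. `memcmp` is allowed to return any integer, not just -1/0/1, which is why an authentication check should never hand its raw result to a narrower type; a byte-wise constant-time compare such as `ct_compare` is the usual replacement in code paths that compare secrets.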