Script type: portrule
Download: https://svn.nmap.org/nmap/scripts/mysql-vuln-cve2012-2122.nse
Script summary
Attempts to bypass authentication on MySQL and MariaDB servers by exploiting CVE-2012-2122. If the server is vulnerable, the script will also attempt to dump the MySQL usernames and password hashes.
All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are vulnerable, but whether exploitation succeeds depends on whether memcmp() returns an arbitrary integer outside the -128..127 range.
"When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might happen that the token and the expected value are considered equal, even if memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even though it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256. This means that if one knows a user name to connect with (and "root" almost always exists), she can connect using any password by repeating connection attempts. About 300 attempts take only a fraction of a second, so basically account password protection is as good as nonexistent."
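The narrowing conversion the quoted text describes, shown as an added C example (not part of this page, of the Nmap script, or of the MySQL source): a check that returns memcmp()'s int result through a one-byte my_bool beside the hardened form, with wide_memcmp() as a constructed stand-in for an optimised memcmp() that legitimately returns values outside -128..127. All function names and the sample tokens are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MySQL of that era declared boolean results as my_bool, a typedef for
 * char.  A function declared my_bool that returns memcmp()'s int result
 * silently narrows 32 bits to 8: any multiple of 256 becomes 0. */
typedef char my_bool;

/* Vulnerable pattern (hypothetical name, not the server's own source):
 * the int comparison result is returned through a one-byte type. */
static my_bool token_mismatch_vulnerable(int cmp_result)
{
    return cmp_result;              /* 256 -> 0: "tokens match" */
}

/* Hardened pattern: normalise to 0/1 before the narrowing conversion. */
static my_bool token_mismatch_fixed(int cmp_result)
{
    return cmp_result != 0;
}

/* Constructed stand-in for an optimised memcmp(): it honours the contract
 * (only the sign of the result is specified) but reports the byte
 * difference scaled by 256, i.e. a value outside -128..127, which is the
 * condition the page names for the bug being reachable. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i])
            return ((int)x[i] - (int)y[i]) * 256;
    return 0;
}

/* 1 if the presented token is accepted as equal to the expected one. */
int accepted_vulnerable(const uint8_t *tok, const uint8_t *expected, size_t n)
{
    return token_mismatch_vulnerable(wide_memcmp(tok, expected, n)) == 0;
}

int accepted_fixed(const uint8_t *tok, const uint8_t *expected, size_t n)
{
    return token_mismatch_fixed(wide_memcmp(tok, expected, n)) == 0;
}

/* Count the non-zero comparison results in [lo, hi] that a check treats
 * as "equal".  For the vulnerable check that is every non-zero multiple
 * of 256, i.e. roughly 1 in 256 of all possible results. */
int count_false_matches(int lo, int hi, my_bool (*check)(int))
{
    int bad = 0;
    for (long r = lo; r <= hi; r++)
        if (r != 0 && check((int)r) == 0)
            bad++;
    return bad;
}

int main(void)
{
    /* Constructed 20-byte SHA-1-sized tokens that differ in the last byte. */
    uint8_t expected[20] = {0};
    uint8_t wrong[20]    = {0};
    wrong[19] = 0x01;

    printf("wrong token, vulnerable check: %s\n",
           accepted_vulnerable(wrong, expected, 20) ? "ACCEPTED" : "rejected");
    printf("wrong token, fixed check:      %s\n",
           accepted_fixed(wrong, expected, 20) ? "ACCEPTED" : "rejected");
    printf("false matches in [-65536,65535]: vulnerable=%d fixed=%d\n",
           count_false_matches(-65536, 65535, token_mismatch_vulnerable),
           count_false_matches(-65536, 65535, token_mismatch_fixed));
    return 0;
}
```

Compile with any C99 compiler and run it: the wrong token is accepted by the vulnerable check only because its 256 difference truncates to 0, and the counting function shows that exactly the non-zero multiples of 256 slip through, which is consistent with the roughly 1/256 acceptance rate the advisory cites. The fix is not a different memcmp() but refusing to let a compare result pass through a narrower type unnormalised.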
Original public advisory:
Interesting post about this vulnerability:
Script arguments
mysql-vuln-cve2012-2122.pass
MySQL password. Default: nmapFTW.
mysql-vuln-cve2012-2122.user
MySQL username. Default: root.
mysql-vuln-cve2012-2122.iterations
Number of connection retries. Default: 1500.
mysql-vuln-cve2012-2122.socket_timeout
Socket timeout. Default: 5s.
vulns.short, vulns.showall
See the documentation for the vulns library.
Example usage
nmap -p3306 --script mysql-vuln-cve2012-2122 <target>
nmap -sV --script mysql-vuln-cve2012-2122 <target>
Script output
PORT STATE SERVICE REASON
3306/tcp open mysql syn-ack
| mysql-vuln-cve2012-2122:
| VULNERABLE:
| Authentication bypass in MySQL servers.
| State: VULNERABLE
| IDs: CVE:CVE-2012-2122
| Description:
| When a user connects to MariaDB/MySQL, a token (SHA
| over a password and a random scramble string) is calculated and compared
| with the expected value. Because of incorrect casting, it might've
| happened that the token and the expected value were considered equal,
| even if the memcmp() returned a non-zero value. In this case
| MySQL/MariaDB would think that the password is correct, even while it is
| not. Because the protocol uses random strings, the probability of
| hitting this bug is about 1/256.
| Which means, if one knows a user name to connect (and "root" almost
| always exists), she can connect using *any* password by repeating
| connection attempts. ~300 attempts takes only a fraction of second, so
| basically account password protection is as good as nonexistent.
|
| Disclosure date: 2012-06-9
| Extra information:
| Server granted access at iteration #204
| root:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
| debian-sys-maint:*BDA9386EE35F7F326239844C185B01E3912749BF
| phpmyadmin:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
| References:
| https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
| http://seclists.org/oss-sec/2012/q2/493
|_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
Author:
Paulino Calderon <calderon@websec.mx>
License: Same as Nmap--See https://nmap.org/book/man-legal.html
Further reading
The CyberScope Nmap penetration-testing handheld network analyzer integrates Nmap functionality to provide comprehensive network security risk assessment, analysis and reporting for the site access layer, covering discovery of all endpoints and networks, wired and wireless network security, vulnerability assessment (Nmap), and network segmentation and configuration validation. Through a single tool and a single interface, IT staff can quickly and in real time understand the topology, architecture, configuration, segmentation and performance of an enterprise or organization's hybrid network environment (wired, wireless, PoE) and its connected endpoint devices, all the way through to network security assessment.