SQL Server Database Password Vulnerability

Tracked down the database zone hrefdev. yesky. the logon process of the comdevsjktarget_blankSQLSERVER database server finds that password computing is very fragile. The password of the SQLSERVER database is vulnerable in two aspects: 1. Password Encryption Algorithm for network login 2. password encryption for database storage

I followed the database zone href = "http://dev.yesky.com/devsjk" target = _ blank> SQL SERVER database SERVER login process, found that password calculation is very fragile, the weak passwords of SQL SERVER databases are reflected in two aspects: 1. Password Encryption Algorithm for network login 2. password encryption for database storage

TrackedDatabaseZone href = "http://dev.yesky.com/devsjk" target = _ blank> SQL SERVERDatabaseServer login process, foundPasswordComputing is very fragile, SQL SERVERDatabaseOfPasswordTwo aspects of vulnerability:

1. During network loginPasswordEncryption Algorithm

2,DatabaseStoredPasswordEncryption algorithm.

The following sections describe:

　　1. During network loginPasswordEncryption Algorithm

SQL SERVER network-encryptedPasswordIt has always been very fragile. There are a lot of comparison tables written on the Internet, but there is no specific algorithm processing. In fact, it is easy to obtain the decryption algorithm by tracking the login process of SQL SERVER: okay, let's demonstrate the assembly process:

Log on to the TDS package 4126a4 and run the following command:

004DE72E: generate a buffer of the corresponding size based on the received size field for the next copy.

004DE748 copy the LOGIN information from the received tds buf offset 8

004DE762: call sub_54E4D0: process the new copy buffer for parameter check.

Process the information in the TDS package in sequence. The climate of each field should have the length of each region, and compare the length with the offset 0x24.

The following Assembly Code implements the network encryption and decryption algorithm:

The following is a reference clip: . Text: 0065C880 mov cl, [edi] . Text: 0065C882 mov dl, cl . Text: 0065C884 xor cl, 5 . Text: 0065C887 xor dl, 0AFh . Text: 0065C88A shr dl, 4 . Text: 0065C88D shl cl, 4 . Text: 0065C890 or dl, cl . Text: 0065C892 mov [edi], dl . Text: 0065C894 inc edi . Text: 0065C895 dec eax . Text: 0065C896 jnz short loc_65C880 . Text: 0065C898 jmp loc_4DE7E6

It is easy to replace it with the C code. It can be seen that its encryption is simple, and there is no difference with the text, you can embed this code in SNIFFER to decrypt the sniffing TDS login package. In fact, 0XA5 is not the demarcation symbol of the specific SQL SERVER password field, only because the encryption algorithm will automatically encrypt the 0x0 value in the double byte of ASC to 0xa5, but if the double byte is allowedPasswordThis is not the main reason for judging the demarcation.

The following is a reference clip: Void sqlpasswd (char * enp, char * dnp) { Int I; Unsigned char a1; Unsigned char a2; For (I = 0; I <128; I ++) { If (enp [I] = 0) Break; A1 = enp [I] ^ 5; A1 = a1 <4; A2 = enp [I] ^ 0xaf; A2 = a2> 4; Dnp [I] = a1 | a2; } Dnp [I] = 0; Dnp [I + 1] = 0; Wprintf (L "passwd: % s \ n", (const wchar_t *) dnp ); }

　　2,DatabaseStoredPasswordEncryption Algorithm

SQL SERVERPasswordToDatabaseThe storage encryption method is also weird. The process is as follows:

After obtaining the network decryption passwordPasswordCall SQLSORT_14 at 005F9D5A in the future to implement a conversion to uppercasePasswordBuffer to save.

Then, call a function at 004def6d to retrieveDatabaseThe encrypted PASSWORD in the form:

2 bytes header 0x0100 (fixed)

4-byte HASH and secret KEY

HASH1 of 20 bytes

HASH2 of 20 bytes

Example:

The following is a reference clip: Fx: 0x0100 1751857F DFDEC4FB618D8D18EBA5A27F615639F607 CD46BE DFDEC4FB618D8D18EBA5A27F615639F607CD46BE Fixed KEY HASH1 HASH2 supplement 　　PasswordYes: 123456