If you carefully track the login process of the SQL Server database server, you will find that password computing is actually very fragile. The weak password of the SQL Server database reflects two aspects:
1. Password Encryption during network login Algorithm
2. Password Encryption Algorithm stored in the database.
The following sections describe:
1. Password Encryption Algorithm for network login
SQL server network encryption passwords have always been very fragile. There are many comparison tables written on the Internet, but no specific algorithms are available. In fact, we track the login process of SQL Server, it is easy to obtain the decryption algorithm: Well, let's demonstrate the assembly process:
log on to the TDS package 4126a4 and run the following command:
004de72e: generate a buffer of the corresponding size based on the received size field for the next copy
004de748 copy the login information from the received TDS Buf offset 8
004de762: call sub_54e4d0: process the new copy of the buffer into the parameter check
process the information in the TDS package in sequence. The climate of each field must have the length of each region, the offset 0x24 is compared with the length.
The following Code is an algorithm used to decrypt the encrypted network password: copy Code the code is as follows :. text: 0065c880 mov Cl, [EDI]
. text: 0065c882 mov DL, CL
. text: 0065c884 XOR Cl, 5
. text: 0065c887 xor dl, 0afh
. text: 0065c88a shr dl, 4
. text: 0065c88d SHL cl, 4
. text: 0065c890 or DL, CL
. text: 0065c892 mov [EDI], DL
. text: 0065c894 Inc EDI
. text: 0065c895 dec eax
. text: 0065c896 jnz short loc_65c880
. text: 0065c898 JMP loc_4de7e6
It is easy to replace it with the C code. It can be seen that its encryption is simple, and there is no difference with the text, you can embed this code in sniffer to decrypt the sniffing TDS login package. In fact, 0xa5 is not the demarcation symbol of the specific SQL server password field, the encryption algorithm will automatically encrypt the 0x0 value in the Two-byte form of ASC to 0xa5. However, if the dual-byte password is allowed, this is not the main reason for determining the demarcation.Copy codeCode: void sqlpasswd (char * ENP, char * DNP)
{
Int I;
Unsigned char A1;
Unsigned char A2;
For (I = 0; I <128; I ++)
{
If (ENP [I] = 0)
Break;
A1 = ENP [I] ^ 5;
A1 = A1 <4;
A2 = ENP [I] ^ 0xaf;
A2 = A2> 4;
DNP [I] = A1 | A2;
}
DNP [I] = 0;
DNP [I + 1] = 0;
Wprintf (L "passwd: % s \ n", (const wchar_t *) DNP );
}