SQL Server password SQL Server security 1th/2 page _mssql

If you follow the SQL Server database server login process carefully, you will find that the password calculation is actually very fragile, the SQL Server database Password Vulnerability embodies two aspects:
1, password encryption algorithm when the network login

2, the database stored password encryption algorithm.

Here is a separate story:
1, password encryption algorithm when the network login
SQL Server network encryption Password has been very fragile, the internet has a lot of written tables, but there is no specific algorithm to deal with, in fact, tracking SQL Server landing process, it is easy to obtain its decryption algorithm: Well, we still demonstrate the assembly process:

The TDS package for the login type jumps to the 4126A4 for execution:
004DE72E: Generates a buffer of the size corresponding to the next copy based on the Size field received
004de748 Copy login information from TDS received BUF offset 8
004de762:call sub_54e4d0: The processing of parameter checking for the buffering of new copy
The information in the TDS package is processed sequentially, each field should have the length of each domain, and the offset 0x24 is compared with the length.
The following assembly code is the implementation of the network encryption password decryption algorithm:

Copy Code code as follows:

. text:0065c880 mov cl, [edi]
. text:0065c882 mov dl, cl
. text:0065c884 XOR cl, 5
. text:0065c887 xor DL, 0AFh
. text:0065c88a SHR DL, 4
. text:0065c88d SHL cl, 4
. text:0065c890 or DL, cl
. text:0065c892 mov [edi], DL
. text:0065c894 Inc EDI
. text:0065c895 Dec EAX
. text:0065c896 JNZ Short loc_65c880
. text:0065c898 jmp Loc_4de7e6

It is easy to replace it with C code, you can see that its encryption and simple, and clear text is no different, you can embed this code in the sniffer to sniff the TDs landing packets to decrypt, in fact, 0XA5 is not a specific SQL Server password field demarcation symbol, Just because the encryption algorithm automatically encrypts the two-byte 0x0 of ASC into 0XA5, this is not the main reason to judge the boundaries if a double-byte password is allowed.

Copy Code code as follows:

void sqlpasswd (char * enp,char* DNP)
{
int i;
unsigned char A1;
unsigned char A2;
for (i=0;i<128;i++)
{
if (enp[i]==0)
Break
a1 = Enp[i]^5;
a1 = A1 << 4;
A2 = Enp[i]^0xaf;
a2 = A2 >> 4;
DNP[I]=A1|A2;
}
dnp[i]=0;
dnp[i+1]=0;
wprintf (L "passwd:%s\n", (const wchar_t *) DNP);
}

Current 1/2 page 12 Next read the full text