If you carefully track the login process of the SQL Server database Server, you will find that password computing is actually very fragile. The weak password of the SQL Server database reflects two aspects:
1. Password Encryption Algorithm for network login
2. Password Encryption Algorithm stored in the database.
The following sections describe:
1. Password Encryption Algorithm for network login
SQL Server network encryption passwords have always been very fragile. There are many comparison tables written on the Internet, but no specific algorithms are available. In fact, we track the login process of SQL Server, it is easy to obtain the decryption algorithm: Well, let's demonstrate the assembly process:
Log on to the TDS package 4126a4 and run the following command:
004DE72E: generate a buffer of the corresponding size based on the received size field for the next copy.
004DE748 copy the LOGIN information from the received tds buf offset 8
004DE762: call sub_54E4D0: process the new copy buffer for parameter check.
Process the information in the TDS package in sequence. The climate of each field should have the length of each region, and compare the length with the offset 0x24.
The following Assembly Code implements the network encryption and decryption algorithm:
Copy codeThe Code is as follows:
. Text: 0065C880 mov cl, [edi]
. Text: 0065C882 mov dl, cl
. Text: 0065C884 xor cl, 5
. Text: 0065C887 xor dl, 0AFh
. Text: 0065C88A shr dl, 4
. Text: 0065C88D shl cl, 4
. Text: 0065C890 or dl, cl
. Text: 0065C892 mov [edi], dl
. Text: 0065C894 inc edi
. Text: 0065C895 dec eax
. Text: 0065C896 jnz short loc_65C880
. Text: 0065C898 jmp loc_4DE7E6
It is easy to replace it with the C code. It can be seen that its encryption is simple, and there is no difference with the text, you can embed this code in SNIFFER to decrypt the sniffing TDS login package. In fact, 0XA5 is not the demarcation symbol of the specific SQL Server password field, the encryption algorithm will automatically encrypt the 0x0 value in the Two-byte form of ASC to 0xa5. However, if the dual-byte password is allowed, this is not the main reason for determining the demarcation.
Copy codeThe Code is as follows:
Void sqlpasswd (char * enp, char * dnp)
{
Int I;
Unsigned char a1;
Unsigned char a2;
For (I = 0; I <128; I ++)
{
If (enp [I] = 0)
Break;
A1 = enp [I] ^ 5;
A1 = a1 <4;
A2 = enp [I] ^ 0xaf;
A2 = a2> 4;
Dnp [I] = a1 | a2;
}
Dnp [I] = 0;
Dnp [I + 1] = 0;
Wprintf (L "passwd: % s \ n", (const wchar_t *) dnp );
}