SHA could not escape my hands: clever use Cain crack MYSQL database password-bug warning-the black bar safety net

ID MYHACK58:62200923469
Type myhack58
Reporter 佚名
Modified 2009-06-07T00:00:00


MYSQL database user password with the database user password the same, in the application of the system code are based on the plaintext appears in the access file read access can be directly from the database connection file is read, for example, asp code in conn. asp database connection file, in this file generally contains the database type, physical location, user name and password and other information; and in MYSQL, even access a user's database user, the root user except for the password, the only operation a user of the data in the database.

In the actual attack process, in the Get Webshell case, is you can directly download the MYSQL database to preserve user of the user. MYD file, which is stored in the MYSQL database all the users in the corresponding database password, as long as capable of cracking these passwords then you can fair and Square the operation of these data, although there are many online modify the MYSQL database user password, but not desirable, because to modify the user password thing is very easy to be found!

Research the MYSQL database the encryption and decryption manner, in the network attack-Defense process has important significance; just imagine once you obtain the website certain permissions, if you can get MYSQL to save the user data by the decryption, you can through the normal way to access the database; one can directly manipulate data in the database, on the other hand can be used to enhance the permissions. Through on the web to find information, now on to crack the MYSQL aspect of the research, the article considered the topic, although the effect is not particularly good, but can be considered to crack the MYSQL database user password an explore and try.

A MYSQL encryption mode

The MYSQL database of the authentication password in two ways, with MYSQL 4. 1 Before version is MYSQL323 encrypted, MYSQL 4. 1 and later versions are MYSQLSHA1 encryption, the MYSQL database comes with Old_Password(str)and Password(str)function,they can be in MYSQL database query, the former is MYSQL323 encrypted, which is MYSQLSHA1 way encryption.

(1)to MYSQL323 way encryption


SELECT Old_Password('');

Query results MYSQL323 = 10c886615b135b38

(2)to MYSQLSHA1 way encryption

SELECT Password('');

Query results MYSQLSHA1 = A2EBAE36132928537ADA8E6D1F7C5C5886713CC2 implementation of the results as shown in Figure 1, MYSQL323 encrypted generate is 1 6-bit string, and in the MYSQLSHA1 survival are 4 1-bit string, whereis not added into the actual cryptographic operation, by observing in the a lot of users are carrying“”, in the actual cracking process to remove the“”, that is MYSQLSHA1 the encrypted password of the actual number of bits is 4 0 bit.


Figure 1 in the MYSQL database query the same password for different SHA value

The MYSQL database file structure

1. MYSQL database file types

MYSQL database files there are“frm”and“MYD and MYI”file“. frm”is a description of the table structure file,

“. MYD”is a table of the data files“. MYI”is a table data file, any index of the data tree. Is generally present separately in a folder, the default is in the path“C:\Program Files\MYSQL\MYSQL Server 5.0\data”.

2. MYSQL database user password file

In the MYSQL database all the settings by default are saved in“C:\Program Files\MYSQL\MYSQL Server 5.0\data\MYSQL”, which is the installer's data directory, as shown in Figure 2, information about the user a total of three files i.e. the user. frm, user. MYD and user. MYI MYSQL database user passwords are stored in the user. MYD file, including the root user and other user's password.


Figure 2 MYSQL database user password file

III crack MYSQL password

1. Get MYSQL database user password encryption string

Using UltraEdit-3 2 editor to directly open the user. MYD file, open after use binary mode for viewing, as shown in Figure 3, We can see the root user is behind a string of string, select the string to copy it to Notepad, the string is the user encrypted value, i.e. 506D1427F6F61696B4501445C90624897266DAE3 it.


(1)The root behind the“*”Do not copy to a string.

(2)in some cases, need to back and look, otherwise get is not a complete MYSQLSHA1 passwords, in short its the correct password digit is 4 0 bit.


Figure 3 to obtain the encrypted string

2. The MYSQL user password string is added to the Cain crack the list

As used herein, Cain & Abel to crack the MYSQL database user password, Cain & Abel is a crack screensavers, PWL password, sharing password, cache password, remote shared password, SMB password support VNC password decoder, Cisco Type-7 password decoder, Base64 password decoder, SQL Server 7.0/2 0 0 0 password decode, Remote Desktop password decoder, Access Database Password decoder, Cisco PIX Firewall password decoder, Cisco MD5 decode, NTLM Session Security password decoding, IKE Aggressive Mode Pre-Shared Keys password decoder, Dialup password decoder, Remote Desktop password decoding and other integrated tools, you can also remote hack, you can hang the dictionary as well as brute-force, sniffer extremely powerful, almost can be plaintext to capture all account passwords, including FTP, HTTP, IMAP, POP3, SMB, TELNET, VNC, TDS, SMTP, MSKERB5-PREAUTH, MSN, RADIUS-KEYS, RADIUS-USERS, ICQ, IKE Aggressive Mode Pre-Shared Keys authentications and the like.

Cain & Abel is currently the latest version is 4. 9. 3 0, software download address:<>is. Download Cain & Abel, direct installation, and then run it, in Cain & Abel the main interface, click the“Cracker”tab, and then the user password encryption string“506D1427F6F61696B4501445C90624897266DAE3”is added to the MYSQL Hashes crack the list, as shown in Figure 4, Click the“Add to list”, as shown in Figure 5, The string is copied to the Hash input box. Username can be any input.


Figure 4 Using Cain crack MYSQL password for the main interface


Figure 5 Add MYSQL Hashes

3. Use a dictionary to crack

As shown in Figure 6, Select the just added the need to hack the string, and then select“Dictionary Attack(dictionary crack”, and in the pop-up menu, select“MYSQL SHA1 Hashes”way to crack, the way is for MYSQL4. 1 Follow-up version for MYSQL4. 1 a previous version then select the“MYSQL v3. 2 3 Hashes”to crack.


Figure 6 Select crack way

Select Dictionary Attack(dictionary crack”and after a window appears, mainly used to select the dictionary, as shown in Figure 7, in the Dictionary beneath the right click, you can add one or more dictionary files, the dictionary selection in the“options”selection, then click the“Start”button to crack.


Figure 7MYSQL dictionary hack settings


In the“options”in a total of 8 ways namely:

(1)The string capitalized

(2)string reversal

(3)double string

(4)The string all lowercase

(5)The string all uppercase

(6)in the string joining the numbers

(7)in each string to uppercase the rotation

(8)in the string, added 2 digital crack after the success of Cain will give some hint information, as shown below:

Plaintext of user is databasepassword

Attack stopped!

1 of 1 hashes cracked

Indicates that the encrypted password is“databasepassword”in. Back to Cain to crack the main window, crack the password value is automatically added to the“Password”column, as shown in Figure 8, to facilitate viewing.


Figure 8 hack password successfully

IV crack explore 1. Dictionary crack talking dictionary related to the intensity of

Click“Start”-“Programs”-“MYSQL”-“MYSQL Server 5.0”-“the MYSQL Command Line Client”to open the MYSQL Command Line Client, and after entering the password, enter the following code to re-set a new password: a


update user set password=password("1977-05-05") where user="root";

flush privileges;

This test will be the original password to modify“1977-05-05”, the results as shown in Figure 9.


Figure 9 modify the MYSQL user password

Again using UltraEdit-3 2 software re-open“C:\Program Files\MYSQL\MYSQL Server 5.0\data\MYSQL\user. MYD”get their new password string“B046BBAF61FE3BB6F60CA99AF39F5C2702F00D12”, and then re-select a dictionary, in this case, select the Generate of birthday dictionary, as shown in Figure 1 0, Figure 1 1 shows, select only lower case string for the hack, quickly get cracking results. The actual results show that the use Cain to crack the MYSQL password, if you are using dictionary to crack, then the crack effect with dictionary related to the intensity, as long as the crack passwords in the dictionary, you will certainly be able to crack.


Figure 1 0 again crack the MYSQL password


Figure 1 1 modify the MYSQL password again to crack MYSQL password

2. Using a rainbow table to crack

In Cain also provides a rainbow table to crack MYSQL, in crack mode, select“Cryptanalysis Attack”-“the MYSQL SHA1 Hashes via RainbowTables”can be, as shown in Figure 1 2 Figure 1 3 shows, in the actual testing process due to the provided on the network of sha Rainbow tables is RTI, and Cain is a RT, I will download all of the rainbow table file suffix by RTI modified to RT, and then cracked, the tooltip is unsuccessful, it should be the rainbow table format is not the same, Cain only admit it to themselves.


Figure 1 2 Using a rainbow table to crack the way


Figure 1 3 Using a rainbow table to crack

3. Hash calculator

In Cain offers a variety of Hashes calculated, in the main interface, click the Computer icon button to pop up the Hashes calculator, in the“Text to hash”input needs to be converted to the original value, for example, the input“1 2 3 4 5 6 7 8”, and click“Calculate”to calculate, as shown in Figure 1 4 shows, you can see the 1 4 kinds of Hashes value.


Figure 1 4 calculate the Hashes values

4. To generate Rainbow table

In Cain's install directory C:\Program Files\Cain\Winrtgen directly run Winrtgen, as shown in Figure 1 5, the tools for Rainbow table generator, can easily generate various types of Rainbow tables value.


Figure 1 5 Winrtgen Rainbow table generation tool

5. Set Rainbow table

In Figure 1 5. Click the“Add Table”in the“Rainbow Table properties”of the Hash to select“MYSQLsha1”, and then according to the actual situation, respectively, set the“Min Len”,“Max Len is”,“Index”, the“Chain len”, the“Chain Count”and“N of the tables”values, generally only need to set the“Min Len”,“Max Len”and“N of the tables”value.“ N of tables”mainly used to test the Hashes generated complete the degree, enter a different value in the Table properties to display the percentage, by trying to determine a common need to generate how much a table, and then click the“Benchmark”for time estimates, as shown in Figure 1 6 is shown, click“OK”to complete Rainbow table generation settings.


Figure 1 6 Set Rainbow table

In the rainbow table generator, as shown in Figure 1 7, Click“Start”to start to generate the rainbow table, the Status will display the resulting size and schedule.


Figure 1 7 start to generate the rainbow table

Since the rainbow table generation time is relatively long, on the web also there is no search to to rt at the end of the MYSQL Sha1 hashes table, so this hack is mainly to dictionary crack based Rainbow table to crack in all of the generation after, on the use of a rainbow table to crack the MYSQL password, please pay attention to safety days 3 6 5 Forum in. In the Server Permissions settings are not too strict in the case, through the Webshell can be MYSQL under the user. MYD file is downloaded to the local, as long as the crack the root user password, and then by means of the Webshell can do a lot of things, this article by using cain to crack the MYSQL password, it's a good try, just use the dictionary tool to generate some have a certain strength of the dictionary, for the design is not too complex MYSQL password, cracked or relatively easy.