foundations for dictionary attack support combined with the sqlmap's password/hash retrieval functionality (--password switch)

2025-12-07 05:01:30 +00:00 · 2010-11-20 13:14:13 +00:00
parent 71107e4e9e
commit 1f8a9fe033
4 changed files with 1011 additions and 0 deletions
--- a/lib/utils/hash.py
+++ b/lib/utils/hash.py
@@ -0,0 +1,140 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from hashlib import md5
+from hashlib import sha1
+
+from extra.pydes.pyDes import des
+from extra.pydes.pyDes import CBC
+from lib.core.convert import hexdecode
+from lib.core.convert import hexencode
+
+def mysql_password(password, uppercase=True):
+    """
+    Reference(s):
+        http://csl.sublevel3.org/mysql-password-function/
+
+    >>> mysql_password(password='testpass', uppercase=True)
+    '*00E247AC5F9AF26AE0194B41E1E769DEE1429A29'
+    """
+
+    retVal = "*%s" % sha1(sha1(password).digest()).hexdigest()
+
+    return retVal.upper() if uppercase else retVal.lower()
+
+def mysql_old_password(password, uppercase=True): # prior to version '4.1'
+    """
+    Reference(s):
+        http://www.sfr-fresh.com/unix/privat/tpop3d-1.5.5.tar.gz:a/tpop3d-1.5.5/password.c
+        http://voidnetwork.org/5ynL0rd/darkc0de/python_script/darkMySQLi.html
+
+    >>> mysql_old_password(password='testpass', uppercase=True)
+    '7DCDA0D57290B453'
+    """
+
+    a, b, c = 1345345333, 7, 0x12345671
+
+    for d in password:
+        if d == ' ' or d == '\t':
+            continue
+
+        e = ord(d)
+        a ^= (((a & 63) + b) * e) + (a << 8)
+        c += (c << 8) ^ a
+        b += e
+
+    retVal = "%08lx%08lx" % (a & ((1 << 31) - 1), c & ((1 << 31) - 1))
+
+    return retVal.upper() if uppercase else retVal.lower()
+
+def postgres_password(password, username, uppercase=False):
+    """
+    Reference(s):
+        http://pentestmonkey.net/blog/cracking-postgres-hashes/
+
+    >>> postgres_password(password='testpass', username='testuser', uppercase=False)
+    'md599e5ea7a6f7c3269995cba3927fd0093'
+    """
+
+    retVal = "md5%s" % md5(password + username).hexdigest()
+
+    return retVal.upper() if uppercase else retVal.lower()
+
+def mssql_password(password, salt, uppercase=False):
+    """
+    Reference(s):
+        http://www.leidecker.info/projects/phrasendrescher/mssql.c
+        https://www.evilfingers.com/tools/GSAuditor.php
+
+    >>> mssql_password(password='testpass', salt='4086ceb6', uppercase=False)
+    '0x01004086ceb60c90646a8ab9889fe3ed8e5c150b5460ece8425a'
+    """
+
+    binsalt = hexdecode(salt)
+    unistr = "".join("%s\0" % c for c in password)
+
+    retVal = "0100%s%s" % (salt, sha1(unistr + binsalt).hexdigest())
+
+    return "0x%s" % (retVal.upper() if uppercase else retVal.lower())
+
+def mssql_old_password(password, salt, uppercase=True): # prior to version '2005'
+    """
+    Reference(s):
+        www.exploit-db.com/download_pdf/15537/
+        http://www.leidecker.info/projects/phrasendrescher/mssql.c
+        https://www.evilfingers.com/tools/GSAuditor.php
+
+    >>> mssql_old_password(password='testpass', salt='4086ceb6', uppercase=True)
+    '0x01004086CEB60C90646A8AB9889FE3ED8E5C150B5460ECE8425AC7BB7255C0C81D79AA5D0E93D4BB077FB9A51DA0'
+    """
+
+    binsalt = hexdecode(salt)
+    unistr = "".join("%s\0" % c for c in password)
+
+    retVal = "0100%s%s%s" % (salt, sha1(unistr + binsalt).hexdigest(), sha1(unistr.upper() + binsalt).hexdigest())
+
+    return "0x%s" % (retVal.upper() if uppercase else retVal.lower())
+
+def oracle_password(password, salt, uppercase=True):
+    """
+    Reference(s):
+        https://www.evilfingers.com/tools/GSAuditor.php
+        http://www.notesbit.com/index.php/scripts-oracle/oracle-11g-new-password-algorithm-is-revealed-by-seclistsorg/
+        http://seclists.org/bugtraq/2007/Sep/304
+
+    >>> oracle_password(password='SHAlala', salt='1B7B5F82B7235E9E182C', uppercase=True)
+    'S:2BFCFDF5895014EE9BB2B9BA067B01E0389BB5711B7B5F82B7235E9E182C'
+    """
+
+    binsalt = hexdecode(salt)
+
+    retVal="s:%s%s" % (sha1(password + binsalt).hexdigest(), salt)
+
+    return retVal.upper() if uppercase else retVal.lower()
+
+def oracle_old_password(password, username, uppercase=True): # prior to version '11g'
+    """
+    Reference(s):
+        http://www.notesbit.com/index.php/scripts-oracle/oracle-11g-new-password-algorithm-is-revealed-by-seclistsorg/
+
+    >>> oracle_old_password(password='tiger', username='scott', uppercase=True)
+    'F894844C34402B67'
+    """
+
+    IV, pad = "\0"*8, "\0"
+    unistr = "".join("\0%s" % c for c in (username + password).upper())
+
+    cipher = des(hexdecode("0123456789ABCDEF"), CBC, IV, pad)
+    encrypted = cipher.encrypt(unistr)
+    cipher = des(encrypted[-8:], CBC, IV, pad)
+    encrypted = cipher.encrypt(unistr)
+
+    retVal = hexencode(encrypted[-8:])
+
+    return retVal.upper() if uppercase else retVal.lower()