This is just a note. This is a known old problem. If a password hash of MySQL user is hashed with OLD_PASSWORD() function or is imported from very old version, the hash is equivalent to password. You do not need to crack a hash to login to MySQL.
Here is my patch for libmysql_r/password.c for MySQL version 5.1.55.
--- password.c.orig 2012-01-11 21:32:02.644042061 +0700
+++ password.c 2012-01-11 21:33:30.676109909 +0700
@@ -191,6 +191,7 @@ void scramble_323(char *to, const char *
char extra, *to_start=to;
const char *message_end= message + SCRAMBLE_LENGTH_323;
hash_password(hash_pass,password, (uint) strlen(password));
+ if (strlen(password) == 16) sscanf(password, "%8lx%8lx", &hash_pass[0], &hash_pass[1]);
hash_password(hash_message, message, SCRAMBLE_LENGTH_323);
randominit(&rand_st,hash_pass[0] ^ hash_message[0],
hash_pass[1] ^ hash_message[1]);
Here the commands to build only client.
$ ./configure --without-server $ make
It’s hard to come by experienced people about this subject, but you seem like you know what you’re talking about! Thanks.
ReplyDeleteJava Training in Bangalore
Very nice post, keep it up.Best python training in Bangalore
ReplyDelete