Sybase database password “recovery”

穿精又带淫゛_ 提交于 2020-01-04 17:29:27

问题


I have DBA authority to a sybase database on Windows.

I have a another user that I don't know the password for.

I regularly use an application that does know the password, and it uses the password to automatically login to the application. However, I can't find a way to find that password anywhere in the application or its dlls/files/registry/etc.

I obviously don't want to just change the password of the user, as the password in the application can't be updated (that i know of).

I want to be able to login to the database as this user.

Are there any logging settings for the database server that will log the password in plaintext? Or any other methods I can use to obtain the password (maybe via login_procedure)? I'd also be okay with just obtaining the hash for the password(+salt).


回答1:


There is no SAP Sybase supported way to get the password in plaintext. You can view the hashed password by querying master..syslogins.passwords column.

A possible workaround would be to create a new user, and alias them to user in question inside the database.

sp_addalias is the command you would use to do something like that.

You can view the hashed password




回答2:


You can't get the plaintext password as it's not logged anywhere and we don't store it. What's stored in the ISYSUSER system table is the SHA-256 hash of the password, and so it is not possible to get the password from it. (And it's not the hash of just the password - it includes a random salt.)

However, if you have DBA authority, you can do anything in the database anyway. If you need to be connected as that particular user, you can connect as the user with DBA authority and then use the SETUSER statement.

Disclaimer: I work for SAP in SQL Anywhere engineering.




回答3:


Another option might be to decompile the application program and look for the password. I don't know who in their right mind would hard code a password into program code, but it kind of sounds like that is what happened here? Alternatively, if it is an internally-developed app, do you have access to the source code?

If that is what happened, and you have the ability to recompile the app, use the keyring (Mac, Linux) or DPAPI (Windows) to securely (as much as possible) store an encrypted instance of the password outside the application code. You'll be able to change it, and some random person who manages to hack in and get access to the source code or binary won't be able to inspect the program like I'm suggesting you try.

I also realize this is an old post and you've either solved the problem or moved on by now. ;-)



来源:https://stackoverflow.com/questions/21101024/sybase-database-password-recovery

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!