[geeks] Encrypted hash question
Mike Parson
mparson at bl.org
Wed Jun 16 13:24:42 CDT 2004
On Wed, Jun 16, 2004 at 12:51:38PM -0500, Bill Bradford wrote:
> On Thu, Jun 17, 2004 at 05:48:36AM +1200, James Braid wrote:
>> They don't "look right" for SHA1; a standard SHA1 160-bit hash is
>> normally 40 characters long when stored as a plain text string (and only
>> has hex digits in it). But the application could have munged them or
>> something. Maybe they are weirdly crypt()'d or something.
>>
>> If you have the source for the app it should be easy enough to find how
>> it stores the passwords, and then change the app's password once you
>> have the root pw for MySQL.
>
> If I've got a mysqldump of the entire mysql installation on that
> box, how would you go around finding out what hash method it's using?
> Is that possible?
If it's an application password stored in the MySQL db and not a MySQL
user password, then I doubt that the hashing scheme would be readily
apparent just from a text dump of the DB. It all depends on if MySQL
is doing the hashing, or if the application is storing its own hashed
string as a text-field.
Can you null that field and login w/o a password?
--
Michael Parson
mparson at bl.org
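
Added example, not part of the original thread: a shape check over values pulled from a dump, generalizing the "40 hex characters for SHA1" observation to a few other common stored forms. The scheme list and sample values are constructed for illustration; a match only narrows the candidates, and salted or application-munged values may match nothing.

```python
import base64
import hashlib
import re
from collections import Counter

# Shape alone only narrows the candidates: a salted or application-munged
# value can have any of these shapes, or none of them.
SHAPES = [
    ("MySQL 4.1+ PASSWORD()", re.compile(r"\*[0-9A-Fa-f]{40}")),
    ("MySQL pre-4.1 PASSWORD()", re.compile(r"[0-9A-Fa-f]{16}")),
    ("MD5 hex", re.compile(r"[0-9A-Fa-f]{32}")),
    ("SHA-1 hex", re.compile(r"[0-9A-Fa-f]{40}")),
    ("MD5-crypt", re.compile(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}")),
    ("DES crypt()", re.compile(r"[./0-9A-Za-z]{13}")),
    ("Base64 MD5", re.compile(r"[A-Za-z0-9+/]{22}==")),
    ("Base64 SHA-1", re.compile(r"[A-Za-z0-9+/]{27}=")),
]

def classify(value):
    """Return every scheme whose stored form matches this string's shape."""
    value = value.strip()
    return [name for name, rx in SHAPES if rx.fullmatch(value)] or ["unknown"]

def survey(values):
    """Count shapes across a whole column; a consistent shape is the useful signal."""
    return Counter("/".join(classify(v)) for v in values)

def constructed_samples(pw=b"example"):
    """Constructed test values derived from a throwaway password."""
    sha1 = hashlib.sha1(pw)
    return {
        "sha1_hex": sha1.hexdigest(),
        "md5_hex": hashlib.md5(pw).hexdigest(),
        "sha1_b64": base64.b64encode(sha1.digest()).decode(),
        # MySQL 4.1+ format: "*" + uppercase hex of SHA1(SHA1(password))
        "mysql41": "*" + hashlib.sha1(sha1.digest()).hexdigest().upper(),
        "munged": "Xq7!" + sha1.hexdigest()[:20],  # arbitrary app-specific form
    }

if __name__ == "__main__":
    for label, value in constructed_samples().items():
        print(f"{label:9} {value:42} -> {classify(value)}")
```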