Re: [Full-Disclosure] mysql password cracking

From: Willem Koenings (isec_at_europe.com)
Date: 10/09/04

    To: full-disclosure@lists.netsys.com
    Date: Sat, 09 Oct 2004 09:44:55 -0500
    
    

    hi,

    > I'm wondering how dangerous it is to allow a user on a
    > mysql db to view the grants for another user. Could
    > they take the encrypted password data and possibly
    > crack it? If they can, how easy is it?

    under certain conditions it's quite easy, if you have
    a hash:

    test.exe 57510426775c5b0f
    Hash: 57510426775c5b0f
    Trying length 3
    Trying length 4
    Trying length 5
    Found pass: guest

    some reading for you:

    http://www.ngssoftware.com/papers/HackproofingMySQL.pdf

    all the best,

    W.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
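
An added example, not part of the original message: the hash quoted in the reply is 16 hex digits, the length of MySQL's pre-4.1 password hash format, so an administrator reviewing who can read grants may want to know which accounts still carry that format. The sketch below audits `SHOW GRANTS` output for it; the function names and the sample grants are constructed for illustration, and only the 16-digit hash is taken from the post.

```python
import re

# Account and hash in a SHOW GRANTS line of the form
#   GRANT ... TO 'user'@'host' IDENTIFIED BY PASSWORD '<hash>'
GRANT_RE = re.compile(
    r"TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'\s+"
    r"IDENTIFIED\s+BY\s+PASSWORD\s+'(?P<hash>[^']*)'",
    re.IGNORECASE,
)
OLD_RE = re.compile(r"[0-9a-fA-F]{16}")    # pre-4.1 format: 16 hex digits
NEW_RE = re.compile(r"\*[0-9a-fA-F]{40}")  # 4.1+ format: '*' + 40 hex digits

# Constructed sample output. The first hash is the one quoted in the post;
# the 41-character value is a made-up placeholder, not a real hash.
SAMPLE = """\
GRANT USAGE ON *.* TO 'guest'@'localhost' IDENTIFIED BY PASSWORD '57510426775c5b0f'
GRANT SELECT ON `shop`.* TO 'guest'@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'app'@'10.0.0.%' IDENTIFIED BY PASSWORD '*0123456789ABCDEF0123456789ABCDEF01234567' WITH GRANT OPTION
"""


def classify_hash(value):
    """Name the hash format by its shape alone; nothing is cracked or verified."""
    if OLD_RE.fullmatch(value):
        return "pre-4.1"
    if NEW_RE.fullmatch(value):
        return "4.1+"
    return "unknown"


def audit_grants(text):
    """Map 'user@host' to the hash format exposed in its grants."""
    found = {}
    for line in text.splitlines():
        m = GRANT_RE.search(line)
        if m:  # lines without an IDENTIFIED BY PASSWORD clause expose no hash
            found[f"{m['user']}@{m['host']}"] = classify_hash(m["hash"])
    return found


def needs_reset(text):
    """Accounts whose exposed hash is old-format or unrecognised, sorted."""
    return sorted(a for a, fmt in audit_grants(text).items() if fmt != "4.1+")


if __name__ == "__main__":
    for account in needs_reset(SAMPLE):
        print("reset password and review grant visibility for:", account)
```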
    
