How can I decrypt MySQL passwords
Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/5654819/
Asked by Mike
The developer who created a platform my company uses is no longer working for us and I don't know how I can retrieve the passwords from a custom PHP application
When I look in the PHPmyAdmin the passwords are encrypted (e.g. *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19)
How can I change or retrieve these?
Accepted answer by Pekka
If a proper encryption method was used, it's not going to be possible to easily retrieve them.
Just reset them with new passwords.
Edit: The string looks like it is using PASSWORD():
UPDATE user SET password = PASSWORD("newpassword");
Answer by jww
How can I decrypt MySQL passwords
You can't really because they are hashed and not encrypted.
Here's the essence of the PASSWORD function that current MySQL uses. You can execute it from the sql terminal:
mysql> SELECT SHA1(UNHEX(SHA1("password")));
+------------------------------------------+
| SHA1(UNHEX(SHA1("password")))            |
+------------------------------------------+
| 2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 |
+------------------------------------------+
1 row in set (0.00 sec)
How can I change or retrieve these?
If you are having trouble logging in on a debian or ubuntu system, first try this (thanks to tohuwawohu at https://askubuntu.com/questions/120718/cant-log-to-mysql):
$ sudo cat /etc/mysql/debian.cnf | grep -i password
...
password: QWERTY12345...
Then, log in with the debian maintenance user:
$ mysql -u debian-sys-maint -p
password:
Finally, change the user's password:
mysql> UPDATE mysql.user SET Password=PASSWORD('new password') WHERE User='root';
mysql> FLUSH PRIVILEGES;
mysql> quit;
When I look in the PHPmyAdmin the passwords are encrypted
Related, if you need to dump the user database for the relevant information, try:
mysql> SELECT User,Host,Password FROM mysql.user;
+------------------+-----------+----------------------+
| User             | Host      | Password             |
+------------------+-----------+----------------------+
| root             | localhost | *0123456789ABCDEF... |
| root             | 127.0.0.1 | *0123456789ABCDEF... |
| root             | ::1       | *0123456789ABCDEF... |
| debian-sys-maint | localhost | *ABCDEF0123456789... |
+------------------+-----------+----------------------+
And yes, those passwords are NOT salted. So an attacker can prebuild the tables and apply them to all MySQL installations. In addition, the adversary can learn which users have the same passwords.
Needless to say, the folks at MySQL are not following best practices. John Steven did an excellent paper on Password Storage Best Practice at OWASP's Password Storage Cheat Sheet. In fairness to the MySQL folks, they may be doing it because of pain points in the architecture, design or implementation (I simply don't know).
If you use the PASSWORD and UPDATE commands and the change does not work, then see http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html. Even though the page is named "resetting permissions", it's really about how to change a password. (It's befuddling the MySQL password change procedure is so broken that you have to jump through the hoops, but it is what it is).
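The hash format and the missing salt described in the answer above, as an added Python example that is not part of the original answer. The function names and the sample rows are constructed for illustration; the audit reports which accounts share one stored hash, which is exactly what an unsalted scheme exposes to anyone who can read the table.

```python
import hashlib
from collections import defaultdict

HEX_UPPER = set("0123456789ABCDEF")

def mysql_native_hash(password: str) -> str:
    """'*' + upper-case hex of SHA1(SHA1(password)), the shape PASSWORD() returns."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def is_native_hash(value: str) -> bool:
    """True if value has the 41-character '*' + 40 hex digits layout."""
    return len(value) == 41 and value[0] == "*" and set(value[1:]) <= HEX_UPPER

def shared_hashes(rows):
    """Group account names by stored hash and keep hashes used more than once.

    With no salt, equal passwords always give equal hashes, so every group
    returned here is a set of accounts that have the same password.
    """
    groups = defaultdict(list)
    for user, stored in rows:
        if is_native_hash(stored):
            groups[stored].append(user)
    return {h: sorted(users) for h, users in groups.items() if len(users) > 1}

# Constructed sample rows (user, stored hash) standing in for a user table.
SAMPLE_ROWS = [
    ("alice", mysql_native_hash("password")),
    ("bob", mysql_native_hash("password")),
    ("carol", mysql_native_hash("a different constructed passphrase")),
]

if __name__ == "__main__":
    print(mysql_native_hash("password"))
    for stored, users in shared_hashes(SAMPLE_ROWS).items():
        print(stored, "is shared by", ", ".join(users))
```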
Answer by Krishna
Hashing is a one-way process but using a password-list you can regenerate the hashes and compare to the stored hash to 'crack' the password.
This site https://crackstation.net/ attempts to do this for you - run through password lists and tell you the cleartext password based on your hash.
Answer by Adam Straughan
With luck, if the original developer was any good, you will not be able to get the plain text out. I say "luck" otherwise you probably have an insecure system.
For the admin passwords, as you have the code, you should be able to create hashed passwords from a known plain text such that you can take control of the application. Follow the algorithm used by the original developer.
If they were not salted and hashed, then make sure you do apply this as 'best practice'
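One way to apply the "salted and hashed" advice from the answer above without forcing every user to reset: an added Python example, not code from the original answer or from the application in question. It assumes the application currently stores unsalted PASSWORD()-style hashes; the `users` dict stands in for the application's user table, and the stored string layout and the iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def legacy_hash(password: str) -> str:
    """Unsalted legacy format: '*' + upper-case hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def salted_hash(password: str, salt=None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a password against either a legacy row or a salted row."""
    if stored.startswith("*"):  # legacy, unsalted row
        return hmac.compare_digest(legacy_hash(password), stored)
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def login(users: dict, name: str, password: str) -> bool:
    """Verify the password; on success, rewrite a legacy row as a salted hash."""
    stored = users.get(name)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("*"):
        users[name] = salted_hash(password)  # upgrade while the plaintext is in hand
    return True
```

Rows for accounts that never log in again stay in the legacy format, so a forced reset is still needed for those.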
Answer by Nanne
just change them to password('yourpassword')
Answer by macio.Jun
You can't decrypt password in mysql, because password is hashed by using md5 hash algorithm, which is not an encoding algorithm.
Answer by Tejas Tank
Simply best way from linux server
sudo mysql --defaults-file=/etc/mysql/debian.cnf -e 'use mysql;UPDATE user SET password=PASSWORD("snippetbucket-technologies") WHERE user="root";FLUSH PRIVILEGES;'
This way works for any Linux server; I am 100% sure that on Debian and Ubuntu you win.