mysql 登录认证流程代码实现
前言:c++集成libmysql.lib静态库的话,就直接3M了,但是自己只需要登录认证这个功能,所以这里自己去学习并且用实现mysql的登录认证
https://dev.mysql.com/doc/internals/en/secure-password-authentication.html
https://www.cnblogs.com/zhanyd/p/9895241.html
sha1加密:
#pragma once
#include "public.h"
class SHA1 final
{
public:
SHA1();
void update(const std::string &s);
void update(std::istream &is);
std::string final();
std::string final_bin();
static std::string from_file(const std::string &filename);
static std::string encode(const std::string &s);
static std::string encode_bin(const std::string &s);
private:
uint32_t digest[5];
std::string buffer;
uint64_t transforms;
};
// 100% Public Domain.
//
// Original C Code
// -- Steve Reid <steve@edmweb.com>
// Small changes to fit into bglibs
// -- Bruce Guenter <bruce@untroubled.org>
// Translation to simpler C++ Code
// -- Volker Grabsch <vog@notjusthosting.com>
// Safety fixes
// -- Eugene Hopkinson <slowriot at voxelstorm dot com>
// Adapt for project
// Dmitriy Khaustov <khaustov.dm@gmail.com>
//
// File created on: 2017.02.25
// SHA1.cpp
#include "crypto_Sha1.h"
static const size_t BLOCK_INTS = 16; /* number of 32bit integers per SHA1 block */
static const size_t BLOCK_BYTES = BLOCK_INTS * 4;
static void reset(uint32_t digest[], std::string &buffer, uint64_t &transforms)
{
/* SHA1 initialization constants */
digest[0] = 0x67452301;
digest[1] = 0xefcdab89;
digest[2] = 0x98badcfe;
digest[3] = 0x10325476;
digest[4] = 0xc3d2e1f0;
/* Reset counters */
buffer = "";
transforms = 0;
}
static uint32_t rol(const uint32_t value, const size_t bits)
{
return (value << bits) | (value >> (32 - bits));
}
static uint32_t blk(const uint32_t block[BLOCK_INTS], const size_t i)
{
return rol(block[(i + 13) & 15] ^ block[(i + 8) & 15] ^ block[(i + 2) & 15] ^ block[i], 1);
}
/*
* (R0+R1), R2, R3, R4 are the different operations used in SHA1
*/
static void R0(const uint32_t block[BLOCK_INTS], const uint32_t v, uint32_t &w, const uint32_t x, const uint32_t y, uint32_t &z, const size_t i)
{
z += ((w&(x^y)) ^ y) + block[i] + 0x5a827999 + rol(v, 5);
w = rol(w, 30);
}
static void R1(uint32_t block[BLOCK_INTS], const uint32_t v, uint32_t &w, const uint32_t x, const uint32_t y, uint32_t &z, const size_t i)
{
block[i] = blk(block, i);
z += ((w&(x^y)) ^ y) + block[i] + 0x5a827999 + rol(v, 5);
w = rol(w, 30);
}
static void R2(uint32_t block[BLOCK_INTS], const uint32_t v, uint32_t &w, const uint32_t x, const uint32_t y, uint32_t &z, const size_t i)
{
block[i] = blk(block, i);
z += (w^x^y) + block[i] + 0x6ed9eba1 + rol(v, 5);
w = rol(w, 30);
}
static void R3(uint32_t block[BLOCK_INTS], const uint32_t v, uint32_t &w, const uint32_t x, const uint32_t y, uint32_t &z, const size_t i)
{
block[i] = blk(block, i);
z += (((w | x)&y) | (w&x)) + block[i] + 0x8f1bbcdc + rol(v, 5);
w = rol(w, 30);
}
static void R4(uint32_t block[BLOCK_INTS], const uint32_t v, uint32_t &w, const uint32_t x, const uint32_t y, uint32_t &z, const size_t i)
{
block[i] = blk(block, i);
z += (w^x^y) + block[i] + 0xca62c1d6 + rol(v, 5);
w = rol(w, 30);
}
/*
* Hash a single 512-bit block. This is the core of the algorithm.
*/
static void transform(uint32_t digest[], uint32_t block[BLOCK_INTS], uint64_t &transforms)
{
/* Copy digest[] to working vars */
uint32_t a = digest[0];
uint32_t b = digest[1];
uint32_t c = digest[2];
uint32_t d = digest[3];
uint32_t e = digest[4];
/* 4 rounds of 20 operations each. Loop unrolled. */
R0(block, a, b, c, d, e, 0);
R0(block, e, a, b, c, d, 1);
R0(block, d, e, a, b, c, 2);
R0(block, c, d, e, a, b, 3);
R0(block, b, c, d, e, a, 4);
R0(block, a, b, c, d, e, 5);
R0(block, e, a, b, c, d, 6);
R0(block, d, e, a, b, c, 7);
R0(block, c, d, e, a, b, 8);
R0(block, b, c, d, e, a, 9);
R0(block, a, b, c, d, e, 10);
R0(block, e, a, b, c, d, 11);
R0(block, d, e, a, b, c, 12);
R0(block, c, d, e, a, b, 13);
R0(block, b, c, d, e, a, 14);
R0(block, a, b, c, d, e, 15);
R1(block, e, a, b, c, d, 0);
R1(block, d, e, a, b, c, 1);
R1(block, c, d, e, a, b, 2);
R1(block, b, c, d, e, a, 3);
R2(block, a, b, c, d, e, 4);
R2(block, e, a, b, c, d, 5);
R2(block, d, e, a, b, c, 6);
R2(block, c, d, e, a, b, 7);
R2(block, b, c, d, e, a, 8);
R2(block, a, b, c, d, e, 9);
R2(block, e, a, b, c, d, 10);
R2(block, d, e, a, b, c, 11);
R2(block, c, d, e, a, b, 12);
R2(block, b, c, d, e, a, 13);
R2(block, a, b, c, d, e, 14);
R2(block, e, a, b, c, d, 15);
R2(block, d, e, a, b, c, 0);
R2(block, c, d, e, a, b, 1);
R2(block, b, c, d, e, a, 2);
R2(block, a, b, c, d, e, 3);
R2(block, e, a, b, c, d, 4);
R2(block, d, e, a, b, c, 5);
R2(block, c, d, e, a, b, 6);
R2(block, b, c, d, e, a, 7);
R3(block, a, b, c, d, e, 8);
R3(block, e, a, b, c, d, 9);
R3(block, d, e, a, b, c, 10);
R3(block, c, d, e, a, b, 11);
R3(block, b, c, d, e, a, 12);
R3(block, a, b, c, d, e, 13);
R3(block, e, a, b, c, d, 14);
R3(block, d, e, a, b, c, 15);
R3(block, c, d, e, a, b, 0);
R3(block, b, c, d, e, a, 1);
R3(block, a, b, c, d, e, 2);
R3(block, e, a, b, c, d, 3);
R3(block, d, e, a, b, c, 4);
R3(block, c, d, e, a, b, 5);
R3(block, b, c, d, e, a, 6);
R3(block, a, b, c, d, e, 7);
R3(block, e, a, b, c, d, 8);
R3(block, d, e, a, b, c, 9);
R3(block, c, d, e, a, b, 10);
R3(block, b, c, d, e, a, 11);
R4(block, a, b, c, d, e, 12);
R4(block, e, a, b, c, d, 13);
R4(block, d, e, a, b, c, 14);
R4(block, c, d, e, a, b, 15);
R4(block, b, c, d, e, a, 0);
R4(block, a, b, c, d, e, 1);
R4(block, e, a, b, c, d, 2);
R4(block, d, e, a, b, c, 3);
R4(block, c, d, e, a, b, 4);
R4(block, b, c, d, e, a, 5);
R4(block, a, b, c, d, e, 6);
R4(block, e, a, b, c, d, 7);
R4(block, d, e, a, b, c, 8);
R4(block, c, d, e, a, b, 9);
R4(block, b, c, d, e, a, 10);
R4(block, a, b, c, d, e, 11);
R4(block, e, a, b, c, d, 12);
R4(block, d, e, a, b, c, 13);
R4(block, c, d, e, a, b, 14);
R4(block, b, c, d, e, a, 15);
/* Add the working vars back into digest[] */
digest[0] += a;
digest[1] += b;
digest[2] += c;
digest[3] += d;
digest[4] += e;
/* Count the number of transformations */
transforms++;
}
static void buffer_to_block(const std::string &buffer, uint32_t block[BLOCK_INTS])
{
/* Convert the std::string (byte buffer) to a uint32_t array (MSB) */
for (size_t i = 0; i < BLOCK_INTS; i++)
{
block[i] =
(buffer[4 * i + 3] & 0xFF)
| (buffer[4 * i + 2] & 0xFF) << 8
| (buffer[4 * i + 1] & 0xff) << 16
| (buffer[4 * i + 0] & 0xff) << 24;
}
}
SHA1::SHA1()
{
reset(digest, buffer, transforms);
}
void SHA1::update(const std::string &s)
{
std::istringstream is(s);
update(is);
}
void SHA1::update(std::istream &is)
{
while (true)
{
char sbuf[BLOCK_BYTES];
is.read(sbuf, BLOCK_BYTES - buffer.size());
buffer.append(sbuf, is.gcount());
if (buffer.size() != BLOCK_BYTES)
{
return;
}
uint32_t block[BLOCK_INTS];
buffer_to_block(buffer, block);
transform(digest, block, transforms);
buffer.clear();
}
}
/*
* Add padding and return the message digest.
*/
std::string SHA1::final()
{
auto str = final_bin();
std::ostringstream result;
for (size_t i = 0; i < str.size(); i++)
{
char b[3];
sprintf(b, "%02x", static_cast<unsigned char>(str[i]));
result << b;
}
return result.str();
}
std::string SHA1::final_bin()
{
/* Total number of hashed bits */
uint64_t total_bits = (transforms*BLOCK_BYTES + buffer.size()) * 8;
/* Padding */
buffer += 0x80;
size_t orig_size = buffer.size();
while (buffer.size() < BLOCK_BYTES)
{
buffer += (char)0x00;
}
uint32_t block[BLOCK_INTS];
buffer_to_block(buffer, block);
if (orig_size > BLOCK_BYTES - 8)
{
transform(digest, block, transforms);
for (size_t i = 0; i < BLOCK_INTS - 2; i++)
{
block[i] = 0;
}
}
/* Append total_bits, split this uint64_t into two uint32_t */
block[BLOCK_INTS - 1] = total_bits;
block[BLOCK_INTS - 2] = (total_bits >> 32);
transform(digest, block, transforms);
/* Hex std::string */
std::string result;
for (size_t i = 0; i < sizeof(digest) / sizeof(digest[0]); i++)
{
for (size_t b = 0; b < sizeof(digest[0]) / sizeof(uint8_t); b++)
{
result.push_back((digest[i] >> (8 * (sizeof(digest[0]) / sizeof(uint8_t)-1 - b))) & 0xFF);
}
}
/* Reset for next run */
reset(digest, buffer, transforms);
return result;
}
std::string SHA1::from_file(const std::string &filename)
{
std::ifstream stream(filename.c_str(), std::ios::binary);
SHA1 checksum;
checksum.update(stream);
return checksum.final();
}
std::string SHA1::encode(const std::string &s)
{
SHA1 sha1;
sha1.update(s);
return sha1.final();
}
std::string SHA1::encode_bin(const std::string &s)
{
SHA1 sha1;
sha1.update(s);
return sha1.final_bin();
}
加密代码如下,具体看checkWeakpass功能中如何实现解析的即可,我这个实现肯定是可以的,自己是实践在自己工具上的,图就不放了,大家有兴趣可以自己试试
#include "m_mysql_exp.h"
#include "crypto_Sha1.h"
extern mutex g_vServiceMutex;
extern vector<ServiceVuln> g_vServiceVuln;
m_mysql_exp::m_mysql_exp(PortService portService)
{
this->portService = portService;
}
m_mysql_exp::~m_mysql_exp()
{
}
void m_mysql_exp::checkServiceIsVuln(){
if (!s_net_scanner::checkAliveReturn(this->portService.serviceIpAddr)){
this->checkWeakpass();
}
}
void m_mysql_exp::mysql_init(string& receiveData1){
byte bSalt1[9] = { 0 };
byte bSalt2[13] = { 0 };
char szBuffer[100]{ 0 };
char* p = NULL;
memset(szBuffer, 0, 100);
memcpy(szBuffer, receiveData1.c_str(), receiveData1.size());
DWORD dwPacketSize = *(DWORD*)receiveData1.c_str();
p = new char[dwPacketSize];
char* pTemp = p;
memcpy(pTemp, szBuffer + 4, dwPacketSize);
pTemp++;
int iVersionLength = strlen(pTemp + 1) + 2;
pTemp += iVersionLength;
int threadId = *(int*)pTemp;
pTemp += 4;
memcpy(bSalt1, pTemp, 9); // salt1
pTemp += 9;
pTemp += 18;
memcpy(bSalt2, pTemp, 13); // salt2
if (p != NULL){
delete p;
p = NULL;
}
}
void m_mysql_exp::mysql_connect(){
}
string m_mysql_exp::hex2String(const char* data, size_t length){
size_t i;
char szBuffer[100] = { 0 };
for (i = 0; i < length; i++) {
sprintf(szBuffer, "%s%02x", szBuffer, (unsigned char)data[i]);
}
return szBuffer;
}
void m_mysql_exp::checkWeakpass(){
string bugName = "weakpass";
vector<string> vUsername{ "root", "mysql", "test" };
vector<string> vPassword{ "root", "test", "mysql", "root123", "test123", "mysql123", "root@123", "test@123", "123456", "mysql@123",
"admin@123", "Aa@123456"};
char native_password[] = { 0x6d, 0x79, 0x73, 0x71, 0x6c, 0x5f, 0x6e, 0x61, 0x74, 0x69,
0x76, 0x65, 0x5f, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x00 };
TcpClient tcpClient;
char szBuffer[MAX_PATH]{ 0 };
char* p = NULL;
int packetSize;
string receiveData1;
for (DWORD i = 0; i < vUsername.size(); i++){
for (DWORD j = 0; j < vPassword.size(); j++){
SOCKET clientSocket;
if (!tcpClient.initWinSock())
{
if (!tcpClient.createSocket(clientSocket))
{
if (!tcpClient.connectSocket(clientSocket, this->portService.serviceIpAddr, this->portService.dwServicePort))
{
if (!tcpClient.receiveData(clientSocket, receiveData1, &packetSize))
{
byte bSalt1[9] = {};
byte bSalt2[13] = {};
char szBuffer[100]{ 0 };
char* p = NULL;
memset(szBuffer, 0, 100);
memcpy(szBuffer, receiveData1.c_str(), packetSize);
DWORD dwPacketSize = *(PDWORD)szBuffer;
p = new char[dwPacketSize];
RtlZeroMemory(p, dwPacketSize);
memcpy(p, szBuffer + 4, dwPacketSize);
char* pTemp = p;
pTemp++;
int iVersionLength = strlen(pTemp + 1) + 2;
pTemp += iVersionLength;
int threadId = *(int*)pTemp;
pTemp += 4;
memcpy(bSalt1, pTemp, 9); // salt1
pTemp += 9;
pTemp += 18;
memcpy(bSalt2, pTemp, 13); // salt2
pTemp = NULL;
if (p != NULL){
delete p;
p = NULL;
}
// 开始通过salt1 salt2来进行加密
memset(szBuffer, 0, 100);
memcpy(szBuffer, bSalt1, 8);
memcpy(szBuffer + 8, bSalt2, 12);
// SHA1(password) XOR SHA1( "20-bytes random data from server" <concat> SHA1(SHA1(password)))
string p1Bytes = SHA1::encode_bin(vPassword[j]);
string randomBytes = SHA1::encode_bin(string(szBuffer) + SHA1::encode_bin(p1Bytes));
string p3Bytes;
p3Bytes.resize(20);
for (DWORD p = 0; p<randomBytes.size(); p++){ p3Bytes[p] = p1Bytes[p] ^ randomBytes[p]; }
// 开始拼接认证包
char* p1 = new char[100];
RtlZeroMemory(p1, 100);
pTemp = p1;
pTemp += 3;
*pTemp = 0x01;
pTemp++;
*(PWORD)pTemp = 0xa685;
pTemp += 2;
*pTemp = 0xff;
pTemp++;
*pTemp = 0x01;
pTemp++;
*(PDWORD)pTemp = 0x1000000;
pTemp += 4;
*pTemp = 0x21;
pTemp += 2;
pTemp += 22;
strcpy(pTemp, vUsername[i].c_str());
pTemp += vUsername[i].size();
*(PWORD)pTemp = 0x1400;
pTemp += 2;
memcpy(pTemp, p3Bytes.data(), p3Bytes.size());
pTemp += p3Bytes.size();
memcpy(pTemp, native_password, 22);
pTemp += 22;
DWORD dwRangeSize = (DWORD)pTemp - (DWORD)p1 - 4;
*(PWORD)p1 = dwRangeSize;
string finaDataString = string(p1, dwRangeSize+4);
pTemp = NULL;
if (p1 != NULL){
delete p1;
p1 = NULL;
}
receiveData1.clear();
Sleep(50);
if (!tcpClient.sendData(clientSocket, finaDataString))
{
if (!tcpClient.receiveData(clientSocket, receiveData1, &packetSize))
{
pTemp = (char*)receiveData1.c_str();
pTemp += 5;
if (*pTemp == 0){
memset(szBuffer, 0, 100);
sprintf(szBuffer, "%s %s %s %s/%s", this->portService.serviceIpAddr.data(), this->portService.serviceNameString.data(),
bugName.data(), vUsername[i].data(), vPassword[j].data());
g_vServiceMutex.lock();
g_vServiceVuln.push_back(ServiceVuln(this->portService.serviceNameString, true, true, this->portService.dwServicePort, szBuffer));
g_vServiceMutex.unlock();
closesocket(clientSocket);
return;
}
}
}
closesocket(clientSocket);
}
}
}
}
}
}
return;
}
浙公网安备 33010602011771号