SQL Developer stores its connection passwords in an XML file. Although this might seem safe because the passwords are stored encrypted, I found out that they can be decrypted.
I needed a password in readable format, so I Googled for an answer :-).
Looking here I saw that others had the same question :-).
Luckily somebody else, mostly Adam Paynter, did all the legwork and made a Java class to decode it.
Chris Jones made a Java class, ready to be used in the database, out of it.
So using this as the Java Class in the database:
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "Decrypt" AS
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.*;

/**
 * Decrypt passwords stored in Oracle SQL Developer. This is intended for
 * password recovery.
 *
 * Passwords are stored in
 * ~/.sqldeveloper/system2.1.1.64.39/o.jdeveloper.db.connection
 * .11.1.1.2.36.55.30/connections.xml
 */
public class Decrypt {
  public static byte[] decryptPassword(byte[] result) throws GeneralSecurityException {
    // Byte 0 is a fixed marker; anything other than 5 is not this format.
    byte constant = result[0];
    if (constant != (byte) 5) {
      throw new IllegalArgumentException();
    }

    // Bytes 1-8 are the DES key, stored in the clear next to the ciphertext.
    byte[] secretKey = new byte[8];
    System.arraycopy(result, 1, secretKey, 0, 8);

    // Everything from byte 9 onwards is the encrypted password.
    byte[] encryptedPassword = new byte[result.length - 9];
    System.arraycopy(result, 9, encryptedPassword, 0, encryptedPassword.length);

    // The IV is all zeros.
    byte[] iv = new byte[8];
    for (int i = 0; i < iv.length; i++) {
      iv[i] = 0;
    }

    Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(secretKey, "DES"), new IvParameterSpec(iv));
    return cipher.doFinal(encryptedPassword);
  }

  public static void main(String[] args) {
    if (args.length != 1) {
      System.err.println("Usage: java Decrypt");
      System.exit(1);
    }

    if (args[0].length() % 2 != 0) {
      System.err.println("Password must consist of hex pairs. Length is odd (not even).");
      System.exit(2);
    }

    // Convert the hex string into bytes, two characters at a time.
    byte[] secret = new byte[args[0].length() / 2];
    for (int i = 0; i < args[0].length(); i += 2) {
      String pair = args[0].substring(i, i + 2);
      secret[i / 2] = (byte) (Integer.parseInt(pair, 16));
    }

    try {
      System.out.println(new String(decryptPassword(secret)));
    } catch (GeneralSecurityException e) {
      e.printStackTrace();
      System.exit(3);
    }
  }
}
;
/
and this as a PL/SQL wrapper:
create or replace PROCEDURE "GET_SQL_PW"("P_HASH" IN VARCHAR2)
IS language java name 'Decrypt.main( java.lang.String[] )';
/
you now have something that decodes the passwords.
How to actually use this?
Just use this in SQL Developer:
---------- Usage of the procedure
set serveroutput on size 1000000;
-- reroute println etc. to DBMS_OUTPUT
call dbms_java.set_output (1000000);
-- decode pw; dbms_output shows password
exec get_sql_pw('05F2CFAA600383C3614C41D6BE2A6558FE');
---------
Note the use of dbms_java.set_output. This reroutes all the System.out lines to the DBMS_OUTPUT console. I did this so that I wouldn't have to rewrite the Java code to return a value instead of writing it to the console.
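The Decrypt class shows why these values can be recovered: the DES key is stored in the same blob as the ciphertext. As an added example (not part of the original post or of the Java class above), this Python script checks a file's text for values with that layout so they can be found and rotated; the XML element and attribute names in the sample are hypothetical, and the sample file is constructed around the hex value used above.

```python
import re
from dataclasses import dataclass

# Layout taken from the Decrypt class above:
#   byte 0      constant 0x05
#   bytes 1-8   DES key, stored in the clear
#   bytes 9..   DES/CBC/PKCS5Padding ciphertext (zero IV), a multiple of 8 bytes
# Smallest possible value is 1 + 8 + 8 = 17 bytes, i.e. 34 hex characters.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){17,}(?![0-9A-Fa-f])")

@dataclass
class LegacyBlob:
    key: bytes
    ciphertext: bytes

def parse_blob(hex_value: str):
    """Return a LegacyBlob if hex_value has the layout Decrypt accepts, else None."""
    try:
        raw = bytes.fromhex(hex_value)
    except ValueError:
        return None
    if len(raw) < 17 or raw[0] != 0x05:
        return None
    key, ciphertext = raw[1:9], raw[9:]
    if len(ciphertext) % 8 != 0:  # DES works on 8-byte blocks
        return None
    return LegacyBlob(key, ciphertext)

def find_legacy_blobs(text: str):
    """Return (line_number, hex_value) for every value in text with that layout."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HEX_RUN.finditer(line):
            if parse_blob(match.group()) is not None:
                hits.append((lineno, match.group()))
    return hits

# Constructed sample file; element and attribute names are hypothetical.
SAMPLE = """<connections>
  <entry name="dev" password="05F2CFAA600383C3614C41D6BE2A6558FE"/>
  <entry name="id" value="0123456789ABCDEF0123456789ABCDEF01"/>
  <entry name="short" password="05F2CFAA"/>
</connections>"""

if __name__ == "__main__":
    for lineno, value in find_legacy_blobs(SAMPLE):
        blob = parse_blob(value)
        print(f"line {lineno}: {len(blob.key)}-byte key stored next to "
              f"{len(blob.ciphertext)}-byte ciphertext")
```

A hit means the password is recoverable by anyone who can read the file, so the file needs the same protection as the passwords themselves.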