Question

I have DBA authority to a Sybase database on Windows.

I have another user that I don't know the password for.

I regularly use an application that does know the password, and it uses the password to automatically login to the application. However, I can't find a way to find that password anywhere in the application or its dlls/files/registry/etc.

I obviously don't want to just change the password of the user, as the password in the application can't be updated (that I know of).

I want to be able to login to the database as this user.

Are there any logging settings for the database server that will log the password in plaintext? Or any other methods I can use to obtain the password (maybe via login_procedure)? I'd also be okay with just obtaining the hash for the password (+salt).

Solution

There is no SAP Sybase supported way to get the password in plaintext. You can view the hashed password by querying the master..syslogins.passwords column.

A possible workaround would be to create a new user, and alias them to the user in question inside the database.

sp_addalias is the command you would use to do something like that.

OTHER TIPS

You can't get the plaintext password as it's not logged anywhere and we don't store it. What's stored in the ISYSUSER system table is the SHA-256 hash of the password, and so it is not possible to get the password from it. (And it's not the hash of just the password - it includes a random salt.)

However, if you have DBA authority, you can do anything in the database anyway. If you need to be connected as that particular user, you can connect as the user with DBA authority and then use the SETUSER statement.

Disclaimer: I work for SAP in SQL Anywhere engineering.

https://www.thegrideon.com/qb-internals-sql2.html

As highlighted several times in the previous parts, QuickBooks company files are SQL Anywhere database files, but QB credentials are not used for SQL Anywhere directly. The user name is converted to a hex string, and the password is calculated based on the QB password and converted to a hex string as well.

Default pair "Admin" with empty password converted into SQL Anywhere:

UID=41646d696e

PWD=064e7afebcfbae000b22c7c85e5560f89a2a028000

PWD format for QuickBooks 2018 & 2019 (SQL Anywhere 17) is different:

PWD=074c99f858df3c75f8add53fe5b3413e25cb3c2f98ec3545ae8dbe5bebda83d9fa00

SQL Anywhere UID & PWD Calculator is part of QuickBooks Forensics functionality.

Another option might be to decompile the application program and look for the password. I don't know who in their right mind would hard code a password into program code, but it kind of sounds like that is what happened here? Alternatively, if it is an internally-developed app, do you have access to the source code?

If that is what happened, and you have the ability to recompile the app, use the keyring (Mac, Linux) or DPAPI (Windows) to securely (as much as possible) store an encrypted instance of the password outside the application code. You'll be able to change it, and some random person who manages to hack in and get access to the source code or binary won't be able to inspect the program like I'm suggesting you try.

I also realize this is an old post and you've either solved the problem or moved on by now. ;-)
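
A sketch of the DPAPI approach suggested in the answer above, as an added example that is not part of the original post or of the application's code: the password is sealed to the Windows account the application runs under and kept in a file outside the binary. The file path, entropy label and sample password are assumptions made up for illustration.

```powershell
# Added example: keep a database password out of the binary by sealing it with DPAPI.
# The path, entropy label and sample password below are constructed for illustration.
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.Security

$SecretPath = Join-Path $env:LOCALAPPDATA 'ExampleApp\db-password.bin'   # hypothetical location
$Entropy    = [Text.Encoding]::UTF8.GetBytes('ExampleApp/db-login/v1')   # app-specific label, not a secret
$Scope      = [Security.Cryptography.DataProtectionScope]::CurrentUser

function Save-DbPassword {
    param([Parameter(Mandatory)][securestring]$Password)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $bytes = [Text.Encoding]::UTF8.GetBytes($plain)
        $blob  = [Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $Scope)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        if ($null -ne $bytes) { [Array]::Clear($bytes, 0, $bytes.Length) }
    }
    New-Item -ItemType Directory -Path (Split-Path $SecretPath) -Force | Out-Null
    [IO.File]::WriteAllBytes($SecretPath, $blob)
}

function Get-DbPassword {
    if (-not (Test-Path $SecretPath)) { throw "No stored password at $SecretPath; run Save-DbPassword first." }
    $blob = [IO.File]::ReadAllBytes($SecretPath)
    try   { $bytes = [Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope) }
    catch { throw 'Blob cannot be decrypted under this Windows account (different user, machine or entropy).' }
    try     { [Text.Encoding]::UTF8.GetString($bytes) }
    finally { [Array]::Clear($bytes, 0, $bytes.Length) }
}

# Provisioning, run once as the account the application runs under:
#   Save-DbPassword -Password (Read-Host 'DB password' -AsSecureString)
# Rotation is the same call after the password has been changed in the database.

# Round trip with a constructed sample value
Save-DbPassword -Password (ConvertTo-SecureString 'constructed-sample-pw' -AsPlainText -Force)
if ((Get-DbPassword) -ne 'constructed-sample-pw') { throw 'round trip failed' }
```

With `CurrentUser` scope the blob is tied to one Windows account: a copy of the file or of the binary taken elsewhere does not decrypt, but any code already running as that account can call `Unprotect` on it as well.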

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow