Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam  Beyond Security  SecuriTeam Home  Ask the Team  Mailing Lists  Advertising Info  Blogs  Black Box Testing  Vulnerability Assessment  Vulnerability Scanner SecuriTeam in Your Inbox   E-mail this article to a friend New vulnerability? New tool? Tell us	dSQLSRVD, SQL Server SysComments Decryptor 23 Dec. 2001     Credit: The tool can be downloaded from: http://www.geocities.com/d0mn4r/dSQLSRVD.html The information has been provided by dOMNAR.    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner dSQLSRVD - dOMNAR's SQL Server SysComments Decryptor - has been designed to assist developers and administrators of SQL Server 7 and 2000 with examining stored procedures, triggers, views and user-defined functions, in order to gain better insight into 3rd party applications and their database functionality. Such a task is often necessary when integrating a new system with a company's existing systems, or when optimizing a database server's performance. Unfortunately, some companies insist on using the "With Encryption" clause in their T-SQL-code, which prevents the use of sp_helptext, the stored procedure normally used to extract the stored T-SQL-definition from the syscomments system-table. Why they do this is a puzzle, since encrypting something that can be decrypted without user interaction (i.e., entering of a password) isn't anything else than the infamous security by obscurity. Such "security" can always be broken in short time (speaking in cryptological terms), and offers no real security, which this utility is a proof of. It should be pointed out that Microsoft does not use the encryption clause for any of its own code accompanying SQL Server. SQL Server encryption notes: For SQL Server 7 you will only need an account with read-access on the syscomments table, which is the default. The encryption algorithm uses a static key for all encrypted entries. In SQL Server 2000, Microsoft improved the encryption somewhat, so that it is now impossible for accounts that are not members of the SysAdmin role to decrypt syscomments entries. This is because they changed the encryption algorithm to use dynamically calculated keys based on certain database specific information that can only be read by SysAdmins. Because of the algorithms used, brute forcing would not be a feasible solution.  Comments: Subject:  SQL Server 2005 SysComments Decrypter  Date:  9 Jun. 2006 From: Max H. dSQLSRVD does not work with SQL Server 2005. You need to use decrypter from http://www.elitude.net/ for SQL Server 2005  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Netifera - Modular Open Source Platform for Security Tools WarVOX - Tools for Exploring, Classifying, and Auditing Telephone Systems Webshag - Web Server Audit Tool Browser Fuzzer FSpy - Linux Filesystem Activity Monitoring telnetrecon - Telnet Recon Zerowine Sandbox JPEG Fuzzer VNC Server Fuzzer RSH Fuzzer Exomind Browser Rider MP3 TAG Fuzzer PDFuzzer - PDF File Standard Fuzzer Miranda - UPNP Administration and Audit Tool  Featured Articles Adobe Shockwave Player Director File Parsing Pointer Overwrite Mozilla Firefox Java Applet Loading Vulnerability Microsoft Internet Explorer Security Zone Restrictions Bypass Adobe Acrobat and Reader Heap Overflow Vulnerability Adobe Reader U3D Stack Overflow Vulnerability Apple CUPS NULL Pointer Vulnerability SonicWALL Global Security Client Privilege Escalation Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2008 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®