Strange Hash - Mysql 2000

[shesellsseaSHELLS]

Hi there guys,

Just conducting an assesment recently when i found a hash i've never seen before.

Here's the sample " UceWpAaS6iw55I1cwoc75xjsXDk= " Without the quotes.

It was from a mysql 2000 server i am wondering if anyone has seen this type of hash before.

If so what is the name of it.

Any input would be greatly appreciated. Cheers

[digininja]

I doubt that it is a hash, more likely something encrypted. Most hashes produce output that can easily be shown in hex but this is a base64 encoded string which when decoded gives non-ascii values.

[shesellsseaSHELLS]

Yes sorry i used the wrong terminology. It is encrypted you are correct, My further question is, The possibilty of remotely de-crypting the hash through sequel injection. Either that or obtaining admin password and somehow getting remotely client side. Just hypothetical of course !

[digip]

If we knew where and within what context it came from, might make more sense. Could be any iteration of things to come up with a string like that, like gzip, str13, base-64 in one(although its not any of those or iterations of, already checked) Its most likely something like gpg key or such. Spill the beans on where you got it, might make it easier to figure out what it is.

[digininja]

Agreed, without further context it could be anything.

In your apology for getting the terminology wrong you got it wrong again, a hash is a one way function, what you have there is something that is encoded in some way. If it is a password then it is probably encrypted but could, as digip says, simply be compressed in some way. It could still be an odd hashing algorithm but without knowing for sure the best you can say is "encoded data"

And decoding it through SQLi directly is unlikely, the encoding is probably done in code and just given to the database to store. What I would generally do in those situations is to use the SQLi to get further on to the server and try to acquire the encode/decode functions and any related keys, you then run the code on your own machine to decode the data.

[bwall]

When the base64 is decoded, it comes to 20 bytes(same as raw sha1), and when converted from binary data to ASCII hex, its comes to 51C796A40692EA2C39E48D5CC2873BE718EC5C39. I would try cracking that SHA-1.

A hash does not need to be ASCII hex, as the format that comes from the actual algorithms is the binary form, not the ASCII hex form. The ASCII hex form is just the default way to display it, even though base64 is more compressed(but takes more time to compute). Most hashing algorithms end up with just a set of 4 byte integers lined up to make the actual hash. In MD5, its 4 4 byte integers. In SHA-1 it is actually 5 4 byte integers, hence 20 byte raw SHA-1.

[digininja]

Well spotted, I hadn't checked how long it was so it could be a SHA-1. Every library I've used to generate hashes returns them as strings but I supposed there is no reason why there isn't one out there that returns it as a raw blob.

I'd still try to leverage the SQLi to try to grab the source then you'd know for definite.