SysAdmin, avoid Data Leakage! It’s all about decode passwords…

All About Data Integrity in 6 steps:

  1. As every of you know, data integrity is one of Corporate Ethical items. These days we have to pay attention on everything we search and input on Internet that is about our daily customer’s data, day-by-day, etc. Data leakage is very common in behind the scenes.
  2. It’s very common go over Search Engines for stuffs how-to, specially when those are very specific.
  3. XOR Password are used mainly for WebSphere family products, and usually are administrative or Database’s password written into XML in plain text, but XOR decoded.
  4. What is like XOR password? Look at that: {xor}Bjo+N34GMCoSPjs6Fit+
  5. Easily it can be decoded? Use that HTML attached and avoid expose the password to Internet watchers!
  6. Here is the content of JavaScript. If you think it is a good practice, share to every SysAdmin, DBA, Web Admin and technical enthusiasts.

<html>

<head>
<title>{xor} password decoder and encoder</title>

var END_OF_INPUT = -1;

var base64Chars = new Array(
‘A’,’B’,’C’,’D’,’E’,’F’,’G’,’H’,
‘I’,’J’,’K’,’L’,’M’,’N’,’O’,’P’,
‘Q’,’R’,’S’,’T’,’U’,’V’,’W’,’X’,
‘Y’,’Z’,’a’,’b’,’c’,’d’,’e’,’f’,
‘g’,’h’,’i’,’j’,’k’,’l’,’m’,’n’,
‘o’,’p’,’q’,’r’,’s’,’t’,’u’,’v’,
‘w’,’x’,’y’,’z’,’0′,’1′,’2′,’3′,
‘4’,’5′,’6′,’7′,’8′,’9′,’+’,’/’
);

var reverseBase64Chars = new Array();
for (var i=0; i

var base64Str;
var base64Count;
function setBase64Str(str){
base64Str = str;
base64Count = 0;
}
function readBase64(){
if (!base64Str) return END_OF_INPUT;
if (base64Count >= base64Str.length) return END_OF_INPUT;
var c = base64Str.charCodeAt(base64Count) & 0xff;
base64Count++;
return c;
}
function encodeBase64(str){
setBase64Str(str);
var result = ”;
var inBuffer = new Array(3);
var lineCount = 0;
var done = false;
while (!done && (inBuffer[0] = readBase64()) != END_OF_INPUT){
inBuffer[1] = readBase64();
inBuffer[2] = readBase64();
result += (base64Chars[ inBuffer[0] >> 2 ]);
if (inBuffer[1] != END_OF_INPUT){
result += (base64Chars [(( inBuffer[0] > 4) ]);
if (inBuffer[2] != END_OF_INPUT){
result += (base64Chars [((inBuffer[1] > 6) ]);
result += (base64Chars [inBuffer[2] & 0x3F]);
} else {
result += (base64Chars [((inBuffer[1] = 76){
result += (‘\n’);
lineCount = 0;
}
}
return result;
}

function readReverseBase64(){
if (!base64Str) return END_OF_INPUT;
while (true){
if (base64Count >= base64Str.length) return END_OF_INPUT;
var nextCharacter = base64Str.charAt(base64Count);
base64Count++;
if (reverseBase64Chars[nextCharacter]){
return reverseBase64Chars[nextCharacter];
}
if (nextCharacter == ‘A’) return 0;
}
return END_OF_INPUT;
}

function ntos(n){
n=n.toString(16);
if (n.length == 1) n=”0″+n;
n=”%”+n;
return unescape(n);
}

function decodeBase64(str){
setBase64Str(str);
var result = “”;
var inBuffer = new Array(4);
var done = false;
while (!done && (inBuffer[0] = readReverseBase64()) != END_OF_INPUT
&& (inBuffer[1] = readReverseBase64()) != END_OF_INPUT){
inBuffer[2] = readReverseBase64();
inBuffer[3] = readReverseBase64();
result += ntos((((inBuffer[0] > 4));
if (inBuffer[2] != END_OF_INPUT){
result +=  ntos((((inBuffer[1] > 2));
if (inBuffer[3] != END_OF_INPUT){
result +=  ntos((((inBuffer[2]

function decode() {

  var s = document.form1.encodedtxt.value;

  // strip {xor} if existant
if (s.toUpperCase().substring(0,5)==”{XOR}”) {
s = s.substr(5);
}

s = decodeBase64( s );

// XOR each char to ASCII(‘_’) (underscore is 95)
var r = ”;
for (i=0; i

function encode() {

  var s = document.form1.decodedtxt.value;

// XOR each char to ASCII(‘_’) (underscore is 95)
var r = ”;
for (i=0; i

<style><!–
body { font:12pt “Trebuchet MS”,arial,sans-serif; }
.smaller { font-size:9pt; }
//–></style>
</head>
<body>

<form id=”form1″ name=”form1″>
<h3>WebSphere {xor} password decoder and encoder</h3>

 <p>encoded string: <input id=”encodedtxt” type=”text” value=”{xor}CDo9Hgw=” size=”30″>
<button onclick=”javascript:decode(); return false;”>decode &rarr;</button>
&nbsp;
<button onclick=”javascript:encode(); return false;”>&larr; encode</button>
decoded string: <input id=”decodedtxt” type=”text” value=”” size=”30″>

<p>&nbsp;</p>

</form>
</body>
</html>

Anúncios

Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do WordPress.com

Você está comentando utilizando sua conta WordPress.com. Sair /  Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair /  Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair /  Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair /  Alterar )

Conectando a %s