View Full Version : Recovering SQL connection string in .NET from configuration file
ronnie291983
May 4th, 2011, 05:45
Hi,
This might be a very lame question, but i cannot find a way to do the following:
An application is storing the sql connection string in app.exe.config file, the app is obfuscated.
The string is encrypted by marking it as protected section inside the app.exe.config.
Is there anyway to recover the decrypted string.
<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
<EncryptedData>
<CipherData>
<CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAkLtZfp04NUOd+Gp6oKeWlAQAAAACAAAAAAADZgAAqAAAABAAAAC4253VR0Qt .............. (encrypted string)</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
Darkelf
May 4th, 2011, 07:25
Is this the whole encrypted string or just a part of it?
I ask because it looks like base64 but decoding it delivers only garbage.
If it is the whole string, have you tried to trace the .exe at the location where the string is read-in? Or even better, can you read the source with Reflector or something like that?
Just guessing because you don't give much input.
Regards
darkelf
Kurapica
May 4th, 2011, 08:49
I agree with Darkelf
you should look for the classes which creates a Connection object, OleDBConnection or an SQLConnection or whatever data provider your app is using, those two objects have a property called "ConnectionString" to which the real decrypted string should be assigned, so you should trace where those objects are created and try to find the decrypted string, I remember I used PEBrowse Debugger to find the connection string of an Access database,it was also encrypted and it contained a password which was necessary to open the database in Access.
good luck
ronnie291983
May 4th, 2011, 08:49
Sorry for the lack of information,
All the encryption part is handled by .Net framework itself, it is using the following code to protect the section where the connection string is stored
L_0053: ldstr "DataProtectionConfigurationProvider"
L_0058: callvirt instance void [System.Configuration]System.Configuration.SectionInformation::ProtectSection(string)
The part where the string is read in is not part of the application code, but it think it is (correct me if i am wrong) part of the framework code.
I don't which class/method is responsible for decrypting the string in the framework itself, i am sure it is not part of the application code.
It (framework) might be doing a base64 encoding to store the generated cipher text.
And also i tried to attach to the process using DILE and deblector but not able to see the process listed in the attach list.
Any suggestions on how to proceed for debugging the app and also where to break to get the decrypted string?
disavowed
May 4th, 2011, 10:25
Just write your own program and call System.Configuration.DpapiProtectedConfigurationProvider.Decrypt(...) on that XML. Tada!
http://msdn.microsoft.com/en-US/library/system.configuration.dpapiprotectedconfigurationprovider.decrypt(v=VS.80).aspx
Powered by vBulletin® Version 4.2.2 Copyright © 2018 vBulletin Solutions, Inc. All rights reserved.