I created a script in Jython which extracts some properties of a Data Source from WAS 7. One of these properties is the Authentication Alias. I know that the password is encrypted, but the project has a semi-didactic purpose, so the focus is on retrieving the username and password, not to hack something.
How can I extract the properties of the Authentication Alias, I mean the username and the password?
Thanks in advance!
I solved the problem. :) Let's start with the beginning.
You have to find the security.xml file (WAS_HOME/AppServer/profiles/Profile_Name/config/cells/Cell_Name/security.xml) and search it for the Authentication Alias.
Keep the line that contains the Auth Alias in a variable called Line and then extract the username, password and description.
After that you have to decrypt your password with an XOR algorithm, and write the variables to a file as a list. Ex: AuthDataAlias = [\ ['AuthAlias', 'username', 'password', 'description'] ]
Code:
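import sys, java, java.io, java.lang, base64, binascii

resFile = "resources.res"

def search ( alias, file ):
    # Find the line of security.xml that holds the given alias
    Line = None
    f = open(file)
    lines = f.readlines()
    f.close()
    for line in lines:
        poz = line.find('/'+alias)
        if poz > 0:
            Line = line
            break
    if Line is None:
        print "Alias not found: " + alias
        return
    # Attribute values are cut out by position, so this relies on the
    # attribute order userId, password, description
    user = Line[Line.find('userId=')+8:Line.find('\" password')]
    # +15 skips 'password="' and the '{xor}' prefix
    password = Line[Line.find('password=')+15:Line.find('\" description')]
    password = decrypt(password)
    description = Line[Line.find('description=')+13:Line.find('\"/>')]
    write ( alias, user, password, description, resFile)

def write ( alias, user, password, desc, file ):
    objItemFileOutputStream = java.io.FileOutputStream(file, 1) # append at end of file
    objItemFileOutputStream.write('\n')
    AuthList = "AuthDataAlias = [\\\n[\'"+alias+"\', \'"+user+"\', \'"+password+"\', \'"+desc+"\'] ]"
    objItemFileOutputStream.write(AuthList)
    objItemFileOutputStream.close()

def decrypt ( word ):
    if not len(word) > 1: sys.exit()
    word = word.replace(':', '')
    # Base64-decode, then XOR every byte with '_'
    value1 = binascii.a2b_base64(word)
    value2 = '_' * len(value1)
    out = ''
    for a, b in zip(value1, value2):
        out = ''.join([out, chr(ord(a) ^ ord(b))])
    return out

#MAIN
# AuthAlias and securityFile are not defined in the posted code; placeholder values:
AuthAlias = 'AuthAlias'
securityFile = 'WAS_HOME/AppServer/profiles/Profile_Name/config/cells/Cell_Name/security.xml'
search ( AuthAlias, securityFile )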
If anyone gets stuck with this issue feel free to post your questions and I will try to answer ASAP.
I'm using the BeforeConnect option in Genexus. I put this code in a procedure...
&UserID = &websession.Get("db")
//select the Database depending on websession
Do Case
Case &UserID = "1"
&DataBase = "CambioDB1"
Case &UserID = "2"
&DataBase = "CambioDB2"
Otherwise
&DataBase = "CambioDB1" //default database
EndCase
//Change connection properties
&dbconn = GetDatastore("Default")
&dbconn.UserName = 'username'
&dbconn.UserPassword = 'password'
&dbconn.ConnectionData = "DATABASE=" + &DataBase.Trim() //SQLServer
... set the BeforeConnect property and it works.
But how can I avoid putting the password of the db in the code?
I was thinking to use a file to read from, but it would be an unencrypted password anyway.
How can I solve this? Is there a way to manage this or do I have to risk the password in clear text?
Nicola,
You may use the ConfigurationManager to read a value from the standard config file (client.cfg for Java, web.config for .net).
&MyPassword = ConfigurationManager.GetValue('MY_PASSWORD')
Add a value to your configuration file with the password.
For example:
MY_PASSWORD=my-db-password
You probably want to save the password encrypted for an extra layer of security.
Simple:
&EncPass = Encrypt64(&Password, &SysEncKey)
Stronger encryption:
https://wiki.genexus.com/commwiki/servlet/wiki?42682,Symmetric+Stream+Encryption
&EncPass = &SymmetricStreamCipher.DoEncrypt(symmetricStreamAlgorithm, key, iv, plainText)
This is my code and I'm trying to get it so when a user does the add command, it stores their id and number they have used the command, but this isn't working, please can someone help.
num = 0
@client.command()
async def add(ctx):
    global num
    num += 1
    await ctx.send('non')
    mongo_url = "mongodb+=true&w=majority"
    cluster = MongoClient(mongo_url)
    db = cluster["mongo_url "]
    collection = db["mongo_url "]
    ping_cm = {"bank":num}
    collection.insert_one(ping_cm)
I assume your mongo_url token is incorrect, it should have your name and password and db that you are storing it to, but you are accessing your token currently instead of your bank name, whatever that is called,
for example,
db = cluster["mongo_url "] #This has been set to your token, your mongo_url which won't do anything
You have used "bank" in other parts of your code, which is really confusing, but I assume that's what you want to do and access. This will then store it in different rows for each user id who uses the command.
from pymongo import MongoClient

num = 0
@client.command()
async def add(ctx):
    global num
    num += 1
    await ctx.send('non')
    mongo_url = "YOUR_MONGO_DATABASE_URL"
    cluster = MongoClient(mongo_url)
    # database and collection are both named "bank"
    db = cluster["bank"]
    collection = db["bank"]
    ping_cm = {"bank":num}
    collection.insert_one(ping_cm)
    await ctx.channel.send("Bank Updated!")
Make sure you are providing your mongo url "properly", otherwise the code won't be working at all. They should look like this, e.g.:
EXAMPLE ONLY
mongo_url = "mongodb+srv://name:password@bank.9999000.mongodb.net/bank?retryWrites=true&w=majority" #EXAMPLE
You can get the URL when you go to the database you want to connect to, then click manage > db_url and copy that where I have included "YOUR_MONGO_DATABASE_URL". That should work if it is correct.
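An added example, not part of the original answer: one way to assemble the connection string in the format shown above without keeping the password in the source, check it before handing it to MongoClient, and log it with the password redacted. The MONGO_* environment variable names, the host bank.example.net and the sample password are constructed for illustration.

```python
import os
from urllib.parse import quote_plus, urlsplit, urlunsplit

def build_mongo_url(user, password, host, database):
    """Assemble a mongodb+srv:// URL with percent-encoded credentials."""
    # Unencoded '@', ':', '/' or '#' in a password would be read as URL
    # delimiters and silently change the host or database that is parsed.
    return "mongodb+srv://%s:%s@%s/%s?retryWrites=true&w=majority" % (
        quote_plus(user), quote_plus(password), host, database)

def mongo_url_from_env(env=os.environ):
    """Read the parts from the environment so no password sits in the source.
    The MONGO_* variable names are hypothetical."""
    return build_mongo_url(env["MONGO_USER"], env["MONGO_PASSWORD"],
                           env["MONGO_HOST"], env["MONGO_DB"])

def check_mongo_url(url):
    """Return a list of problems found in a connection string (empty = OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        problems.append("scheme must be mongodb:// or mongodb+srv://")
    if not parts.hostname:
        problems.append("missing host")
    if not parts.username or not parts.password:
        problems.append("missing user name or password")
    if not parts.path.strip("/"):
        problems.append("missing default database name")
    return problems

def redact(url):
    """Copy of the URL that is safe to log: the password is replaced."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    netloc = "%s:***@%s" % (parts.username or "", parts.hostname)
    if parts.port:
        netloc += ":%d" % parts.port
    return urlunsplit((parts.scheme, netloc, parts.path,
                       parts.query, parts.fragment))

if __name__ == "__main__":
    # Constructed sample values standing in for real environment variables
    sample = {"MONGO_USER": "name", "MONGO_PASSWORD": "p@ss/w#rd",
              "MONGO_HOST": "bank.example.net", "MONGO_DB": "bank"}
    url = mongo_url_from_env(sample)
    print(check_mongo_url(url), redact(url))
    # The string from the question fails every structural check but one
    print(check_mongo_url("mongodb+=true&w=majority"))
```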
I am looking for a way to prompt for password (that is, no input echo).
I am using jython in WebSphere's 7.0.0.19 wsadmin.
I've looked for it - it appears to be possible with import getpass or import termios (but I get "no module named ..." exception).
Any way to prompt for password anyway?
Thank you.
You can use the following code. It basically uses Java's console() if present (note that console may not be present all the time) else use raw_input() and password masking logic.
# if console is not available (ex: when invoked from a shell script or another java process)
# we need to fall back to use raw_input, but we should mask the password if we use it
import sys, thread, time, threading
import java
from java.lang import String

def getPass(stream=None):
    console = java.lang.System.console()
    if console is None:
        global p_stopMasking
        if not stream:
            stream = sys.stderr
        try:
            p_stopMasking = 0
            # background thread overwrites each typed character with '*'
            threading.Thread(target=_doMasking,args=(stream,)).start()
            password = raw_input()
            p_stopMasking = 1
        except Exception, e:
            p_stopMasking = 1
            print "Error Occurred"
            print e
            sys.exit()
    else:
        password = console.readPassword()
    return String.valueOf(password)

def _doMasking(stream):
    while not p_stopMasking:
        # backspace followed by '*'
        stream.write("\010*")
        #stream.write("\n")
        stream.flush()
        time.sleep(0.01)

def populateCredentials():
    global username
    global password
    print 'Enter username:'
    username = raw_input();
    print 'Enter password:'
    password = getPass(sys.stdout);

# start main
print 'start program...'
p_stopMasking= 1
username = None
password = None
populateCredentials()
print 'username is : ' + username
# demo only: echoes the password that was just read
print 'password is : ' + password
The following also worked for me:
raw_input("")
myPass = raw_input("Please enter a password: ")
This isn't perfect because it doesn't mask the password, but it does work. For some reason, if you don't specify the first "raw_input" invocation then the script won't block on the second one.
I need to check if the password for a user that will be created later on in an installation process will be valid. That is, whether it will conform to the OS validation rules. Is there an API call to check if a given password will be valid? This is on Windows.
You're looking for NetValidatePasswordPolicy function.
This can check against the local OS password policy too.
Windows 7 Help says that in password any characters can be used:
a..z
A..Z
0..9
` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /
and space.
Read here: http://windows.microsoft.com/en-GB/windows7/Tips-for-creating-strong-passwords-and-passphrases
Maybe it is possible to use regular expression to check the password.
Hey all,
I am building a gui in which there is an edit box, waiting for the user to write a name.
Currently I force the user to give a legitimate name with this code :
NewPNUName = get(handles.nameOfNewPNU, 'String');
if ( isempty(NewPNUName) ||...
        strcmp(NewPNUName,'Enter the name for the new PNU') )
    errordlg('Please enter a name for the new PNU.');
elseif (~ischar(NewPNUName(1)))
    errordlg('The PNU name should start with a letter.');
else
    handles.NewPNUName = NewPNUName;
end
if (~isempty(handles.NewPNUName))
    % Do all the things needed if there is a legit name
end
What it does is nothing if the user didn't write a legit name.
What I want it to do is to make a popup with an edit box, asking the user to input the wanted name again, until it is a legitimate name.
Thanks for the help!
EDIT:
Following @woodchips' advice I corrected my code to the following:
NewPNUName = get(handles.nameOfNewPNU, 'String');
ValidName = ~isempty(NewPNUName) && isletter(NewPNUName(1)) &&...
    ~strcmp(NewPNUName,'Enter the name for the new PNU');
while (~ValidName)
    if ( isempty(NewPNUName) ||...
            strcmp(NewPNUName,'Enter the name for the new PNU') )
        NewPNUName = char(inputdlg('Please enter a name for the new PNU.','No name entered'));
    elseif (~isletter(NewPNUName(1)))
        NewPNUName = char(inputdlg('The name of the new PNU should start with a letter. Please enter a new name',...
            'Invalid name entered'));
    else
        allConds = 'are met'
    end
    ValidName = ~isempty(NewPNUName) && isletter(NewPNUName(1)) &&...
        ~strcmp(NewPNUName,'Enter the name for the new PNU');
end
So, put a while loop around a block of code, that generates an inputdlg box. Set the condition on the while loop to be that the result is a valid one.