使用背景

在使用专业数据库软件Navicat 是都是习惯性的保存了默认密码，但是久而久之后 就会忘记数据库密码，然后自己也没备份，软件上面不可以直接查看填写密码， 这就很不舒服了，

但是，有个小技巧，可以查看navicat 已连接保存的密码。

第一步：首先去 导出连接

1.1导出连接获取到 connections.ncx 文件，选择需要导出的数据库


1.2 用notepad++打开，然后找到 文件里 password 字段的值

第二步：php方案破解

2.1 打开在线php工具，地址：https://tool.lu/coderunner/
2.2 把代码（代码如下）粘上去就行，然后把刚复制的加密密码替换倒数第二行里的值 , 然后运行就行了

下面是代码：

<?php
namespace FatSmallTools;
class NavicatPassword
{
protected $version = 0;
protected $aesKey = 'libcckeylibcckey';
protected $aesIv = 'libcciv libcciv ';
protected $blowString = '3DC5CA39';
protected $blowKey = null;
protected $blowIv = null;

public function __construct($version = 12)
{
$this->version = $version;
$this->blowKey = sha1('3DC5CA39', true);
$this->blowIv = hex2bin('d9c7c3c8870d64bd');
}

public function encrypt($string)
{
$result = FALSE;
switch ($this->version) {
case 11:
$result = $this->encryptEleven($string);
break;
case 12:
$result = $this->encryptTwelve($string);
break;
default:
break;
}

return $result;
}

protected function encryptEleven($string)
{
$round = intval(floor(strlen($string) / 8));
$leftLength = strlen($string) % 8;
$result = '';
$currentVector = $this->blowIv;

for ($i = 0; $i < $round; $i++) {
$temp = $this->encryptBlock($this->xorBytes(substr($string, 8 * $i, 8), $currentVector));
$currentVector = $this->xorBytes($currentVector, $temp);
$result .= $temp;
}

if ($leftLength) {
$currentVector = $this->encryptBlock($currentVector);
$result .= $this->xorBytes(substr($string, 8 * $i, $leftLength), $currentVector);
}

return strtoupper(bin2hex($result));
}

protected function encryptBlock($block)
{
return openssl_encrypt($block, 'BF-ECB', $this->blowKey, OPENSSL_RAW_DATA|OPENSSL_NO_PADDING); 
}

protected function decryptBlock($block)
{
return openssl_decrypt($block, 'BF-ECB', $this->blowKey, OPENSSL_RAW_DATA|OPENSSL_NO_PADDING); 
}

protected function xorBytes($str1, $str2)
{
$result = '';
for ($i = 0; $i < strlen($str1); $i++) {
$result .= chr(ord($str1[$i]) ^ ord($str2[$i]));
}

return $result;
}

protected function encryptTwelve($string)
{
$result = openssl_encrypt($string, 'AES-128-CBC', $this->aesKey, OPENSSL_RAW_DATA, $this->aesIv);
return strtoupper(bin2hex($result));
}

public function decrypt($string)
{
$result = FALSE;
switch ($this->version) {
case 11:
$result = $this->decryptEleven($string);
break;
case 12:
$result = $this->decryptTwelve($string);
break;
default:
break;
}

return $result;
}

protected function decryptEleven($upperString)
{
$string = hex2bin(strtolower($upperString));

$round = intval(floor(strlen($string) / 8));
$leftLength = strlen($string) % 8;
$result = '';
$currentVector = $this->blowIv;

for ($i = 0; $i < $round; $i++) {
$encryptedBlock = substr($string, 8 * $i, 8);
$temp = $this->xorBytes($this->decryptBlock($encryptedBlock), $currentVector);
$currentVector = $this->xorBytes($currentVector, $encryptedBlock);
$result .= $temp;
}

if ($leftLength) {
$currentVector = $this->encryptBlock($currentVector);
$result .= $this->xorBytes(substr($string, 8 * $i, $leftLength), $currentVector);
}

return $result;
}

protected function decryptTwelve($upperString)
{
$string = hex2bin(strtolower($upperString));
return openssl_decrypt($string, 'AES-128-CBC', $this->aesKey, OPENSSL_RAW_DATA, $this->aesIv);
}
}


use FatSmallTools\NavicatPassword;

//需要指定版本，11或12
$navicatPassword = new NavicatPassword(11);
//$navicatPassword = new NavicatPassword(11);

//解密
//$decode = $navicatPassword->decrypt('15057D7BA390');
$decode = $navicatPassword->decrypt('68700E7EA495');
echo $decode."\n";

可能解码的时候遇到乱码，这时只需要修改一下指定的版本就行了

有时候php网站故障，可以使用下面的网站破解。

三、java 方案破解

2.1 打开在线菜鸟工具，地址：https://www.runoob.com/try/runcode.php?filename=HelloWorld&type=java
2.2 把代码（代码如下）粘上去就行，然后把刚复制的加密密码替换里面的值 , 然后运行就行了

代码如下：

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
import java.util.Arrays;
 
public class NavicatPassword {
    public static void main(String[] args) throws Exception {
        NavicatPassword navicatPassword = new NavicatPassword();
 
        // 11版本及以前的密码，填写在""中，本例以11的密码为例
        String decode = navicatPassword.decrypt("9B3B1FFEFB1E3B21B2E22CB844FB0DC3", 11);
 
        // 12版本及以后的密码，填写在""中
        // String decode = navicatPassword.decrypt("9B3B1FFEFB1E3B21B2E22CB844FB0DC3", 12);

        System.out.println(decode);
    }

 
    private static final String AES_KEY = "libcckeylibcckey";
    private static final String AES_IV = "libcciv libcciv ";
    private static final String BLOW_KEY = "3DC5CA39";
    private static final String BLOW_IV = "d9c7c3c8870d64bd";
 
    public static String encrypt(String plaintext, int version) throws Exception {
        switch (version) {
            case 11:
                return encryptEleven(plaintext);
            case 12:
                return encryptTwelve(plaintext);
            default:
                throw new IllegalArgumentException("Unsupported version");
        }
    }
 
    public static String decrypt(String ciphertext, int version) throws Exception {
        switch (version) {
            case 11:
                return decryptEleven(ciphertext);
            case 12:
                return decryptTwelve(ciphertext);
            default:
                throw new IllegalArgumentException("Unsupported version");
        }
    }
 
    private static String encryptEleven(String plaintext) throws Exception {
        byte[] iv = hexStringToByteArray(BLOW_IV);
        byte[] key = hashToBytes(BLOW_KEY);
 
        int round = plaintext.length() / 8;
        int leftLength = plaintext.length() % 8;
        StringBuilder result = new StringBuilder();
        byte[] currentVector = iv.clone();
 
        Cipher cipher = Cipher.getInstance("Blowfish/ECB/NoPadding");
        SecretKeySpec secretKeySpec = new SecretKeySpec(key, "Blowfish");
        cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);
 
        for (int i = 0; i < round; i++) {
            byte[] block = xorBytes(plaintext.substring(i * 8, (i + 1) * 8).getBytes(), currentVector);
            byte[] temp = cipher.doFinal(block);
            currentVector = xorBytes(currentVector, temp);
            result.append(bytesToHex(temp));
        }
 
        if (leftLength > 0) {
            currentVector = cipher.doFinal(currentVector);
            byte[] block = xorBytes(plaintext.substring(round * 8).getBytes(), currentVector);
            result.append(bytesToHex(block));
        }
 
        return result.toString().toUpperCase();
    }
 
    private static String encryptTwelve(String plaintext) throws Exception {
        byte[] iv = AES_IV.getBytes();
        byte[] key = AES_KEY.getBytes();
 
        Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
        SecretKeySpec secretKeySpec = new SecretKeySpec(key, "AES");
        IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
        cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, ivParameterSpec);
 
        byte[] result = cipher.doFinal(plaintext.getBytes());
        return bytesToHex(result).toUpperCase();
    }
 
    private static String decryptEleven(String ciphertext) throws Exception {
        byte[] iv = hexStringToByteArray(BLOW_IV);
        byte[] key = hashToBytes(BLOW_KEY);
        byte[] encrypted = hexStringToByteArray(ciphertext.toLowerCase());
 
        int round = encrypted.length / 8;
        int leftLength = encrypted.length % 8;
        StringBuilder result = new StringBuilder();
        byte[] currentVector = iv.clone();
 
        Cipher cipher = Cipher.getInstance("Blowfish/ECB/NoPadding");
        SecretKeySpec secretKeySpec = new SecretKeySpec(key, "Blowfish");
        cipher.init(Cipher.DECRYPT_MODE, secretKeySpec);
 
        for (int i = 0; i < round; i++) {
            byte[] block = Arrays.copyOfRange(encrypted, i * 8, (i + 1) * 8);
            byte[] temp = xorBytes(cipher.doFinal(block), currentVector);
            currentVector = xorBytes(currentVector, block);
            result.append(new String(temp));
        }
 
        if (leftLength > 0) {
            currentVector = cipher.doFinal(currentVector);
            byte[] block = Arrays.copyOfRange(encrypted, round * 8, round * 8 + leftLength);
            result.append(new String(xorBytes(block, currentVector)));
        }
 
        return result.toString();
    }
 
    private static String decryptTwelve(String ciphertext) throws Exception {
        byte[] iv = AES_IV.getBytes();
        byte[] key = AES_KEY.getBytes();
        byte[] encrypted = hexStringToByteArray(ciphertext.toLowerCase());
 
        Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
        SecretKeySpec secretKeySpec = new SecretKeySpec(key, "AES");
        IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
        cipher.init(Cipher.DECRYPT_MODE, secretKeySpec, ivParameterSpec);
 
        byte[] result = cipher.doFinal(encrypted);
        return new String(result);
    }
 
    private static byte[] xorBytes(byte[] bytes1, byte[] bytes2) {
        byte[] result = new byte[bytes1.length];
        for (int i = 0; i < bytes1.length; i++) {
            result[i] = (byte) (bytes1[i] ^ bytes2[i]);
        }
        return result;
    }
 
    private static byte[] hexStringToByteArray(String s) {
        int len = s.length();
        byte[] data = new byte[len / 2];
        for (int i = 0; i < len; i += 2) {
            data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4)
                    + Character.digit(s.charAt(i + 1), 16));
        }
        return data;
    }
 
    private static byte[] hashToBytes(String s) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(s.getBytes());
    }
 
    private static String bytesToHex(byte[] bytes) {
        StringBuilder result = new StringBuilder();
        for (byte b : bytes) {
            result.append(String.format("%02X", b));
        }
        return result.toString();
    }
}