How to Hack XSilva Lightspeed to Get OpenBase Password

Posted November 19th, 2007 by david & filed under Haxor, Tech.

Having recently invested in a retail store, I had to go through the unenviable process of choosing a Point of Sale software. Doing this is NOT fun. The software is expensive, and if you don’t like it 6 months later it’s not exactly trivial to switch to another POS software. Once your inventory is loaded in, you really don’t want to have to switch.

Anyway I ended up choosing XSilva Lightspeed. For the most part we are very happy with it so far. The only thing I don’t like is that it doesn’t have a way to automatically email out reports. I’d like to see what kind of sales the store is doing on a daily basis. Since the whole thing is based on OpenBase/SQL, I figured it would be trivial to write some tools to generate and email my own reports. I did a quick search, and came to find out that XSilva keeps the database password a secret. Lame. Granted, I didn’t try to call their tech support and insist that I wanted it but it seems like from responses on their forum that they won’t give it up.

So here’s how to hack it:

On the machine that has Lightspeed and the server, fire up Lightspeed but don’t login. Open up a terminal, and I’m assuming you already have tcpdump installed.

/usr/sbin/tcpdump -i lo0 -s0 -c 1000 -x -w dump

Run that tcpdump, and then log in to Lightspeed. Once LS has logged in, you can Ctrl-C the tcpdump.

Now use ngrep to pull out the login information from the dump file:

ngrep -wi "dbpassword" -I dump

The output of this looks like:

input: dump
match: ((^dbpassword\W)|(\Wdbpassword$)|(\Wdbpassword\W))
##################################
######################
#########################
T 127.0.0.1:56526 -> 127.0.0.1:20223 [AP]
....|dict|....action....call_register....usersAllowed....1000
....dblogin....lightspeed....dbpassword....adminXXXXX....userlogin....light
speed....hostName....192.168.3.180....databaseName.
...xsilva_db_217demo....softwareId....Lig
htSpeed:REALbasicCM....processId....0016CB08
4925_21777781....
########################

See the adminXXXXX? That’s the db admin password. I redacted the actual string. I’m HOPING that they actually use a random string for every LS install. I didn’t verify on another install that it’s different. If not, I don’t really want to publish the password for every LS SQL database. However, they are retards if they don’t use a random secret.

Now you can go nuts on the database.

Update: I’ve verified on 2 installs that the admin password for the SQL is the same. Lesson here: firewall off your POS or anyone can modify your store database.
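To check your own install for this exposure (for example after an upgrade), the following added example, which is not part of the original post and not XSilva or OpenBase code, scans a captured payload for the `dbpassword` field name seen in the ngrep output above and reports it with the value masked. The 4-byte length framing in the sample payload and the secret string are constructed assumptions; the page only shows non-printable bytes between fields.

```python
import re

# Field name taken from the ngrep output on this page; the token after it is the secret.
SENSITIVE_KEYS = (b"dbpassword",)
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{2,}")


def printable_tokens(payload: bytes) -> list:
    """Split a raw TCP payload into runs of printable ASCII, like strings(1)."""
    return PRINTABLE_RUN.findall(payload)


def find_cleartext_credentials(payload: bytes) -> list:
    """Report sensitive keys visible in cleartext; the value itself is never returned."""
    tokens = printable_tokens(payload)
    findings = []
    for i, tok in enumerate(tokens[:-1]):
        # endswith() tolerates a framing byte that happens to be printable
        if any(tok.lower().endswith(k) for k in SENSITIVE_KEYS):
            value = tokens[i + 1]
            findings.append({
                "key": tok.decode(),
                "value_length": len(value),
                "redacted": "*" * len(value),
            })
    return findings


def _field(s: str) -> bytes:
    # Constructed framing (assumption): 4-byte big-endian length before each string.
    b = s.encode()
    return len(b).to_bytes(4, "big") + b


# Constructed sample payloads, not captured traffic.
SAMPLE_CLEARTEXT = b"".join(_field(s) for s in [
    "action", "call_register", "dblogin", "lightspeed",
    "dbpassword", "CONSTRUCTED-SECRET", "userlogin", "lightspeed",
])
SAMPLE_OPAQUE = bytes(range(32)) * 4  # stands in for encrypted traffic: no printable runs

if __name__ == "__main__":
    for name, data in (("cleartext", SAMPLE_CLEARTEXT), ("opaque", SAMPLE_OPAQUE)):
        hits = find_cleartext_credentials(data)
        print(name, "EXPOSED" if hits else "no cleartext credential fields", hits)
```

An empty result only means the field name was not found in printable form; it does not prove the traffic is encrypted.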


Posted by: David Dellanave


11 Responses to “How to Hack XSilva Lightspeed to Get OpenBase Password”

  • i assume there is a central db. most pos’s are completely locked down so cashiers/thieves can’t open command prompts or play games. that would eliminate “this” problem. it wouldn’t however have eliminated the network sniff (assuming you can get into the network).

    are you having to do anything with PCI compliance for credit cards/merchants account and are you using a specific vendor for the debit device (verifone, hypercom, Nurit, etc…)? not sure if they store CC#’s but that could get ugly really quickly… PCI compliance is huge for large vendors.

  • Just watched the XSilva video. Looks hot!

    What type of products are you going to be using it with? Electronics?

  • [...] Dillsmack made a post about haxing the Xsilva Lightspeed POS system to get the database password. Now obviously this isn’t really that big of security issue for [...]

  • Hello Dellanave,
    I am having a similar issue with a program called Daylite. I purchased Daylite and imported 18 years of data for my company.
    I am very disappointed with Daylite’s user interface and want to access the sql database so I can run my own reports and queries….
    Just like LightSpeed the database is “Open Base SQL” and there is a password…

    My operating system is Mac OS X and I was wondering if your solution would work for me?

    Thanks in advance for your reply…

    Tim Putnam

  • I am thinking of using lightspeed, and I would like to know if you still recommend it after having used it. I own a retail bookstore, and I am interested in the features of using the online store that operates from the same database as my pos

  • I’m having trouble reproducing your results with Lightspeed 2.5 here. I am running the LS server on a remote machine, so I modified the tcpdump command to listen on en0, and I do indeed see traffic to and from the database. However, there is very little plain text in it, and nothing that looks like a password. I’m wondering if xsilva now encrypts the traffic, or what. Can you confirm if this still works on LS 2.5?

  • [...] locks all our data in a database from http://www.openbase.com, it used to be possible to sniff the master database password, but that has changed after upgrading to 2.5.2 (and a newer version of openbase.) And for the time [...]

  • I’m very, very happy with lightspeed overall. Honestly, the new iPhone Stats feature pretty much eliminated my desire to access the SQL.

  • Yes it would work almost exactly the same.

  • Are you using something like ngrep to look at the dump file? Keep in mind tcpdump doesn’t store anything in plaintext.

    I can’t confirm it working on 2.5, but I can take a look.

  • Scratch that, I can confirm that it works in 2.5 as well.