Oracle 10g绕过密码登陆数据库

联系:手机/微信(+86 17813235971) QQ(107644445)

标题:Oracle 10g绕过密码登陆数据库

作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]

0、数据库版本

SQL> select * from v$version;
BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Prod
PL/SQL Release 10.2.0.4.0 - Production
CORE    10.2.0.4.0      Production
TNS for Linux: Version 10.2.0.4.0 - Production
NLSRTL Version 10.2.0.4.0 - Production

1、Oracle 10g密码加密猜测
user$表中的password=hash(user||password)

SQL> create user xff identified by xifenfei;
User created.
SQL> create user xf identified by fxifenfei;
User created.
SQL> select name,password from user$ where name in('XF','XFF');
NAME                           PASSWORD
------------------------------ ------------------------------
XF                             1B60F4BFF1DAB500
XFF                            1B60F4BFF1DAB500

2、测试通过修改user$.password饶过oracle密码登陆

--创建两个可以登陆用户
SQL> grant connect to ab identified by xifenfei;
Grant succeeded.
SQL> grant connect to abc identified by xifenfei;
Grant succeeded.
--查看用户名和password内容
SQL> select user#,name,password from user$ where name in ('AB','ABC');
     USER# NAME                           PASSWORD
---------- ------------------------------ ------------------------------
        63 AB                             7AF07A2EFB054758
        64 ABC                            40C0E6EE497444B7
--修改ab用户的password内容和abc相同,即ab用户对应的密码应该为cxifenfei
SQL> update user$ set password='40C0E6EE497444B7' where user#=63;
1 row updated.
SQL> commit;
Commit complete.
SQL> select user#,name,password from user$ where name in ('AB','ABC');
     USER# NAME                           PASSWORD
---------- ------------------------------ ------------------------------
        63 AB                             40C0E6EE497444B7
        64 ABC                            40C0E6EE497444B7
--修改后登陆失败
SQL> conn ab/cxifenfei
ERROR:
ORA-01017: 用户名/口令无效; 登录被拒绝
Warning: You are no longer connected to ORACLE.
SQL> conn / as sysdba
Connected.
--ab的user$.password被重设为原先值
SQL> select user#,name,password from user$ where name in ('AB','ABC');
     USER# NAME                           PASSWORD
---------- ------------------------------ ------------------------------
        63 AB                             7AF07A2EFB054758
        64 ABC                            40C0E6EE497444B7
SQL>  update user$ set password='40C0E6EE497444B7' where user#=63;
1 row updated.
SQL> commit;
Commit complete.
SQL> select user#,name,password from user$ where name in ('AB','ABC');
     USER# NAME                           PASSWORD
---------- ------------------------------ ------------------------------
        63 AB                             40C0E6EE497444B7
        64 ABC                            40C0E6EE497444B7
--刷新databuffer和shared_pool
SQL> alter system flush buffer_cache ;
System altered.
SQL> alter system flush shared_buffer;
alter system flush shared_buffer
*
ERROR at line 1:
ORA-02000: missing SHARED_POOL/BUFFER_CACHE/GLOBAL CONTEXT keyword
SQL> alter system flush shared_pool;
System altered.
--修改ab的密码为cxifenfei成功
SQL> conn ab/cxifenfei
Connected.
SQL> show user;
USER is "AB"

3、绕过密码登陆数据库方法
1)建立一个和你需要登陆用户相似用户(一般是末尾多一个或者几个字符)
2)查询建立用户的user$.password,并修改你需要的用户的password
3)刷新data buffer和shared pool
4)使用你建立的用户多出在字符串+你建立用户的密码登陆你需要登陆用户

One thought on “Oracle 10g绕过密码登陆数据库

  1. 在oracle 11g中,不能直接修改user$.password

    SQL> select user#,name,password from user$ where name in ('AB','ABC');
         USER# NAME                           PASSWORD
    ---------- ------------------------------ ------------------------------
            97 AB                             7AF07A2EFB054758
            96 ABC                            40C0E6EE497444B7
    SQL> update user$ set password='40C0E6EE497444B7' where user#=97;
    update user$ set password='40C0E6EE497444B7' where user#=97
           *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    SQL> shutdown immediate
    Database closed.
    Database dismounted.
    ORACLE instance shut down.
    SQL> Startup Migrate
    ORACLE instance started.
    Total System Global Area 2137886720 bytes
    Fixed Size                  2230072 bytes
    Variable Size            1493174472 bytes
    Database Buffers          637534208 bytes
    Redo Buffers                4947968 bytes
    Database mounted.
    Database opened.
    SQL> update user$ set password='40C0E6EE497444B7' where user#=97;
    update user$ set password='40C0E6EE497444B7' where user#=97
           *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    SQL> shutdown immediate
    Database closed.
    Database dismounted.
    ORACLE instance shut down.
    SQL>  startup upgrade
    ORACLE instance started.
    Total System Global Area 2137886720 bytes
    Fixed Size                  2230072 bytes
    Variable Size            1493174472 bytes
    Database Buffers          637534208 bytes
    Redo Buffers                4947968 bytes
    Database mounted.
    Database opened.
    SQL> update user$ set password='40C0E6EE497444B7' where user#=97;
    update user$ set password='40C0E6EE497444B7' where user#=97
           *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    

    使用bbed修改user$.password

    [oracle@node1 db_1]$ bbed
    Password:
    BBED: Release 2.0.0.0.0 - Limited Production on Fri Dec 16 14:59:22 2011
    Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
    ************* !!! For Oracle Internal Use only !!! ***************
    BBED> set filename "/opt/oracle/oradata/ora11g/system01.dbf"
            FILENAME        /opt/oracle/oradata/ora11g/system01.dbf
    BBED> set block 213
            BLOCK#          213
    BBED> file /c 40C0E6EE497444B7
    BBED-00200: invalid keyword (file)
    BBED> find /c 40C0E6EE497444B7
     File: /opt/oracle/oradata/ora11g/system01.dbf (0)
     Block: 213              Offsets:  332 to  843           Dba:0x00000000
    ------------------------------------------------------------------------
     34304330 45364545 34393734 34344237 02c10502 c1040778 6f0c0c18 0d1a0778
     6f0c0c18 0d1affff 0180ff02 c102ffff 01800180 16444546 41554c54 5f434f4e
     53554d45 525f4752 4f5550ff 0180ffff 3e533a45 36414536 35383630 32453235
     34373638 44373039 34333346 36373939 43364235 31354335 46354537 37343341
     32443230 44434333 35433930 3639325c 02130c00 4000d100 000a5f4e 4558545f
     55534552 0180ff01 80018007 786f0911 0a2f17ff ffff0180 ff0180ff ff018001
     80164445 4641554c 545f434f 4e53554d 45525f47 524f5550 ff0180ac 00010000
     00000040 00d5000c 004000d5 000c02c1 636c0016 0a034142 4302c102 10343043
     30453645 45343937 34343442 3702c105 02c10407 786f0c0c 180c2607 786f0c0c
     180c26ff ff0180ff 02c102ff ff018001 80164445 4641554c 545f434f 4e53554d
     45525f47 524f5550 ff0180ff ff3e533a 32343330 38314135 32343932 44423942
     34344534 36363539 38384243 46363244 31373844 42463431 33374137 35423044
     35384230 39393345 45353830 5c02130b 004000d1 00000a5f 4e455854 5f555345
     520180ff 01800180 07786f09 110a2f17 ffffff01 80ff0180 ffff0180 01801644
     45464155 4c545f43 4f4e5355 4d45525f 47524f55 50ff0180 ac000101 00010000
     4000d500 0b004000 d5000b02 c1626c00 16080358 464602c1 02103142 36304634
     <32 bytes per line>
    BBED> set offset 332
            OFFSET          332
    BBED> dump /v
     File: /opt/oracle/oradata/ora11g/system01.dbf (0)
     Block: 213     Offsets:  332 to  843  Dba:0x00000000
    -------------------------------------------------------
     34304330 45364545 34393734 34344237 l 40C0E6EE497444B7
     02c10502 c1040778 6f0c0c18 0d1a0778 l .......xo......x
     6f0c0c18 0d1affff 0180ff02 c102ffff l o...............
     01800180 16444546 41554c54 5f434f4e l .....DEFAULT_CON
     53554d45 525f4752 4f5550ff 0180ffff l SUMER_GROUP.....
     3e533a45 36414536 35383630 32453235 l >S:E6AE658602E25
     34373638 44373039 34333346 36373939 l 4768D709433F6799
     43364235 31354335 46354537 37343341 l C6B515C5F5E7743A
     32443230 44434333 35433930 3639325c l 2D20DCC35C90692\
     02130c00 4000d100 000a5f4e 4558545f l ....@....._NEXT_
     55534552 0180ff01 80018007 786f0911 l USER........xo..
     0a2f17ff ffff0180 ff0180ff ff018001 l ./..............
     80164445 4641554c 545f434f 4e53554d l ..DEFAULT_CONSUM
     45525f47 524f5550 ff0180ac 00010000 l ER_GROUP........
     00000040 00d5000c 004000d5 000c02c1 l ...@.....@......
     636c0016 0a034142 4302c102 10343043 l cl....ABC....40C
     30453645 45343937 34343442 3702c105 l 0E6EE497444B7...
     02c10407 786f0c0c 180c2607 786f0c0c l ....xo....&.xo..
     180c26ff ff0180ff 02c102ff ff018001 l ..&.............
     80164445 4641554c 545f434f 4e53554d l ..DEFAULT_CONSUM
     45525f47 524f5550 ff0180ff ff3e533a l ER_GROUP.....>S:
     32343330 38314135 32343932 44423942 l 243081A52492DB9B
     34344534 36363539 38384243 46363244 l 44E4665988BCF62D
     31373844 42463431 33374137 35423044 l 178DBF4137A75B0D
     35384230 39393345 45353830 5c02130b l 58B0993EE580\...
     004000d1 00000a5f 4e455854 5f555345 l .@....._NEXT_USE
     520180ff 01800180 07786f09 110a2f17 l R........xo.../.
     ffffff01 80ff0180 ffff0180 01801644 l ...............D
     45464155 4c545f43 4f4e5355 4d45525f l EFAULT_CONSUMER_
     47524f55 50ff0180 ac000101 00010000 l GROUP...........
     4000d500 0b004000 d5000b02 c1626c00 l @.....@......bl.
     16080358 464602c1 02103142 36304634 l ...XFF....1B60F4
     <16 bytes per line>
    BBED> find /c 7AF07A2EFB054758
     File: /opt/oracle/oradata/ora11g/system01.dbf (0)
     Block: 213              Offsets: 5522 to 6033           Dba:0x00000000
    ------------------------------------------------------------------------
     37414630 37413245 46423035 34373538 02c10502 c1040778 6f0c0c18 0d1a0778
     6f0c0c18 0d1affff 0180ff02 c102ffff 018002c1 02164445 4641554c 545f434f
     4e53554d 45525f47 524f5550 ff0180ff ff3e533a 34344433 36364139 41343236
     43334643 45374231 46353639 37374532 34314230 35463534 42463536 38463736
     37323930 36393342 46313744 37384236 6c00160c 014102c1 02104437 33333435
     46453037 41364131 373402c1 0502c104 07786f0c 0c181d0d 07786f0c 0c181d0d
     ffff0180 ff02c102 ffff0180 01801644 45464155 4c545f43 4f4e5355 4d45525f
     47524f55 50ff0180 ffff3e53 3a353934 36323843 41343436 46464431 35304630
     35374341 43374441 33323131 30374445 39423942 34384635 46463130 37464133
     30383143 41353636 436c0007 0802c105 018004c3 021c4d01 80018001 8001806c
     00160b02 414202c1 02103741 46303741 32454642 30353437 353802c1 0502c104
     07786f0c 0c180d1a 07786f0c 0c180d1a ffff0180 ff02c102 ffff0180 01801644
     45464155 4c545f43 4f4e5355 4d45525f 47524f55 50ff0180 ffff3e53 3a343444
     33363641 39413432 36433346 43453742 31463536 39373745 32343142 30354635
     34424635 36384637 36373239 30363933 42463137 44373842 366c0016 0a034142
     4302c102 10343043 30453645 45343937 34343442 3702c105 02c10407 786f0c0c
     <32 bytes per line>
    BBED> set offset 5522
            OFFSET          5522
    BBED> dump /v
     File: /opt/oracle/oradata/ora11g/system01.dbf (0)
     Block: 213     Offsets: 5522 to 6033  Dba:0x00000000
    -------------------------------------------------------
     37414630 37413245 46423035 34373538 l 7AF07A2EFB054758
     02c10502 c1040778 6f0c0c18 0d1a0778 l .......xo......x
     6f0c0c18 0d1affff 0180ff02 c102ffff l o...............
     018002c1 02164445 4641554c 545f434f l ......DEFAULT_CO
     4e53554d 45525f47 524f5550 ff0180ff l NSUMER_GROUP....
     ff3e533a 34344433 36364139 41343236 l .>S:44D366A9A426
     43334643 45374231 46353639 37374532 l C3FCE7B1F56977E2
     34314230 35463534 42463536 38463736 l 41B05F54BF568F76
     37323930 36393342 46313744 37384236 l 7290693BF17D78B6
     6c00160c 014102c1 02104437 33333435 l l....A....D73345
     46453037 41364131 373402c1 0502c104 l FE07A6A174......
     07786f0c 0c181d0d 07786f0c 0c181d0d l .xo......xo.....
     ffff0180 ff02c102 ffff0180 01801644 l ...............D
     45464155 4c545f43 4f4e5355 4d45525f l EFAULT_CONSUMER_
     47524f55 50ff0180 ffff3e53 3a353934 l GROUP.....>S:594
     36323843 41343436 46464431 35304630 l 628CA446FFD150F0
     35374341 43374441 33323131 30374445 l 57CAC7DA321107DE
     39423942 34384635 46463130 37464133 l 9B9B48F5FF107FA3
     30383143 41353636 436c0007 0802c105 l 081CA566Cl......
     018004c3 021c4d01 80018001 8001806c l ......M........l
     00160b02 414202c1 02103741 46303741 l ....AB....7AF07A
     32454642 30353437 353802c1 0502c104 l 2EFB054758......
     07786f0c 0c180d1a 07786f0c 0c180d1a l .xo......xo.....
     ffff0180 ff02c102 ffff0180 01801644 l ...............D
     45464155 4c545f43 4f4e5355 4d45525f l EFAULT_CONSUMER_
     47524f55 50ff0180 ffff3e53 3a343444 l GROUP.....>S:44D
     33363641 39413432 36433346 43453742 l 366A9A426C3FCE7B
     31463536 39373745 32343142 30354635 l 1F56977E241B05F5
     34424635 36384637 36373239 30363933 l 4BF568F767290693
     42463137 44373842 366c0016 0a034142 l BF17D78B6l....AB
     4302c102 10343043 30453645 45343937 l C....40C0E6EE497
     34343442 3702c105 02c10407 786f0c0c l 444B7.......xo..
     <16 bytes per line>
    BBED> modify /c 40C0E6EE497444B7
    BBED-00215: editing not allowed in BROWSE mode
    BBED> set mode edit
            MODE            Edit
    BBED> modify /c 40C0E6EE497444B7
    Warning: contents of previous BIFILE will be lost. Proceed? (Y/N) y
     File: /opt/oracle/oradata/ora11g/system01.dbf (0)
     Block: 213              Offsets: 5522 to 6033           Dba:0x00000000
    ------------------------------------------------------------------------
     34304330 45364545 34393734 34344237 02c10502 c1040778 6f0c0c18 0d1a0778
     6f0c0c18 0d1affff 0180ff02 c102ffff 018002c1 02164445 4641554c 545f434f
     4e53554d 45525f47 524f5550 ff0180ff ff3e533a 34344433 36364139 41343236
     43334643 45374231 46353639 37374532 34314230 35463534 42463536 38463736
     37323930 36393342 46313744 37384236 6c00160c 014102c1 02104437 33333435
     46453037 41364131 373402c1 0502c104 07786f0c 0c181d0d 07786f0c 0c181d0d
     ffff0180 ff02c102 ffff0180 01801644 45464155 4c545f43 4f4e5355 4d45525f
     47524f55 50ff0180 ffff3e53 3a353934 36323843 41343436 46464431 35304630
     35374341 43374441 33323131 30374445 39423942 34384635 46463130 37464133
     30383143 41353636 436c0007 0802c105 018004c3 021c4d01 80018001 8001806c
     00160b02 414202c1 02103741 46303741 32454642 30353437 353802c1 0502c104
     07786f0c 0c180d1a 07786f0c 0c180d1a ffff0180 ff02c102 ffff0180 01801644
     45464155 4c545f43 4f4e5355 4d45525f 47524f55 50ff0180 ffff3e53 3a343444
     33363641 39413432 36433346 43453742 31463536 39373745 32343142 30354635
     34424635 36384637 36373239 30363933 42463137 44373842 366c0016 0a034142
     4302c102 10343043 30453645 45343937 34343442 3702c105 02c10407 786f0c0c
     <32 bytes per line>
    BBED> dump /v
     File: /opt/oracle/oradata/ora11g/system01.dbf (0)
     Block: 213     Offsets: 5522 to 6033  Dba:0x00000000
    -------------------------------------------------------
     34304330 45364545 34393734 34344237 l 40C0E6EE497444B7
     02c10502 c1040778 6f0c0c18 0d1a0778 l .......xo......x
     6f0c0c18 0d1affff 0180ff02 c102ffff l o...............
     018002c1 02164445 4641554c 545f434f l ......DEFAULT_CO
     4e53554d 45525f47 524f5550 ff0180ff l NSUMER_GROUP....
     ff3e533a 34344433 36364139 41343236 l .>S:44D366A9A426
     43334643 45374231 46353639 37374532 l C3FCE7B1F56977E2
     34314230 35463534 42463536 38463736 l 41B05F54BF568F76
     37323930 36393342 46313744 37384236 l 7290693BF17D78B6
     6c00160c 014102c1 02104437 33333435 l l....A....D73345
     46453037 41364131 373402c1 0502c104 l FE07A6A174......
     07786f0c 0c181d0d 07786f0c 0c181d0d l .xo......xo.....
     ffff0180 ff02c102 ffff0180 01801644 l ...............D
     45464155 4c545f43 4f4e5355 4d45525f l EFAULT_CONSUMER_
     47524f55 50ff0180 ffff3e53 3a353934 l GROUP.....>S:594
     36323843 41343436 46464431 35304630 l 628CA446FFD150F0
     35374341 43374441 33323131 30374445 l 57CAC7DA321107DE
     39423942 34384635 46463130 37464133 l 9B9B48F5FF107FA3
     30383143 41353636 436c0007 0802c105 l 081CA566Cl......
     018004c3 021c4d01 80018001 8001806c l ......M........l
     00160b02 414202c1 02103741 46303741 l ....AB....7AF07A
     32454642 30353437 353802c1 0502c104 l 2EFB054758......
     07786f0c 0c180d1a 07786f0c 0c180d1a l .xo......xo.....
     ffff0180 ff02c102 ffff0180 01801644 l ...............D
     45464155 4c545f43 4f4e5355 4d45525f l EFAULT_CONSUMER_
     47524f55 50ff0180 ffff3e53 3a343444 l GROUP.....>S:44D
     33363641 39413432 36433346 43453742 l 366A9A426C3FCE7B
     31463536 39373745 32343142 30354635 l 1F56977E241B05F5
     34424635 36384637 36373239 30363933 l 4BF568F767290693
     42463137 44373842 366c0016 0a034142 l BF17D78B6l....AB
     4302c102 10343043 30453645 45343937 l C....40C0E6EE497
     34343442 3702c105 02c10407 786f0c0c l 444B7.......xo..
     <16 bytes per line>
    BBED> sum apply
    Check value for File 0, Block 213:
    current = 0x45e5, required = 0x45e5
    BBED> exit
    [oracle@node1 db_1]$ sqlplus / as sysdba
    SQL*Plus: Release 11.2.0.3.0 Production on Fri Dec 16 15:02:43 2011
    Copyright (c) 1982, 2011, Oracle.  All rights reserved.
    Connected to an idle instance.
    SQL> startuup
    SP2-0042: unknown command "startuup" - rest of line ignored.
    SQL> startup
    ORACLE instance started.
    Total System Global Area 2137886720 bytes
    Fixed Size                  2230072 bytes
    Variable Size            1493174472 bytes
    Database Buffers          637534208 bytes
    Redo Buffers                4947968 bytes
    Database mounted.
    Database opened.
    SQL> conn ab/cxifenfei
    ERROR:
    ORA-01017: 用户名/口令无效; 登录被拒绝
    Warning: You are no longer connected to ORACLE.
    SQL> conn / as sysdba
    Connected.
    SQL> select user#,name,password from user$ where name in ('AB','ABC');
         USER# NAME                           PASSWORD
    ---------- ------------------------------ ------------------------------
            97 AB                             40C0E6EE497444B7
            96 ABC                            40C0E6EE497444B7
    

    跟踪alter user ab identified by xifenfei知道,因为user$.SPARE4在每次修改密码后,都会改变,应该oracle采用某种机制生产该值,然后登陆时验证该值,期待高手破解该值

发表评论

邮箱地址不会被公开。 必填项已用*标注

15 − 15 =