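Author: 惜分飞 © All rights reserved [Reproduction in any form without my consent is not permitted; otherwise I reserve the right to pursue legal liability.]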
0. Database version
SQL> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Prod
PL/SQL Release 10.2.0.4.0 - Production
CORE    10.2.0.4.0      Production
TNS for Linux: Version 10.2.0.4.0 - Production
NLSRTL Version 10.2.0.4.0 - Production
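1. A guess at how Oracle 10g hashes passwords
In the user$ table, password = hash(user || password): the user name and the password are concatenated before hashing. The two users below concatenate to the same string, so they end up with the same stored value.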
SQL> create user xff identified by xifenfei;

User created.

SQL> create user xf identified by fxifenfei;

User created.

SQL> select name,password from user$ where name in('XF','XFF');

NAME                           PASSWORD
------------------------------ ------------------------------
XF                             1B60F4BFF1DAB500
XFF                            1B60F4BFF1DAB500
2. Testing a bypass of Oracle password login by modifying user$.password
-- Create two users that are able to log in
SQL> grant connect to ab identified by xifenfei;

Grant succeeded.

SQL> grant connect to abc identified by xifenfei;

Grant succeeded.

-- Look at the user names and password values
SQL> select user#,name,password from user$ where name in ('AB','ABC');

     USER# NAME                           PASSWORD
---------- ------------------------------ ------------------------------
        63 AB                             7AF07A2EFB054758
        64 ABC                            40C0E6EE497444B7

-- Set ab's password value to the same as abc's, so the password for ab should now be cxifenfei
SQL> update user$ set password='40C0E6EE497444B7' where user#=63;

1 row updated.

SQL> commit;

Commit complete.

SQL> select user#,name,password from user$ where name in ('AB','ABC');

     USER# NAME                           PASSWORD
---------- ------------------------------ ------------------------------
        63 AB                             40C0E6EE497444B7
        64 ABC                            40C0E6EE497444B7

-- Login fails after the change
SQL> conn ab/cxifenfei
ERROR:
ORA-01017: 用户名/口令无效; 登录被拒绝

Warning: You are no longer connected to ORACLE.
SQL> conn / as sysdba
Connected.

-- ab's user$.password has been reset to its original value
SQL> select user#,name,password from user$ where name in ('AB','ABC');

     USER# NAME                           PASSWORD
---------- ------------------------------ ------------------------------
        63 AB                             7AF07A2EFB054758
        64 ABC                            40C0E6EE497444B7

SQL> update user$ set password='40C0E6EE497444B7' where user#=63;

1 row updated.

SQL> commit;

Commit complete.

SQL> select user#,name,password from user$ where name in ('AB','ABC');

     USER# NAME                           PASSWORD
---------- ------------------------------ ------------------------------
        63 AB                             40C0E6EE497444B7
        64 ABC                            40C0E6EE497444B7

-- Flush the data buffer and shared_pool
SQL> alter system flush buffer_cache ;

System altered.

SQL> alter system flush shared_buffer;
alter system flush shared_buffer
                   *
ERROR at line 1:
ORA-02000: missing SHARED_POOL/BUFFER_CACHE/GLOBAL CONTEXT keyword

SQL> alter system flush shared_pool;

System altered.

-- ab's password has been successfully changed to cxifenfei
SQL> conn ab/cxifenfei
Connected.
SQL> show user;
USER is "AB"
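3. Method for bypassing the password to log in to the database
1) Create a user whose name is similar to the user you need to log in as (generally with one or more extra characters at the end)
2) Query the user$.password of the user you created, and set the password of the user you need to that value
3) Flush the data buffer and the shared pool
4) Log in as the user you need, using the extra characters from the created user's name + the created user's password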
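A check for the condition sections 1 to 3 depend on, as an added example that is not part of the original post: it groups rows shaped like the user$ listings above by password value and flags every value shared by more than one account. The rows are constructed (only the XF/XFF and AB/ABC values come from the sessions above), and treating only 16-hex-digit values as verifiers is an assumption.

```python
import re
from collections import defaultdict

# A 10g verifier as shown in the listings above: 16 upper-case hex digits.
VERIFIER = re.compile(r"^[0-9A-F]{16}$")

# Constructed rows shaped like "select user#, name, password from user$".
# The XF/XFF and AB/ABC values are the ones shown above; user# 61 and 62 and
# rows 70-73 are made up for this example.
ROWS = [
    (61, "XF", "1B60F4BFF1DAB500"),
    (62, "XFF", "1B60F4BFF1DAB500"),
    (63, "AB", "40C0E6EE497444B7"),
    (64, "ABC", "40C0E6EE497444B7"),
    (70, "REPORTS", "0F1E2D3C4B5A6978"),
    (71, "BATCH", "0F1E2D3C4B5A6978"),
    (72, "OPS$A", "EXTERNAL"),
    (73, "OPS$B", "EXTERNAL"),
]


def shared_verifiers(rows):
    """Group accounts by stored verifier; report each value used more than once."""
    by_hash = defaultdict(list)
    for _user_no, name, password in rows:
        # Skip NULLs and non-hash markers (assumed: anything not 16 hex digits).
        if password and VERIFIER.match(password):
            by_hash[password].append(name)
    findings = []
    for value, names in sorted(by_hash.items()):
        if len(names) < 2:
            continue
        names.sort(key=len)
        # Under the page's model hash(user || password), two accounts can share
        # a value only when one name is a prefix of the other and the passwords
        # absorb the difference; anything else is unexplained by that model.
        chained = all(b.startswith(a) for a, b in zip(names, names[1:]))
        kind = "name-prefix" if chained else "unexplained"
        findings.append({"password": value, "names": names, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in shared_verifiers(ROWS):
        print(f["password"], ", ".join(f["names"]), "->", f["kind"])
```

Both kinds deserve review: a "name-prefix" pair can be a coincidence of password choice (XF/XFF) or the result of the update shown in section 2 (AB/ABC), and the stored values alone cannot tell the two apart.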
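In Oracle 11g, user$.password cannot be modified directly.
Use bbed to modify user$.password.
Tracing alter user ab identified by xifenfei shows that user$.SPARE4 changes every time the password is changed, so Oracle presumably uses some mechanism to generate this value and then verifies it at login. I look forward to an expert cracking this value.
11g is case-sensitive.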