联系:手机/微信(+86 17813235971) QQ(107644445)
作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]
0、数据库版本
SQL> select * from v$version; BANNER ---------------------------------------------------------------- Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Prod PL/SQL Release 10.2.0.4.0 - Production CORE 10.2.0.4.0 Production TNS for Linux: Version 10.2.0.4.0 - Production NLSRTL Version 10.2.0.4.0 - Production
1、Oracle 10g密码加密猜测
user$表中的password=hash(user||password)
SQL> create user xff identified by xifenfei;
User created.
SQL> create user xf identified by fxifenfei;
User created.
SQL> select name,password from user$ where name in('XF','XFF');
NAME PASSWORD
------------------------------ ------------------------------
XF 1B60F4BFF1DAB500
XFF 1B60F4BFF1DAB500
2、测试通过修改user$.password饶过oracle密码登陆
--创建两个可以登陆用户
SQL> grant connect to ab identified by xifenfei;
Grant succeeded.
SQL> grant connect to abc identified by xifenfei;
Grant succeeded.
--查看用户名和password内容
SQL> select user#,name,password from user$ where name in ('AB','ABC');
USER# NAME PASSWORD
---------- ------------------------------ ------------------------------
63 AB 7AF07A2EFB054758
64 ABC 40C0E6EE497444B7
--修改ab用户的password内容和abc相同,即ab用户对应的密码应该为cxifenfei
SQL> update user$ set password='40C0E6EE497444B7' where user#=63;
1 row updated.
SQL> commit;
Commit complete.
SQL> select user#,name,password from user$ where name in ('AB','ABC');
USER# NAME PASSWORD
---------- ------------------------------ ------------------------------
63 AB 40C0E6EE497444B7
64 ABC 40C0E6EE497444B7
--修改后登陆失败
SQL> conn ab/cxifenfei
ERROR:
ORA-01017: 用户名/口令无效; 登录被拒绝
Warning: You are no longer connected to ORACLE.
SQL> conn / as sysdba
Connected.
--ab的user$.password被重设为原先值
SQL> select user#,name,password from user$ where name in ('AB','ABC');
USER# NAME PASSWORD
---------- ------------------------------ ------------------------------
63 AB 7AF07A2EFB054758
64 ABC 40C0E6EE497444B7
SQL> update user$ set password='40C0E6EE497444B7' where user#=63;
1 row updated.
SQL> commit;
Commit complete.
SQL> select user#,name,password from user$ where name in ('AB','ABC');
USER# NAME PASSWORD
---------- ------------------------------ ------------------------------
63 AB 40C0E6EE497444B7
64 ABC 40C0E6EE497444B7
--刷新databuffer和shared_pool
SQL> alter system flush buffer_cache ;
System altered.
SQL> alter system flush shared_buffer;
alter system flush shared_buffer
*
ERROR at line 1:
ORA-02000: missing SHARED_POOL/BUFFER_CACHE/GLOBAL CONTEXT keyword
SQL> alter system flush shared_pool;
System altered.
--修改ab的密码为cxifenfei成功
SQL> conn ab/cxifenfei
Connected.
SQL> show user;
USER is "AB"
3、绕过密码登陆数据库方法
1)建立一个和你需要登陆用户相似用户(一般是末尾多一个或者几个字符)
2)查询建立用户的user$.password,并修改你需要的用户的password
3)刷新data buffer和shared pool
4)使用你建立的用户多出在字符串+你建立用户的密码登陆你需要登陆用户
在oracle 11g中,不能直接修改user$.password
SQL> select user#,name,password from user$ where name in ('AB','ABC'); USER# NAME PASSWORD ---------- ------------------------------ ------------------------------ 97 AB 7AF07A2EFB054758 96 ABC 40C0E6EE497444B7 SQL> update user$ set password='40C0E6EE497444B7' where user#=97; update user$ set password='40C0E6EE497444B7' where user#=97 * ERROR at line 1: ORA-01031: insufficient privileges SQL> shutdown immediate Database closed. Database dismounted. ORACLE instance shut down. SQL> Startup Migrate ORACLE instance started. Total System Global Area 2137886720 bytes Fixed Size 2230072 bytes Variable Size 1493174472 bytes Database Buffers 637534208 bytes Redo Buffers 4947968 bytes Database mounted. Database opened. SQL> update user$ set password='40C0E6EE497444B7' where user#=97; update user$ set password='40C0E6EE497444B7' where user#=97 * ERROR at line 1: ORA-01031: insufficient privileges SQL> shutdown immediate Database closed. Database dismounted. ORACLE instance shut down. SQL> startup upgrade ORACLE instance started. Total System Global Area 2137886720 bytes Fixed Size 2230072 bytes Variable Size 1493174472 bytes Database Buffers 637534208 bytes Redo Buffers 4947968 bytes Database mounted. Database opened. SQL> update user$ set password='40C0E6EE497444B7' where user#=97; update user$ set password='40C0E6EE497444B7' where user#=97 * ERROR at line 1: ORA-01031: insufficient privileges使用bbed修改user$.password
[oracle@node1 db_1]$ bbed Password: BBED: Release 2.0.0.0.0 - Limited Production on Fri Dec 16 14:59:22 2011 Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved. ************* !!! For Oracle Internal Use only !!! *************** BBED> set filename "/opt/oracle/oradata/ora11g/system01.dbf" FILENAME /opt/oracle/oradata/ora11g/system01.dbf BBED> set block 213 BLOCK# 213 BBED> file /c 40C0E6EE497444B7 BBED-00200: invalid keyword (file) BBED> find /c 40C0E6EE497444B7 File: /opt/oracle/oradata/ora11g/system01.dbf (0) Block: 213 Offsets: 332 to 843 Dba:0x00000000 ------------------------------------------------------------------------ 34304330 45364545 34393734 34344237 02c10502 c1040778 6f0c0c18 0d1a0778 6f0c0c18 0d1affff 0180ff02 c102ffff 01800180 16444546 41554c54 5f434f4e 53554d45 525f4752 4f5550ff 0180ffff 3e533a45 36414536 35383630 32453235 34373638 44373039 34333346 36373939 43364235 31354335 46354537 37343341 32443230 44434333 35433930 3639325c 02130c00 4000d100 000a5f4e 4558545f 55534552 0180ff01 80018007 786f0911 0a2f17ff ffff0180 ff0180ff ff018001 80164445 4641554c 545f434f 4e53554d 45525f47 524f5550 ff0180ac 00010000 00000040 00d5000c 004000d5 000c02c1 636c0016 0a034142 4302c102 10343043 30453645 45343937 34343442 3702c105 02c10407 786f0c0c 180c2607 786f0c0c 180c26ff ff0180ff 02c102ff ff018001 80164445 4641554c 545f434f 4e53554d 45525f47 524f5550 ff0180ff ff3e533a 32343330 38314135 32343932 44423942 34344534 36363539 38384243 46363244 31373844 42463431 33374137 35423044 35384230 39393345 45353830 5c02130b 004000d1 00000a5f 4e455854 5f555345 520180ff 01800180 07786f09 110a2f17 ffffff01 80ff0180 ffff0180 01801644 45464155 4c545f43 4f4e5355 4d45525f 47524f55 50ff0180 ac000101 00010000 4000d500 0b004000 d5000b02 c1626c00 16080358 464602c1 02103142 36304634 <32 bytes per line> BBED> set offset 332 OFFSET 332 BBED> dump /v File: /opt/oracle/oradata/ora11g/system01.dbf (0) Block: 213 Offsets: 332 to 843 Dba:0x00000000 ------------------------------------------------------- 34304330 45364545 34393734 34344237 l 40C0E6EE497444B7 02c10502 c1040778 6f0c0c18 0d1a0778 l .......xo......x 6f0c0c18 0d1affff 0180ff02 c102ffff l o............... 01800180 16444546 41554c54 5f434f4e l .....DEFAULT_CON 53554d45 525f4752 4f5550ff 0180ffff l SUMER_GROUP..... 3e533a45 36414536 35383630 32453235 l >S:E6AE658602E25 34373638 44373039 34333346 36373939 l 4768D709433F6799 43364235 31354335 46354537 37343341 l C6B515C5F5E7743A 32443230 44434333 35433930 3639325c l 2D20DCC35C90692\ 02130c00 4000d100 000a5f4e 4558545f l ....@....._NEXT_ 55534552 0180ff01 80018007 786f0911 l USER........xo.. 0a2f17ff ffff0180 ff0180ff ff018001 l ./.............. 80164445 4641554c 545f434f 4e53554d l ..DEFAULT_CONSUM 45525f47 524f5550 ff0180ac 00010000 l ER_GROUP........ 00000040 00d5000c 004000d5 000c02c1 l ...@.....@...... 636c0016 0a034142 4302c102 10343043 l cl....ABC....40C 30453645 45343937 34343442 3702c105 l 0E6EE497444B7... 02c10407 786f0c0c 180c2607 786f0c0c l ....xo....&.xo.. 180c26ff ff0180ff 02c102ff ff018001 l ..&............. 80164445 4641554c 545f434f 4e53554d l ..DEFAULT_CONSUM 45525f47 524f5550 ff0180ff ff3e533a l ER_GROUP.....>S: 32343330 38314135 32343932 44423942 l 243081A52492DB9B 34344534 36363539 38384243 46363244 l 44E4665988BCF62D 31373844 42463431 33374137 35423044 l 178DBF4137A75B0D 35384230 39393345 45353830 5c02130b l 58B0993EE580\... 004000d1 00000a5f 4e455854 5f555345 l .@....._NEXT_USE 520180ff 01800180 07786f09 110a2f17 l R........xo.../. ffffff01 80ff0180 ffff0180 01801644 l ...............D 45464155 4c545f43 4f4e5355 4d45525f l EFAULT_CONSUMER_ 47524f55 50ff0180 ac000101 00010000 l GROUP........... 4000d500 0b004000 d5000b02 c1626c00 l @.....@......bl. 16080358 464602c1 02103142 36304634 l ...XFF....1B60F4 <16 bytes per line> BBED> find /c 7AF07A2EFB054758 File: /opt/oracle/oradata/ora11g/system01.dbf (0) Block: 213 Offsets: 5522 to 6033 Dba:0x00000000 ------------------------------------------------------------------------ 37414630 37413245 46423035 34373538 02c10502 c1040778 6f0c0c18 0d1a0778 6f0c0c18 0d1affff 0180ff02 c102ffff 018002c1 02164445 4641554c 545f434f 4e53554d 45525f47 524f5550 ff0180ff ff3e533a 34344433 36364139 41343236 43334643 45374231 46353639 37374532 34314230 35463534 42463536 38463736 37323930 36393342 46313744 37384236 6c00160c 014102c1 02104437 33333435 46453037 41364131 373402c1 0502c104 07786f0c 0c181d0d 07786f0c 0c181d0d ffff0180 ff02c102 ffff0180 01801644 45464155 4c545f43 4f4e5355 4d45525f 47524f55 50ff0180 ffff3e53 3a353934 36323843 41343436 46464431 35304630 35374341 43374441 33323131 30374445 39423942 34384635 46463130 37464133 30383143 41353636 436c0007 0802c105 018004c3 021c4d01 80018001 8001806c 00160b02 414202c1 02103741 46303741 32454642 30353437 353802c1 0502c104 07786f0c 0c180d1a 07786f0c 0c180d1a ffff0180 ff02c102 ffff0180 01801644 45464155 4c545f43 4f4e5355 4d45525f 47524f55 50ff0180 ffff3e53 3a343444 33363641 39413432 36433346 43453742 31463536 39373745 32343142 30354635 34424635 36384637 36373239 30363933 42463137 44373842 366c0016 0a034142 4302c102 10343043 30453645 45343937 34343442 3702c105 02c10407 786f0c0c <32 bytes per line> BBED> set offset 5522 OFFSET 5522 BBED> dump /v File: /opt/oracle/oradata/ora11g/system01.dbf (0) Block: 213 Offsets: 5522 to 6033 Dba:0x00000000 ------------------------------------------------------- 37414630 37413245 46423035 34373538 l 7AF07A2EFB054758 02c10502 c1040778 6f0c0c18 0d1a0778 l .......xo......x 6f0c0c18 0d1affff 0180ff02 c102ffff l o............... 018002c1 02164445 4641554c 545f434f l ......DEFAULT_CO 4e53554d 45525f47 524f5550 ff0180ff l NSUMER_GROUP.... ff3e533a 34344433 36364139 41343236 l .>S:44D366A9A426 43334643 45374231 46353639 37374532 l C3FCE7B1F56977E2 34314230 35463534 42463536 38463736 l 41B05F54BF568F76 37323930 36393342 46313744 37384236 l 7290693BF17D78B6 6c00160c 014102c1 02104437 33333435 l l....A....D73345 46453037 41364131 373402c1 0502c104 l FE07A6A174...... 07786f0c 0c181d0d 07786f0c 0c181d0d l .xo......xo..... ffff0180 ff02c102 ffff0180 01801644 l ...............D 45464155 4c545f43 4f4e5355 4d45525f l EFAULT_CONSUMER_ 47524f55 50ff0180 ffff3e53 3a353934 l GROUP.....>S:594 36323843 41343436 46464431 35304630 l 628CA446FFD150F0 35374341 43374441 33323131 30374445 l 57CAC7DA321107DE 39423942 34384635 46463130 37464133 l 9B9B48F5FF107FA3 30383143 41353636 436c0007 0802c105 l 081CA566Cl...... 018004c3 021c4d01 80018001 8001806c l ......M........l 00160b02 414202c1 02103741 46303741 l ....AB....7AF07A 32454642 30353437 353802c1 0502c104 l 2EFB054758...... 07786f0c 0c180d1a 07786f0c 0c180d1a l .xo......xo..... ffff0180 ff02c102 ffff0180 01801644 l ...............D 45464155 4c545f43 4f4e5355 4d45525f l EFAULT_CONSUMER_ 47524f55 50ff0180 ffff3e53 3a343444 l GROUP.....>S:44D 33363641 39413432 36433346 43453742 l 366A9A426C3FCE7B 31463536 39373745 32343142 30354635 l 1F56977E241B05F5 34424635 36384637 36373239 30363933 l 4BF568F767290693 42463137 44373842 366c0016 0a034142 l BF17D78B6l....AB 4302c102 10343043 30453645 45343937 l C....40C0E6EE497 34343442 3702c105 02c10407 786f0c0c l 444B7.......xo.. <16 bytes per line> BBED> modify /c 40C0E6EE497444B7 BBED-00215: editing not allowed in BROWSE mode BBED> set mode edit MODE Edit BBED> modify /c 40C0E6EE497444B7 Warning: contents of previous BIFILE will be lost. Proceed? (Y/N) y File: /opt/oracle/oradata/ora11g/system01.dbf (0) Block: 213 Offsets: 5522 to 6033 Dba:0x00000000 ------------------------------------------------------------------------ 34304330 45364545 34393734 34344237 02c10502 c1040778 6f0c0c18 0d1a0778 6f0c0c18 0d1affff 0180ff02 c102ffff 018002c1 02164445 4641554c 545f434f 4e53554d 45525f47 524f5550 ff0180ff ff3e533a 34344433 36364139 41343236 43334643 45374231 46353639 37374532 34314230 35463534 42463536 38463736 37323930 36393342 46313744 37384236 6c00160c 014102c1 02104437 33333435 46453037 41364131 373402c1 0502c104 07786f0c 0c181d0d 07786f0c 0c181d0d ffff0180 ff02c102 ffff0180 01801644 45464155 4c545f43 4f4e5355 4d45525f 47524f55 50ff0180 ffff3e53 3a353934 36323843 41343436 46464431 35304630 35374341 43374441 33323131 30374445 39423942 34384635 46463130 37464133 30383143 41353636 436c0007 0802c105 018004c3 021c4d01 80018001 8001806c 00160b02 414202c1 02103741 46303741 32454642 30353437 353802c1 0502c104 07786f0c 0c180d1a 07786f0c 0c180d1a ffff0180 ff02c102 ffff0180 01801644 45464155 4c545f43 4f4e5355 4d45525f 47524f55 50ff0180 ffff3e53 3a343444 33363641 39413432 36433346 43453742 31463536 39373745 32343142 30354635 34424635 36384637 36373239 30363933 42463137 44373842 366c0016 0a034142 4302c102 10343043 30453645 45343937 34343442 3702c105 02c10407 786f0c0c <32 bytes per line> BBED> dump /v File: /opt/oracle/oradata/ora11g/system01.dbf (0) Block: 213 Offsets: 5522 to 6033 Dba:0x00000000 ------------------------------------------------------- 34304330 45364545 34393734 34344237 l 40C0E6EE497444B7 02c10502 c1040778 6f0c0c18 0d1a0778 l .......xo......x 6f0c0c18 0d1affff 0180ff02 c102ffff l o............... 018002c1 02164445 4641554c 545f434f l ......DEFAULT_CO 4e53554d 45525f47 524f5550 ff0180ff l NSUMER_GROUP.... ff3e533a 34344433 36364139 41343236 l .>S:44D366A9A426 43334643 45374231 46353639 37374532 l C3FCE7B1F56977E2 34314230 35463534 42463536 38463736 l 41B05F54BF568F76 37323930 36393342 46313744 37384236 l 7290693BF17D78B6 6c00160c 014102c1 02104437 33333435 l l....A....D73345 46453037 41364131 373402c1 0502c104 l FE07A6A174...... 07786f0c 0c181d0d 07786f0c 0c181d0d l .xo......xo..... ffff0180 ff02c102 ffff0180 01801644 l ...............D 45464155 4c545f43 4f4e5355 4d45525f l EFAULT_CONSUMER_ 47524f55 50ff0180 ffff3e53 3a353934 l GROUP.....>S:594 36323843 41343436 46464431 35304630 l 628CA446FFD150F0 35374341 43374441 33323131 30374445 l 57CAC7DA321107DE 39423942 34384635 46463130 37464133 l 9B9B48F5FF107FA3 30383143 41353636 436c0007 0802c105 l 081CA566Cl...... 018004c3 021c4d01 80018001 8001806c l ......M........l 00160b02 414202c1 02103741 46303741 l ....AB....7AF07A 32454642 30353437 353802c1 0502c104 l 2EFB054758...... 07786f0c 0c180d1a 07786f0c 0c180d1a l .xo......xo..... ffff0180 ff02c102 ffff0180 01801644 l ...............D 45464155 4c545f43 4f4e5355 4d45525f l EFAULT_CONSUMER_ 47524f55 50ff0180 ffff3e53 3a343444 l GROUP.....>S:44D 33363641 39413432 36433346 43453742 l 366A9A426C3FCE7B 31463536 39373745 32343142 30354635 l 1F56977E241B05F5 34424635 36384637 36373239 30363933 l 4BF568F767290693 42463137 44373842 366c0016 0a034142 l BF17D78B6l....AB 4302c102 10343043 30453645 45343937 l C....40C0E6EE497 34343442 3702c105 02c10407 786f0c0c l 444B7.......xo.. <16 bytes per line> BBED> sum apply Check value for File 0, Block 213: current = 0x45e5, required = 0x45e5 BBED> exit [oracle@node1 db_1]$ sqlplus / as sysdba SQL*Plus: Release 11.2.0.3.0 Production on Fri Dec 16 15:02:43 2011 Copyright (c) 1982, 2011, Oracle. All rights reserved. Connected to an idle instance. SQL> startuup SP2-0042: unknown command "startuup" - rest of line ignored. SQL> startup ORACLE instance started. Total System Global Area 2137886720 bytes Fixed Size 2230072 bytes Variable Size 1493174472 bytes Database Buffers 637534208 bytes Redo Buffers 4947968 bytes Database mounted. Database opened. SQL> conn ab/cxifenfei ERROR: ORA-01017: 用户名/口令无效; 登录被拒绝 Warning: You are no longer connected to ORACLE. SQL> conn / as sysdba Connected. SQL> select user#,name,password from user$ where name in ('AB','ABC'); USER# NAME PASSWORD ---------- ------------------------------ ------------------------------ 97 AB 40C0E6EE497444B7 96 ABC 40C0E6EE497444B7跟踪alter user ab identified by xifenfei知道,因为user$.SPARE4在每次修改密码后,都会改变,应该oracle采用某种机制生产该值,然后登陆时验证该值,期待高手破解该值
11G区分大小写。