[20160906] Modifying the password in memory.txt
--Yesterday I tested modifying data block contents in memory, and it suddenly occurred to me: if I modify the hash of the password in the sys.user$ data block in memory, can I fool the system's authentication and use a password of my own choosing? Related link: http://blog.itpub.net/267265/viewspace-2124466/ => [20160904] Modifying data in memory.txt
--On reflection that is not right: I can modify the password hash in the sys.user$ data block in memory, but the user entry also has to be loaded into the shared pool as part of the data dictionary, so modifying only the data block obviously achieves nothing. But under unix everything is a file, so what if I directly modify the corresponding information in the memory segments? Let's test it and see.
1. Environment:
SYS@book> @ &r/ver1
PORT_STRING VERSION BANNER
------------------------------ -------------- --------------------------------------------------------------------------------
x86_64/Linux 2.4.xx 11.2.0.4.0 Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
--Also note that ASMM automatic memory management must be in use, so that the segments show up as individual files under /dev/shm. (With manual management, memory_target=0, that case is set aside for now.)
--The difference is as follows:
$ ls -l /dev/shm/ora_book_*|wc
153 1224 13346
SCOTT@book> column SPARE4 format a62
SCOTT@book> select password, spare4 from sys.user$ where name = 'SCOTT';
PASSWORD SPARE4
------------------------------ --------------------------------------------------------------
0EDE56329E1D82EA S:2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EF
--The current password is book.
--If the password were tiger, it would be displayed as follows: (this step can be done first, to pin down the target hash)
SYS@book> select password, spare4 from sys.user$ where name = 'SCOTT';
PASSWORD SPARE4
------------------------------ --------------------------------------------------------------
F894844C34402B67 S:332623D5C1D6892E193E237C07028356C9E6E45E93A94AD331E059B88EEE
--My test is to change the password to tiger, then check that the scott user can connect with the password tiger.
2. Searching with strings
$ strings ora_book_* | grep 2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EF
>S:2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EFl
S:2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EF
>S:2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EFl
>S:2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EFl
$ grep 2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EF ora_book_847*
Binary file ora_book_84738051_100 matches
Binary file ora_book_84738051_147 matches
Binary file ora_book_84738051_91 matches
--So the password information is in these 3 "files".
--Taking one of the files as an example:
$ strings -t d ora_book_84738051_100 | grep 2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EF
3557487 >S:2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EFl
--// The leading number is the offset. The password is actually 62 characters long, but there are some characters in front of it such as >, so I gave bvi some margin and chose a length of 64.
--// -b is the start offset, -s is the length.
$ bvi -b 3557487 -s 64 ora_book_84738051_100
--Replace S:2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EF
-- with S:332623D5C1D6892E193E237C07028356C9E6E45E93A94AD331E059B88EEE
--If you are familiar with vi, using bvi is simple: press tab to move to the left pane, move to the start of the word beginning with S, press R (having copied the replacement string beforehand) and paste over it directly; that's it.
--The other "files" are modified in the same way. ora_book_84738051_91 has 2 occurrences.
$ strings -t d ora_book_84738051_91 | grep 2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EF
2697155 >S:2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EFl
2697327 >S:2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EFl
$ bvi -b 2697155 -s 64 ora_book_84738051_91
$ bvi -b 2697327 -s 64 ora_book_84738051_91
3. Checking after the modification:
$ strings ora_book_* | grep 2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EF
--The string 2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EF is no longer present.
--Test:
$ rlsql scott/tiger
SQL*Plus: Release 11.2.0.4.0 Production on Tue Sep 6 08:31:14 2016
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
--^_^, the password has become tiger. And the corresponding data block has not been modified.
SCOTT@book> select rowid,password, spare4 from sys.user$ where name = 'SCOTT';
ROWID PASSWORD SPARE4
------------------ ------------------------------ --------------------------------------------------------------
AAAAAKAABAAAADVAAC 0EDE56329E1D82EA S:332623D5C1D6892E193E237C07028356C9E6E45E93A94AD331E059B88EEE
--The data block in memory has been modified.
SCOTT@book> @ &r/rowid AAAAAKAABAAAADVAAC
OBJECT FILE BLOCK ROW ROWID_DBA DBA TEXT
---------- ---------- ---------- ---------- -------------------- -------------------- ----------------------------------------
10 1 213 2 0x4000D5 1,213 alter system dump datafile 1 block 213 ;
--Examining the data block with bbed:
BBED> set dba 1,213
DBA 0x004000d5 (4194517 1,213)
BBED> x /rccc *kdbr[10]
rowdata[0] @1879
----------
flag@1879: 0x6c (KDRHFL, KDRHFF, KDRHFH, KDRHFC)
lock@1880: 0x02
cols@1881: 22
col 0[5] @1883: SCOTT
col 1[2] @1889: ..
col 2[16] @1892: 0EDE56329E1D82EA
col 3[2] @1909: ..
col 4[2] @1912: ..
col 5[7] @1915: xq.....
col 6[7] @1923: xt.....
col 7[7] @1931: xs.....
col 8[7] @1939: xs.....
col 9[1] @1947: .
col 10[0] @1949: *NULL*
col 11[2] @1950: ..
col 12[0] @1953: *NULL*
col 13[0] @1954: *NULL*
col 14[1] @1955: .
col 15[1] @1957: .
col 16[22] @1959: DEFAULT_CONSUMER_GROUP
col 17[0] @1982: *NULL*
col 18[1] @1983: .
col 19[0] @1985: *NULL*
col 20[0] @1986: *NULL*
col 21[62] @1987: S:2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EF
--The old password is still in the data block.
SCOTT@book> alter system checkpoint ;
System altered.
--Quit bbed and look again: it is the same.
BBED> x /rccc *kdbr[10]
rowdata[0] @1879
----------
flag@1879: 0x6c (KDRHFL, KDRHFF, KDRHFH, KDRHFC)
lock@1880: 0x02
cols@1881: 22
col 0[5] @1883: SCOTT
col 1[2] @1889: ..
col 2[16] @1892: 0EDE56329E1D82EA
col 3[2] @1909: ..
col 4[2] @1912: ..
col 5[7] @1915: xq.....
col 6[7] @1923: xt.....
col 7[7] @1931: xs.....
col 8[7] @1939: xs.....
col 9[1] @1947: .
col 10[0] @1949: *NULL*
col 11[2] @1950: ..
col 12[0] @1953: *NULL*
col 13[0] @1954: *NULL*
col 14[1] @1955: .
col 15[1] @1957: .
col 16[22] @1959: DEFAULT_CONSUMER_GROUP
col 17[0] @1982: *NULL*
col 18[1] @1983: .
col 19[0] @1985: *NULL*
col 20[0] @1986: *NULL*
col 21[62] @1987: S:2B8D7DCC974D7ADF61D50A28F54E8C021D8998A639D1A93B8AC20FFB50EF
--Restart the database:
$ rlsql scott/book
SQL*Plus: Release 11.2.0.4.0 Production on Tue Sep 6 08:39:21 2016
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
--Back to the original password book.
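--The whole test hinges on the oracle OS user being able to open the memory segment files under /dev/shm for writing; the defender's counterpart is to verify that those files keep their owner-only ownership and mode, since anyone who can write them can change authentication state without touching the data file and without leaving a trace on disk. The following is an added Python example, not part of the original note; it assumes a baseline of owner-only access (mode 0600, owned by the Oracle software owner and its group) and audits constructed stat values, with collect_live_segments() available for a real host.

```python
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List
@dataclass
class ShmSegment:
    """One /dev/shm/ora_* segment file, reduced to the fields the audit needs."""
    path: str
    mode: int  # full st_mode as returned by os.stat()
    uid: int
    gid: int

def segment_findings(seg: ShmSegment, owner_uid: int, owner_gid: int) -> List[str]:
    """Problems with one segment file; an empty list means it matches the baseline
    assumed here: owned by the Oracle software owner and its group, mode 0600."""
    findings = []
    perm = stat.S_IMODE(seg.mode)
    if seg.uid != owner_uid:
        findings.append(f"{seg.path}: owner uid {seg.uid}, expected {owner_uid}")
    if seg.gid != owner_gid:
        findings.append(f"{seg.path}: group gid {seg.gid}, expected {owner_gid}")
    if perm & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other bit set
        findings.append(f"{seg.path}: mode {perm:04o} is open to group/other")
    return findings

def audit_segments(segments: Iterable[ShmSegment], owner_uid: int, owner_gid: int) -> List[str]:
    """Run segment_findings over every segment and flatten the results."""
    return [f for seg in segments for f in segment_findings(seg, owner_uid, owner_gid)]

def collect_live_segments(shm_dir: str = "/dev/shm", prefix: str = "ora_") -> List[ShmSegment]:
    """Stat the real segment files on this host; returns [] when there are none."""
    out = []
    if os.path.isdir(shm_dir):
        for name in sorted(os.listdir(shm_dir)):
            if name.startswith(prefix):
                full = os.path.join(shm_dir, name)
                st = os.stat(full)
                out.append(ShmSegment(full, st.st_mode, st.st_uid, st.st_gid))
    return out

# Constructed sample standing in for os.stat() results: uid 1001 / gid 1002 play the
# Oracle owner and its group; the third file is deliberately group-writable.
SAMPLE = [
    ShmSegment("/dev/shm/ora_book_84738051_100", 0o100600, 1001, 1002),
    ShmSegment("/dev/shm/ora_book_84738051_91", 0o100600, 1001, 1002),
    ShmSegment("/dev/shm/ora_book_84738051_147", 0o100660, 1001, 1002),
]
def demo() -> List[str]:
    return audit_segments(SAMPLE, owner_uid=1001, owner_gid=1002)
```

On a live host, `audit_segments(collect_live_segments(), uid, gid)` with the real owner's ids gives the same kind of report; any non-empty result means someone other than the Oracle owner can reach the in-memory copy of sys.user$.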