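Oracle 10g: guessing database user passwords from the user$ table and bypassing the password to log in to the database
1. Check the Oracle database version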
SQL> select * from v$version;
BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Prod
PL/SQL Release 10.2.0.4.0 - Production
CORE 10.2.0.4.0 Production
TNS for Linux: Version 10.2.0.4.0 - Production
NLSRTL Version 10.2.0.4.0 - Production
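2. Guessing how Oracle 10g hashes passwords in the user$ table
In the user$ table, password = hash(user||password), so two users whose user name and password concatenate to the same string get the same hash: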
SQL> create user xff identified by oracleplus;
User created.
SQL> create user xf identified by foracleplus;
User created.
SQL> select name,password from user$ where name in('XF','XFF');
NAME PASSWORD
------------------------------ ------------------------------
XF 1B60F4BFF1DAB500
XFF 1B60F4BFF1DAB500
3. Bypassing the Oracle password at login by modifying user$.password
-- Create two users that can log in
SQL> grant connect to ab identified by oracleplus;
Grant succeeded.
SQL> grant connect to abc identified by oracleplus;
Grant succeeded.
-- Look at the user names and password values
SQL> select user#,name,password from user$ where name in ('AB','ABC');
USER# NAME PASSWORD
---------- ------------------------------ ------------------------------
63 AB 7AF07A2EFB054758
64 ABC 40C0E6EE497444B7
-- Set user ab's password value to the same as abc's; the password for ab should then be coracleplus
SQL> update user$ set password='40C0E6EE497444B7' where user#=63;
1 row updated.
SQL> commit;
Commit complete.
SQL> select user#,name,password from user$ where name in ('AB','ABC');
USER# NAME PASSWORD
---------- ------------------------------ ------------------------------
63 AB 40C0E6EE497444B7
64 ABC 40C0E6EE497444B7
-- Login fails after the change
SQL> conn ab/coracleplus
ERROR:
ORA-01017: 用户名/口令无效; 登录被拒绝
Warning: You are no longer connected to ORACLE.
SQL> conn / as sysdba
Connected.
-- ab's user$.password has been reset to its original value
SQL> select user#,name,password from user$ where name in ('AB','ABC');
USER# NAME PASSWORD
---------- ------------------------------ ------------------------------
63 AB 7AF07A2EFB054758
64 ABC 40C0E6EE497444B7
SQL> update user$ set password='40C0E6EE497444B7' where user#=63;
1 row updated.
SQL> commit;
Commit complete.
SQL> select user#,name,password from user$ where name in ('AB','ABC');
USER# NAME PASSWORD
---------- ------------------------------ ------------------------------
63 AB 40C0E6EE497444B7
64 ABC 40C0E6EE497444B7
-- Flush the data buffer and the shared pool
SQL> alter system flush buffer_cache ;
System altered.
SQL> alter system flush shared_buffer;
alter system flush shared_buffer
*
ERROR at line 1:
ORA-02000: missing SHARED_POOL/BUFFER_CACHE/GLOBAL CONTEXT keyword
SQL> alter system flush shared_pool;
System altered.
-- ab's password has been changed to coracleplus successfully
SQL> conn ab/coracleplus
Connected.
SQL> show user;
USER is "AB"
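4. Method for logging in to the database without the password
1) Create a user whose name is similar to the user you need to log in as (usually with one or more extra characters at the end)
2) Query the created user's user$.password and set the target user's password to that value
3) Flush the data buffer and the shared pool
4) Log in as the target user with the password made of the extra characters in the created user's name + the created user's password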
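Because password = hash(user||password), accounts that share a user$.password value are the trace this technique leaves, and a defender can audit for them. The following is an added example, not code from the original page; the row layout mirrors the page's query output, and the function names and the APP1, REPORT and BATCH rows are assumptions made up for the illustration.

```python
from collections import defaultdict

# Constructed sample in the shape of "select user#,name,password from user$".
# The XF/XFF and AB/ABC names and hashes are the ones shown on the page; the
# user# values for XF/XFF and the APP1/REPORT/BATCH rows are made up here.
SAMPLE_ROWS = [
    (61, "XF", "1B60F4BFF1DAB500"),
    (62, "XFF", "1B60F4BFF1DAB500"),
    (63, "AB", "40C0E6EE497444B7"),
    (64, "ABC", "40C0E6EE497444B7"),
    (70, "APP1", "00112233AABBCCDD"),
    (71, "REPORT", "00112233AABBCCDD"),
    (72, "BATCH", "0F1E2D3C4B5A6978"),
]


def shared_hash_groups(rows):
    """Map each password hash used by more than one account to its names."""
    groups = defaultdict(list)
    for _user_no, name, pw_hash in rows:
        if pw_hash:  # rows without a hash cannot be compared
            groups[pw_hash.upper()].append(name.upper())
    return {h: sorted(n) for h, n in groups.items() if len(n) > 1}


def audit(rows):
    """Classify every pair of accounts that share a user$.password value.

    With password = hash(user || password), two accounts get the same hash
    through normal password changes only if one name is a prefix of the
    other. Any other pair points to a copied hash (or a true collision).
    """
    findings = []
    for pw_hash, names in sorted(shared_hash_groups(rows).items()):
        for i, first in enumerate(names):
            for second in names[i + 1:]:
                short, long_ = sorted((first, second), key=len)
                if long_.startswith(short):
                    kind, extra = "prefix-related", long_[len(short):]
                else:
                    kind, extra = "unrelated-names", None
                findings.append((kind, short, long_, extra, pw_hash))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```

A prefix-related finding means the shorter account accepts the extra characters followed by the longer account's password, whether that came from a password change or from a direct update of user$ as shown above; an unrelated-names finding cannot come from a normal password change and deserves a look at who wrote to user$.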