[20191127]表 full Hash Value的计算.txt
[20191127]表 full Hash Value的计算.txt
--//曾经做过表full Hash Value的计算,当时我是通过建立简单的schema以及表名的形式,使用hashcat破解oracle的
--//表 full Hash Value的计算,参考链接:
http://blog.itpub.net/267265/viewspace-2149366/ => [20171227]表的FULL_HASH_VALUE值的计算
http://blog.itpub.net/267265/viewspace-2214232/ => [20180914]oracle 12c 表 full_hash_value如何计算.txt
--//得到的结论是:
--//表的FULL_HASH_VALUE计算就是table_name.owner加上"1".
--//12c引入了PDB,表的full_hash_value是table_name.owner.con_name1的md5sum值.
--//昨天看了一篇博客,链接https://mvelikikh.blogspot.com/2019/07/vdbpipes-unveiling-truth-of-oracle-hash.html
--//作者通过DebugTrace获得oracle内部函数,主要通过kggmd5Update,确定里面参与运算的字符.
--//我仅仅重复作者的测试验证这个过程:
1.环境:
SYS@book> @ ver1
PORT_STRING VERSION BANNER
------------------------------ -------------- --------------------------------------------------------------------------------
x86_64/Linux 2.4.xx 11.2.0.4.0 Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
2. 定位相关内部函数:
$ gdb $(which oracle )
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-45.el5)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
Reading symbols from /u01/app/oracle/product/11.2.0.4/dbhome_1/bin/oracle...(no debugging symbols found)...done.
(gdb) disassemble kglComputeHash
...
0x00000000098445d8
0x00000000098445e0
0x00000000098445e4
0x00000000098445ec
0x00000000098445f0
0x00000000098445f8
0x00000000098445fc
0x00000000098445ff
0x0000000009844604
0x0000000009844609
0x000000000984460b
0x000000000984460d
0x0000000009844614
0x000000000984461b
0x0000000009844620
...
--//你可以发现多处kggmd5Update的调用.
3.建立gdb脚本:
$ cat md5.gdb
set pagination off
break kggmd5Update
commands
printf "Length: %d
",$rdx
x/8xc $rsi
c
end
break kglComputeHash
commands
c
end
break kggmd5Process
commands
c
end
break kggmd5Finish
commands
c
end
--//session 1:
SCOTT@book> @ spid
SID SERIAL# PROCESS SERVER SPID PID P_SERIAL# C50
---------- ---------- ------------------------ --------- ------ ------- ---------- --------------------------------------------------
75 751 21617 DEDICATED 21618 29 156 alter system kill session "75,751" immediate;
--//session 2:
$ gdb -p 21618 -x md5.gdb
...
Breakpoint 1 at 0x97f09a8
Breakpoint 2 at 0x984457c
Breakpoint 3 at 0x97f14be
Breakpoint 4 at 0x97f0830
--//session 1:
SCOTT@book> desc emp
Name Null? Type
-------- -------- ------------
EMPNO NOT NULL NUMBER(4)
ENAME VARCHAR2(10)
JOB VARCHAR2(9)
MGR NUMBER(4)
HIREDATE DATE
SAL NUMBER(7,2)
COMM NUMBER(7,2)
DEPTNO NUMBER(2)
--//session 2,按c继续:
Breakpoint 2, 0x000000000984457c in kglComputeHash ()
Breakpoint 1, 0x00000000097f09a8 in kggmd5Update ()
Length: 3
0x7faa77e1fca8: 69 "E" 77 "M" 80 "P" 0 "00" 0 "00" 0 "00" 0 "00" 0 "00"
--//length=3,EMP对应表
Breakpoint 1, 0x00000000097f09a8 in kggmd5Update ()
Length: 1
0x9e79fec <_2__STRING.98.0>: 46 "." 0 "00" 0 "00" 0 "00" 107 "k" 116 "t" 99 "c" 110 "n"
--//length=1 ,小数点.
Breakpoint 1, 0x00000000097f09a8 in kggmd5Update ()
Length: 5
0x863db2f4: 83 "S" 67 "C" 79 "O" 84 "T" 84 "T" 0 "00" 0 "00" 0 "00"
--//length=5 ,SCOTT就是owner.
Breakpoint 1, 0x00000000097f09a8 in kggmd5Update ()
Length: 4
0x7fffbb155800: 1 "01" 0 "00" 0 "00" 0 "00" -1 "" 127 "177" 0 "00" 0 "00"
--//length=4 ,字符"01000000"
Breakpoint 4, 0x00000000097f0830 in kggmd5Finish ()
Breakpoint 1, 0x00000000097f09a8 in kggmd5Update ()
Length: 43
0xbefbe20
Breakpoint 1, 0x00000000097f09a8 in kggmd5Update ()
Length: 8
0x7fffbb155750: 104 "h" 0 "00" 0 "00" 0 "00" 0 "00" 0 "00" 0 "00" 0 "00"
--//这些字符拼接起来就是EMP.SCOTT01000000,也就是表md5按照此内容计算.
SYS@book> select dbms_crypto.hash(rawtohex("EMP.SCOTT"||chr(1)||chr(0)||chr(0)||chr(0)), 2) c40 from dual;
C40
----------------------------------------
1EA14E682B60AB3ED11D8E77D1E781E2
--//1EA14E682B60AB3ED11D8E77D1E781E 按照4位反转就是 684ea11e 3eab602b 778e1dd1 0081e7d1
--//验证看看:
SYS@book> select owner,name,namespace,type,hash_value,full_hash_value from V$DB_OBJECT_CACHE where owner="SCOTT" and name="EMP";
OWNER NAME NAMESPACE TYPE HASH_VALUE FULL_HASH_VALUE
------ ---- --------------- ----- ---------- --------------------------------
SCOTT EMP TABLE/PROCEDURE TABLE 3800164305 684ea11e3eab602b778e1dd1e281e7d1
--//对比反转后结果完全能对上.后面的chr(1)||chr(0)||chr(0)||chr(0)实际上与namespace有关.可以执行如下确定:
--//select distinct kglhdnsp,kglhdnsd,kglobtyd from x$kglob order by 1;
--//使用操作系统命令计算如下:
$ echo -e -n "EMP.SCOTT1" | md5sum | sed "s/ -//" | xxd -r -p | od -t x4 | sed -n -e "s/^0000000 //" -e "s/ //gp"
684ea11e3eab602b778e1dd1e281e7d1
--//可以发现完成能对上.
免责声明:
① 本站未注明“稿件来源”的信息均来自网络整理。其文字、图片和音视频稿件的所属权归原作者所有。本站收集整理出于非商业性的教育和科研之目的,并不意味着本站赞同其观点或证实其内容的真实性。仅作为临时的测试数据,供内部测试之用。本站并未授权任何人以任何方式主动获取本站任何信息。
② 本站未注明“稿件来源”的临时测试数据将在测试完成后最终做删除处理。有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341