[20171101]修改oracle口令安全問題.txt

lfree發表於2017-11-01
Oracle

[20171101]修改oracle口令安全問題.txt

--//等保的問題,做一些關於修改oracle口令方面的測試.

1.oracle修改口令一般如下方式:

alter user scott identified by oracle;
password scott
第三方工具,通常也是執行以上類似的命令.我使用SQL Tracker(toad自帶的工具)測試,實際上執行的也是第1種方式.

2.測試:
--//我自己曾經建立一個指令碼(我修改加入包含alter的內容):
# cat -v Tcpdumpsql
#! /bin/bash
/usr/sbin/tcpdump  -l -i eth0 -s 16384 -A -nn src host $1 and dst port 1521 2>/dev/null |  tee -a /tmp/aa1 |sed -u -e  "s/^M/!/g;s/^E\.\..\{1,100\}//;s/\.*$//;s/^\.*//" | \
awk '{if (tolower($0) ~ "select" || tolower($0) ~ "update" ||  tolower($0) ~ "delete" ||tolower($0) ~ "alter" || tolower($0) ~ "insert" || $0 ~ "ORA-" ) {p=1;print} \
else if(p == 1 && $0 !~ "^[0-9][0-9]:") {print} else if ($0 ~ "^[0-9][0-9]:") {p=0}}'

--//注:^M 實際上在vi裡面要透過ctrl+v ctrl+m輸入(windows下ctrl+q ctrl+m),主要是因為我們開發寫PB程式碼使用~r而沒有加~n,這樣
--//在顯示時因為沒有換行顯示內容會被覆蓋.

3.測試alter user修改口令:
--//在client端登入,執行如下測試命令:
select sysdate from dual;
alter user scott identified by oracle;
select Sysdate from dual;

--//在伺服器執行:
# Tcpdumpsql cliend_ip
--//注:client_id換成對應的ip.
select sysdate from dual
%alter user scott identified by oracle
select Sysdate from dual

--//很明顯修改口令的命令暴露無遺.

4.測試password修改口令:
--//在client端登入,執行如下測試命令:
select sysdate from dual;
password
select Sysdate from dual;

--//在伺服器執行:
# Tcpdumpsql cliend_ip
select sysdate from dual
        ....................SCOTT.....AUTH_SESSKEY........!...!AUTH_PASSWORD@...@1498887FF997E2D432717C036E8672E9858F261F5A058B6927A9CE4DA137D1AD.........AUTH_NEWPASSWORD@...@FD4CD857F51847B1B86CFDC3263776C365CC27A33FACD76763AB40FE3B073052....!...!AUTH_TERMINAL.....IKD84BCP.........AUTH_PROGRAM_NM.....sqlplus.exe.........AUTH_MACHINE.....WORKGROUP\IKD84BCP.........AUTH_PID        ...     1404:5880.........AUTH_SID!...!Administrator.........AUTH_ALTER_SESSION......ALTER SESSION SET NLS_LANGUAGE= 'AMERICAN' NLS_TERRITORY= 'AMERICA' NLS_CURRENCY= '$' NLS_ISO_CURRENCY= 'AMERICA' NLS_NUMERIC_CHARACTERS= '.,' NLS_CALENDAR= 'GREGORIAN' NLS_DATE_FORMAT= 'YYYY-MM-DD HH24:MI:SS' NLS_DATE_LANGUAGE= 'AMERICAN' NLS_SORT= 'BINA.RY' TIME_ZONE= '+08:00' NLS_COMP= 'BINARY' NLS_DUAL_CURRENCY= '$' NLS_TIME_FORMAT= 'HH.MI.SSXFF AM' NLS_TIMESTAMP_FORMAT= 'YYYY-MM-DD HH24:MI:SS.FF' NLS_TIME_TZ_FORMAT= 'HH.MI.SSXFF AM TZR' NLS_TIMESTAMP_TZ_FORMAT= 'YYYY-MM-DD HH24:MI:SS.FF TZH:TZM'
select Sysdate from dual

--//做一些格式化處理
....................SCOTT.....AUTH_SESSKEY........!...!AUTH_PASSWORD@...@1498887FF997E2D432717C036E8672E9858F261F5A058B6927A9CE4DA137D1AD
.........AUTH_NEWPASSWORD@...@FD4CD857F51847B1B86CFDC3263776C365CC27A33FACD76763AB40FE3B073052....!...!AUTH_TERMINAL.....IKD84BCP
.........AUTH_PROGRAM_NM.....sqlplus.exe.........AUTH_MACHINE.....WORKGROUP\IKD84BCP.........AUTH_PID        ...    
1404:5880.........AUTH_SID!...!Administrator.........AUTH_ALTER_SESSION......ALTER SESSION SET NLS_LANGUAGE= 'AMERICAN'
NLS_TERRITORY= 'AMERICA' NLS_CURRENCY= '$' NLS_ISO_CURRENCY= 'AMERICA' NLS_NUMERIC_CHARACTERS= '.,'
NLS_CALENDAR= 'GREGORIAN' NLS_DATE_FORMAT= 'YYYY-MM-DD HH24:MI:SS' NLS_DATE_LANGUAGE= 'AMERICAN' NLS_SORT= 'BINA.RY' TIME_ZONE= '+08:00'
NLS_COMP= 'BINARY' NLS_DUAL_CURRENCY= '$' NLS_TIME_FORMAT= 'HH.MI.SSXFF AM' NLS_TIMESTAMP_FORMAT= 'YYYY-MM-DD HH24:MI:SS.FF'
NLS_TIME_TZ_FORMAT= 'HH.MI.SSXFF AM TZR' NLS_TIMESTAMP_TZ_FORMAT= 'YYYY-MM-DD HH24:MI:SS.FF TZH:TZM'


SYS@book> column SPARE4 format a70
SYS@book> select name,password,spare4 from user$ where name='SCOTT';
NAME  PASSWORD                       SPARE4
----- ------------------------------ ----------------------------------------------------------------------
SCOTT 0EDE56329E1D82EA               S:52BD300CE604E12EB9D6731005A8294E77D62C898D4C7CB2827DFCAE90AC

--//從這裡看出,改變口令使用password更加安全一些.

來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/267265/viewspace-2146665/,如需轉載,請註明出處,否則將追究法律責任。

相關文章