[20191127] Computing a table's full Hash Value.txt
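--//I previously worked out how a table's full Hash Value is computed. At that time I created simple schema and table names
--//and used hashcat to crack Oracle's table full Hash Value computation. Reference links:
http://blog.itpub.net/267265/viewspace-2149366/ => [20171227] Computing a table's FULL_HASH_VALUE
http://blog.itpub.net/267265/viewspace-2214232/ => [20180914] How the oracle 12c table full_hash_value is computed.txt
--//The conclusions were:
--//A table's FULL_HASH_VALUE is computed from table_name.owner followed by "\01\0\0\0".
--//12c introduced PDBs; a table's full_hash_value is the md5sum of table_name.owner.con_name\01\0\0\0.
--//Yesterday I read a blog post, link: https://mvelikikh.blogspot.com/2019/07/vdbpipes-unveiling-truth-of-oracle-hash.html
--//The author used DebugTrace to find Oracle's internal functions, mainly kggmd5Update, to determine which characters take part in the computation.
--//I am merely repeating the author's test to verify this process:
1. Environment: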
SYS@book> @ ver1
PORT_STRING VERSION BANNER
------------------------------ -------------- --------------------------------------------------------------------------------
x86_64/Linux 2.4.xx 11.2.0.4.0 Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
2. Locate the relevant internal functions:
$ gdb $(which oracle )
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-45.el5)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<
Reading symbols from /u01/app/oracle/product/11.2.0.4/dbhome_1/bin/oracle...(no debugging symbols found)...done.
(gdb) disassemble kglComputeHash
...
0x00000000098445d8 <kglComputeHash+96>: movl $0xefcdab89,0x4(%r9)
0x00000000098445e0 <kglComputeHash+104>: mov -0x48(%rbp),%r10
0x00000000098445e4 <kglComputeHash+108>: movl $0x98badcfe,0x8(%r10)
0x00000000098445ec <kglComputeHash+116>: mov -0x48(%rbp),%r11
0x00000000098445f0 <kglComputeHash+120>: movl $0x10325476,0xc(%r11)
0x00000000098445f8 <kglComputeHash+128>: mov 0x10(%r15),%rsi
0x00000000098445fc <kglComputeHash+132>: mov (%r15),%edx
0x00000000098445ff <kglComputeHash+135>: callq 0x97f09a4 <kggmd5Update>
0x0000000009844604 <kglComputeHash+140>: movzbl 0x8(%r15),%eax
0x0000000009844609 <kglComputeHash+145>: test %eax,%eax
0x000000000984460b <kglComputeHash+147>: je 0x984463a <kglComputeHash+194>
0x000000000984460d <kglComputeHash+149>: lea -0x90(%rbp),%rdi
0x0000000009844614 <kglComputeHash+156>: lea 0x6359d1(%rip),%rsi # 0x9e79fec <_2__STRING.98.0>
0x000000000984461b <kglComputeHash+163>: mov $0x1,%edx
0x0000000009844620 <kglComputeHash+168>: callq 0x97f09a4 <kggmd5Update>
...
--//You can see several calls to kggmd5Update.
3. Create the gdb script:
$ cat md5.gdb
set pagination off
break kggmd5Update
commands
printf "Length: %d\n",$rdx
x/8xc $rsi
c
end
break kglComputeHash
commands
c
end
break kggmd5Process
commands
c
end
break kggmd5Finish
commands
c
end
--//session 1:
SCOTT@book> @ spid
SID SERIAL# PROCESS SERVER SPID PID P_SERIAL# C50
---------- ---------- ------------------------ --------- ------ ------- ---------- --------------------------------------------------
75 751 21617 DEDICATED 21618 29 156 alter system kill session '75,751' immediate;
--//session 2:
$ gdb -p 21618 -x md5.gdb
...
Breakpoint 1 at 0x97f09a8
Breakpoint 2 at 0x984457c
Breakpoint 3 at 0x97f14be
Breakpoint 4 at 0x97f0830
--//session 1:
SCOTT@book> desc emp
Name Null? Type
-------- -------- ------------
EMPNO NOT NULL NUMBER(4)
ENAME VARCHAR2(10)
JOB VARCHAR2(9)
MGR NUMBER(4)
HIREDATE DATE
SAL NUMBER(7,2)
COMM NUMBER(7,2)
DEPTNO NUMBER(2)
--//session 2, press c to continue:
Breakpoint 2, 0x000000000984457c in kglComputeHash ()
Breakpoint 1, 0x00000000097f09a8 in kggmd5Update ()
Length: 3
0x7faa77e1fca8: 69 'E' 77 'M' 80 'P' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
--//length=3, EMP is the table name.
Breakpoint 1, 0x00000000097f09a8 in kggmd5Update ()
Length: 1
0x9e79fec <_2__STRING.98.0>: 46 '.' 0 '\000' 0 '\000' 0 '\000' 107 'k' 116 't' 99 'c' 110 'n'
--//length=1, the dot character.
Breakpoint 1, 0x00000000097f09a8 in kggmd5Update ()
Length: 5
0x863db2f4: 83 'S' 67 'C' 79 'O' 84 'T' 84 'T' 0 '\000' 0 '\000' 0 '\000'
--//length=5, SCOTT is the owner.
Breakpoint 1, 0x00000000097f09a8 in kggmd5Update ()
Length: 4
0x7fffbb155800: 1 '\001' 0 '\000' 0 '\000' 0 '\000' -1 '' 127 '\177' 0 '\000' 0 '\000'
--//length=4, the bytes '\001\000\000\000'
Breakpoint 4, 0x00000000097f0830 in kggmd5Finish ()
Breakpoint 1, 0x00000000097f09a8 in kggmd5Update ()
Length: 43
0xbefbe20 <kggmd5padding.0>: -128 '\200' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
Breakpoint 1, 0x00000000097f09a8 in kggmd5Update ()
Length: 8
0x7fffbb155750: 104 'h' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
--//Concatenated, these bytes are EMP.SCOTT\001\000\000\000; the table's md5 is computed over exactly this content.
SYS@book> select dbms_crypto.hash(rawtohex('EMP.SCOTT'||chr(1)||chr(0)||chr(0)||chr(0)), 2) c40 from dual;
C40
----------------------------------------
1EA14E682B60AB3ED11D8E77D1E781E2
--//1EA14E682B60AB3ED11D8E77D1E781E2 with the bytes of each 4-byte group reversed is 684ea11e 3eab602b 778e1dd1 e281e7d1
--//Let's verify:
SYS@book> select owner,name,namespace,type,hash_value,full_hash_value from V$DB_OBJECT_CACHE where owner='SCOTT' and name='EMP';
OWNER NAME NAMESPACE TYPE HASH_VALUE FULL_HASH_VALUE
------ ---- --------------- ----- ---------- --------------------------------
SCOTT EMP TABLE/PROCEDURE TABLE 3800164305 684ea11e3eab602b778e1dd1e281e7d1
--//The byte-reversed result matches exactly. The trailing chr(1)||chr(0)||chr(0)||chr(0) is in fact related to the namespace. You can run the following to confirm:
--//select distinct kglhdnsp,kglhdnsd,kglobtyd from x$kglob order by 1;
--//Computing it with operating-system commands:
$ echo -e -n 'EMP.SCOTT\01\0\0\0' | md5sum | sed 's/ -//' | xxd -r -p | od -t x4 | sed -n -e 's/^0000000 //' -e 's/ //gp'
684ea11e3eab602b778e1dd1e281e7d1
--//As you can see, it matches exactly.
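--//Added example (not part of the original post or of Oracle's code): the same computation in Python, which also checks the two kggmd5Update calls seen under kggmd5Finish (Length 43 and Length 8).
--//Assumptions: the function names are hypothetical, the 4 trailing bytes are the namespace id as a little-endian 32-bit integer, and the con_name form follows the 12c conclusion quoted at the top.

```python
import hashlib
import struct

def kgl_name_bytes(name, owner, namespace=1, con_name=None):
    """Bytes fed to MD5, in the order seen in the kggmd5Update trace."""
    parts = [name, owner] + ([con_name] if con_name else [])
    # Assumption: trailing bytes = namespace id, little-endian 32-bit
    # (1 -> \x01\x00\x00\x00, which is what the trace shows for a table).
    return ".".join(parts).encode("ascii") + struct.pack("<I", namespace)

def full_hash_value(name, owner, namespace=1, con_name=None):
    data = kgl_name_bytes(name, owner, namespace, con_name)
    digest = hashlib.md5(data).digest()
    # The view shows the digest as four 32-bit words read little-endian,
    # i.e. the bytes inside every 4-byte group are reversed.
    return "".join("%08x" % w for w in struct.unpack("<4I", digest))

def hash_value(fhv):
    # In the V$DB_OBJECT_CACHE row above, HASH_VALUE equals the last
    # 32-bit word of FULL_HASH_VALUE.
    return int(fhv[-8:], 16)

def md5_finish_updates(msg_len):
    """Length of the padding update and content of the length update."""
    pad_len = (55 - msg_len) % 64 + 1         # 0x80, then zeros up to 56 mod 64
    bit_len = struct.pack("<Q", msg_len * 8)  # message length in bits
    return pad_len, bit_len

if __name__ == "__main__":
    msg = kgl_name_bytes("EMP", "SCOTT")
    fhv = full_hash_value("EMP", "SCOTT")
    print(msg)
    print(fhv, hash_value(fhv))
    print(md5_finish_updates(len(msg)))
```

--//The 13-byte message explains the trace: 43 padding bytes starting with \200, then the bit length 104, whose first byte is 'h'.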
From the ITPUB blog, link: http://blog.itpub.net/267265/viewspace-2665902/. If you repost this, please credit the source; otherwise legal liability will be pursued.