修改oracle口令安全问题

[20171225]变态的windows批处理4.txt

[oracle@hb shell_test]$ cat echo_time 
#!/bin/sh

[20171101]修改oracle口令安全难点.txt

--//后天求学windows 批管理的echo &.使用它能够达成类似回车换行的功能.例子:

一.最轻松易行的调用sqlplus
sqlplus -S "sys/unimas as sysdba" << !
select to_char(sysdate,'yyyy-mm-dd') today from dual;
exit;
!

--//等保的难题,做一些有关修改oracle口令方面包车型客车测量检验.

1.echo &.
R:>echo 1111 & echo 2222
1111
2222

[oracle@hb shell_test]$ ./echo_time 

1.oracle改换口令平常如下格局:

--//可是如若写成如下:

TODAY

2011-03-21

-S 是silent mode,不出口邻近“SQL>”,连接数据库,关闭数据库之类的新闻。

eof能够是任何字符串 举例"laldf"那么当您输入单独一行laldf时"shell以为输入完结,然而必得代表块开端必得利用<<;
千帆竞发和终结要合营那些符号“<<”后边的原委
举例子:

[oracle@hb shell_test]$ sqlplus -s "sys/unimas as sysdba" << abc
> select to_char(sysdate,'yyyy-mm-dd') today from dual;
> exit;
> abc

alter user scott identified by oracle;
password scott
其三方工具,日常也是实行以上类似的命令.作者使用SQL Tracker(toad自带的工具)测量试验,实际上试行的也是第1种格局.

R:>echo 1111 & echo 2222 > aa.txt
1111

TODAY

2011-03-21

二.sqlplus的结果传递给shell的诀要一

[oracle@hb shell_test]$ cat test2.sh 
#!/bin/bash
VALUE=`sqlplus -S "test/unimas" << !
set heading off
set feedback off
set pagesize 0
set verify off
set echo off
select to_char(sysdate,'yyyy-mm-dd') today from dual;
exit
!`
echo $VALUE
if [ -n "$VALUE" ]; then
echo "The rows is $VALUE"
exit 0
else
echo "There is no row"
fi

三.sqlplus的结果传递给shell的措施二

[oracle@hb shell_test]$ cat test1.sh 
#!/bin/bash
sqlplus -S "test/unimas" << !
set heading off
set feedback off
set pagesize 0
set verify off
set echo off
col coun new_value v_coun
select count(*) coun from lesson;
exit v_coun
!
VALUE="$?"
echo "show row:$VALUE"

col coun new_value v_coun v_coun为number类型。因为exit 只可以回去数值类型。

四.把shell参数字传送递给sqlplus

#!/bin/bash
t_id="$1"
sqlplus -S "test/unimas" << !
set heading off
set feedback off
set pagesize 0
set verify off
set echo off
select teachername from teacher where id=$t_id;
exit
!

五.sqlplus的结果存款和储蓄在文件中

#!/bin/sh
sqlplus -S "test/unimas"<<EOF
set heading off
set feedback off
set pagesize 0
set verify off
set echo off
spool spool_file
SELECT * from teacher;
spool off
exit;
EOF

http://blog.chinaunix.net/space.php?uid=9124312&do=blog&id=181372

 

####################################################################################################################################

翻开调解系统状态脚本:

#!/bin/sh

if [[ -z "$1" ]] || [[ "$1" -ne 0 && "$1" -ne 2 ]]       #使用[[ ]] 举办逻辑不通操作
then
    echo "Please input your parameter: query status[0,2]!"
    exit
fi

#for buname in cnlog enlog ItLog JrLog AuLog InnerLog
for buname in cnlog enlog
do
    sqlplus -S 'etl/etl@dw_testdb' << abc        #采用 << EOF方式输入音信     set line 155
    set pages 9999
    SELECT /* PARALLEL(a,4) */ * FROM $buname.hla_job_rec a where status = $1;
    exit
abc
done

2.测试:
--//作者本身早已树立多个剧本(笔者修改加入包涵alter的内容):
# cat -v Tcpdumpsql
#! /bin/bash
/usr/sbin/tcpdump  -l -i eth0 -s 16384 -A -nn src host $1 and dst port 1521 2>/dev/null |  tee -a /tmp/aa1 |sed -u -e  "s/^M/!/g;s/^E...{1,100}//;s/.*$//;s/^.*//" |
awk '{if (tolower($0) ~ "select" || tolower($0) ~ "update" ||  tolower($0) ~ "delete" ||tolower($0) ~ "alter" || tolower($0) ~ "insert" || $0 ~ "ORA-" ) {p=1;print}
else if(p == 1 && $0 !~ "^[0-9][0-9]:") {print} else if ($0 ~ "^[0-9][0-9]:") {p=0}}'

R:>cat aa.txt
2222

--//注:^M 实际上在vi里面要透过ctrl v ctrl m输入(windows下ctrl q ctrl m),首假如因为大家付出写PB代码使用~r而从不加~n,这样
--//在呈现时因为未有换行突显内容会被覆盖.

--//你能够开采1111,突显输出,而2222写入文件aa.txt,改写成管道看看.

3.测试alter user修改口令:
--//在client端登陆,实施如下测量检验命令:
select sysdate from dual;
alter user scott identified by oracle;
select Sysdate from dual;

R:>echo 1111 &echo 2222 | cat
1111
2222

--//在服务器实行:
# Tcpdumpsql cliend_ip
--//注:client_id换来对应的ip.
select sysdate from dual
%alter user scott identified by oracle
select Sysdate from dual

--//OK.实际上那一个是假象,第1行动显示器,第2行动管道,看上面包车型客车测验就驾驭了.假设要写到文件实际上要加括号,那几个跟linux有一个相似.
R:>(echo 1111 &echo 2222 ) > aa.txt

--//很显著改造口令的命令原形毕露.

R:>cat aa.txt
1111
2222

4.测验password修改口令:
--//在client端登陆,实行如下测量试验命令:
select sysdate from dual;
password
select Sysdate from dual;

--//那些倒是平常的意况.

--//在服务器试行:
# Tcpdumpsql cliend_ip
select sysdate from dual
        ....................SCOTT.....AUTH_SESSKEY........!...!AUTH_PASSWORD@...@1498887FF997E2D432717C036E8672E9858F261F5A058B6927A9CE4DA137D1AD.........AUTH_NEWPASSWORD@...@FD4CD857F51847B1B86CFDC3263776C365CC27A33FACD76763AB40FE3B073052....!...!AUTH_TERMINAL.....IKD84BCP.........AUTH_PROGRAM_NM.....sqlplus.exe.........AUTH_MACHINE.....WORKGROUPIKD84BCP.........AUTH_PID        ...     1404:5880.........AUTH_SID!...!Administrator.........AUTH_ALTER_SESSION......ALTER SESSION SET NLS_LANGUAGE= 'AMERICAN' NLS_TERRITORY= 'AMERICA' NLS_CURRENCY= '$' NLS_ISO_CURRENCY= 'AMERICA' NLS_NUMERIC_CHARACTERS= '.,' NLS_CALENDAR= 'GREGORIAN' NLS_DATE_FORMAT= 'YYYY-MM-DD HH24:MI:SS' NLS_DATE_LANGUAGE= 'AMERICAN' NLS_SORT= 'BINA.RY' TIME_ZONE= ' 08:00' NLS_COMP= 'BINARY' NLS_DUAL_CURRENCY= '$' NLS_TIME_FORMAT= 'HH.MI.SSXFF AM' NLS_TIMESTAMP_FORMAT= 'YYYY-MM-DD HH24:MI:SS.FF' NLS_TIME_TZ_FORMAT= 'HH.MI.SSXFF AM TZR' NLS_TIMESTAMP_TZ_FORMAT= 'YYYY-MM-DD HH24:MI:SS.FF TZH:TZM'
select Sysdate from dual

2.行使那些特点能够透过管道传输命令给sqlplus.

--//做一些格式化处理
....................SCOTT.....AUTH_SESSKEY........!...!AUTH_PASSWORD@...@1498887FF997E2D432717C036E8672E9858F261F5A058B6927A9CE4DA137D1AD
.........AUTH_NEWPASSWORD@...@FD4CD857F51847B1B86CFDC3263776C365CC27A33FACD76763AB40FE3B073052....!...!AUTH_TERMINAL.....IKD84BCP
.........AUTH_PROGRAM_NM.....sqlplus.exe.........AUTH_MACHINE.....WORKGROUPIKD84BCP.........AUTH_PID        ...     
1404:5880.........AUTH_SID!...!Administrator.........AUTH_ALTER_SESSION......ALTER SESSION SET NLS_LANGUAGE= 'AMERICAN'
NLS_TERRITORY= 'AMERICA' NLS_CURRENCY= '$' NLS_ISO_CURRENCY= 'AMERICA' NLS_NUMERIC_CHARACTERS= '.,'
NLS_CALENDAR= 'GREGORIAN' NLS_DATE_FORMAT= 'YYYY-MM-DD HH24:MI:SS' NLS_DATE_LANGUAGE= 'AMERICAN' NLS_SORT= 'BINA.RY' TIME_ZONE= ' 08:00'
NLS_COMP= 'BINARY' NLS_DUAL_CURRENCY= '$' NLS_TIME_FORMAT= 'HH.MI.SSXFF AM' NLS_TIMESTAMP_FORMAT= 'YYYY-MM-DD HH24:MI:SS.FF'
NLS_TIME_TZ_FORMAT= 'HH.MI.SSXFF AM TZR' NLS_TIMESTAMP_TZ_FORMAT= 'YYYY-MM-DD HH24:MI:SS.FF TZH:TZM'

R:>echo set timing off head off; &echo select  sysdate  from dual;
set timing off head off;
select  sysdate  from dual;

SYS@book> column SPARE4 format a70
SYS@book> select name,password,spare4 from user$ where name='SCOTT';
NAME  PASSWORD                       SPARE4

R:>echo set timing off head off; &echo select  sysdate  from dual;  | sqlplus -s scott/book@78
set timing off head off;


SYSDATE

2017-12-25 10:06:33

--//晕!!分明set timing off head off;那行未有通过管道出口,而是径直出口到显示器.因为若是输入管道,展现的相应是不曾sysdate字段名.
--//留神看眼下的事例才发掘实际上echo 1111 &echo 2222 | cat 输出1111走显示器,而输出2222管道,看上去展现是经常的.
--//也便是要2行都因此管道必需使用括号.修改如下.

R:>(echo set timing off head off; &echo select  sysdate  from dual; ) | sqlplus -s scott/book@78
2017-12-25 10:08:59

--//小编google发现此外的写法,在&前到场^.
R:>echo set timing off head off;^&echo select  sysdate  from dual;  | sqlplus -s scott/book@78
2017-12-25 10:11:57

--//确实是Ok了,可是此外的难题来了:
R:>echo set timing off head off;^&echo select  sysdate  from dual;  | cat
set timing off head off;
select  sysdate  from dual;

R:>echo set timing off head off;^&echo select  sysdate  from dual; > aa.txt

R:>cat aa.txt
set timing off head off;&echo select  sysdate  from dual;

--//无法通晓windows的批管理,通过管道出口2行.而使用文件吸收接纳展现的是set timing off head off;&echo select  sysdate  from dual;
--//重定向到文件时^实际上转义&.
set timing off head off; &echo select  sysdate  from dual;

--//而实际上那样进行是拾叁分的.
R:>cat aa.txt | sqlplus -s scott/book@78
Enter value for echo:
SP2-0546: User requested Interrupt or EOF detected.

--//如故糟糕精通windows的批管理的微妙!!在笔者认为最好的章程照旧加括号比较好驾驭一些.
--//实际上倘若能很好精晓链接
--//就能够很好精晓.

--//可是一旦echo里面有括号难点又来了:
R:>(echo set timing off head off;&echo select  (sysdate 1)  from dual;)  | sqlplus -s scott/book@78
此刻不该 from。

--//约等于)要转义,要转义3次.遭遇这种情景不断加码^便是了.
R:>(echo set timing off head off;&echo select  (sysdate 1^^^)  from dual;)  | sqlplus -s scott/book@78
2017-12-26 11:16:33

--//而前边这种格局就简单了.
R:>echo set timing off head off;^&echo select  (sysdate 1)  from dual; |   sqlplus -s scott/book@78
2017-12-26 11:17:35

--//在笔者眼里windows批管理真是变态加变态..


SCOTT 0EDE56329E1D82EA               S:52BD300CE604E12EB9D6731005A8294E77D62C898D4C7CB2827DFCAE90AC

--//从这里见到,更改口令使用password越发安全一些.

本文由星彩网app下载发布于星彩网app下载,转载请注明出处:修改oracle口令安全问题

TAG标签: 星彩网app下载
Ctrl+D 将本页面保存为书签,全面了解最新资讯,方便快捷。