Oracle查询密码加密串方法
方法也是参考网上牛人的结果改写的,原来作者的需求是验证用户名和明文密码是否匹配,当时觉得用处不是很大,因为我的需求是检查在线库是否有弱密码存在,最后发现原来这样是有原因的。因为Oracle的密码是根据用户名和密码共同生成的密码。也就是说,A用户使用APP作为密码和B用户使用APP作为密码,生成的密文是不一样的。
废话不多说,贴一下我改动的函数吧。修改的东西非常少,原来是从库里面进行验证,现在我只是想得到加密串:
[sql]
create or replace function testpwd(password in varchar2)
return varchar2
authid current_user
is
--
raw_key raw(128):= hextoraw('0123456789ABCDEF');
--
raw_ip raw(128);
pwd_hash varchar2(16);
--
procedure unicode_str(userpwd in varchar2, unistr out raw)
is
enc_str varchar2(124):='';
tot_len number;
curr_char char(1);
padd_len number;
ch char(1);
mod_len number;
debugp varchar2(256);
begin
tot_len:=length(userpwd);
for i in 1..tot_len loop
curr_char:=substr(userpwd,i,1);
enc_str:=enc_str||chr(0)||curr_char;
end loop;
mod_len:= mod((tot_len*2),8);
if (mod_len = 0) then
padd_len:= 0;
else
padd_len:=8 - mod_len;
end if;
for i in 1..padd_len loop
enc_str:=enc_str||chr(0);
end loop;
unistr:=utl_raw.cast_to_raw(enc_str);
end;
--
function crack (userpwd in raw) return varchar2
is
enc_raw raw(2048);
--
raw_key2 raw(128);
pwd_hash raw(2048);
--
hexstr varchar2(2048);
len number;
password_hash varchar2(16);
begin
dbms_obfuscation_toolkit.DESEncrypt(input => userpwd,
key => raw_key, encrypted_data => enc_raw );
hexstr:=rawtohex(enc_raw);
len:=length(hexstr);
raw_key2:=hextoraw(substr(hexstr,(len-16+1),16));
dbms_obfuscation_toolkit.DESEncrypt(input => userpwd,
key => raw_key2, encrypted_data => pwd_hash );
hexstr:=hextoraw(pwd_hash);
len:=length(hexstr);
password_hash:=substr(hexstr,(len-16+1),16);
return(password_hash);
end;
begin
unicode_str(upper(password),raw_ip);
return crack(raw_ip);
end;
/
用法:
SQL> select TESTPWD('AAPP') from dual;
TESTPWD('AAPP')
--------------------------------------------------------------------------------
EA3CE5815EDA5617
SQL> select TESTPWD('BAPP') from dual;
TESTPWD('BAPP')
--------------------------------------------------------------------------------
86A292000F76737A
这里可以看到生成的密码串和上面查询出来的是一致的,所以AAPP代表的就是A用户,密码是APP,BAPP代表的就是B用户,密码是APP。
我这样改写的目的是准备测试弱密码口令,需要进行大量数据的对比和测试,因此不希望使用线上数据库进行破解,所以可以将线上的数据拷贝出来,然后在线下进行对比处理
原脚本(http://www.petefinnigan.com/testpwd.sql)
[sql]
-- -----------------------------------------------------------------------------
-- WWW.PETEFINNIGAN.COM LIMITED
-- -----------------------------------------------------------------------------
-- Script Name : testpwd.sql
-- Author : Pete Finnigan
-- Date : May 2009
-- -----------------------------------------------------------------------------
-- Description : This script can be used to test users passwords in databases
-- of versions 7 - 10gR2
-- -----------------------------------------------------------------------------
-- Maintainer : Pete Finnigan (http://www.petefinnigan.com)
-- Copyright : Copyright (C) 2008, 2009, PeteFinnigan.com Limited. All rights
-- reserved. All registered trademarks are the property of their
-- respective owners and are hereby acknowledged.
-- -----------------------------------------------------------------------------
-- License : This software is free software BUT it is not in the public
-- domain. This means that you can use it for personal or
-- commercial work but you cannot remove this notice or copyright
-- notices or the banner output by the program or edit them in any
-- way at all. You also cannot host/distribute/copy or in anyway
-- make this script available through any means either in original
-- form or any derivitive work based on it. The script is &nb