Re:RE: DBA_USERS view

From: <dgoulet_at_vicr.com>
Date: Tue, 03 Apr 2001 14:00:40 -0700
Message-ID: <F001.002E07F7.20010403135228@fatcity.com>

Hey folks, try this script that I call the "Skeleton Key":

/*
 *  DBA Skeleton Key
 *
 *  This script will allow one to crash into any Oracle account.
 *  The only restriction is that the invoker must have the
 *  'alter any user' system priviledge.
 */

accept usrname char prompt 'Enter account name to crack: ' set verify off
break on name
column gname new_value _name noprint
select substr(global_name,1,instr(global_name,'.')-1)gname from global_name;
clear breaks
break on password
column password new_value _pwd noprint
select password from dba_users
where username = upper('&usrname');
alter user &usrname identified by dummy; connect &usrname/dummy@&_name
alter user &usrname identified by values '&_pwd'; @login

Dick Goulet

____________________Reply Separator____________________
Author: Jacques Kilchoer <Jacques.Kilchoer_at_quest.com>
Date:       4/3/2001 1:16 PM

> -----Original Message-----

> From: Stefan Jahnke [mailto:stefan.jahnke_at_d2vodafone.de]
> 
> what information does the PASSWORD column in the DBA_USERS 
> view provide. 
> I know that it's the encrypted user password, but how can I 
> actually use
> it ? 
> For example: Can I reassign a password to a user via his encrypted
> password ?
> or: Can I test a logon with another user's encrpyted user password to
> test the logon ?
> I tried stuff like connect myuser/0CE92663BBC6FC34_at_MYDB, but that
> doesn't seem to work.

I forget, did anyone answer this question? You can use it with the (undocumented as far as I know) 'identified by values' option of the alter user statement. This can be handy if you want to sign on as user X without changing their password. Make their password something you know, login with that password, then change their password back to the old password. Example:

SQL> create user x identified by old_password ;

User created.

SQL> grant create session to x ;

Grant succeeded.

SQL> select password from dba_users where username = 'X' ;

PASSWORD

D64698D364A3B171

SQL> connect x/old_password
Connected.
SQL> alter user x identified by new_password ;

User altered.

SQL> connect x/new_password
Connected.
SQL> alter user x identified by values 'D64698D364A3B171' ;

User altered.

SQL> connect x/old_password
Connected.
SQL>

> 
> TIA ...
> 
> -- 
> Regards,
> Stefan Jahnke
> -- 
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> -- 
> Author: Stefan Jahnke
>   INET: stefan.jahnke_at_d2vodafone.de
> 
> Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
> San Diego, California        -- Public Internet access / Mailing Lists


> --------------------------------------------------------------------

> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from).  You may
> also send the HELP command for other information (like subscribing).
> 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35">
<TITLE>RE: DBA_USERS view</TITLE>

</HEAD>
<BODY>

> -----Original Message----- > From: Stefan Jahnke [<A HREF="mailto:stefan.jahnke_at_d2vodafone.de">mailto:stefan.jahnke_at_d2vodafone.de</A> ]

<BR><FONT SIZE=2>&gt; </FONT>
<BR><FONT SIZE=2>&gt; what information does the PASSWORD column in the DBA_USERS
</FONT>
<BR><FONT SIZE=2>&gt; view provide. </FONT>
<BR><FONT SIZE=2>&gt; I know that it's the encrypted user password, but how can

I

<BR><FONT SIZE=2>&gt; actually use</FONT>
<BR><FONT SIZE=2>&gt; it ? </FONT>
<BR><FONT SIZE=2>&gt; For example: Can I reassign a password to a user via his

encrypted
 > password ?
 > or: Can I test a logon with another user's encrpyted user password to
 > test the logon ? > I tried stuff like connect myuser/0CE92663BBC6FC34_at_MYDB, but that

<BR><FONT SIZE=2>&gt; doesn't seem to work. </FONT>
</P>
<BR>

I forget, did anyone answer this question? You can use it with the (undocumented as far as I know) 'identified by values' option of the alter user statement. This can be handy if you want to sign on as user X without changing their password. Make their password something you know, login with that password, then change their password back to the old password. Example:

SQL> create user x identified by old_password ;

User created.

SQL> grant create session to x ;

Grant succeeded.

SQL> select password from dba_users where username = 'X' ;

<P><FONT SIZE=2>PASSWORD</FONT>
<BR><FONT SIZE=2>------------------------------</FONT>
<BR><FONT SIZE=2>D64698D364A3B171</FONT>
</P>

<P><FONT SIZE=2>SQL&gt; connect x/old_password</FONT>
<BR><FONT SIZE=2>Connected.</FONT>

SQL> alter user x identified by new_password ;

User altered.

<P><FONT SIZE=2>SQL&gt; connect x/new_password</FONT>
<BR><FONT SIZE=2>Connected.</FONT>
<BR><FONT SIZE=2>SQL&gt; alter user x identified by values 'D64698D364A3B171'

;

User altered.

<P><FONT SIZE=2>SQL&gt; connect x/old_password</FONT>
<BR><FONT SIZE=2>Connected.</FONT>
<BR><FONT SIZE=2>SQL&gt; </FONT>
</P>

<P><FONT SIZE=2>&gt; </FONT>
<BR><FONT SIZE=2>&gt; TIA ...</FONT>
<BR><FONT SIZE=2>&gt; </FONT>
<BR><FONT SIZE=2>&gt; -- </FONT>
<BR><FONT SIZE=2>&gt; Regards,</FONT>
<BR><FONT SIZE=2>&gt; Stefan Jahnke</FONT>

> -- 
 > Please see the official ORACLE-L FAQ: <A HREF="http://www.orafaq.com" TARGET="_blank">http://www.orafaq.com</A>

<BR><FONT SIZE=2>&gt; -- </FONT>
<BR><FONT SIZE=2>&gt; Author: Stefan Jahnke</FONT>
<BR><FONT SIZE=2>&gt;&nbsp;&nbsp; INET: stefan.jahnke_at_d2vodafone.de</FONT>
<BR><FONT SIZE=2>&gt; </FONT>
<BR><FONT SIZE=2>&gt; Fat City Network Services&nbsp;&nbsp;&nbsp; -- (858)

538-5051  FAX: (858) 538-5051 > San Diego,
California        -- Public Internet access / Mailing Lists
 >

--------------------------------------------------------------------</FONT>

> To REMOVE yourself from this mailing list, send an E-Mail message
 > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
 > the message BODY, include a line containing: UNSUB ORACLE-L
 > (or the name of mailing list you want to be removed from).  You may
 > also send the HELP command for other information (like subscribing).
 >

</BODY>
</HTML>

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: 
  INET: dgoulet_at_vicr.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

Received on Tue Apr 03 2001 - 16:00:40 CDT