Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.server -> Re: USERs in ORACLE
Hi Amin
I posted the following article to the pen-test mailing list a few weeks ago. It may be of use to you.
It is pasted below as HTML between the lines +++++++++CUT and CUT+++++++ just cut it out and display it as html in IE or netscape.
cheers
Pete Finnigan
Pentest Limited
++++++++++++++++++++++++++++++++++++++++++++CUT
<HTML>
<BODY>
<DIV ALIGN=LEFT>
<H3>Investigation of Default Oracle Accounts</H3></DIV>
<P>
I have investigated standard installations of the Oracle 8i
<I>RDBMS</I> on both
Linux and Windows NT for version <I>8.1.5</I> and have found the following possible
default accounts and password's that could be installed. I have installed the
standard <I>RDBMS</I> and development tools. This gives us 9 default accounts under
Linux and 12 under Windows NT.
<P>
The Windows NT installation is more dangerous as it provides a
<I>DBA</I> account
with the user CTXSYS and also the user MDSYS has "ALL PRIVILEGES WITH ADMIN" granted.
Having "ALL PRIVILEGES" is as good as having <I>dba</I> privileges. None of the Linux
default users is as dangerous as this, except of course SYS and SYSTEM if the passwords
have been left set to the defaults.
<P>
There are 52 default users for Linux and 57 for Windows NT. You are never going to
see all of these users in one database unless someone is experimenting but its
going to be possible to see some of them. I found out these users by searching all
of the SQL files provided by Oracle in the standard
installation.
<P>
Remember it's the data in the actual database that should be protected, and most
often it's not. Its not necessary to get SYS, SYSTEM or even a DBA to get at user
data in an Oracle database. A user such as DBSNMP or OUTLN can access a list of
users in the database. The actual user information is stored in a database table
called <TT>USER$</TT> owned by the user SYS. Unless you are very lucky and someone
has inadvertently granted access to this table you will not be able to see it unless
you are logged on as SYS. There is also a view
<TT>DBA_USERS</TT> that accesses this
SYS table. Access is granted to select from this view to users who are DBA, or who
have been granted permission to select any view. All is not lost though as any user
who has the minimum permissions such as DBSNMP can access another view called <TT>ALL_USERS</TT>.
This view doesn't let you see the password hash, but does let you get a list of all
of the database users. If you can get a users password and quite often they are
set to USER_NAME/USER_NAME then you can probably access the production schema and
certainly do SQL Injection on the application. Using one of the innocent users such
as DBSNMP or OUTLN you can glean a lot of information about a
database, and who uses it.
<P>
Also for both Linux and Windows NT installations the
<TT>internal</TT> users default
password is set to <TT>oracle</TT>. This user name is used to connect effectivley as
SYS without having the SYS password.
<P>
Here is a table listing all of the default users and passwords i could find for both
Operating Systems. The usernames / passwords colored in Orange are the ones installed
from a standard installation.
<BR>
<BR>
<CENTER>
<TABLE BORDER=1 CELLPADDING=0 CELLSPACING=0>
<TR STYLE='background:silver'><TD width=220>WINDOWS NT</TD><TD
width=220>LINUX</TD><TD width=220>PRIVILEGES</TD></TR>
<TR><TD width=220>ADAMS/WOOD</TD><TD width=220 BGCOLOR=ORANGE>ADAMS/WOOD
</TD><TD width=220>.</TD></TR>
<TR><TD width=220>AQDEMO/AQDEMO</TD><TD width=220>AQDEMO/AQDEMO</TD><TD
width=220>.</TD></TR>
<TR><TD width=220>AQUSER/AQUSER</TD><TD width=220>AQUSER/AQUSER</TD><TD
width=220>.</TD></TR>
<TR><TD width=220 BGCOLOR=ORANGE>AURORA$ORB$UNAUTHENTICATED/INVALID</TD>
<TD width=220>AURORA$ORB$UNAUTHENTICATED/INVALID</TD><TD
width=220>.</TD></TR>
<TR><TD width=220>BLAKE/PAPER</TD><TD width=220 BGCOLOR=ORANGE>BLAKE/PAP
ER</TD><TD width=220>.</TD></TR>
<TR><TD width=220>CATALOG/CATALOG</TD><TD width=220>.</TD><TD
width=220>.</TD></TR>
<TR><TD width=220>CDEMO82/CDEMO82</TD><TD width=220>CDEMO82/CDEMO82</TD>
<TD width=220>.</TD></TR>
<TR><TD width=220>CDEMOCOR/CDEMOCOR</TD><TD width=220>CDEMOCOR/CDEMOCOR<
/TD><TD width=220>.</TD></TR>
<TR><TD width=220>CDEMOUCB/CDEMOUCB</TD><TD width=220>.</TD><TD
width=220>.</TD></TR>
<TR><TD width=220>.</TD><TD width=220>CDEMORID/CDEMORID</TD><TD
width=220>.</TD></TR>
<TR><TD width=220>CLARK/CLOTH</TD><TD width=220 BGCOLOR=ORANGE>CLARK/CLO
TH</TD><TD width=220>.</TD></TR>
<TR><TD width=220>COMPANY/COMPANY</TD><TD width=220>COMPANY/COMPANY</TD>
<TD width=220>All Privileges</TD></TR>
<TR><TD width=220 BGCOLOR=ORANGE>CTXSYS/CTXSYS</TD><TD
width=220>CTXSYS/<PASSED IN></TD><TD width=220>DBA</TD></TR>
<TR><TD width=220 BGCOLOR=ORANGE>DBSNMP/DBSNMP</TD><TD width=220
BGCOLOR=ORANGE>DBSNMP/DBSNMP</TD><TD width=220>.</TD></TR>
CUT+++++++++++++++++++++++++++++++++++++++++++++
In article <9kjic4$4u5hi$1_at_ID-101160.news.dfncis.de>, Amin Emami
<Amin_Emami_at_yahoo.com> writes
>hi folks, > >I've installed Oracle 81 on Win2000 but I've got a problem now! >I don't know what the passwords for the default users there is in the >system. >For example, what are the passwords of SYS or SYSTEM ? > >I've always worked with ORACLE at work and I don't know much more >administration stuffs. > >Any help on these admin users is welcome. > >Thanks, >Amin > > > >
-- Pete FinniganReceived on Wed Aug 08 2001 - 08:26:28 CDT