Hey folks, try this script that I call the "Skeleton Key":
/*
* DBA Skeleton Key
*
* This script will allow one to crash into any Oracle account.
* The only restriction is that the invoker must have the
* 'alter any user' system privilege.
*/
accept usrname char prompt 'Enter account name to crack: '
set verify off
break on name
column gname new_value _name noprint
select substr(global_name,1,instr(global_name,'.')-1)gname
from global_name;
clear breaks
break on password
column password new_value _pwd noprint
select password from dba_users
where username = upper('&usrname');
alter user &usrname identified by dummy;
connect &usrname/dummy@&_name
alter user &usrname identified by values '&_pwd';
@login
Dick Goulet
____________________Reply Separator____________________
Author: Jacques Kilchoer <[EMAIL PROTECTED]>
Date: 4/3/2001 1:16 PM
> -----Original Message-----
> From: Stefan Jahnke [mailto:[EMAIL PROTECTED]]
>
> What information does the PASSWORD column in the DBA_USERS
> view provide?
> I know that it's the encrypted user password, but how can I
> actually use it?
> For example: Can I reassign a password to a user via his encrypted
> password?
> or: Can I test a logon with another user's encrypted user password to
> test the logon?
> I tried stuff like connect myuser/0CE92663BBC6FC34@MYDB, but that
> doesn't seem to work.
I forget, did anyone answer this question?
You can use it with the (undocumented as far as I know) 'identified by
values' option of the alter user statement. This can be handy if you want to
sign on as user X without changing their password. Make their password
something you know, login with that password, then change their password
back to the old password. Example:
SQL> create user x identified by old_password ;
User created.
SQL> grant create session to x ;
Grant succeeded.
SQL> select password from dba_users where username = 'X' ;
PASSWORD
------------------------------
D64698D364A3B171
SQL> connect x/old_password
Connected.
SQL> alter user x identified by new_password ;
User altered.
SQL> connect x/new_password
Connected.
SQL> alter user x identified by values 'D64698D364A3B171' ;
User altered.
SQL> connect x/old_password
Connected.
SQL>
>
> TIA ...
>
> --
> Regards,
> Stefan Jahnke
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Stefan Jahnke
> INET: [EMAIL PROTECTED]
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>
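
Seen from the audit side, both messages above leave the same trace: someone else resets an account's password, a logon as that account follows, and the old value is put back with 'identified by values'. The sketch below is an added example, not part of the original posts; the log format, field names and sample lines are constructed, and it assumes the audit source captures SQL text.

```python
import re
from datetime import datetime, timedelta

# Constructed audit lines (hypothetical format: time|db_user|event|sql_text).
SAMPLE_LOG = """\
2001-04-03 13:10:00|DBA1|SQL|alter user scott identified by dummy
2001-04-03 13:10:05|SCOTT|LOGON|
2001-04-03 13:10:09|SCOTT|SQL|alter user scott identified by values '<hash>'
2001-04-03 14:00:00|HR|SQL|alter user hr identified by something
2001-04-03 15:00:00|DBA1|SQL|alter user app identified by values '<hash>'
"""

ALTER = re.compile(r"alter\s+user\s+(\S+)\s+identified\s+by\s+(values\s+)?", re.I)

def parse(log):
    """Yield (time, user, event, sql_text) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, user, event, sql = line.split("|", 3)
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user.upper(), event, sql

def find_password_swaps(log, window=timedelta(minutes=30)):
    """Flag: actor A resets T's password, then T's old value is restored BY VALUES."""
    pending = {}    # target -> (reset time, actor, logon seen since reset)
    findings = []
    for ts, user, event, sql in parse(log):
        if event == "LOGON" and user in pending:
            t0, actor, _ = pending[user]
            pending[user] = (t0, actor, True)
            continue
        m = ALTER.match(sql.strip()) if event == "SQL" else None
        if not m:
            continue
        target, by_values = m.group(1).upper().strip('"'), bool(m.group(2))
        if not by_values:
            if user != target:          # a self-service password change is not a reset
                pending[target] = (ts, user, False)
        elif target in pending:
            t0, actor, logon_seen = pending.pop(target)
            if ts - t0 <= window:       # reset and restore close together
                findings.append({"target": target, "reset_by": actor,
                                 "logon_as_target": logon_seen,
                                 "seconds": int((ts - t0).total_seconds())})
    return findings

if __name__ == "__main__":
    for finding in find_password_swaps(SAMPLE_LOG):
        print(finding)
```

The self-service change by HR and the standalone 'identified by values' on APP (as in an account migration) are not flagged; only the reset-then-restore pair on SCOTT is.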