Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
![]() |
![]() |
Home -> Community -> Mailing Lists -> Oracle-L -> Re:RE: DBA_USERS view
Hey folks, try this script that I call the "Skeleton Key":
/* * DBA Skeleton Key * * This script will allow one to crash into any Oracle account. * The only restriction is that the invoker must have the * 'alter any user' system priviledge. */
accept usrname char prompt 'Enter account name to crack: '
set verify off
break on name
column gname new_value _name noprint
select substr(global_name,1,instr(global_name,'.')-1)gname
from global_name;
clear breaks
break on password
column password new_value _pwd noprint
select password from dba_users
where username = upper('&usrname');
alter user &usrname identified by dummy;
connect &usrname/dummy@&_name
alter user &usrname identified by values '&_pwd';
@login
Dick Goulet
____________________Reply Separator____________________ Author: Jacques Kilchoer <Jacques.Kilchoer_at_quest.com> Date: 4/3/2001 1:16 PM
> -----Original Message-----
> From: Stefan Jahnke [mailto:stefan.jahnke_at_d2vodafone.de] > > what information does the PASSWORD column in the DBA_USERS > view provide. > I know that it's the encrypted user password, but how can I > actually use > it ? > For example: Can I reassign a password to a user via his encrypted > password ? > or: Can I test a logon with another user's encrpyted user password to > test the logon ? > I tried stuff like connect myuser/0CE92663BBC6FC34_at_MYDB, but that > doesn't seem to work.
I forget, did anyone answer this question? You can use it with the (undocumented as far as I know) 'identified by values' option of the alter user statement. This can be handy if you want to sign on as user X without changing their password. Make their password something you know, login with that password, then change their password back to the old password. Example:
SQL> create user x identified by old_password ;
User created.
SQL> grant create session to x ;
Grant succeeded.
SQL> select password from dba_users where username = 'X' ;
PASSWORD
SQL> connect x/old_password
Connected.
SQL> alter user x identified by new_password ;
User altered.
SQL> connect x/new_password
Connected.
SQL> alter user x identified by values 'D64698D364A3B171' ;
User altered.
SQL> connect x/old_password
Connected.
SQL>
> > TIA ... > > -- > Regards, > Stefan Jahnke > -- > Please see the official ORACLE-L FAQ: http://www.orafaq.com > -- > Author: Stefan Jahnke > INET: stefan.jahnke_at_d2vodafone.de > > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 > San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in > the message BODY, include a line containing: UNSUB ORACLE-L > (or the name of mailing list you want to be removed from). You may > also send the HELP command for other information (like subscribing). > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: DBA_USERS view</TITLE>
<P><FONT SIZE=2>> -----Original Message-----</FONT> <BR><FONT SIZE=2>> From: Stefan Jahnke [<A HREF="mailto:stefan.jahnke_at_d2vodafone.de">mailto:stefan.jahnke_at_d2vodafone.de</A> ]</FONT>
<BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> what information does the PASSWORD column in the DBA_USERS </FONT> <BR><FONT SIZE=2>> view provide. </FONT> <BR><FONT SIZE=2>> I know that it's the encrypted user password, but how canI </FONT>
<BR><FONT SIZE=2>> actually use</FONT> <BR><FONT SIZE=2>> it ? </FONT> <BR><FONT SIZE=2>> For example: Can I reassign a password to a user via hisencrypted</FONT>
<BR><FONT SIZE=2>> doesn't seem to work. </FONT> </P> <BR>
<P><FONT SIZE=2>I forget, did anyone answer this question?</FONT> <BR><FONT SIZE=2>You can use it with the (undocumented as far as I know) 'identified by values' option of the alter user statement. This can be handy if you want to sign on as user X without changing their password. Make their password something you know, login with that password, then change their password back to the old password. Example:</FONT></P>
<P><FONT SIZE=2>SQL> create user x identified by old_password ;</FONT> </P>
<P><FONT SIZE=2>User created.</FONT>
</P>
<P><FONT SIZE=2>SQL> grant create session to x ;</FONT> </P>
<P><FONT SIZE=2>Grant succeeded.</FONT>
</P>
<P><FONT SIZE=2>SQL> select password from dba_users where username = 'X'
;</FONT>
</P>
<P><FONT SIZE=2>PASSWORD</FONT> <BR><FONT SIZE=2>------------------------------</FONT> <BR><FONT SIZE=2>D64698D364A3B171</FONT> </P> <P><FONT SIZE=2>SQL> connect x/old_password</FONT> <BR><FONT SIZE=2>Connected.</FONT>
<P><FONT SIZE=2>User altered.</FONT>
</P>
<P><FONT SIZE=2>SQL> connect x/new_password</FONT> <BR><FONT SIZE=2>Connected.</FONT> <BR><FONT SIZE=2>SQL> alter user x identified by values 'D64698D364A3B171';</FONT>
<P><FONT SIZE=2>User altered.</FONT>
</P>
<P><FONT SIZE=2>SQL> connect x/old_password</FONT> <BR><FONT SIZE=2>Connected.</FONT> <BR><FONT SIZE=2>SQL> </FONT> </P> <P><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> TIA ...</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> -- </FONT> <BR><FONT SIZE=2>> Regards,</FONT> <BR><FONT SIZE=2>> Stefan Jahnke</FONT><BR><FONT SIZE=2>> -- </FONT>
<BR><FONT SIZE=2>> -- </FONT> <BR><FONT SIZE=2>> Author: Stefan Jahnke</FONT> <BR><FONT SIZE=2>> INET: stefan.jahnke_at_d2vodafone.de</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Fat City Network Services -- (858)538-5051 FAX: (858) 538-5051</FONT> <BR><FONT SIZE=2>> San Diego,
--------------------------------------------------------------------</FONT><BR><FONT SIZE=2>> To REMOVE yourself from this mailing list, send an E-Mail message</FONT>
</BODY>
</HTML>
-- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: dgoulet_at_vicr.com Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).Received on Tue Apr 03 2001 - 16:00:40 CDT
![]() |
![]() |