
What to do if you forget an Oracle user password?

Original Roger 2011-11-06
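Yesterday a reader asked how to handle a forgotten user password in Oracle 10g; the answer follows. The purpose of this article is not to suggest using alter user to change the password or orapwd to rebuild the password file, because in many situations that is not allowed. In this reader's case, for example, the application is about to go live, and changing the password with alter user would inevitably mean changing the application configuration. In versions before 10g this was easy to handle; in 10g and later it is not so easy.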

[ora10g@killdb ~]$ sqlplus "/as sysdba"

SQL*Plus: Release 10.2.0.5.0 - Production on Sat Nov 5 21:00:31 2011

Copyright (c) 1982, 2010, Oracle. All Rights Reserved.

Connected to an idle instance.

SQL> startup
ORACLE instance started.

Total System Global Area 167772160 bytes
Fixed Size 1272600 bytes
Variable Size 83887336 bytes
Database Buffers 79691776 bytes
Redo Buffers 2920448 bytes
Database mounted.
Database opened.
SQL> alter user roger identified by roger;

User altered.

SQL> alter user SCOTT identified by scott;

User altered.

SQL> alter user SCOTT account unlock;

User altered.

SQL> select username,password from dba_users where
2 username in('ROGER','SCOTT');

USERNAME PASSWORD
------------------------------ ------------------------------
ROGER F445AB203A65C4DB
SCOTT CDC57F9E62A38D03

SQL>
SQL> select name,password from user$ where name in('ROGER','SCOTT');

NAME PASSWORD
------------------------------ ------------------------------
ROGER F445AB203A65C4DB
SCOTT CDC57F9E62A38D03

SQL> alter user roger identified by values 'CDC57F9E62A38D03';

User altered.

SQL> conn roger/scott
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.
SQL>
SQL> conn /as sysdba
Connected.
SQL> select name,password from user$ where name in('ROGER','SCOTT');

NAME PASSWORD
------------------------------ ------------------------------
ROGER CDC57F9E62A38D03
SCOTT CDC57F9E62A38D03

SQL>
SQL> alter user roger identified by scott;

User altered.

SQL> select name,password from user$ where name in('ROGER','SCOTT');

NAME PASSWORD
------------------------------ ------------------------------
ROGER 0212881AEAA22C4F
SCOTT CDC57F9E62A38D03

SQL>
SQL> conn roger/scott
Connected.
SQL>

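As we can see, the traditional approach no longer works in 10g: even when the password hash values are identical, the passwords may differ. The hash is computed from the username together with the password, so SCOTT's hash value does not let ROGER log in with the password scott.

Let's look at the definition of dba_users: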

SQL> select owner,object_name,object_type from dba_objects
2 where object_name='DBA_USERS';

OWNER OBJECT_NAME OBJECT_TYPE
------------------------------ ------------------------------ -------------------
SYS DBA_USERS VIEW
PUBLIC DBA_USERS SYNONYM

SQL> select dbms_metadata.get_ddl('VIEW','DBA_USERS','SYS') from dual;

DBMS_METADATA.GET_DDL('VIEW','DBA_USERS','SYS')
--------------------------------------------------------------------------------

CREATE OR REPLACE FORCE VIEW "SYS"."DBA_USERS" ("USERNAME", "USER_ID", "PASSWO
RD", "ACCOUNT_STATUS", "LOCK_DATE", "EXPIRY_DATE", "DEFAULT_TABLESPACE", "TEMPOR
ARY_TABLESPACE", "CREATED", "PROFILE", "INITIAL_RSRC_CONSUMER_GROUP", "EXTERNAL_
NAME") AS
select u.name, u.user#, u.password,
m.status,
decode(u.astatus, 4, u.ltime,
5, u.ltime,
6, u.ltime,
8, u.ltime,
9, u.ltime,
10, u.ltime, to_date(NULL)),
decode(u.astatus,
1, u.exptime,
2, u.exptime,
5, u.exptime,
6, u.exptime,
9, u.exptime,
10, u.exptime,
decode(u.ptime, '', to_date(NULL),
decode(pr.limit#, 2147483647, to_date(NULL),
decode(pr.limit#, 0,
decode(dp.limit#, 2147483647, to_date(NULL), u.ptime +
dp.limit#/86400),
u.ptime + pr.limit#/86400)))),
dts.name, tts.name, u.ctime, p.name,
nvl(cgm.consumer_group, 'DEFAULT_CONSUMER_GROUP'),
u.ext_username
from sys.user$ u left outer join sys.resource_group_mapping$ cgm
on (cgm.attribute = 'ORACLE_USER' and cgm.status = 'ACTIVE' and
cgm.value = u.name),
sys.ts$ dts, sys.ts$ tts, sys.profname$ p,
sys.user_astatus_map m, sys.profile$ pr, sys.profile$ dp
where u.datats# = dts.ts#
and u.resource$ = p.profile#
and u.tempts# = tts.ts#
and u.astatus = m.status#
and u.type# = 1
and u.resource$ = pr.profile#
and dp.profile# = 0
and dp.type#=1
and dp.resource#=1
and pr.type# = 1
and pr.resource# = 1

One key base table here is user$, which is defined as follows:
create table user$ /* user table */
( user# number not null, /* user identifier number */
name varchar2("M_IDEN") not null, /* name of user */
type# number not null, /* 0 = role, 1 = user */
password varchar2("M_IDEN"), /* encrypted password */
datats# number not null, /* default tablespace for permanent objects */
tempts# number not null, /* default tablespace for temporary tables */
ctime date not null, /* user account creation time */
ptime date, /* password change time */
exptime date, /* actual password expiration time */
ltime date, /* time when account is locked */
resource$ number not null, /* resource profile# */
audit$ varchar2("S_OPFL"), /* user audit options */
defrole number not null, /* default role indicator: */
/* 0 = no roles, 1 = all roles granted, 2 = roles in defrole$ */
defgrp# number, /* default undo group */
defgrp_seq# number, /* global sequence number for the grp */
spare varchar2("M_IDEN"), /* reserved for future */
astatus number default 0 not null, /* status of the account */
/* 1 = Locked, 2 = Expired, 3 = Locked and Expired, 0 - open */
lcount number default 0 not null, /* count of failed login attempts */
defschclass varchar2("M_IDEN"), /* initial consumer group */
ext_username varchar2("M_VCSZ"), /* external username */
spare1 number, /* used for schema level supp. logging: see ktscts.h */
spare2 number,
spare3 number,
spare4 varchar2(1000),
spare5 varchar2(1000),
spare6 date
)

We can see that the password stored here is the DES-encrypted password. In 11g, the encrypted password can no longer be obtained by querying dba_users directly.

Below we use orabf to brute-force 10g and 11g user passwords.

F:\orabf-v0.7.6>orabf 0212881AEAA22C4F:ROGER

orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done

Starting brute force session using charset:
#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_

press 'q' to quit. any other key to see status

current password: GA7PB
16190190 passwords tried. elapsed time 00:00:12. t/s:1302291

password found: ROGER:SCOTT

44096071 passwords tried. elapsed time 00:00:33. t/s:1315172

F:\orabf-v0.7.6>

SQL> alter user roger identified by killdb$;

User altered.
SQL> conn /as sysdba
Connected.
SQL> select name,password from user$ where name in('ROGER','SCOTT');

NAME PASSWORD
------------------------------ ------------------------------
ROGER 6885905A13FAFAA9
SCOTT CDC57F9E62A38D03

SQL>

F:\orabf-v0.7.6>orabf 6885905A13FAFAA9:ROGER

orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...done

Starting brute force session using charset:
#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_

press 'q' to quit. any other key to see status

current password: CW4KD
8236685 passwords tried. elapsed time 00:00:06. t/s:1282510

wrote resume data to ROGER.res

794380208 passwords tried. elapsed time 00:10:05. t/s:1312408

F:\orabf-v0.7.6> ---As you can see, once the password is more complex, brute-forcing takes a very long time.
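
Added example (not part of the original post): a password-length sizing check that takes the charset line and the t/s figure from the orabf session above and computes the worst-case exhaustive-search time per length. The function names are hypothetical, and the rate is only the one this particular session reports.

```python
import re

# Copied from the orabf session above: the charset line and one status line.
ORABF_CHARSET = "#$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_"
ORABF_STATUS = "794380208 passwords tried. elapsed time 00:10:05. t/s:1312408"


def parse_rate(status_line):
    """Extract the tries-per-second figure from an orabf status line."""
    match = re.search(r"t/s:(\d+)", status_line)
    if match is None:
        raise ValueError("status line has no t/s field")
    return int(match.group(1))


def keyspace(charset_size, max_length):
    """Count every candidate of length 1..max_length over the charset."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def worst_case_hours(charset_size, max_length, rate):
    """Hours needed to try every candidate up to max_length at rate tries/s."""
    return keyspace(charset_size, max_length) / rate / 3600


def min_length_for(charset_size, rate, target_hours, limit=30):
    """Shortest length whose exhaustive search takes longer than target_hours."""
    for length in range(1, limit + 1):
        if worst_case_hours(charset_size, length, rate) > target_hours:
            return length
    raise ValueError("target not reached within limit")


if __name__ == "__main__":
    size = len(set(ORABF_CHARSET))
    rate = parse_rate(ORABF_STATUS)
    for length in range(5, 11):
        hours = worst_case_hours(size, length, rate)
        print(f"length {length:2d}: {hours:16.1f} h worst case")
    print("minimum length for one year:", min_length_for(size, rate, 365 * 24))
```

At the rate shown in this session, a 7-character password such as the one set above is exhausted in roughly 30 hours in the worst case, which is why the run did not finish in ten minutes.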

Let's look at the situation in 11g:
SQL> select * from v$version where rownum <3;

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - Production
PL/SQL Release 11.2.0.2.0 - Production

SQL>
SQL> select username,password from dba_users where username='ROGER';

USERNAME PASSWORD
------------------------------ ------------------------------
ROGER

SQL> select name,password from user$ where name='ROGER';

NAME PASSWORD
------------------------------ ------------------------------
ROGER F445AB203A65C4DB

F:\orabf-v0.7.6>orabf F445AB203A65C4DB:ROGER

orabf v0.7.6, (C)2005 orm@toolcrypt.org
---------------------------------------
Trying default passwords...
password found: ROGER:ROGER

F:\orabf-v0.7.6>

SQL> conn roger/roger
Connected.
SQL> --For relatively simple passwords, cracking is very fast.

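There is also an even more powerful brute-force tool from a foreign developer, ops_sse2, but it can only crack the SYS password, perhaps because its author had security in mind. Let's try it: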
[ora10g@killdb pw_cracker]$ cat filename.txt
SYS:EF78257248B5860C:159
[ora10g@killdb pw_cracker]$
[ora10g@killdb pw_cracker]$ ./ops_sse2 --hashlist=filename.txt
Oracle passwords (DES) solver 0.3 (SSE2) -- Dennis Yurichev
Compiled @ Apr 5 2011 12:25:36
Demo version, supporting only SYS usernames.
username=SYS: 1 unsolved hash(es) left
Checking 1-symbol passwords for username SYS
overall progress= 0%
username=SYS: 1 unsolved hash(es) left
Checking 2-symbol passwords for username SYS
overall progress= 0%
username=SYS: 1 unsolved hash(es) left
Checking 3-symbol passwords for username SYS
overall progress= 0%
username=SYS: 1 unsolved hash(es) left
Checking 4-symbol passwords for username SYS
overall progress= 0%
username=SYS: 1 unsolved hash(es) left
Checking 5-symbol passwords for username SYS
overall progress= 61% / time remaining: 3s
time elapsed: 7s, ~ 5783305 passwords/hashes per second
SYS/159: Found password: ROGER
SYS:ROGER:159

SQL> conn sys/roger as sysdba
Connected.
SQL> show user
USER is "SYS"
SQL>

You can download the software from http://conus.info/utils/ops_SIMD/.

Comments

dong wu
3 years ago
How do I reset a 12c password back to the original one? The value of user$.password has become empty.