仅知道 SID 就可以找到 Oracle 模式用户名和密码吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/23645809/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Can I find the Oracle schema user name and password knowing just the SID?
提问by Megha Sharma
I have an application running on a Linux machine. The application is using Oracle as back end.
我有一个在 Linux 机器上运行的应用程序。该应用程序使用 Oracle 作为后端。
I do not know the user name and password or any schema which the oracle is using to run the application. All I know is the Oracle SID. Can I know the oracle user name and password with this that is required to run the application?
我不知道 oracle 用来运行应用程序的用户名和密码或任何架构。我只知道 Oracle SID。我可以知道运行应用程序所需的 oracle 用户名和密码吗?
回答by Justin Cave
Not without a lot more information, no.
不是没有更多信息,不。
Imagine that you could get a username and a password only by knowing the SID and, presumably, the IP address of the server the database is running on. That would meam that it would be incredibly trivial to break in to any database in the world. A SID is a 12 character string that is case-insensitive on some platforms and is limited to letters and numbers. That would be a rather insensitive password. But a SID is also needed to connect to the database so it has to be widely distributed. If that was all that was necessary to break in to a database, no one would use Oracle for anything remotely important.
想象一下,您只能通过知道 SID 以及运行数据库的服务器的 IP 地址来获取用户名和密码。这意味着闯入世界上的任何数据库都非常简单。SID 是12 个字符的字符串,在某些平台上不区分大小写,并且仅限于字母和数字。那将是一个相当不敏感的密码。但是连接到数据库也需要一个 SID,所以它必须广泛分布。如果这就是闯入数据库所需的全部内容,那么没有人会使用 Oracle 来处理任何远程重要的事情。
回答by codenheim
No, the only thing you can possibly do, remotely, with the SID and address of the machine is to connect to the TNS listener and query the services (depending on listener configuration).
不,您唯一可以远程使用机器的 SID 和地址执行的操作是连接到 TNS 侦听器并查询服务(取决于侦听器配置)。
Otherwise, I'd be selling my Oracle license for security concerns. :)
否则,我会出于安全考虑出售我的 Oracle 许可证。:)
If you are on the machine itself, unless you have a user account on the database, or belong to the dba or osoper group or the like, you will not be able to connect to the database. Not in interest of hacking, but for information purposes, if you have an OS account, the only thing you might see is sqlplus, sqlldr or export sessions with credentials in the command string (which is why on a non-private machine you should always login to those utilities in prompt mode and not by passing the credentials on the command line).
如果你在机器本身,除非你在数据库上有一个用户帐户,或者属于dba或osoper组等,否则你将无法连接到数据库。不是为了黑客攻击,而是为了提供信息,如果您有操作系统帐户,您可能会看到的唯一内容是命令字符串中带有凭据的 sqlplus、sqlldr 或导出会话(这就是为什么在非私有机器上您应该始终以提示模式登录这些实用程序,而不是通过在命令行上传递凭据)。
The OP updated the question:
OP 更新了问题:
Login to Oracle as sysdba from the OS account, and query the v$sessionview while the app is active. If the app is logging in, it will show up in v$session. If you have trouble that way, but you happen to know a table name, query SYS.DBA_TABLES for the table name, and note the OWNER column. Or look at V$SQLAREA or one of the other dynamic views that shows current or recent SQL queries on the system.
从操作系统帐户以 sysdba 身份登录 Oracle,并在应用程序处于活动状态时查询v$session视图。如果应用程序正在登录,它将显示在 v$session 中。如果您遇到麻烦,但碰巧知道表名,请查询 SYS.DBA_TABLES 以获取表名,并注意 OWNER 列。或者查看 V$SQLAREA 或显示系统上当前或最近 SQL 查询的其他动态视图之一。
Example:
例子:
root# su - oracle
oracle@linuxdb ~]$ sqlplus / as sysdba
SQL> select username, status, program from v$session where username is not null;
You can view or export the schema, once you know which one, without the app password. Once you reset the password, you will not be able to recover it. I would, instead, set the SYSTEM password, then run expdp (or exp) and export the schema. Something like:
您可以查看或导出架构,一旦您知道是哪个架构,无需应用密码。一旦您重置密码,您将无法恢复它。相反,我会设置系统密码,然后运行 expdp(或 exp)并导出架构。就像是:
oracle@linuxdb ~]$ expdp system/manager schemas=appschema <other parameters here...>
