capture oracle pwd change in 3rd party application. help needed


Problem description





Hi,

I have clients using an application that allows users to change their
passwords. The application uses the 'ALTER USER xxx IDENTIFIED
BY.....' command. What I need to do is use Oracle to capture the
username and password and send the info to another Oracle instance on
a different server and update that user's password.

Basically I need to keep the user's password in sync between two
different databases.

I also cannot change the application in any way and therefore need to
do this from the Oracle side.

Any ideas would be great.........

Solution

Hi,

This all sounds a bit like hacking to me, not the best way to solve a
problem! - maybe it would be better to ask the application
manufacturer?

BUT, there are a number of possibilities that you could try, you could
implement a layer above OCI (it should be OCI unless it's the thin
driver) and basically get the third party application to call your
version of OCI first, extract the string and then call the real OCI
layer. This is a hard way to crack the problem though. If it is Java you
could do something illegal and decompile the Java and modify it and
recompile - your supplier would not support you though!!!!

You don't have to access the username and password either in the
application, you could just run a process regularly that synchronises
password hashes between the databases using the "identified by values"
version of alter user. This would depend on how long you can wait for
passwords to synchronise. You could also use single sign on?

You could also grab the text off the wire or via trace, my recent paper
called "detecting SQL injection in Oracle" might help. You can get it at
http://www.petefinnigan.com/orasec.htm. Finally you might be able to
find a way to screen scrape the application at the terminal level -
there are a few commercial products to do this, mainly used for
automated testing.

hth
kind regards

Pete

PS: please don't cross post, most people read all of these groups!
--
Pete Finnigan
email:pe**@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
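
The hash-synchronisation alternative mentioned in the reply above, sketched as an added example that is not part of the original thread or anyone's posted code. It assumes Oracle 10g, where DBA_USERS.PASSWORD still exposes the hash (later releases leave that column empty), and uses hypothetical names: the database link SOURCE_DB and the allow-list table PWD_SYNC_USERS.

```sql
-- Added example. Runs on the TARGET database and pulls hashes from the source,
-- so no cleartext password is ever captured or sent between servers.
-- Hypothetical objects: database link SOURCE_DB, allow-list PWD_SYNC_USERS.
-- The owner needs SELECT on DBA_USERS and the ALTER USER privilege granted
-- directly: roles are not active inside a definer's-rights procedure.
CREATE TABLE pwd_sync_users (username VARCHAR2(30) PRIMARY KEY);

CREATE OR REPLACE PROCEDURE sync_password_hashes AS
  TYPE t_text IS TABLE OF VARCHAR2(30);
  v_names  t_text;
  v_hashes t_text;
  v_stmt   VARCHAR2(200);
BEGIN
  -- Fetch the whole work list first, so no cursor on the link stays open
  -- while the DDL below commits implicitly.
  SELECT s.username, s.password
  BULK COLLECT INTO v_names, v_hashes
  FROM   dba_users@source_db s
         JOIN dba_users t      ON t.username = s.username
         JOIN pwd_sync_users a ON a.username = s.username
  WHERE  s.password <> t.password;

  FOR i IN 1 .. v_names.COUNT LOOP
    -- Apply only values shaped like a legacy 16-hex-digit hash. Anything
    -- else (EXTERNAL, GLOBAL, unexpected text) is skipped and never
    -- concatenated into the statement.
    IF REGEXP_LIKE(v_hashes(i), '^[0-9A-F]{16}$') THEN
      v_stmt := 'ALTER USER '
             || DBMS_ASSERT.ENQUOTE_NAME(v_names(i), FALSE)
             || ' IDENTIFIED BY VALUES ''' || v_hashes(i) || '''';
      EXECUTE IMMEDIATE v_stmt;
    END IF;
  END LOOP;
END sync_password_hashes;
/
```

The legacy hash is derived from the username as well as the password, so a copied value only validates for an account with the same name on the target. The link account and the procedure owner can both read password hashes, so they need the same protection as the accounts being synchronised.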


Lasher wrote:

Hi,

I have clients using an application that allows users to change their
passwords. The application uses the 'ALTER USER xxx IDENTIFIED
BY.....' command. What I need to do is use Oracle to capture the
username and password and send the info to another Oracle instance on
a different server and update that user's password.

Basically I need to keep the user's password in sync between two
different databases.

I also cannot change the application in any way and therefore need to
do this from the Oracle side.

Any ideas would be great.........


Go to
ORACLE_HOME/rdbms/admin
Look at the file utlpwdmg.sql

If you have any business doing this you will be able to fill in the rest
of the picture.

Personally I agree with Pete. This is nonsense and, worse than nonsense, a
huge violation of any reasonable definition of system security. The OEM
should fix the problem. And my advice to you would be not to do this. That
it can be done doesn't mean that it should be done. The entire idea stinks.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)

