Can I find the Oracle schema user name and password knowing just the SID? [closed]

StackOverflow https://stackoverflow.com/questions/23645809

  •  22-07-2023

Question

I have an application running on a Linux machine. The application is using Oracle as back end.

I do not know the user name and password or any schema which Oracle is using to run the application. All I know is the Oracle SID. Can I know the Oracle user name and password with this that is required to run the application?


Solution

Not without a lot more information, no.

Imagine that you could get a username and a password only by knowing the SID and, presumably, the IP address of the server the database is running on. That would mean that it would be incredibly trivial to break into any database in the world. A SID is a 12 character string that is case-insensitive on some platforms and is limited to letters and numbers. That would be a rather insensitive password. But a SID is also needed to connect to the database so it has to be widely distributed. If that was all that was necessary to break into a database, no one would use Oracle for anything remotely important.

Other suggestions

No, the only thing you can possibly do, remotely, with the SID and address of the machine is to connect to the TNS listener and query the services (depending on listener configuration).

Otherwise, I'd be selling my Oracle license for security concerns. :)

If you are on the machine itself, unless you have a user account on the database, or belong to the dba or osoper group or the like, you will not be able to connect to the database. Not in the interest of hacking, but for information purposes, if you have an OS account, the only thing you might see is sqlplus, sqlldr or export sessions with credentials in the command string (which is why on a non-private machine you should always log in to those utilities in prompt mode and not by passing the credentials on the command line).

The OP updated the question:

Log in to Oracle as sysdba from the OS account, and query the v$session view while the app is active. If the app is logging in, it will show up in v$session. If you have trouble that way, but you happen to know a table name, query SYS.DBA_TABLES for the table name, and note the OWNER column. Or look at V$SQLAREA or one of the other dynamic views that shows current or recent SQL queries on the system.

Example:

root# su - oracle
[oracle@linuxdb ~]$ sqlplus / as sysdba
SQL> select username, status, program from v$session where username is not null;

You can view or export the schema, once you know which one, without the app password. Once you reset the password, you will not be able to recover it. I would, instead, set the SYSTEM password, then run expdp (or exp) and export the schema. Something like:

[oracle@linuxdb ~]$ expdp system/manager schemas=appschema <other parameters here...>
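
The point above about credentials showing up in the command string can be audited on a shared host. This is an added example, not part of the original answer: it scans lines in the format of `ps -eo pid=,args=` for Oracle client utilities started with user/password as an argument and reports the account name without the password. The sample lines, the account names other than those on this page, and the install path in them are constructed.

```python
import re
import shlex

# Utilities named in the answer, plus their import / Data Pump siblings.
ORACLE_TOOLS = {"sqlplus", "sqlldr", "exp", "expdp", "imp", "impdp"}

# user/password, optionally prefixed by userid= and followed by @connect_identifier.
# A bare "/" (OS authentication) or "user@db" (prompt mode) does not match.
CRED_RE = re.compile(
    r"^(?:userid=)?(?P<user>[A-Za-z][\w$#]*)/(?P<pw>[^@\s/]+)(?:@\S+)?$", re.I
)

def find_exposed_credentials(ps_lines):
    """Return (pid, tool, user) for each process whose argv carries user/password."""
    findings = []
    for line in ps_lines:
        pid, _, cmdline = line.strip().partition(" ")
        if not pid.isdigit():
            continue  # header or malformed line
        try:
            argv = shlex.split(cmdline)
        except ValueError:  # unbalanced quotes in the listing
            argv = cmdline.split()
        if not argv:
            continue
        tool = argv[0].rsplit("/", 1)[-1].lower()
        if tool not in ORACLE_TOOLS:
            continue
        for arg in argv[1:]:
            match = CRED_RE.match(arg)
            if match:
                # Report who is exposed, never the password itself.
                findings.append((int(pid), tool, match.group("user")))
                break
    return findings

# Constructed sample in the format of `ps -eo pid=,args=`.
SAMPLE_PS = [
    " 4101 sqlplus appuser/Secret1@ORCL",
    " 4102 sqlplus / as sysdba",
    " 4103 sqlplus appuser@ORCL",
    " 4104 /u01/app/oracle/bin/expdp system/manager schemas=appschema",
    " 4105 sqlldr userid=scott/tiger control=load.ctl",
    " 4106 vim notes/todo.txt",
]

if __name__ == "__main__":
    for pid, tool, user in find_exposed_credentials(SAMPLE_PS):
        print(f"pid {pid}: {tool} started with a password for {user} on the command line")
```
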

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow