sys用户密码含$ sqlplus登录数据库诡异事件分析

发表于 2011 年 10 月 17 日 惜分飞

联系:手机/微信(+86 17813235971) QQ(107644445)QQ咨询惜分飞

标题:sys用户密码含$ sqlplus登录数据库诡异事件分析

作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]

[oracle@ECP-UC-DB1 ~]$ sqlplus / as sysdba

SQL*Plus: Release 10.2.0.4.0 - Production on Mon Oct 17 23:37:51 2011

Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> alter user sys identified by "ab$";

User altered.

SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
[oracle@ECP-UC-DB1 ~]$ sqlplus sys/ab$ as sysdba

SQL*Plus: Release 10.2.0.4.0 - Production on Mon Oct 17 23:38:53 2011

Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show parameter name;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
db_file_name_convert                 string
db_name                              string      test
db_unique_name                       string      test
global_names                         boolean     FALSE
instance_name                        string      test
lock_name_space                      string
log_file_name_convert                string
service_names                        string      test

SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
[oracle@ECP-UC-DB1 ~]$ sqlplus sys/ab$abc as sysdba

SQL*Plus: Release 10.2.0.4.0 - Production on Mon Oct 17 23:39:05 2011

Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
[oracle@ECP-UC-DB1 ~]$ sqlplus sys/ab$@abc as sysdba

SQL*Plus: Release 10.2.0.4.0 - Production on Mon Oct 17 23:40:06 2011

Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show parameter name;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
db_file_name_convert                 string
db_name                              string      test
db_unique_name                       string      test
global_names                         boolean     FALSE
instance_name                        string      test
lock_name_space                      string
log_file_name_convert                string
service_names                        string      test
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
[oracle@ECP-UC-DB1 ~]$ sqlplus sys/ab$@abc11 as sysdba

SQL*Plus: Release 10.2.0.4.0 - Production on Mon Oct 17 23:44:11 2011

Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show parameter name;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
db_file_name_convert                 string
db_name                              string      test
db_unique_name                       string      test
global_names                         boolean     FALSE
instance_name                        string      test
lock_name_space                      string
log_file_name_convert                string
service_names                        string      test
SQL>

通过以上sql发现,把sys的密码改为ab$后,无论是什么tns都可以登录数据库,而且都是本地数据库,是不是感觉很诡异,其实你仔细观察发现,密码中有了$,使得$@的操作都变成了无效的,其实就是sqlplus sys/123(随意) as sysdba方式登录本地数据库

[oracle@ECP-UC-DB1 ~]$ sqlplus sys/123 as sysdba

SQL*Plus: Release 10.2.0.4.0 - Production on Mon Oct 17 23:48:23 2011

Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL>
此条目发表在 Oracle 分类目录。将固定链接加入收藏夹。

sys用户密码含$ sqlplus登录数据库诡异事件分析》有 2 条评论

  1. 惜分飞 说:
    2012 年 7 月 28 日18:54

    这个太容易解释了,文件,$符号代表什么吧

    在linux/unix中$一般是表示变量的时候使用,如果没有定义这个变量就是为空,所以导致密码不对

  2. hrora 说:
    2012 年 7 月 28 日15:00

    这个太容易解释了,文件,$符号代表什么吧