"How to change Oracle SYS password without having to login into a database? Possible?
Yes. All you need is some knowledge about Oracle internals.
This document is to be used only for testing purposes and not to be used in production environment. Purpose is to show audience how hackers can gain access to your system without knowing it and how to prevent it.
As I said earlier I am not going to use SQL to access production database. In order to get necessary information about SYS user I will copy production system datafile to my test server using rcp, sftp or any other utility (assumption here is that we already have gained access to database server)."
I have updated my Oracle internals and undocumented Oracle page to include this paper.
There has been 4 Comments posted on this article