Call now: 252-767-6166  
Oracle Training Oracle Support Development Oracle Apps

 E-mail Us
 Oracle Articles
New Oracle Articles

 Oracle Training
 Oracle Tips

 Oracle Forum
 Class Catalog

 Remote DBA
 Oracle Tuning
 Emergency 911
 RAC Support
 Apps Support
 Oracle Support

 SQL Tuning

 Oracle UNIX
 Oracle Linux
 Remote s
 Remote plans
 Application Server

 Oracle Forms
 Oracle Portal
 App Upgrades
 SQL Server
 Oracle Concepts
 Software Support

 Remote S


 Consulting Staff
 Consulting Prices
 Help Wanted!


 Oracle Posters
 Oracle Books

 Oracle Scripts

Don Burleson Blog 







Oracle Web Hacker Tricks

Reprinted from Oracle Internals

August  2002 - Donald Burleson

Update - For a complete treatment of the topic of Oracle security on the web, see these books and resources:

Hardly a week goes by that we do not see a news report about a major web-based application being hacked.  Since most of these system use Oracle, the savvy DBA must be on the alert for attempts to hack into the database server.  As we will see, a hacker who can get onto your database server can change the UNIX file permission on the Oracle data files, and completely bypass Oracle security.

Trick 1 – Hacking your Oracle server from the web 

I recently had an Oracle client "hacked" from a foreign country, and this is the trick that they used to find my client over the web and access their server.

 Internet hackers are constantly cruising the web looking for servers to attack. To do this, hackers will write simple scripts that generate random IP addresses randomly "ping IP addresses, looking for a server that responds "I'm here". The response is called a "ping acknowledgement", and is a standard feature of the ping utility:

C:\ ping

 Here is the output from a ping command: 

Pinging with 32 bytes of data:
Reply from bytes=32 time=164ms TTL=254
Reply from bytes=32 time=162ms TTL=254
Reply from bytes=32 time=170ms TTL=254
Ping statistics for
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 162ms, Maximum = 170ms, Average = 165ms


The acknowledgement packet (called an "ack" in Netguru jargon) tells the hacker that there is an active server at this IP address.  The hacker will then telnet to your server and begin a series of attempts to hack the "root" or the oracle" user password.  The best way to foil this type of attack is to disable all server accounts after three password attempts. 

Below is the pseudocode for a UNIX shell script to prove the Internet for vulnerable servers. Hackers run this script as a daemon process, and scan hundred of thousands of IP addresses every hour. 

 Please note that I have deliberately introduced syntax errors into the pseudocode routine.  This script has been made unusable in order to prevent evil people who see this article from possessing a dangerous tool.


while true
  # Generate a random IP address
  # Submit the IP address to the ping command
  nohup ping $IP_ADDRESS > /tmp/t.lst 2>&1 &
  # If ping is responding – start the attack
     if `cat /tmp/t.lst|wc –l` > 0
         then invoke attack_routine


The attack_routine is a standard tool using random user/password generation, and after several million attempts, the routine can almost always gain access to the database server.  I recently hired a "white hat" hacker to see how easy this was, and their attack script was able to gain entry to the server in less than 3 hours!

As we can see, even a novice computer person can write an attack program and locate opportunities for server attack. While the main method of attack is directly from the IP address, some creating hackers gain entry with I/O-enabled Java applets, and other programs that compromise the writing of cookies. To prevent these types of external attack, savvy companies employ some of the following techniques: 

-          Trusted IP addresses - UNIX servers can be configured to only answer pings from a list of "trusted" hosts.  In UNIX, this is done by configuring the .rhosts file.  The .rhosts file restricts server access to a list of specific users. 

-          Server account disabling – If you suspend the server ID after three password attempts, you thwart attackers.  Without user ID suspension, an attacker can write a program that runs millions of passwords until it guesses a user and password combination. 

-          Special Tools – There are products such a Zone Alarm that sends an alert when an external server is attempting to breach your firewall security.

As we have noted, once the hacker gets access to the Oracle server, they can use tricks to bypass Oracle and read the data files directly from disk.

Trick 2 – Bypassing Oracle security

One trick commonly used by UNIX hackers is to leverage the UNIX operating system to probe into the Oracle data blocks.  With some knowledge of UNIX and Oracle, the nasty hacker can use UNIX to verify the contents of Oracle data rows. 

 This technique is also useful if a data corruption is causing a data file to go offline, or if Oracle data is suspect.  Let's see how this is done.

 We start by running a SQL query to locate the ROWID of the data block that contains the row we want to investigate. Here we rely on the dbms_rowid package, and use the row_block_number procedure to return the data block corresponding to our desired row.


   dbms_rowid.rowid_block_number(rowid) block
   customer_name = ‘Burleson';



Here we see that the customer information for Burleson resides on the 141st block in the data file.  We can now go to UNIX and display the contents of this row. 

This is a great tool because we can display Oracle data even if the database is shut down.  Of course, hackers can also use these tools to bypass the security of the Oracle database, hacking directly into the Oracle data files.

To display block 141, we can use the UNIX dd command.  The dd command accepts a skip parameter that tells it how far into a file to travel. To get to block 141 we must allow for nine blocks in the datafile header.  We must also remember that the skip statement should take us to the block immediately before our data block.

 Hence, our data block is on block 150 (141+9) and the skip parameter for block 141 will be:  141+9-1 = 149.  We also need to specify the blocksize for the dd command in the ibs parameter.

Once we run the UNIX dd command to read the Oracle data block, we can filter the output by piping it to the UNIX strings command to only show printable information. Here is the UNIX command and the output showing the displayable data inside the data block:


root> dd if=/u01/oradata/prod/customer.dbf \
      ibs=8192 skip=149 count=1|strings

1+0 records in
149+0 records out
Donald Burleson 3/35/56 1401 West Avenue


While this technique is most useful in emergency situation when you cannot start the Oracle database, it is important to understand how a UNIX hacker can bypass Oracle and read information directly from your Oracle database files.

See my related notes on Oracle web security:




Please note that Donald Keith Burleson is not related to Donald Gene Burleson, a person charged in Texas computer-related crimes.

Burleson is the American Team

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.  Feel free to ask questions on our Oracle forum.

Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.

Errata?  Oracle technology is changing and we strive to update our BC Oracle support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:  

and include the URL for the page.


Burleson Consulting

The Oracle of Database Support

Oracle Performance Tuning

Remote DBA Services


Copyright © 1996 -  2017

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.

Remote Emergency Support provided by Conversational