Hacking the world’s most popular database

TL;DR

Oracle 23c can be deployed quickly for learning by running an Oracle Container Registry image in Docker and exposing the listener port 1521.

Briefing Cornell Notes

Briefing

Oracle Database 23c is presented as both a practical platform to build and a realistic target for ethical penetration testing—using Docker to stand up a local instance, then walking through Oracle’s distinctive architecture (CDB/PDB) before demonstrating how attackers enumerate and guess credentials.

The walkthrough starts by positioning Oracle SQL as “different” from MySQL, especially in how it organizes data and administration. A local Oracle 23c environment is deployed in minutes by installing Docker and running an Oracle 23c free container image with the listener port 1521 exposed. Inside the container, command-line access uses SQL Plus, logging in as the SYSDBA account (the system database administrator) to interact with Oracle’s internal structure.

From there, the core architectural concept is the multitenant model: a Container Database (CDB) root that hosts one or more Pluggable Databases (PDBs). The session shows how Oracle treats each PDB like an isolated “mini-database” with its own namespaces, users, tablespaces, and schemas. The tutorial then creates a new PDB named “matrix,” defines an admin user “Neo” inside it, and opens the PDB so it can be used. A key operational detail follows: users created in a PDB don’t automatically appear in the root container’s user list, and permissions must be granted within the correct container context.

To make Neo functional, the process grants Neo the privileges needed to operate: CREATE SESSION, CREATE TABLE, and UNLIMITED TABLESPACE. The workflow then switches into Neo’s SQL Plus session within the “matrix” PDB and creates a table (“Red Pill db”) with columns for id, name, real name, role, and ability. Data insertion, COMMIT, querying, and deletion mirror common SQL patterns, but the Oracle-specific naming and metadata queries differ—especially when listing tables via USER_TABLES and filtering by the owning user.

A major 23c feature is then introduced: JSON Relational Duality Views. Instead of treating JSON as a separate, awkward format, the example builds relational tables that store JSON-like key/value structures and then creates a duality view that behaves like JSON for application developers. The demonstration emphasizes bidirectional behavior: selecting from the duality view returns JSON-shaped documents, updates to underlying tables automatically reflect in the view, and inserting a pure JSON document into the view updates the relational tables underneath. The result is a blurring of lines between traditional relational SQL and NoSQL-style document workflows.

Finally, the ethical hacking portion uses Odat (run inside Docker) to enumerate and attack an Oracle instance. The approach checks for a reachable TNS listener on port 1521, identifies the correct SID (noting that PDBs share the root SID), and then uses a SID guessing module plus a brute-force-style password guessing module. By adding the expected SID and credentials to the tool’s wordlists, the run succeeds in finding valid SYSDBA credentials (SYS and password), illustrating why attackers focus on system-level accounts and why secure configuration and secrecy of connection details matter. The segment closes by framing the exercise as a high-level but concrete map of how Oracle’s multitenant design and new JSON capabilities intersect with real-world security testing.

Cornell Notes

Oracle Database 23c is set up locally using Docker, then accessed via SQL Plus to demonstrate Oracle’s multitenant architecture. A Container Database (CDB) root hosts Pluggable Databases (PDBs); the tutorial creates a new PDB named “matrix,” creates a user “Neo” inside it, and grants privileges (CREATE SESSION, CREATE TABLE, UNLIMITED TABLESPACE) before switching into Neo’s session. It also highlights Oracle’s metadata model: tables belong to schemas tied to users, so listing tables uses USER_TABLES rather than MySQL-style SHOW TABLES. The session then showcases JSON Relational Duality Views, where JSON-shaped queries and inserts automatically stay synchronized with underlying relational tables. The ethical hacking segment uses Odat to enumerate the TNS listener, guess the SID, and brute-force credentials, succeeding when SID and password lists are provided.

Why does Oracle’s multitenant design (CDB/PDB) change how users and metadata appear?

In the multitenant model, the CDB root (shown via commands like SHOW CON NAME) is separate from each PDB. Users created inside a PDB (e.g., Neo created in the “matrix” PDB) won’t show up when querying user metadata from the root container. The tutorial demonstrates this by selecting usernames from DBA_USERS in the root and not finding Neo, then reconnecting specifically to the PDB and confirming Neo appears there. Similarly, tables are tied to schemas owned by users, so visibility depends on the container and the connected user/schema context.

What privileges does Neo need to create and use objects inside the PDB?

After creating Neo, the tutorial grants Neo the operational privileges required for typical database work: CREATE SESSION (to log in and start sessions), CREATE TABLE (to define new tables), and UNLIMITED TABLESPACE (to avoid tablespace restrictions when creating objects). Once those grants succeed, Neo can create a table (“Red Pill db”), insert rows, commit, query, and delete records within the “matrix” PDB.

How do Oracle table listings differ from MySQL-style commands?

Oracle doesn’t use a direct SHOW TABLES equivalent in SQL Plus. Because tables belong to schemas tied to users, the tutorial uses USER_TABLES to list tables visible to the current user. For example, selecting TABLE_NAME from USER_TABLES returns the tables in the connected schema (Neo’s schema in the “matrix” PDB). An admin could query DBA_TABLES to see more globally, but the key point is that schema ownership drives what you can see.

What does JSON Relational Duality Views change for developers?

JSON Relational Duality Views let applications work with JSON-shaped documents while the database maintains relational storage. The example creates a duality view that joins underlying tables and returns JSON-like key/value structures when selected. Crucially, changes propagate both ways: adding a new row to the underlying relational tables makes the duality view reflect the update automatically, and inserting a pure JSON document into the duality view updates the underlying tables. This effectively blurs the boundary between relational SQL and document-oriented NoSQL workflows.

How does Odat’s attack workflow map to Oracle’s network and identity layers?

Odat is used in a staged process: first, verify the TNS listener is reachable on port 1521; second, identify the correct SID (the tutorial notes that PDBs share the root SID, so the SID is found from the CDB root context); third, brute-force credentials using a password guessing module that requires the SID. The run succeeds only after the expected SID and username/password candidates are present in the tool’s wordlists, illustrating how enumeration and credential guessing depend on accurate target identity.

Review Questions

When switching between CDB root and a PDB, which commands or connection parameters ensure the session is in the correct container, and why does that matter for user visibility?
How do schema ownership and USER_TABLES affect what a connected user can list and query in Oracle compared with MySQL’s SHOW TABLES approach?
In JSON Relational Duality Views, what evidence shows that inserts/updates are synchronized between the JSON view and the underlying relational tables?

Key Points

1
Oracle 23c can be deployed quickly for learning by running an Oracle Container Registry image in Docker and exposing the listener port 1521.
2
Oracle’s multitenant architecture splits administration and metadata across a CDB root and one or more PDBs, so users and tables appear differently depending on the active container.
3
Creating a PDB requires opening it before use, and users created inside a PDB must be granted the right privileges within that PDB context.
4
Oracle object visibility is schema-driven; listing tables typically uses USER_TABLES (and DBA_TABLES for broader access), not MySQL-style SHOW TABLES.
5
JSON Relational Duality Views allow JSON-shaped querying and insertion while keeping relational tables underneath, with updates reflecting both directions.
6
Odat-based ethical testing follows a practical chain: confirm TNS listener reachability, determine the correct SID (root SID shared by PDBs), then attempt credential guessing using SID plus wordlists.
7
Successful credential guessing in the demo depends on providing the correct SID and candidate credentials; without that, enumeration and brute force become much harder.

Highlights

Oracle’s CDB/PDB model makes Neo “disappear” from root queries until the session connects to the correct PDB, underscoring how container context controls visibility.

JSON Relational Duality Views behave like a two-way bridge: inserting pure JSON into a duality view updates underlying relational tables, and relational changes automatically appear in JSON-shaped queries.

Odat’s workflow emphasizes that PDBs don’t have their own SID; the SID is shared with the CDB root, so enumeration must target the root identity.

The tutorial’s hacking success hinges on SID and credential wordlists—demonstrating why secrecy of connection details and strong authentication matter.

Topics

Oracle Database 23c Setup
CDB PDB Multitenant
SQL Plus Administration
JSON Relational Duality Views
Odat Oracle Hacking

Mentioned

Oracle
Docker
Oracle Container Registry
Odat
SQL
PDB
CDB
SYSDBA
TNS
SID
DBA
WSL
WSL 2
JSON